From 53c3d18a935dfa228b89977ec9de003e0b4ddefe Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Thu, 23 Jan 2025 00:06:28 +0000 Subject: [PATCH] Added chart versions: gluu/gluu: - 5.3.0 minio/minio-operator: - 7.0.0 redpanda/redpanda: - 5.9.19 --- assets/gluu/gluu-5.3.0.tgz | Bin 0 -> 106613 bytes assets/minio/minio-operator-7.0.0.tgz | Bin 0 -> 21224 bytes assets/redpanda/redpanda-5.9.19.tgz | Bin 0 -> 158169 bytes charts/gluu/gluu/5.3.0/Chart.yaml | 102 + charts/gluu/gluu/5.3.0/README.md | 659 + charts/gluu/gluu/5.3.0/app-readme.md | 38 + .../gluu/5.3.0/charts/admin-ui/.helmignore | 21 + .../gluu/5.3.0/charts/admin-ui/Chart.yaml | 20 + .../gluu/gluu/5.3.0/charts/admin-ui/README.md | 58 + .../charts/admin-ui/templates/_helpers.tpl | 98 + .../templates/admin-ui-destination-rules.yaml | 27 + .../admin-ui/templates/admin-ui-pdb.yaml | 26 + .../templates/admin-ui-virtual-services.yaml | 42 + .../charts/admin-ui/templates/deployment.yml | 135 + .../5.3.0/charts/admin-ui/templates/hpa.yaml | 42 + .../charts/admin-ui/templates/service.yml | 34 + .../templates/user-custom-secret-envs.yaml | 26 + .../gluu/5.3.0/charts/admin-ui/values.yaml | 94 + .../auth-server-key-rotation/.helmignore | 21 + .../auth-server-key-rotation/Chart.yaml | 18 + .../charts/auth-server-key-rotation/README.md | 51 + .../templates/_helpers.tpl | 68 + .../templates/cronjobs.yaml | 97 + .../templates/service.yaml | 30 + .../templates/user-custom-secret-envs.yaml | 25 + .../auth-server-key-rotation/values.yaml | 64 + .../gluu/5.3.0/charts/auth-server/.helmignore | 21 + .../gluu/5.3.0/charts/auth-server/Chart.yaml | 22 + .../gluu/5.3.0/charts/auth-server/README.md | 60 + .../charts/auth-server/templates/_helpers.tpl | 112 + .../auth-server-destination-rules.yaml | 27 + .../templates/auth-server-pdb.yaml | 26 + ...uth-server-protected-virtual-services.yaml | 58 + .../auth-server-virtual-services.yaml | 184 + .../auth-server/templates/deployment.yml | 230 + .../charts/auth-server/templates/hpa.yaml | 42 + .../charts/auth-server/templates/service.yml | 34 + 
.../templates/user-custom-secret-envs.yaml | 26 + .../gluu/5.3.0/charts/auth-server/values.yaml | 98 + .../gluu/gluu/5.3.0/charts/casa/.helmignore | 22 + charts/gluu/gluu/5.3.0/charts/casa/Chart.yaml | 21 + charts/gluu/gluu/5.3.0/charts/casa/README.md | 64 + .../5.3.0/charts/casa/templates/_helpers.tpl | 122 + .../templates/casa-destination-rules.yaml | 27 + .../5.3.0/charts/casa/templates/casa-pdb.yaml | 26 + .../casa/templates/casa-virtual-services.yaml | 43 + .../charts/casa/templates/deployment.yaml | 147 + .../gluu/5.3.0/charts/casa/templates/hpa.yaml | 42 + .../5.3.0/charts/casa/templates/service.yaml | 35 + .../templates/user-custom-secret-envs.yaml | 26 + .../gluu/gluu/5.3.0/charts/casa/values.yaml | 109 + .../5.3.0/charts/cn-istio-ingress/.helmignore | 22 + .../5.3.0/charts/cn-istio-ingress/Chart.yaml | 19 + .../5.3.0/charts/cn-istio-ingress/README.md | 23 + .../cn-istio-ingress/templates/_helpers.tpl | 63 + .../cn-istio-ingress/templates/gateway.yaml | 37 + .../5.3.0/charts/cn-istio-ingress/values.yaml | 4 + .../gluu/5.3.0/charts/config-api/.helmignore | 21 + .../gluu/5.3.0/charts/config-api/Chart.yaml | 22 + .../gluu/5.3.0/charts/config-api/README.md | 63 + .../charts/config-api/templates/_helpers.tpl | 112 + .../config-api-destination-rules.yaml | 27 + .../config-api/templates/config-api-pdb.yaml | 26 + .../config-api-virtual-services.yaml | 43 + .../config-api/templates/deployment.yaml | 134 + .../charts/config-api/templates/hpa.yaml | 42 + .../charts/config-api/templates/service.yaml | 34 + .../gluu/5.3.0/charts/config-api/values.yaml | 103 + .../gluu/gluu/5.3.0/charts/config/.helmignore | 22 + .../gluu/gluu/5.3.0/charts/config/Chart.yaml | 21 + .../gluu/gluu/5.3.0/charts/config/README.md | 115 + .../charts/config/templates/_helpers.tpl | 107 + .../config/templates/clusterrolebinding.yaml | 50 + .../charts/config/templates/configmaps.yaml | 457 + .../config/templates/load-init-config.yml | 106 + .../charts/config/templates/ob-secrets.yaml | 71 + 
.../charts/config/templates/rolebinding.yaml | 28 + .../5.3.0/charts/config/templates/roles.yaml | 24 + .../charts/config/templates/secrets.yaml | 66 + .../charts/config/templates/service.yaml | 32 + .../config/templates/serviceaccount.yaml | 22 + .../config/templates/user-custom-envs.yaml | 79 + .../gluu/gluu/5.3.0/charts/config/values.yaml | 207 + .../gluu/gluu/5.3.0/charts/fido2/.helmignore | 21 + .../gluu/gluu/5.3.0/charts/fido2/Chart.yaml | 22 + charts/gluu/gluu/5.3.0/charts/fido2/README.md | 61 + .../5.3.0/charts/fido2/templates/_helpers.tpl | 111 + .../charts/fido2/templates/deployment.yml | 142 + .../templates/fido2-destination-rules.yaml | 27 + .../charts/fido2/templates/fido2-pdb.yaml | 26 + .../templates/fido2-virtual-services.yaml | 73 + .../5.3.0/charts/fido2/templates/hpa.yaml | 42 + .../5.3.0/charts/fido2/templates/service.yml | 34 + .../templates/user-custom-secret-envs.yaml | 26 + .../gluu/gluu/5.3.0/charts/fido2/values.yaml | 97 + .../5.3.0/charts/kc-scheduler/.helmignore | 21 + .../gluu/5.3.0/charts/kc-scheduler/Chart.yaml | 18 + .../gluu/5.3.0/charts/kc-scheduler/README.md | 48 + .../kc-scheduler/templates/_helpers.tpl | 68 + .../kc-scheduler/templates/cronjobs.yaml | 98 + .../kc-scheduler/templates/service.yaml | 25 + .../templates/user-custom-secret-envs.yaml | 20 + .../5.3.0/charts/kc-scheduler/values.yaml | 56 + charts/gluu/gluu/5.3.0/charts/link/Chart.yaml | 18 + charts/gluu/gluu/5.3.0/charts/link/README.md | 63 + .../5.3.0/charts/link/templates/_helpers.tpl | 111 + .../charts/link/templates/deployment.yaml | 133 + .../gluu/5.3.0/charts/link/templates/hpa.yaml | 42 + .../templates/link-destination-rules.yaml | 27 + .../5.3.0/charts/link/templates/link-pdb.yaml | 26 + .../link/templates/link-virtual-services.yaml | 43 + .../5.3.0/charts/link/templates/service.yaml | 32 + .../gluu/gluu/5.3.0/charts/link/values.yaml | 106 + .../5.3.0/charts/nginx-ingress/.helmignore | 21 + .../5.3.0/charts/nginx-ingress/Chart.yaml | 20 + 
.../gluu/5.3.0/charts/nginx-ingress/README.md | 34 + .../nginx-ingress/templates/_helpers.tpl | 32 + .../templates/admin-ui-ingress.yaml | 53 + .../auth-server-protected-ingress.yaml | 127 + .../nginx-ingress/templates/certificate.yaml | 18 + .../nginx-ingress/templates/ingress.yaml | 1127 + .../5.3.0/charts/nginx-ingress/values.yaml | 29 + .../gluu/5.3.0/charts/persistence/.helmignore | 22 + .../gluu/5.3.0/charts/persistence/Chart.yaml | 18 + .../gluu/5.3.0/charts/persistence/README.md | 51 + .../charts/persistence/templates/_helpers.tpl | 79 + .../charts/persistence/templates/jobs.yml | 98 + .../charts/persistence/templates/service.yaml | 32 + .../templates/user-custom-secret-envs.yaml | 25 + .../gluu/5.3.0/charts/persistence/values.yaml | 60 + .../gluu/gluu/5.3.0/charts/saml/.helmignore | 22 + charts/gluu/gluu/5.3.0/charts/saml/Chart.yaml | 18 + charts/gluu/gluu/5.3.0/charts/saml/README.md | 62 + .../5.3.0/charts/saml/templates/_helpers.tpl | 122 + .../charts/saml/templates/deployment.yaml | 147 + .../gluu/5.3.0/charts/saml/templates/hpa.yaml | 42 + .../templates/saml-destination-rules.yaml | 27 + .../5.3.0/charts/saml/templates/saml-pdb.yaml | 26 + .../saml/templates/saml-virtual-services.yaml | 43 + .../5.3.0/charts/saml/templates/service.yaml | 35 + .../templates/user-custom-secret-envs.yaml | 26 + .../gluu/gluu/5.3.0/charts/saml/values.yaml | 112 + .../gluu/gluu/5.3.0/charts/scim/.helmignore | 21 + charts/gluu/gluu/5.3.0/charts/scim/Chart.yaml | 20 + charts/gluu/gluu/5.3.0/charts/scim/README.md | 60 + .../5.3.0/charts/scim/templates/_helpers.tpl | 111 + .../charts/scim/templates/deployment.yml | 142 + .../gluu/5.3.0/charts/scim/templates/hpa.yaml | 42 + .../templates/scim-destination-rules.yaml | 27 + .../5.3.0/charts/scim/templates/scim-pdb.yaml | 26 + .../scim/templates/scim-virtual-services.yaml | 59 + .../5.3.0/charts/scim/templates/service.yml | 34 + .../templates/user-custom-secret-envs.yaml | 26 + .../gluu/gluu/5.3.0/charts/scim/values.yaml | 96 + 
.../gluu/gluu/5.3.0/openbanking-values.yaml | 651 + charts/gluu/gluu/5.3.0/questions.yaml | 1209 + charts/gluu/gluu/5.3.0/templates/_helpers.tpl | 48 + charts/gluu/gluu/5.3.0/values.schema.json | 2788 +++ charts/gluu/gluu/5.3.0/values.yaml | 1906 ++ charts/minio/minio-operator/7.0.0/.helmignore | 22 + charts/minio/minio-operator/7.0.0/Chart.yaml | 23 + charts/minio/minio-operator/7.0.0/README.md | 45 + .../minio/minio-operator/7.0.0/app-readme.md | 78 + .../7.0.0/templates/_helpers.tpl | 37 + .../7.0.0/templates/minio.min.io_tenants.yaml | 5745 +++++ .../7.0.0/templates/operator-clusterrole.yaml | 183 + .../operator-clusterrolebinding.yaml | 13 + .../7.0.0/templates/operator-deployment.yaml | 67 + .../7.0.0/templates/operator-service.yaml | 14 + .../templates/operator-serviceaccount.yaml | 10 + .../7.0.0/templates/sts-service.yaml | 12 + .../templates/sts.min.io_policybindings.yaml | 133 + charts/minio/minio-operator/7.0.0/values.yaml | 187 + charts/redpanda/redpanda/5.9.19/.helmignore | 28 + charts/redpanda/redpanda/5.9.19/CHANGELOG.md | 313 + charts/redpanda/redpanda/5.9.19/Chart.lock | 9 + charts/redpanda/redpanda/5.9.19/Chart.yaml | 38 + charts/redpanda/redpanda/5.9.19/LICENSE | 201 + charts/redpanda/redpanda/5.9.19/README.md | 1259 + .../5.9.19/charts/connectors/.helmignore | 29 + .../5.9.19/charts/connectors/Chart.yaml | 25 + .../redpanda/5.9.19/charts/connectors/LICENSE | 201 + .../5.9.19/charts/connectors/README.md | 580 + .../charts/connectors/templates/_chart.go.tpl | 13 + .../connectors/templates/_deployment.go.tpl | 136 + .../connectors/templates/_helpers.go.tpl | 131 + .../charts/connectors/templates/_helpers.tpl | 79 + .../connectors/templates/_pod-monitor.go.tpl | 18 + .../connectors/templates/_service.go.tpl | 20 + .../templates/_serviceaccount.go.tpl | 18 + .../charts/connectors/templates/_shims.tpl | 339 + .../connectors/templates/_values.go.tpl | 15 + .../connectors/templates/entry-point.yaml | 17 + .../templates/tests/01-mm2-values.yaml | 176 + 
.../5.9.19/charts/connectors/values.yaml | 313 + .../5.9.19/charts/console/.helmignore | 28 + .../redpanda/5.9.19/charts/console/Chart.yaml | 23 + .../redpanda/5.9.19/charts/console/README.md | 353 + .../console/examples/console-enterprise.yaml | 94 + .../5.9.19/charts/console/templates/NOTES.txt | 20 + .../charts/console/templates/_chart.go.tpl | 13 + .../console/templates/_configmap.go.tpl | 25 + .../console/templates/_deployment.go.tpl | 133 + .../charts/console/templates/_helpers.go.tpl | 82 + .../charts/console/templates/_helpers.tpl | 25 + .../charts/console/templates/_hpa.go.tpl | 25 + .../charts/console/templates/_ingress.go.tpl | 46 + .../charts/console/templates/_notes.go.tpl | 40 + .../charts/console/templates/_secret.go.tpl | 22 + .../charts/console/templates/_service.go.tpl | 20 + .../console/templates/_serviceaccount.go.tpl | 39 + .../charts/console/templates/_shims.tpl | 355 + .../charts/console/templates/entry-point.yaml | 17 + .../templates/tests/test-connection.yaml | 22 + .../5.9.19/charts/console/values.schema.json | 323 + .../5.9.19/charts/console/values.yaml | 281 + .../redpanda/5.9.19/templates/NOTES.txt | 26 + .../5.9.19/templates/_cert-issuers.go.tpl | 59 + .../redpanda/5.9.19/templates/_certs.go.tpl | 71 + .../redpanda/5.9.19/templates/_chart.go.tpl | 63 + .../5.9.19/templates/_configmap.go.tpl | 597 + .../5.9.19/templates/_connectors.go.tpl | 47 + .../redpanda/5.9.19/templates/_console.go.tpl | 165 + .../5.9.19/templates/_example-commands.tpl | 58 + .../redpanda/5.9.19/templates/_helpers.go.tpl | 663 + .../redpanda/5.9.19/templates/_helpers.tpl | 368 + .../redpanda/5.9.19/templates/_notes.go.tpl | 167 + .../templates/_poddisruptionbudget.go.tpl | 21 + .../_post-install-upgrade-job.go.tpl | 123 + .../5.9.19/templates/_post_upgrade_job.go.tpl | 87 + .../redpanda/5.9.19/templates/_rbac.go.tpl | 116 + .../redpanda/5.9.19/templates/_secrets.go.tpl | 419 + .../5.9.19/templates/_service.internal.go.tpl | 38 + 
.../templates/_service.loadbalancer.go.tpl | 105 + .../5.9.19/templates/_service.nodeport.go.tpl | 80 + .../5.9.19/templates/_serviceaccount.go.tpl | 18 + .../5.9.19/templates/_servicemonitor.go.tpl | 26 + .../redpanda/5.9.19/templates/_shims.tpl | 338 + .../5.9.19/templates/_statefulset.go.tpl | 773 + .../redpanda/5.9.19/templates/_values.go.tpl | 1559 ++ .../5.9.19/templates/entry-point.yaml | 17 + .../templates/tests/test-api-status.yaml | 52 + .../templates/tests/test-auditLogging.yaml | 86 + .../tests/test-connector-via-console.yaml | 166 + .../5.9.19/templates/tests/test-console.yaml | 49 + .../test-internal-external-tls-secrets.yaml | 122 + .../tests/test-kafka-internal-tls-status.yaml | 62 + .../templates/tests/test-kafka-nodelete.yaml | 100 + .../tests/test-kafka-produce-consume.yaml | 83 + .../tests/test-kafka-sasl-status.yaml | 79 + .../tests/test-license-with-console.yaml | 61 + .../tests/test-lifecycle-scripts.yaml | 66 + .../tests/test-loadbalancer-tls.yaml | 173 + .../templates/tests/test-nodeport-tls.yaml | 173 + .../test-pandaproxy-internal-tls-status.yaml | 81 + .../tests/test-pandaproxy-status.yaml | 72 + .../tests/test-prometheus-targets.yaml | 84 + .../templates/tests/test-rack-awareness.yaml | 61 + .../tests/test-rpk-debug-bundle.yaml | 104 + .../templates/tests/test-sasl-updated.yaml | 71 + .../redpanda/5.9.19/values.schema.json | 20037 ++++++++++++++++ charts/redpanda/redpanda/5.9.19/values.yaml | 1157 + index.yaml | 177 +- 263 files changed, 58685 insertions(+), 1 deletion(-) create mode 100644 assets/gluu/gluu-5.3.0.tgz create mode 100644 assets/minio/minio-operator-7.0.0.tgz create mode 100644 assets/redpanda/redpanda-5.9.19.tgz create mode 100644 charts/gluu/gluu/5.3.0/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/README.md create mode 100644 charts/gluu/gluu/5.3.0/app-readme.md create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/Chart.yaml create mode 
100644 charts/gluu/gluu/5.3.0/charts/admin-ui/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-pdb.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/templates/deployment.yml create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/templates/service.yml create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/admin-ui/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/cronjobs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/service.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-destination-rules.yaml create mode 100644 
charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-pdb.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-protected-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/templates/deployment.yml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/templates/service.yml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/auth-server/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/templates/casa-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/templates/casa-pdb.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/templates/casa-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/templates/deployment.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/templates/service.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/casa/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/templates/_helpers.tpl create mode 100644 
charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/templates/gateway.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-pdb.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/templates/deployment.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/templates/service.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config-api/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/config/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/clusterrolebinding.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/configmaps.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/load-init-config.yml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/ob-secrets.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/rolebinding.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/roles.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/secrets.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/service.yaml 
create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/serviceaccount.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/templates/user-custom-envs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/config/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/templates/deployment.yml create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-pdb.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/templates/service.yml create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/fido2/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/kc-scheduler/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/kc-scheduler/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/kc-scheduler/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/cronjobs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/service.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/kc-scheduler/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/link/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/link/README.md create mode 100644 
charts/gluu/gluu/5.3.0/charts/link/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/link/templates/deployment.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/link/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/link/templates/link-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/link/templates/link-pdb.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/link/templates/link-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/link/templates/service.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/link/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/nginx-ingress/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/nginx-ingress/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/nginx-ingress/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/admin-ui-ingress.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/certificate.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/ingress.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/nginx-ingress/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/persistence/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/persistence/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/persistence/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/persistence/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/persistence/templates/jobs.yml create mode 100644 charts/gluu/gluu/5.3.0/charts/persistence/templates/service.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/persistence/templates/user-custom-secret-envs.yaml create mode 100644 
charts/gluu/gluu/5.3.0/charts/persistence/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/templates/deployment.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/templates/saml-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/templates/saml-pdb.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/templates/saml-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/templates/service.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/saml/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/.helmignore create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/Chart.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/README.md create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/templates/deployment.yml create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/templates/hpa.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/templates/scim-destination-rules.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/templates/scim-pdb.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/templates/scim-virtual-services.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/templates/service.yml create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/templates/user-custom-secret-envs.yaml create mode 100644 charts/gluu/gluu/5.3.0/charts/scim/values.yaml create mode 100644 charts/gluu/gluu/5.3.0/openbanking-values.yaml create mode 100644 
charts/gluu/gluu/5.3.0/questions.yaml create mode 100644 charts/gluu/gluu/5.3.0/templates/_helpers.tpl create mode 100644 charts/gluu/gluu/5.3.0/values.schema.json create mode 100644 charts/gluu/gluu/5.3.0/values.yaml create mode 100644 charts/minio/minio-operator/7.0.0/.helmignore create mode 100644 charts/minio/minio-operator/7.0.0/Chart.yaml create mode 100644 charts/minio/minio-operator/7.0.0/README.md create mode 100644 charts/minio/minio-operator/7.0.0/app-readme.md create mode 100644 charts/minio/minio-operator/7.0.0/templates/_helpers.tpl create mode 100644 charts/minio/minio-operator/7.0.0/templates/minio.min.io_tenants.yaml create mode 100644 charts/minio/minio-operator/7.0.0/templates/operator-clusterrole.yaml create mode 100644 charts/minio/minio-operator/7.0.0/templates/operator-clusterrolebinding.yaml create mode 100644 charts/minio/minio-operator/7.0.0/templates/operator-deployment.yaml create mode 100644 charts/minio/minio-operator/7.0.0/templates/operator-service.yaml create mode 100644 charts/minio/minio-operator/7.0.0/templates/operator-serviceaccount.yaml create mode 100644 charts/minio/minio-operator/7.0.0/templates/sts-service.yaml create mode 100644 charts/minio/minio-operator/7.0.0/templates/sts.min.io_policybindings.yaml create mode 100644 charts/minio/minio-operator/7.0.0/values.yaml create mode 100644 charts/redpanda/redpanda/5.9.19/.helmignore create mode 100644 charts/redpanda/redpanda/5.9.19/CHANGELOG.md create mode 100644 charts/redpanda/redpanda/5.9.19/Chart.lock create mode 100644 charts/redpanda/redpanda/5.9.19/Chart.yaml create mode 100644 charts/redpanda/redpanda/5.9.19/LICENSE create mode 100644 charts/redpanda/redpanda/5.9.19/README.md create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/.helmignore create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/Chart.yaml create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/LICENSE create mode 100644 
charts/redpanda/redpanda/5.9.19/charts/connectors/README.md create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_chart.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_deployment.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_helpers.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_helpers.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_pod-monitor.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_service.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_serviceaccount.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_shims.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_values.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/entry-point.yaml create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/templates/tests/01-mm2-values.yaml create mode 100644 charts/redpanda/redpanda/5.9.19/charts/connectors/values.yaml create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/.helmignore create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/Chart.yaml create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/README.md create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/examples/console-enterprise.yaml create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/NOTES.txt create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_chart.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_configmap.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_deployment.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_helpers.go.tpl create mode 
100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_helpers.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_hpa.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_ingress.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_notes.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_secret.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_service.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_serviceaccount.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/_shims.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/entry-point.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/templates/tests/test-connection.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/values.schema.json
create mode 100644 charts/redpanda/redpanda/5.9.19/charts/console/values.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/NOTES.txt
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_cert-issuers.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_certs.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_chart.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_configmap.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_connectors.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_console.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_example-commands.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_helpers.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_helpers.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_notes.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_poddisruptionbudget.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_post-install-upgrade-job.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_post_upgrade_job.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_rbac.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_secrets.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_service.internal.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_service.loadbalancer.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_service.nodeport.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_serviceaccount.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_servicemonitor.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_shims.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_statefulset.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/_values.go.tpl
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/entry-point.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-api-status.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-auditLogging.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-connector-via-console.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-console.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-internal-external-tls-secrets.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-internal-tls-status.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-nodelete.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-produce-consume.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-sasl-status.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-license-with-console.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-lifecycle-scripts.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-loadbalancer-tls.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-nodeport-tls.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-pandaproxy-internal-tls-status.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-pandaproxy-status.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-prometheus-targets.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-rack-awareness.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-rpk-debug-bundle.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/templates/tests/test-sasl-updated.yaml
create mode 100644 charts/redpanda/redpanda/5.9.19/values.schema.json
create mode 100644 charts/redpanda/redpanda/5.9.19/values.yaml
diff --git a/assets/gluu/gluu-5.3.0.tgz b/assets/gluu/gluu-5.3.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..4fe320bb82abf9e861736ee29839b989bfcd288d GIT binary patch literal 106613 zcmaIdQ*b8H9ya>eww=7u#I|i46Wg}!Wa5c!Yhv5BZTn>JQ?$<@9L#4q$@JszsqW0 z%3UtIC?KB&_|h1wYxA>4pCE)ZD7kw6;tYO59LmNqhfpQy?hOW(-)bHhi5lZBCWlMf zv;)K6Dt!Ak1t1Bz4A@JoK@D4~q>AVu0Z$_bKChW`+y&b{L7FO|U_gIC-lBQinBp|G z;K<`ty)Dt^J~}Z~!*a*o@w$tYA~Ex1%?1sx`Xd+t8=OB)lJ@{6Js7>$1@Xn5HA~xN zi6?*`UtK-SZ#;=}!=WULNG3=Rdrfc_L1RC$gHs6L$3YkEFsBj!xI_0DMnqwcB2rZh zGam`q#e?pl_JdCf3h=S$Mm;rv*aMp!AJ)y;Va`K^^`fx!87e>>ZB$6xiF|Nqgt|0T zF&O|byaagr$Sexvf;*AR?AWz%p*%Ep{Sk2q)ToJSqmVXZQMzMDXwg7riuLcyqCt47 zaR>Zh_OLF&c%Ejv{jFM(R1M6U7pQh#dA-R` zTo+}6+^_|+o{zJB1&F+ zFXEODf;V=#;(k%c@2b8{;t?t99?BQ0<|>y_+7%`@8~=8B+09VSb-Sa=x-_gsLEU3W zGZk{8t^}d)D3R~Y=AgjneU5kli-GfADZ6a0bUQKbn7WuHt@gsELLYT)@bK_ho$;~` zirR&EWQhlcm*`j>P(mTkd`k~5Xc6S?%5%F<9nACyrwT6>=^>C2k_lo{0t@@je%OJ) zcHD?#XVU(6Pa-y3xS`U{%ch82sdV9TP-i7WT0eh*V`fo{Bw&#>b*a(sVdE;W#s_y zQnw$%EmC^0D|&FLpx>xiwdntC)ojplD2SJc+Dl(bp`s35IWl82gq$iBxBg&E#p^V3 z=c8~nNPOJypXO#H**<_Og0J5AHZT+to|`Jy5t&M^zWb#87){B*%jYS6AQOzrnEp*>S2DB563=1{Q#K|D903h zO(bt!01D`01p`b^m1hr_Fg76?thXx^kTL^^v(6>0E-l$EKv9fffN=m@Rtgy z6-fq8<4BZ3!pol;<#Rqj!1w8b7DG$Og>*n%@b08;e1aWjGU?}P%O#-9L&$0GE&1D9 z(iVW?+;MX*_hy9a^8uz3%6OFsYy$Qu*+b9zhuC!gV&;KaEL`4u1$>4RyPuYnbI)O? 
z02t9(nwP0e29l|gY$~-?0yj4Ds4m!M~)n0`}Cc;7a zTRK9fPMNgQzpHMKSZ$$SkU=cjqR7SZK7fvu!e*Tt<~Hn#v(37o>HylLLq{61KBjqQ zIXs9ZD9A6DPZ3LUj3=-$_jaPm-uN>mdYzKrgp@9YBF5{{QDg->Nkfq{*Av&gK-YIb zb$LvKN^1-k-<A~0rfaQlRhrOGX3Piq zDKrGR*6j%NR06i&=ahZSyUMOo`Tm|7Toh2ZVG{)yJjxny5o?^B+{!Guetn@1Lc!u` zAO)ihYVE#4`CyM^`9a{5EbEp>sROmeHl@%xLg$_u^p0RjLJ`6GZ^ps&l$fr&eNp(^ z;(D~`h>y3pdqBaq&>gHK7eXY1llf$Ofq~U%(sjdh#@v@SI1&!hpKst8J^k7?V1fC0 ze=YuOD>5k@?=j<+Td*0m@+DD%{M{6Ii`w7TvKbnW$Qv}9yNM66mNB5(dw=7O+#_OO zU>&O?vv+?XgLz4-&s!avOI9?I=&##eKXH2)QmnV4klrs>hx+ZX0?0RX?w?=^OqGwAEsT#22TV#w*n%se zz?UVCUIAOZ9Zc}pu9WDZwamI!EW$L@;3vjMIebkb{Y_6rEF(XCPa6rOyFe`BN_TfF z&kXFO%*7107<3b{&lTGWcRywT5E=R-p(u9>uLL=RlFQ10U27Al=q(&>aVjGC{Q78| zZK<-;R$I!C+%rf8bKfA>YD%?v*tpVQA>&aSHEPfn7g4wZAYKyi^{|A4pT>YCkP^Ij zS`Y5e1%m228c1e(aWnneG1y)awKpiTrqMcaI1yb0K+%Le3SP2RhrdV2T)AE<#UpxD z9+ryURHep1r8^sGQTVtBTqT7wqs;){4(SOXwGrX8M|UP*#5bzVsA^DhAd(2SM~csQ zUV|c#B5`%eW#TGg7ENw|29H4Q6>T?`;)kZa+B|s4##&~Usy#n+@3zTzRhZy0BvTllU2@*M4IAEc>WZyh3OyHCw((?GQ?K{#0^J6(o zYMXpw&PvPrMyBM2V~YuGGfR%7mmgA1KH%7ppTDW`qgZCXfGk8~UNXbA`fg!Kz#if0 z_^@|46v}*1ASL$;hqHrsx3GM!T2U*I=f2HXr%N4l6*k#`&m2TnzN+=&qTOKv_AWXI zrxCbAWY1kn8ctgpsr{dtJp00hKrbu|C-w~ounieX_`w}E1m4eTm}sWbERaM7g&JV_ z0W!Av`g)IFmX&!d4tkQ3U^10zC8aVz!F4Jb9TZ%4*2cU$DZjO-ivLe(DNmz=n$!|y z-}KCFKW*@6FXNmKFnXv5i3{Hw=?}n!)IhF~Bf$gPVE!FmJWc-s!afsw8+GC&Ogt6H znCMWbN*=L=Kj#MT3{nkGHX=Y6U{2&7{<|!dT%D9eVWKoqIr6*#{c#@~G`on9Ut5)b zNhsT}AcUH!XX{iAHXnv^K7q8cqb z`#bP8yD%*}vMh}mdjr16eoSR(@?z|Tdhi)S(?k+QY`zB&?BfogiX`TF)cVrhL)3Q( zZi53pDjK{+c=6K1H5f&uDjF&UIgg2iM}V}CDgoIn@d=bP1B!_Z4(`g@{9o^}G411! 
zKVL3#T*yWm`sPx#@fN-8(WDMWD{Oj85@*@;C>E!jNKb<&;lg{^t`-;~;)#Fb?7W?F znWmsLv?=_i%35tAnKxiQ0z6UdFWzP68uz9IEekL~fq1e7!7Sj=s6|zz4)6344carW zNKZii7GwrchX~;7)gkO&BtpM6q{Jxsa>Rz@G~g=VIihBe2tgPG)S>|F5y$d_hB(&2l5!o`ujl z!5K{{R3|GR0^^3bwiVc`c^l{tJQcTOAhwrCdDSIAzFUq>ynG1Wx!3}(F6!tmxkR2@ zo=`QJInAMb$Yvp;D4&*-&mosd7W%$bezo=#^&T=YShD;CT#!!Dr% zuyE*Yr^woz$NZ?$IZ89pK%pg{`4;y?BPP7HFwvSMx;Y1jnKw$9q!iK@@d9|-uyY#{ zxO+i6Ktx5;DV-o@AYcr_6+sx!q;&_gQ#2pBmk(KDj$d%)G!9)-M}q^PPjtX&?qoUD zmXl|a`X#w`vR-xF+^}?s3|;3y$k}!E_B9UVr5?5CE6};tF$~Xra`kS|VmFj5 za+KjD%(ayZQ9rpEoTMfQ;x3Xg86=;ZWBZzLACj0MCmNG~j>R3N3D*@xH^) z0U%JwdY;hOqwWCi-&3+OWnj_N$ze6eWA83DTo6QAZPBJVJP1|TbW zaE2RXI5-C&ufMRlLSbwcd>(}!`+oW>9v*1!7k>HQ*4-bs{OjVFUlnFm+s)zyz9*2K z>h#*5OK!K{A4A>p(3X=u;cvEgvTh^glh_dAf68}Q%!FmrwQ)K`9k=b)bIvh3+V@-{ z=p{CFGfaFptB2b6P`yok-L1qG11~G3?Cg4=KO0oEDjNe;#89L>w(F^QnlPs;_fR`f zH=9Rqm3$SgoC}fHtXYDQ{Q?>LddUf-$ka#sZ(#;{HZw^fvr40Wjqf8YHV# z2j?lN$;^F}hEcGX`GYVi+)T<9gYL)5$LBWAI7am^*-xA}ijR38ajpH@I-fg!QJOj& zn5wXSTFke-xXxDBb@RK=ihc}a`!H0i2o2v&vsT)+&Rh~ODcMUl_)f`4V)@s z5%445_u(gvIk~zpHucn%k8^d^>9(kO%jM$cozYIY+NN`9p>I>D6lXyWXNR92n6p01 zLIzllg}cX35h;#=VfP6&LIgeJTXkiM(VnM@l)tHghP}v7-4t27^LTrMUX%*TCyHJ% z5-zMVBO4zHCs8m}(0e6oZ`i@MU{@5T&iXtKWP_AdHMz`}a)zE|p6Ckclg_r+tY0&2 zuG;kXSQHdW7V~>k1)y~CjX|&wHFrR~VM}+Aug8GFm&Q}4K-DVNy$MFLQm&lUC|x6o zQIWj_n*Y*={j5*u_N=rpN(0rY))UAyt*}0OWQZ=4f9P-L2H6pq=NKE3SdAuTm_ohh z5SJOxp_38Xx6{D<{HimhRI)125=vStkyUx$SBpDLy)bGh{^P}JHW@NfT{8h|U1a*V3i1T8`y%6VMPS~P&c|DC& zRXJ&3_N`zSFjj9e;u9FlZPuAn+y$&lvI~-}i2PNPWlt!Kw9fE9mo@54)N22L9K*7{$cZDy zS_>6Ibrl3RBNlPN^orbSGm6eGJTW(U!5_mjx)$5-%I)IS>H0DkkF;!7?=<>S?n3-h zU6=8lBc=4LhE#sQ8`63JjqX57B<^33&$&=B5qn_X@e3~quQ$Y9{~3#KR-J z#P%>b-l<$)=ho$qh{gw8+M>|=_y*iZ!I~6M&GH)|e^h+Rf1c=DiH|_##>?g!eq}R3 zH|OxbzPqgk{kiuy0KE1VDw*Es^Lr*bn=rU6m_}h-x5zHJ&V~mL^I=XS^vc%KYOaBF7lhGVtE#LnD1;Kh&c`_*hl{)NosstE4o;0 z$nSRjDghQ`IWd=_8yZN2@&xyke0->TP$O#?g(@I@;7A2&U>{Q?8uuiH;J8o{FPgwL z6;l826%=glN;kKi{IhGU{#AC@p1B%6xsw=Bkfxxr!5vIPS3 
zfe8stYHS+)9`;&u6@T}25ltNT)!HwO0xO&8QpMqxnk{J$u@YYn(%1#B#v9{_L;}hr zaWJwszobu0$HEw5rorH&k+)1s>gml6DXrv}QMus9M@*m#9UBrFr`~i47)dz{Qpg3v zhfTX@58U*y)~_76T#v)khy2==kHsa!=s}LfW-t7%CY>^6`hz-oxNB~9Mw6DDaXI`%9kHIq+9Et>ri%?3DrCq@>;)8Y~)>n&9UtEJDjD0|%gxjdR z6aP7gR*ZW;@ahcx&KW>&GyBZn&Uw^Z=$6gtP7$FY%joEiTijW%{bp%+)+E1vDKx4X z6|B#I>en+s*PjGR`=i1j{VLs*hY=mQo%1qvz#=h)kjgH8ErzyN z-zrcS?SPc*pfN2msfPF266@b7^R{Vm!%kS|MjM*ehFel=i7_7@wX2x;=}ZbJ*!8vt z#;+vX^RG>@4Fh~veOvdgK8g-DyP(H+ZJfow9kQK$c0@*daU?hl3XYsdXs{_am6UZl z1tXj?#H7`?$qPTjVR4r9z=1S8r&Z*hW*#Y}I#dIeMNr`ff;W|b*%OB&rUHV9U;`kI zd`<7nQzO|dJq!QxNctB|KJ4nW5W7>9G3wBc;~KrKa04h-;Cy1*k34a1V_1h-*ogT8 z?aNP^fow3=89)u8DWAzkG@s}!>jg%QX2}V)aFU8 zDCp{SypLPG3Ng1-LT@W}g;uq-fn6K^>@OD|b~Hh=^Pm8mXcytKspLfsxwIp`$41QfPuGu!ukbW*d?MHvXXfqpXrPj3+Gv3$T!23kQ z(e%nw-po+2!Ep-nN!n5y6Zr$;8U)UrM@=Bc6mlw%VLWmmC|2eHcRII}xQe8>xW$D! zMPF)XcK<8a*%jRuiVO6@_dezkFzOS^tvVS(%MrS~*u~lZ24F6J@0rk*;c)h1{B2(V zvdujX7I~r*r<0flqqAr$eT;Mi7|)H67>-KVN<$*QwgHw&}Na=O00ocW8&^=1=| z#gw*1DHCGM6iD26zvk(&j~f-us^j<+&GJjcY*DC)a%=p4C@ub0_PVG>h6rl!ptqNN ztIgZ#IdZu@uOkBi6Jo|qf&l8&vY(R27c^)6dHxnJB6LYMurVaLnE+$Up_IDOpvoMOoJa#1K~y~W3_S*WB=y2!J4 ztSH2a2-MFUiU_tF4w_o>@pB4KEq8U8*-L}!GGXz+%Dg;90%uA&>+1}+{;5%{)yVc? 
z6DA9e$QaVwTMgp+I({VN9}YO%mzc$SjYQZu%uJJ9QjK)bDIV{Li>xZNS~WjiKMYAV z7k1fxet&m=>tnQCIL?^5CJL>!hL^Tl+BUqm%myw;VljwjR_b|*>%wb zCymS}B2aSbEEd=dnu=wrjs>&SBm`sODEOl#e){RGUb4n0q-M^berDr)(C|5t0zZb7 zM*^*Xe$j!e8;&VDNdM!BwQ|Q60NDg2i(mt*dfu+p9I{iYVO_ z@YTOhh7Djer!vA)-C(%bcr1@o3tz2&u9(}9lic}p$xzoG>k;j3q~*+18VX{n#}+z( z>`Bf^Nx}GtReh~k4EAgk_p&rnx-K#sU@<4qF>El%d+OYAk~%d$wZ5OU^>wR=`G=`P zBGKRys99^4<<-@gFG&IriNbQxS#{9$$4;4DQB20wx?uS>Z=$gGX_u~0wtrAY%}^pZ z?-i*2O6lmz!-QG(RYeS#po120Iuq$y>5pi$Mb8Tikr7oKB~s6N+SSpyx!>@&Un!*4cx`y1A#rMcx?d;ReeW9`lB{nYK!Y?|%+>%k(Uum4s|{gp=z z()*-7YLTU4p*{^z?=DPgM{93;9&6)I??rDC zs=FhIyxc>QTiiTp6hcf;VKYi$5rn~_`q=6L7MHeNPTst2iSNcL_ozY3@ISDQ4eoT` zOTG@a0Q1~~fPpNBkOz&C9;7`S|`@ahn8yqA9bA6{?$gS?e8P1lSMtiJ{?voga zQXp-AH=h4QW+YOl0PYRIVIEv5kx%IWkcAN??$V*jKB5I~TMpu8O$9t3!maD>%p>AB z0uSs<;sa!I+nN;=`L;SJzyb@r&{y)!B}XdhlqMvLM+^SN|LtEI)OwI33zQe6?&Ovz zZRYMuF_Dt4H7hZu@lsaJVV5-B)FX8s+~s-7LfW2PW^K|7?`D^P%b1Ze4t}b{6%JOm z7E(h3HHA-4rxU;cebWES=Qj+78xZKiFJ=K#cK)5MHsulNiY(=mNd>NBkenK~;@acV zze&1PO#U9FHU3VV)={pTMRn6x)68Ou)j6*POblZ&G!3uxyjc%vX^d%YJ;!mxA-cAB z^cSyziJ+#ZyE6ES%wnp=6|X^=XJs2$kJv3|WAf9(*aaD|-e304^Nyqva*IW`@>){@ zeh3GzBLH~mI3mtYb!?G2_a}~{9(|7FLL150HG;|s1-YfPL3t+udV`WnLC%ZgzYA|O z-$}K7%4=WE0&4YkRZ_V+0Os(<(kSphdh_jgb@la&)WVD)3$)sgJUda4h6eQfu_F;q z6w>dkLn)Z5($S8F%O>L4*ROgrJE$C`!OXu9$*YPlp{Krfe5~4XEK<51%%TU4EW{=3L=r8l-OCbpDL#&t z1N(OAiMhaG(#Rt$lh#sy2Gp3ZAcL~>Cd>cK?&g%bR1qd}>VVci+JFnXwFH_~vL_Ag z=$pHFIb`b>GMW*tI8A(sH=t{~m5y3$SQ-65i7}7$Ue_>cS3um7i;WJ$+P8fvp}w^{ zj-gF`$6#u5=U#=497{&8Zdtr2c2!2537~d{WfA+ICbu)t3{Ry>~l4Zq|+UJ4j5$A&nt_O zNrwh<$3qT%OAA;{_f`-wSF^8f<)@n_SE**h?x7Oiw1w;(0Dhbwc)4ipein3*P12{E zK1|Qm6iPnHpPw|rXj#6SgMnyhXRrG-q(u+JvQiFO8DTAEa3Iw-IMO98(^BCs7 zDb4=4_=B6QSF}vnmmwC9@vh?trbQ4T1`_G%gvLChq(g=MIdqAz2PW+Sa*|9aR}#eq zJjkRSdYARq-0pk3VBLq?Y=8oP(MnXr@ph<+DB0PH-lBEBdK!R%hjX%hociw9g~RXj zwyVm1qgN-~e(WQ??FVS_%fLb2VR1s!ykMn{JkRcD2I!WYyP{rH8 zb_#Ljvd`6S7UIsnSj*{n*c{W}M-y&pvn^iBQq;ATjcF>fk@FDnEhG{!brz@pwUNU! 
zp2;F&$o=Wu45L+9bY!(gkFA;QcC?x%n-(3+?>L+3lbB!zFu5TMwV4Hf`f0^LV}0BU z!4N@6jFroPex|X1GDke*?lxeN^Rk{ThqDuX{T2PZ(owOY2P61JIrqNi9v#mdlb^9G zl=7>hF!~!rU+Uf10&cgIgZvA%@&%{Yyq73g{o^%marpJ($Cs1peI&yR@*l~1*Q~r* z3QmUQM{+hRxT_g+y`*NTmW~#q{IknjBdcjZQ!QeyEAtAKDY`dX#RAKPNbwBQp|v;G;NW{gw-N}|y|E)7Vv)FCNRhyW$k4iVX%aF5lQdZsx z0==%D`VLF$a_9APi3PCTS>QhFj}=?h8Mz!nopOT<1O+r`oZqctnH35(UUS(!CVga> zDPpgil~Ox)TdXsa$$|Qj|3U_b%-m8lCwWWuR#T`<(s0*$y-qEOv#xmRCghd*6 zFM2!O&8#PTUKS16~u(w7W}(w)b4;7>$JT>Z3%c+W+$PD zJ)NLqVF6fNYhigdrmu*$4o>rwSjQnl&m`%NJ*&@;f20 zkjy=D&u!KWD$Hq`%y=-@Sg$;#Dhm@x1mm?*-At;hyh17pa< z88HRvv*@7TBf=_pW<)sgM;53E(d^AG5WRm2eV6-Vg? z%|8+3#%8#9qAN??TNK$>^U_hH9a@_~8Yr#xFx-fB%11ffKn;9eui$kK$om&o)gI!mwMxdUf|sO((M=rU8RGRx0N3P!Hme7 zfDF}wo9x0kEWtiwuVLfi_eR2)v`7QRbg0e#%HyvwlgVWQ)N)Qm zJ4|D|GC7&BDR1g-_V>X+Dc^Z3=DnKibjY~N4ccpkB*z=g{ySJnktzv5A`E8%F$yl~ zvOT&hVRh7gC$p^9f-I!9_mQBf3tH~yc&q=?cCVltR!U%~ng&K%Ya?X7+lw(J&&p1< zZ+~B(mf>J$H;mkOU>nXk$7OH^X(n1RC3drvLGeNcD583>VH-x+1DP<&MhgGrVB{z* z=b_%YbBBMMrtelgSz+<)FFN3XFLR7<8HFI^2V&cBC%z&kAYv#p*;Vagu9>tkz}(1B zfgYdmbU1vMv~_T8?ASNH?TCVec>#UNs(X&I%(jA@@^zp)rkFQnDuGW%^AxOR27+t0 z)z$7IX)z_UKn*sDsceoQCsk$N6&o>Bf=iVt&d9`od{`9mhZ^vp^)xso#xXA`;nUgL z`fOSY?pYBU8?IUUV_LvluhPWq<|_Zcu1yg)?R43zmQ}E1uAS;k$!Q24g>V125w|Jcx}3D|g+iiJ{9sJnI0*RW*QEepE4mXBnVEH)Ti#U9a4>QVXaRu~jB zbf2Z8Q2+G6b$W(qa^a#WQPR(B{H`SaYat&ihbN4C@Jf5YBi=U& zyd{0pj{5!Ad{mOR0RAlLEQqoM@6UX;EDWva%274y04xK%F8Uwkd&Jn zBsR~GGSA*YSn9&HT^X7S5T=KQ`#rKl{c%mQ_u|~ zAa%+?Wdl?1zg*8a%eSp_5uR9jAp%DNKYH4~L)4o9K*lC$>%LPdmyNd>`5Q-qI^h6(f?_Q-2FA; zEV23_6NVBdXhNj5BoN%6`!4`0OmOSx$e^qMr=7+@WqYX{$eXERZ^OyC-;hB(?hKEB zw#IMAek_3za|`4XG)yo(ty6S}4G&^DMKbXMOe1Fv&&7}1-`W&N#DcYfOpf~c*oi~ zSgZ7{502>YZjq7>2dtEnsA1~m?R2tOP?-0*`wv0-Uu-fpclZvXY?ptb;(8v9%?nve z3h}NVI37V3104yaL3aOWv|F7Wtu2Bmu@#ruMA=$6Gk@%OXOD)OGRlH*H>suXe&^4w zZ^CP3#KaiyyOt(lSZUBqCwf_*krDM=#+WO@C z4dv?0ggP^g*xvFQ8YRI{XSmSB@0*hX{DL-_Hw~ldB238+8B>b)8$j=VX$(bH3oa`6 z*W8sQ9#}|{uX^?Q-3#sckR0jeJ{o?C{3Hj5gRY-L>U*tVPip_DISkR*Ge=9jUUHConQ-) 
zfW!GFHxIGIuNy)E)EZ-{okTe!*ab=(UWE;%UZo5DqElC-gl|Q(TDOc|!)?!r?ye>g zw4a=f%(jl=3`sFaiYul6-^^JH2lg=9Uh|d4Vva3M+lpX8Xp@1&Rtc_!k0x?!ROU)z z4>;V1|Jf6u+c*zQ5-7Nz6>alWN)(X3c>vHLNvLOjbT=b1oC?)@-@7AvXcRWlF`DbaNNvsX}g-ZSpKoE*1ww8X|{Z-JU5<*7s`B@ zYVcY$RvZuyrRWLp}>z(OgxZTg$z4$O<=ooOeOXyrLsv2)}`PYdT=S;Soi-f<~r)jyahORJ5<6SM6UZA{j9b?88m z(vz$ik|rcjE!~H_2L%Vf0#^y_osjb(sdkZj$}3=kj;mY@tT)WoQP4P$4U^y8QJ&r@ z5T$r_!t~vg^qU}D=@`N^{!rAg1h>w@*BUZ|!)a1G6ZC7a&G`@P=fF80{Fc6H6PlGS2P2J5Tg?kAxK`-x(*QYG>0D?Yg^14FiMBRl;HR`A*>k4sp3XjMJNW({>KE z&NyYKcJX*&)h0$8d%ZyOMp{(sN{oPnKX#+Z^Dcg3gX%~9rr#_4n3@0Bk#I!aDZIz5 z?{H7khz1Cm;D0S?u;+!KF`rDQFjH#e)#OPInthe{!Satw`e04M(N4!!8F)gDx}E$M;JxN@}|L;X-O! zujMbk!}rnS1?bomE-u|clTs>;OWXg-tL@_92Y$eN37!6S-XCSU93Nt-hiC`7xx7?G z0bQH%!j*Fn-NvlDQ{(5#4cl%K74cb(7!I#QkGTQGg+>$;<{%?doEk-{UvrewUOOA2P|~w#PTQb-UFzDq|)^I%@wbTXpnoZWUEZbTo(cN_4Qv(!mgE z5OqYI2}F)RgE8CVoXjOov(gkMEvkYPrnjDyS$MZxv5h|qL0$z$M=@Y#5Ar?)pHf45 zJ-2ObLQ^V(l=l=J1L zmEqoSseZCSXUV=ACC)Aq)BpUu{H9JiS|9Eg@qKsRTFac5YF|md;cl za30e=H)Fl(Qq9Mz!@~Eaz1d=|!a>B@XlofH*b4`m06C8`p^5D+jk4Jy``?A~%OJq? 
zbp34}zjW~HM=48Szg|$V)#IW7V?_mDvH`1wtK3-;w8@Xg<*+e_oBGrDJ^sIv&)%@A z=}GS2D3cQ&a&vdZw6Yjah@4CW@caI%VM(n;=ar7Y+b<_r1;X!WN|qjiLf_s0IKEmy zCN`0WeT-t_6_rJ4G)eM@?tKWHBOTm%@#@0p%K*{54c zoY>1Dywn(TeoBML14nfJ6HGW~oY>N6$N~Q~Y&!gR1b^I#^W%RRLP|#ybXK2!cUAMc zs!j(9ZYF#rJ`nrkLo(p?eYB5$6mc+xU5UV;rb%TP^(ZE&(B{JJT3?0Y zrpY!KVsVfVmdDt0!i>aiXV1XkySzxJyGmqa% zPgbGKlkwb_P|LfL&fJ00zN0*)7E_|C^39sY-JIrP%D$@f~z#@?IJ zspA$tscH+!nr+Rk5v(=B5NWI(c2mhjmsoY)vh0$z5C8 z)wnHkUg}=Dc&dkabygH~ZY_=qUR!prcf8fDcX+P;Tzc?S?{@Z5&(7XbHT${y@~Jwu zy|beKb8B(>&7;N5CI8!Pp@VDT+RaP-Kc1s2)Mc$>jq^;`#rI72vvs*+?ew9#Y5KiK z9d@uxvye~nuHF&2l2x~evA-)RaR=?eB&5o*f1`H`irSQpm&ZJU#foJ{v83hO@%nOf z%fhYu$3CpBu8Wj-b-Zte^6fpvZ4q4I6XblA1h~dnH6fBO z=pdO5r`Yt;dT#<#o2sDS4>6-O(ib#1_ouEA&Ry^8+{J<24|}@Ke*4~e%c**E^Rw!D zeR-JQw<{*F^?UnzulOhc;oF|7A0AA@O1X-M3mYb zt5V%RfR2y-2tTU_+i95RhPNwCN*07!9+lNJh}tzXkQS$qfAZ(%Y^4tD;}R=#xE4^f z_<%q=w!s?E{ST++&`aU0nnyx&tu1bBXxh}&BIkLi3_3=mHsx^*liqQQ#MJi@z^M92 zDlB7;r+yajb@kDWDcJf?Hv%n;O~mIE+5_6K)k5w>e@+YGzbuIL;Rgi)`31d?oiBe4 zFC9IVh}Y<|KWuAfuICVZ+czy*o&u@}e~#eEhYNNicE(i3xevZzU=F9g^7veS!J#?k ze2m% z3m`y%5dC-{rA~rmZ0`VS1bBF0rv2+H{Ku!bCxk6>bhNqOw?7alh6@rRd2+odAI_8H zj}$fCAN{32k(;2(gh2i*Gj*Lpk2B_Vi2?obM7LT&dHcHmlR%yG=eL_vy_zj8Zk~XR zx(Tt>&o-y_jux+!JwFr0Zb!VXw=3vmF4W#gGCpoz24ZI&N-uQCPiBnX?zQiQxGxu) z#?DaXLO2Jq)3L+TeJO_36SYn}Dq)~oHSB7;8x73~AYew;`1EUOWm52+V58cUwt6&= zsEMEd0?oW!R6_&Vl1vkqcC4~#!O2wx7s>;7SNA{A1An9LIM9iI(b7sZC_m9h>pdsQ z$)H___?2r3k?=1HsJ-nIOX?4kH;X!DUQ?-PwWin3C4km zki2x1;g;s9R5)0aH*0;a!0{194#HtkNNHFwcI=ZBoixqgDs9s2EvTc$ba%9Rc151L z&Cdru^pVn?;gJZ92V1ismBm9!mOq{5v3ie+FI^6|&JOvAk-Utyj7BD4NA+^sREV%f zJmjM;#`k59lHd-Kry0#^r`}qs67-oIy%CVdmUGU@A%gBfO*teKHyZPNy z7rb9xk-ztZ6ae|@iEDa81o36nG8A^j*2V3=OvA;47cV)v_tl_0oxSg{XjvL;L;s^h z_Hn~k2o-Yd=nIFUJ~xdTH_h|J-)b(0(-UO3q~c+i31PR>j$~2DBS0Jl!3fr1X^9ue zWQF*ckaE8$%z#bOOOgI(GX^}j4%+q3VI>U--DMRf?DgOlYcfo!{gV}A zCJ{7ujIR2$6`JY(r8>PNpsQtZ<{qghAi6Tu8&{op_GWFoyz+Up`I*sYEKB@p&&uM& z`&11MnV6Cx{je2a0%-|YZ8-4sOc8i4$ zxa-g^Jn%6<)|>*byxAF0^hq1D3m28s7A%u 
zibxU=9Px*w1=WY`v!&S3(^oV!x(u9SA}nT*+WBBhlbKZNuI)RNTs!^5$Zoz2mKg*$ zhKNee)s^lP9wIovglpb8EhRpDXHTwi)1K<|Pl!)PocWt269h)5jskQezn87%Ea@~s z{9U|MJZ4W_5UQW#lBTt=ipb zCh*PWpdZH<$C2Ej1d+DxOL2H0t64ISS)FFS%jj z@d+=D&s;%hFvz!0|G|VOUK;g1x;5*!hYna8G{S!KZq^Ag$|}xM|m646{5W z(Qj6o7Z57EgjQcfYMs5_op=hdIM4B<(SCkm?*|zl20)9vS4m;L5T_%{<1kLp4v3rv z0^mPl9w8zb>CHh_%-wJ|4{WD@Cya`#GWFM3{2_s(INsi6Qx+!9Ob`kJYu~v^KpRp`4DhHy`9;)*)_q$W6J^%4m$=rW%VGaK$bSY#%F!Yc<6Y9Wv(BsAD zdQceS?d_Anr1sa-4)Ns+hgtzYwDx$Rwg%$aL<>hvDkKK--ru_bXt#C>RA;6XDncAm zERf1n%=!m+jc9`gQsnO8X=rUyZ4rdp(X0EJ7gG7u%>6$h#-3OkPL|356*!h8mX=;& zx}ZT&qk_)FfZ>L4!?glh**PmC3*a^r$PR`^_w-p)n+GeL8eCFKHabb9g=y?=<4Kat z$Lv_1rjcr&4eWx8Yy^j~k=Cb#c7n6K^L#pbTtC|OPM3y$xvFsXvDx-auYu`^dcT4o zInTE9Itq#;T>R=nL$vre^3&xcgzG;o*$D??VZ6C~-QtzmVsaZNr7rB%7aN~AA8TRo zePN;ACBm6S%Q|jZhS#}K95l)Qm;%+6k;>?rGl)jmXXI$X45_h%mzsWJxR`agOKH*9 zIi^!t1hI-Ra%0{>NQFErw%MW=gfoyhuw%Fy&Vc{fZ6RpK>h2Wl|&ct+rv?|Gv7 zW7T^gh{vf7+2s#|K^$Zf)V;Se$sU5v{=X$xkzj~*dSIjGjZQ06#-yEhRx zujst_VUv5F#;L(xQ|j+H=O+#DiKnRUVWI29xYDG&d{+}Zfa8wg%sR~yNt7-H+vk+p zA2&LK5ia!hGKCT{L=;I3B~sTlgsN4N>^9K=6Q(4cgqdS14vljcDHdV>A%}4Fcadr7 zcd-gJD`@H+iPu3c)h%e27HUQv8&QuF=P8XF0=m)~Qm*2o$yxEFYuESwrN}rl{u05i zemchnZho}2?FyJD5RoXQqz`4CmXLZHcTW!D4;3--#BeC!&Mn6j`9BW=x zl0Cf?YbKlT5K{`QH89ojh;(5ZZ;#SV&CJ#xy>Py%n2h~1Sj~^Af25L3Ip6VCC}KgZ z-wDZdBO*!>*Iu(-dSqg$_miR@M)ghPM9EEMyi5)M9V{(K`7Py!FCsL0lfWIgd zKsR|9uOLW#vsc~-UHzL)K(t2m{}ZWeJ?m{RN~M~WJx;9NcI+Zl0BU?w9j)XE2&9*qNnJfW_$Pd>oal@M^{ zvnNMDnEo%8fY&`SCP`U*N=y^{^Cs*yw*8b&0L1LwHn>A?Wxu>UT)V)X;0;BUyK{>w zm*{Irt)@sEf~8EddRolX7qlyil4I-pwH z69esZvLeM?iNXmKU(jL)SIC!Z`VV5Mh&bf|`H?ceOv(FMn61SCZ>HlAFRuH3qiEc@ zH$>c*3DJmr=02H+?cuF|sSSNL+B9*+!Q z+ZDc)rR}xTrP^^SvL$ky zi8C-?q4Y@*aXNiUh|FX6NgO(-e8oh{(Zw#sGUOLRiACj}z zultQ}N)ioA{KX1-RgCpKm{p8*24)pwJqPAJkpv%Jn3CRo*A;QBVLkAGG{Q`I+Nz3UhJ zGN5ooKbultS>jx;(pR1~RgEu;rMq@`Z z-)+XQai?~|1`WAr}80Uc1{BcF$uGQ_l! 
zsyONs6I46k!bC_=CKV2XY!oQ=eV{SKQn&_+BSEk?a&Z;&FLT!ZBFI3a^L5iF1Il2E zWK)l%?l#_XW2Zjfu1u7biLwA@WunZ$tW1=1U{=2U6~#~3e%ECj1z?q3be3Jzkmrju ziNesYuaE0xqMWwn{{ zK1}j0)q=QBbxr`En<Tog_?wvW2Q$}hgImj-yN&DtO}-odO)$Z1a(n@{_@PHm{8iGC{&O zl$xddPE!NDllw2_#y7-@T;g%!igVsKDdUhx`;yyZsdSz?;sd9RAOWdmVcqNk(?EA} zJEUPaBr?J!Z0bcfxRcgyloA>L1>~kN*ORl?{Nb&-97{#QTd)qlZO*q3U*r7H8{Sfv z-48N*8`?iXo*XI-#0c>T97FFin=fP@G~a_Uob18H zJg%DI=%vweZeAElebIWmm)lpNEk8FNl%dRhO04cvy+r!){1OS1a*W=Fvn?f(aTIZ( znGy@qc3zw-9ua19W34lHQ~~(1!c4|q`Nf75+<5||$`^b8GVNp*#(mnLq({RqcA-|W zKl5N#u|FA@RqW3knALf6|IVB4&i>(TM!M*OWL;5A8rB03V!A(pKR8yS>&I+>YgNz7 zXA`So>2kdwjXYT%W^l%BhyNrrt3rS#8<(ckm%wSeHc;h;IPR@);eU>-m!aJauwb5a zpDiyMLadYh%;V37;SvI^i^nqbd6-;v13JRz5$LF=cTJ&ipxI2`Nd-IBT}Hua1a2Xa zQ+IQZ;yBY$Uo#BIsH+bs@-H3vdINyw65<}lf@wOeW9}c!q~E}F-}yYRdTd?C@n8bA zb^<)l8$C&_Od}+T2l@C1T%hBKu-#vby=%e=@5Mq8rh>7#WZfTwi7DgS%(+?{=s!G0 zAs*X0ZewJ;7AV33heQz}5ti1oztHEp9={0=0)AG-&1&v=$< zm2-S;OSAHiF9fm@^*&pUT$hVHN5;xaj+P+N!{n_SkcK}GN4XX%*5pA3p>@(x4%U*p zbQy!xbUlY54D3NT3^k_fbr^nDK0qAK-VZCwT{*NW%iT@mQd#aS%rDe(_nBTk(!1~4 zZtUPNsH}&xtcO6Is;Ka?A)`19)>Txv+c`YQio)mK-G)u#Ft~2eoF37G3Yf%Uu;$n~ zO@c2mcFtqn_rVF4@{$Yx1)U>27NxrhxCb=RdpG3H(yJX)CQ)QTLP#B4BK_?E#gd5W zgj|5aZvRXYVR8upqzJ1K3S+7CS~EGNQgS);QC5>;ga9_XfH@+#zPqI<`Ekn`; zS#hS0JV*yLGv~|%;`8^%iT$t`y?NkdGCHJXVw`iUYSoc#Ya>j zCb`*sK6!l2{d!87PH2Y%NzF@U}L;GFw4r zvbsbmEj8(Bdhy%t5t2&8o{9zW6WbDDKw$GbC>l`T2}po^5_0kZhfzQp!yt|uT+E0) zehAAl7QwC0SY|dJ{qNQ5*YfeBM*nj%&Bs6d{`&Q0{mtJVy?))We?I=( z>(`AR9<^V;_W$cNL=_z$(A!V9Qc-WHo+Th3~`q?H#fV|vdu z@;H-l+9?r}#dbQh&{ntjjWt;F@-o1r1z<#qFLsui_fqpzvm%dQxS8bMq#+)XMMix= zqJVmMR#k<}d&WE~XV27|`PZvT^Xn+Wr9JS|6|iGrd^SJN@O753bT8!=S$23yo0S&L z(%uYI&bp7Ruzu>;VI{06Q)EcQnz6zk?jcqtuyN<)>`c*s{t0HS6CymqlwNiB2hory zLA@nOH?guT3`7TL{QIM7lmT-MZ!e1)-< z^+%y~oO25{^H_>Kc2PdgDNBov@4J)=ruGDA$tHdR5q6Q3jd5`u_h!R2=w6EvrU$>; zh!glLaYsqkUoxfz%^&ZzW;lU=A6J9VWXW6DXg-O2CQ)P{Ey47qL%H+X-mb0juoJ{m z5%Gcwng8;Ns?pC}sw1MVjyNM%i{iRV(8-8c>!6cyy{xb~Tx$qMBwi|w$Ib3ZQ5*zI 
zFkjMcg1Gy7Tqp&mS77Ki=mu#7@TOQ`~j2jO(~RYq~@0qYU>jZl$gh^AH!@{i5J~SaSE=dqD!JiLOLUHVWRU6@>=g zZ^u`PaOL~D=f1C!Q&qXY(ibcDSLOb?E37K_SLOaH1?oN;{44iY$xr3}s@z{wuUGD` z%KcT;qH=$s%Kc@aR_?DwEi3m|A*9OvweVB9zm^16S>r4B*YsPJ`zvi&xxXs+*Yu}y zf6aD(6(+NID88^9_LXDo!8pds&)ZU*QCUMvekyBdWeuHry|RW@*3hCBl{FMq)=&er zvW6~ddC#q(=VUAo=%D0YF}c;nYJ`jc2kBg$0H?o56wm=dl%WxiMH#<(Wg%VssVt;R z0;>!*m4$Trt;#~0Hmoe9m4$Tr^MEX*b7GU%9#QRNin3DG%-7!Bid{FCO88#ea5bit zz4m_FYZuN@b%P;&vAV%f-C(#Ytg0If)eVMHpzfoWqVn05{8T=>%4awAdgZgLe0D`G zDxV#ye0BzE<+EGV@}B$bsv8WIe{N+AleU$A&VBCQU2vc1cORSum47a6So!BF|J?NF z0r}_F;<;Gp>6$KgdB6Q#3BHxr>z;eP%FWaR^?j8-3@b0$beqacRuZeqOLiSZD=%5) zC7Z;l@{*POR9>>mOE&d-(!mS>{t&v*vVLS+mNvtgKm;HEVIp%9>ROsj_A*{8ZMgC4p7Sb!E+(eyg%(r41`< zR%Oka{@gojR!PT zVBe>DSHwYwF`ERqY>2Jit43wt9dRxCl{HKRb1p@=&m8k^is1@NEhWhT?vvnp(c7H_ z7zzLyQX{O;B@F`9CkXpK@e%d}mlEM1K$b!Dp+gz8l!!7os0LhwSm|TyV>kw2ZS=Yp zj&T&du6?>Mfv?33wI&kc6y#dy=nvf_dcsT`R0z4P}s6oqTP)cV6VBmbWL3N zhzCApL-cd6chW^W9i;ght_GZw@k(;*Z86Hq+C93ahL2WTNx9~$5-SH}HNxdUtaG(x zKjpR7q{RyAwYl4{v`UwQacw0Z6{%k3^{(t^IjY?|%fKCLfDsXrN=2AQ9)|vxLAcWX z?zi?=cB*bJ`S{HDZa-9|x`tTtQ(Z%>t|3mnUIlJdfm=l_s=zHY#ido?Ru#Ba*z(>7 zZdEZ)t73K?43oB1%#-`veF(;VqThW8z^G!L(uP&cQx)?x{i!UQdCR8sX!tNpni|u} zmU+KznG5Hry1r-Ltdd_&wW*R{mc*(`et8{4tK^qe^2r~XD@;af)>tvu-UZ+JZ@4eTlN*7SM&hC>f|30~X9-<}xKGE+!*zqgZS=z92omH;0 z>Ce4$ojtsC0n(%4O=Jt`?(82{$pRMqdOHr)bFVJF5%J@Ih=<`=&0<_RSns!kwe(z7 zw=Nd8sqEj2+f?@NMSWHF@5=sN+@i97qssnmpjP(pMJ?~S{hKmH#6?MIVT!`GvDVf^ z%ot@ub6z@04n3j_g_OmL$j6mge7Z$t7B6gAnZ+x!c>YtF#TU1&%;M?i?ibwsqTqd4 zayMtdniG(IW64Fz3RW{;dvkMU+YR&Yr?0BdgZd1EIBqHuMgdktHs6j&5D_68Dhk%t zN2}FpJ%9QX{@ZG`Cja}S^|bZX*3-W~efp&JRu9&Qq2S5<@e_wt=Gk7LMFi;w&hC-%sf@|*S(g;R^GBrT8|C06plC=qFrr%{)Y}Vg7*2~PP zUL+SpNXnU>PncKBB<3wh?OQyz@Ir0oNV0@Bf4{UHT|r17_6Vx|t%hoEYpbs!&t7(e z3pij|32|KzeL(og=ofMZ_Rz9nnxwt_#p7Yf*^ygXJWn{r%=*7k{XI* zG~>c;cx)#D#l;R-!@Gb-Bh&6G;n^%sx`zuM#37OG4TS12jcxStWA3d_M#eGF+E(&O zVVn0eeI-B-dCXJ^$f17k1gjCeFn@emvb~@|ie21a6~Yzj>#b^nGw%9)sy;XS0r~HA zud{o&*9iTa>0_?^_oVfF`}wm8`ETpl_R~uKyN%D+NOQo(#{c=hgVz1$m7A&+nZm 
zTB?Ke{gQobZ2T0&G3t08krK|}eV;Hz)fgQ@{`ZhDwXyNdH$U@`M0iNr-+Y7q>2SEb zyliMfG`JZ4Yh&Z;UauqbANL154>|6~ z=nDN)5gh(^0vTN)bOqqM#?rsTeX_BULB!{toWSJN*b_AVa$_SEP21?*zrMfNYHV*c zTJ_dDjpb?LszV9NiG;9mRnL5`a{tkPZD`~W_Cw0*F-2Eqo{)PUt5IDNaX|#SLR&L_ zs-Kf_UDy=PNkyU)$Ex19nPuZr*$0B$zPy~(B#8xsL$kY0cGct&vI2n zCV$K%nVtMe;xL$c=Fu?oOi!pem-T%8O7uka#*qeP!w%rD#JrbG+w^?ZbJMwzn>r(= zp)2(6};1Lh_aNLdb@OLU{VWHkx><E&`x}df zirY%o#D=qp)qh8q-I?=lB96~26oe&hk>-O03}BFf}lPj z%qWD$)Ffht`eeXu1{%VY7)P8k)j)OBRAJOKpc-Oi50=i9R@tAJx@|;X^!7BMr^3dVP zYh(h{a`Tcq`gDio;@M_(VUNwJVHl_0vHC5X)uRoY3G85W`S~}T!fH|gjfit98$&LW=f9* z2SlFLTuUUODe}^`4RpknW*BfTQHd}LafFVJdkC977bkV@;z%k%aELl5`^Xs(&J+89 z-cfz-$)?AdMl_QukR3yKC5{ zbA^@JH%8C}7F2IrTWxfq_3o|WUMyB~dzpjzf?l#(!qnNB@&;yOl#0;EY7({?2#0#> z(S2)4S%HVvcc@s;8WFOn@8!E)*kQzd(^JkeR9PObZF%?uGbss+1lOd5ugwgR6XU~H zdE*25Ks-1a64KV9u^Msqq_$aW;wWlb9i*8#{2I}?_U6-!Gx*8$8LS`Oge7AA$ZKh# zNPxJWS>oB`f%|OE={)P@+cHZWcVaa{`X8|eLK13(E&0_9(+EMtenbQsV_)vD zKAXiXA`#f|--YwJhX&%WJhz&{%99W=Pa?U}-jIlIqaQw8{#7~lsd4N}Gd+Pt#Y2}8 zu>mlfb0L?k0&=goUKQQdkG^ zYWzrkQA`r_8BN*T?70;q>x=Q@EvNtS{CZWiHTLuU!ba=$^VL)IRQ!HbRIca;tO2)* zU$6??2EAI#QMUDR)k9q7^;))2H*KEE9xFHLa zZnLm-%8fzJ{RWF?ZXe39>|Vo3seJaFM$$NwO4|!FUE(>PN@nAP-eN%%R>5*)H9~84 zwY>b)2B$nc0{G)3B)$rnGcE8~kfaeM&sh{Mkia*DBQhS#$#^#&-~U|LG;Y66jZ ziCj1$wEJQ?Bllp!#4k1$TvKn>8ut52Pu5b}Dm_~-s~lU6LArcOFYEkV%OO|$yIVouz{g0LONZ7qmR7!9=t=#S{0ZhM+;X~D&# z;3{T4$zFlu6*!fY9(^YMToAPZ=!Q0(UV08Vp<+58c|M!%{Gf)%xgH(?^KVGfm7}C< z(Y!MX*=T2mxgbde5hXS^A39(mtBoFb#501{p#<(B^q?KLO0+_*dBcE(^&E*bF!P$k zEWBQB+BFPYcwJ%6!68IyrGw=x81ixG&qHbYYhXAGnXjB7a!~w$Z?T6C=1D>#5iX== z1?~Vok7Jeyj;>GWb()JdA>#zo2#pgqLvt=^Vq!`XG>;^`H5}DMPrPnoMm7$hD2b;M z;(tmEg~jrN8^{l46F-<4{K%H?=8au_Q|8f+BmX^PDWr5)38Ik8!*@Em5Q}N2*8zB4 z2~TghUD$CYbr60CP2hcJ4WS74jicBI{Vn1^nuk&pHGvwfq2kkr3Zu{}8aj|O_IXGC z(|Mux98SV<*Q{xGWQ3$laR^&JiGuE&%e6%?q+Cj{!jMQ%tr^Hg9_L~#;)IMzLL#Ym zX=Rco2>ZUIPi|;9B?p}KDkj5ASClWsZ&sl7(Hv$#$D?`5EbLFjMFteD<{L9jS8$3! 
z(=W>#W=L-B21^^R-TwuUH|O{&fN$yXvRbcnSS}acMm{bJ(fyrU0Ibfd^|<;%3&$3y zn+0!HnLAJO<4I=nva8}t(jZ%9sAG^5i2_)9GE5uyBmtIM7t-UZM{T`Gm3@}y@jjiF z5m41@E4Yz#yJr5QHRyp=zN0)Hl}@87pOL${%Nz34eMJRMs+~mDKB6iRjl@xg^dI6B z0$v}+8)T!}j2kG2VI%$@!0-r;9}Dj$Jw6Vdy1mZ_F8!Qi&hJ?^2K!K&|;5>D}Zi3Ck}}@r;}&WK2Ih!E&v?E26Yo??(qxw3m>{ zxO3XS9K1jJcz$#-91JgyP7jU%gzB&?iH`dFL`tFKgIJ>P7@LGdAG&}jCh(-ImCmkU zU5;-_*JPoIg033PyepUmLeZ+S4<&j}>?>=%)9VaByc3tRZ+8Fj{xtNX|Be5#|NiYi z_D^qv53hHB+MiBGvmm_u@P2o+`_24+e`4R30J~*mf1y+V01uGgRlp}d5Fr*9YT5ms z;D97U`YY-5-t2v|FW;Zw&lh;6ZHZ2=^Yv?Q7aE=r&hf-Z_;4`nzdb%WgjZ)VRvjsq z%ihioi?JvF$8UYlSEX~(f8~Z2_TKEh+1t5Qqv$-#sq_6}l+fS=$1#m2onGg+Kj4cC z5>P%Qk)RO?zf0IWHiJgJ;o)U6=Yk8CklY(h?C`RGde}ccJ3Y!?DS{LEtEc{JQ>&=_ z>gCtpSS>gi^03nza< zibLYdr?UnB6lO2JXIwq)>O7)d_`owI2usvvO;t(6Y*fI*b5L4ezTEvPeWX$(8iB#1 zOFARJvPd?+x;)69UvZKYKnC!zYQ2fxODg+8kYvLG$ec1RdT;i3cdf7D_=1JxT~_33UG7IVV>U^;tl^m3G|!@uxV!z97j_ zY;sI)iJahr z(|2c`?M^t-L$R~n`83DL&75B*IN}(l?h#m<7sO|`MA{FM*gxbZIgdoLI8YP&YS>xN zxeA$KDoM*_hbvzHTJdnhO7hv@kYh$CD%(cxWI>P1^rajw@4#IucangPJN8Q|rMlyj zZU*d+?G8&OdKLOkEg7)HTEq4Hf8_7GNzi$Si(wpxLJ6M>EF@W%KX=x33XsdDiejAL z84*%}lqMS|VjioDi^@Y#%&@C8Vflg90z|1FqQFI z4+~SMJMw?Gd)oQ3BO#=or8m1@zj^{Uuggr-^B^HC8Zohv8`yirlqY-p)k{U?#}9RM zsE<+lF-<*d9Qim(lfes?t`wx0CvF?vO{qTxM@EELOroy#aaCO0M$gaAU%(<$b$J^- z?+;%TmzOW*%+N*g|8NNc>B}EeDn36 zF=p^Lc+%)X()PTu2xFyF$4otFcJ^3Ax`q?T4CG4ZkPoMdtS`#Gif41sRp5P9hMS#S zX0&Yn{4&GkKH+mS-dbO4c=~5k)BX(5Zr$u8a80URSqVVbNb zd^YG}sQQF(uQ~}|J)~yBsRH<)a$cBm{6MFMC4?I~J1pbb%n4$K=P}L^i`X}Qn)qee zZcoQ<^K!?i`Bf?Nv0taT-DC5mU?^l0z^3}+YG5x`o=-(#k<+KK(D_s>Jai@3dWgv) ziJ)T&b?W?ts9W|qVCMYRvkpEB`8~>Kpnyq!jl?1*9=a}nbG?nOFOCie!)p(*1YHkK zKb{<&oL&6m+A}pOV8XeYqG}SW4qo#l`$`y>g(8DiLB6bE*7s8u24>D#o>lOpRuNP< z<}E1xZBBe8!5R*tfgxGJM;e4)o?yk&Qv;1i$fAjqrS5mwts(D=so4ei`T>pwNls01 zx!g;A&aOT|kONQ1-ccM>cE{2a>byK!A6DBcpovhwqhg8@780)hyQAb`RtlA3d4xIn z>J=i9&*WrQG-!>;=t68PNQ7v_jWfhJ$H7BEus^LD438`5?8Lq>+QRuT4rIBYj=anvzC$8{!bIBbDCw651!AfWQTOMcdlE+f z#Bu;t;mYDf@|e<)5vA3`SFjPG=PZK7{`_os`Q63Qa2vrEv@Lfa)9OVPJ{5eDN7XtG 
zMUr%NaV&{AJMV)kUxBVFS|v}wZ-1y!921|87bw62tFfjBlrJJ;BCS}4+D zQ1;<9vc~lF6j;9Y&~H$P9#D09sPi}eDg1k98==k|B1P;clIr{uU?=|wm@2eW+}RKR zsOpt+gpk823?Cu$6@t$^bO!s0WKapB3c3=8C5z$F>E+<`==j=02iCz2KyiXe6}21~ zqixl4W=A+xb2dCiBK^!mXR%V3H&0)AvRffn8G&hvU!{F!-&}*Pd2oC+yga&i0C|=c zj0SOF85?q;klR4a5}{pN=x_5R{Cn?j^3mTPfPM%?L%*XDWAdMCh}n=7zGW;VI5K`? zIV5PL=-wz<X4Wp_earzbXNd zldT?z3W9SinEC~b2@`3PgZ?Ck--wR2!}Me^{OMSwMCTSbqi83Dv+!1x zb%$|b^S&(yT0)c;@tkonNr=SX1lV;ao{vK6cdlR5b8mt<^ZZ|39+dk-=uhhbUU8`M zu(WsQI#{m`T0VTV&d(x2r(PCBBWY2Sz_O`%wc{a;LUrngg@9C8KPCNI6MSDgkBgzJ zc?>3s6%0H1Rxkw*=_d7XRm^K1r1t8TA^!M26$FVUw5AvHVY7~Tp#Vnd7v}T%fn z9xcOeB8Zo=qCad1t^qq)Y;seE^j5lz1{LA#Qcv_7U&SYB%f4=&6{4f-)`=f=Trkr0 zx~>M;HF^bX$v>lEHJx{-t?O>OEM(sBC01tB?{NxmWD>>=uSb} zJInJ(nTJ@|`_Bw7l!hoFntevMtJ-Y}QRS^Ds@Wy1cyx!F1NlAlBM`SlQdy9Ep0V}B%e%?8W?Y=22Zy2R>sXBe{wY)%jXHnU0f}1U1wANr z%2speoKH&z!tyDl;{2;L<}$=v^}QPGR)2xoru}6vJanlHC2J0t7)yVOqY1I30iCVH zRLQ=%dQgaYI(>JRCo^P|iF_NXk6pmjodw6XaLjOkMmWTgPZETK04kNs(bxYlgvhNa zLGOM#JT);|37JqiOY&hf7OG`eBCMrc4opeJPpSzLSsRq-&pq@(no&hHIg!Iqd%xgV zP!fg{Fvx!Hf4n$4ID3C|@v(n+GC2Kj1o>{H%+u=l^2Nu`xU0$Qs&!n2R0&MOVsECmJ_?HSP#vJD_ef6D zR!4S^RjMS1|4GGx-YW+5Uh$tET*ApW%-_e6P>$duGr>%~ZaI1=R7hY6n)5jh!&Yav z_l#V;chsW39@HXkam_J{UV2riDr)ZjSCC+)9!XLTPSHt*SXckq2f<{ ziZVtZkm}&b4cNg);owWM1mU+SK)H`~b<9FQViLhJ$@0eqBkbQ0InReG%8LZ*s6n;k z2qy$d*xT0r{$Iav7HxwA6IN6B+uc2$E#rbQkrTHh{g5Wahw*5fY&Z;U3DGbYitOn- zVtKgV8Hd7IGQp9#qoCBp=2I+p+boYDyLgs4ba6hCgO2a#7kvUXP>Phau6R-fplyAV z5}Z}4nN$O5U%N!Z;y4s8zaW;DXgbh{*1LBCqJBY~M4SqGtNeMeJF^)Ta^|Vqenmyu zR;P_O50V4wqH%is22 zSeH$U$!fX4QGk;`tsko2Ie0b_Jke!;XHumlX`G$~0sJZ~3Tb48^3e#5n3$p&8_`e& zT?K^S2o~GHELzzCA$=+F&P8G$E!EGr$zWJ{Wo^=RopjfGic_ ztgMo_wh~7B%(V)X@e7m>Kds5&y5OY7D;y->Q86_d96U{(4O%)kgv3&SnCBx6^CZN% z(`;!sK*WK3n#0)+`hUn>TgB|dT(iyL+RP2xJc^B6u2m==!Q*8k-k`%v1q7EoUNahX z=Tt7}@cR|j+sLVvsZoAlJX?9sSVw7DGsv?F&Mm?Pjo|&o+&ForZY5m3j9HNWQrzH+ zW7PIB{IT7+rHPp1aF{(S+ZZ&OB!qK|!G4{W5571moZ;!mndeX9!6CSaQuy$#d~Ve( zl}O|Gm`x@mQ6$U*Dux0JUe52Bdv^&&L#NkyH#k1(D5$O`@HG8+czJksb=fgO7>a<+ 
z#W9%jNB?Mfm%U#vj;e&Rlp-B<%uS=o)O7vxPhcMH3Hdy7fJYWH-ft-C*0GqwA zVUB4+Mwk`f7;>r49^7L$kuHAvM5 z&YrSg*)Zq(;~IeT{jn2T`aB0}hWG1W&G5b(So*?-c1K15!{oFkd7O3T-Gw=)ACNK zpSD&O1f7wj49+|*?Yk0Ben-{yD*t^qLCIjv_?54V%L(*GPNDQeHkSl<1mWTcPKXru zW(-692sJnDRPAY4+z!6uAC*7+dOL0?_@sQpME6J4XiK%3%(1P2KTNF*o@ z>mb3WAN};(jI0AIj4zjb+6^st*U|fhv#1P3AH%4W@xST5)gutbW$yFC`7CaNi_Jxb z?~wU(*(Y*3rd1@~T4gKxG004|v?Nr0W|HJy{BU=} z4-!%J$|_jmcy*3BKc6NleZKRftAu8+q)kG7{q{$)_>l(LONh6QSt1Igrq6R!rcZMO z+D~1yrSIVa`Oq$rQMl>f>2*v6igP)A#FWgr%JH98h%hmA?%wC0!jC43E-f-sy-TR8 z8y74jZz+T~>KPBspel>}Gu=qwK3)1-u1V!u#0!O2%4<=I5R!RXmTunm)DNYZ=`bbp zZ%g*4Hi4_!IhxdND{^DZ?^#NRiybKJSFLxiFV%Xj-YktYT(+w<3?6k`y~kE+*sI%5 z%{K*oFdHbgJ{X7d2?gmHXVx~j+_t$-XWMg5lJ0CGIvLz7Q%~pv2i=PCP zi-eBmO1Vt)i%26UVEbiVZOQP3R^@SH9+#)Xzu$QOB9%kvp#0o4aZuJ^hex%BbHMhO zTDR6$MJ>~Ml{el4w(tD5^wkG4lD1QwPa^l76RLTcS9r&t0yRZujC{tkI3%7`N@n7d z^B`|I#X;A^X-PTqcb|gjBE1)uqNH3g#~qgB|53CPj-i91Y@5ud~1Jng8!>cS0K7 zv|dAGBS$$Q_4Lmb*5+IpXEAEKFD_*2u{B7>8$kv z@Kk0row?>SJS{In{~im#di+aLNOfb%r?aJ6LiSN<_@!^`y-+@NeVHGqKAjZ?svMvt zt5v_uv|+9`_Ja`XW27)-ckkgy`{;9wBb7BzpKGY=LYFG$ff5rRDgmec{LfB6M)OJM zU)!Cme3|Z^gxyjJ5VZ9f^%HjU1_CXnj0=be+wLU94>6skHz6*Fz)+)5owI9GT^Gpw zfT?)Ll6N%W;($ebJ|jt|QP}z)Dr-hsUk$>K)X{vnFrm;m46`uuDG6tAfy%@U>C9fn znDNTz_Kqwd-MNbVIkiG|%!|emG)2ti%ckaLz5A}|PCz-_In7}Q-XP9I-C>lER8TUG zDN@#(8^4|*UfsdIGfG6~K+)}yiJ!8=E3CNsM#zt?vUnKw)rSG8|vOqYFAs-yRAqDw|BZJDtZr>O577M~r z|M+c+!fs!27IV+>l!uB8RHRRG)Hw4R5n>l|Q_O6{f+qp&f8jNUXdNfzxCx&h^Jh!-Zpw|0bh57ElVyr}`Gro&9ew-lw|__byZigyz5VX~F53IL_v)M8 z>(|>~zj}qFG#fBxPxOlJke__iLBk&t!ebV3(yD86>qf<>s>af|lWNwXr4z<#`!O)5 zfNglJTi=#Wq)P0o@V*MqtFpQhi|sheuj@;hveu-g{1kSGH7 z6KTiD9R-xJaKaKQrZbb%Az7%j_I6sZ>jJdv7j^WM&W{RagB1o@vK+E^t&N8w6)Lu} zD3w*hESt%Wt8?t4;8s9bEnbHw!f~52#vE>jn4DQzv4Zq|u>olA7cAHu1q?0>nvib^ zMd}tfTBI6`fuhp(E+FX!jYPtNxlaP9+j0kOvZ0R-&)~kod4D)WKlI=CKc1am4$e-8 zV5CI1ys{Tp*4ph+q?Pl3uz6bRf~e6Y)TIi+5Lg(MWMmdeUW@)SJoV4;)IY;h{|rxk z8sVvyS+I6DPXO*SG{{m&ZfIqR7d%#q~}?xVYWhF-cJEi>Oi;xMRtU933=5137|P^hmSqX^9wP 
z10+q;x`DA%u_ZPp4a)Ouw8vq?T;APHdm9MeL|0eq0{0c>`a0QCJ|44&tJEC_P5N_l zc(G2|6jiF~^)nkz-W>_U?oGt*q8$yRn=cvD261IiEaQ4r;V)4N9h9gRU7rPHZNe{U zolPWf6Ve!drGRVMT2;Eu)ME!V?{q_ywp^R6tJLr&A~$WjGt;=s@4R0sPhBc;R(3-Z z##il)N*lsK$1(G7)+X{L)=3rmHLq|b^QUGDb+2y{f^mtrTH}iLRa=hl)8lQJ1>Hb4 zY67^Pm9_CuV_`aQtFH^av#t^3uw~nBkxu$rpsf^oGsai#gesHVLCAc6yzZG>H2K>K zeM|$^PUHn=LQ6JRmU5N1!i9f^_t!4xqC2Fmpe2Bof-X2(+H$(8sF%8O9E8|y)+Td@ zv#71qIi1BJ>E4l1H>0lw+DggSGkg!x*Z8{JWT*z~6nf5;)>h&fMNJXa$+(KSwgPUp z+h=<`&dSUt^C(ifCe(_zk4$W2xjW|hqbAB!mP8d?iFDwlDq5Y^f$V=6nuJ36K62ku zF9cQC7uJ`fk|0q)`As#dA8Ax5d0?)*gYgd#4D=iMtqZyh+{YYOhgv=6efcLCd{hvY zXN#xe)E$~QPueShEeXy^;gyfoivS-#AV*TvE(E8@LvF~_h!|>|Ca961^W&`|l%W8$ zLfVCl4uxXHnB!7_0Kjb-8K6+Dk_2YF|FcORqj@hoewyZT^mHt6po~GSMYIVU?}MZ>9SvjQT?64~giC z6SG)2amf+=Sq^3>kE2WXo-#qUb2XZ$m}_zc*6BQD$CbI0Q$nsTBg_e8NtG&HOnf?~ zB#_va2(wP`7UN#Vs$-Qbrf4->%uU@KsX|%Hs7o?6gqRE}Ejm6;reb$~FrURFXgUT; zDOmF858tXnUivFwQEQ-9Zg4)OqY(>jNY#Bz#Bpo2k#BF3D(S6q(tOJtndl>|rJmEmV7wOPO=eEoYl? z45YJ|L}-K~ICvzV1xe&8YXa%|Lj(hMXIOx0$yG@m_c8C}ABtri@$erV5#B<+Xy zCnfgnJXFizOV&~pej@HQ6{_fHFiUfEfJiq(NAtN=q{uy=%5>j@zAV>QE8>J~rgnYk zL9-{R`?%o(r8Ntcx+}-c*;}aPEMXn=x8F%{mlN4m|iQ~JayBu_w0@#57}Us<55f4*8OpE?REk8%8J zl#R}EGMqXutvgwhGexapc{an=1!pjrIOrC7*crIbb!j^5k(_;YNhgz%6q0srcTz;# z9Tkj1qnnOORf%U|=S7*3b&Pf6^4G&1OyksA&s_!{5p@T+Oox@TH!n{sH?KJo(GhFL zLdL48Rhf9o!a!Nfc><+&mUsx?@!yq~|Mv`fnWS8n;B^wEE1PL*Zskh!`%;?hw8VL0 zOingQ3Bb2M-V(bg16kJ1N-*1-3;?2qwa^e{t?Ic1XFERI^4FfN*6cLpqLC?} zpx0Re)o>e-U90=+qV(%f`xU6CrtvGP?xlFBrKPN2E6~NP7S|7qa!DAuUf_q#a|cXUct_AAZ>T)P7l}B@03(huZU85JB(0Rp3lF%C~`1`&y(VE$DsxR>ipiogipU zDMmUmrnHTGL2pU8KwO$x+HIl!nc>(ANBtm3z=E2`0TxO@m@+Q7GDxiW65tBY1)E6@ za2PJUyl4ewp0ntPyH>elLRuF82qvvGyj50kNr5g%Vrt2cSu(>=4*xfwB%*6#1S#90 zoX<(pL!FQauJZ+U64U*LCBSNI_Jn{NZnVfWJQH#!?zBIa>w#2YjaknEziCiiwT=@<-V{W41y=TK2TPp#xdEpM`eqX13e ztW3{8+3Xh6P$F@VnwH2Z+)1;m<=COh>RU|!=yV}lKnRVBje@S5F7KDS zyVp9`Ebr~?WKJ_VcLL@^2#HT(!FTRhawAtMcq9@Qh9u!TLWEd?9&6A$HU)NZpXP(v zX{y+uYEqfQVw{t)T{y^y_?Y3qthH!xZjWB2OtVzIu3fta=iH90QU)P`-RIic4Im6s 
z{T(h~vkq@d10|%<&B_kL|A^8?PtaXh=(H!`EtC{>S3b-y@?(#y%KLb}l=V0vydph$ z1<<8e9}95HE}kOb6@m^dBrP0?%@8lSao7ZNE1p;6wKa>YveuBJW1GA=_%BZ)4I74u5C(4_0BpC%6+pzxP6F>l9@)9M8h_EQ0{4-691|?l)N_h$^<+llA`f z4L3MjZMwZmN*z;a*grX5X||RyR?b#8iYBuaa1?4n7OsHcSy-B_(6=pTEBEPaWozuI zm{%LEGx-Fqu|lUk0c#9SQzTjK%&;OOE7tLmU|Lu;&9E*n2~&@@tU}k|U4_fm%&o*! zLtgAjxQvNrgy$x3eO0d%XcIb{))WFk)LC4Wpc@Lg*4zT%>(MhLq^D+X0a5o-(}o9w z6PF?*0aqw8PqV1*Cbc6=7+xj&F4aW}cO~tph_PMZgX+}P;~px|uX>s-AyfxFR3NL? z2kV$?q!tztF6Rqy7VB!jK3xa5o`uzEFI0~%sI)$vl~r0vYFm}IREfGe0J@NpCB5$a zqsxtAU{Bc9!^?zwnh56+e}PaZ zb+LB8;LoHPP&{3L8D1&viUxV#WD3s#EB~YkMC50`6SZ+ z^!?cZNrZZv*4*!O{@Ct>BiZ%p&28)-&_K?sT@U_mXSZW+PbIUV#-HWQQ-lA#)Rg4} zmmt)Q42gEmiMkJ>@|Y$XAD!U|0rE&dg?^ZxgDW7g&kxiZ3x(zLuM+}`V4Cf0yA!cM z!K5+QAY>Eu>#rELdS=ScE3$8#@9n2a6ad5&^8@#%S{UHY=0Z{oWT;NFNHNs^ zA;}MDldp12ZbQn8WsTJGc5ar)p-8YGlSP^n?kp;-RO#q~SOYFcqaI{hMaJW?9BC0t zKm)ehsv`DsjOGsP3!}59a9$w-M_<*0i2_%?qCo8pzE1xpZ3Vqu1QA!NhCYRec)Hei z^ca)EisxaNz8H*8nK(}fCz0rE!#g!VHOz#>j8nl9`SE1xLrjs>7C4FGgh`%MrVX3j z&UQ!ONvGG@^Im$p-8~rMks!&fTpIUww>u#n6Mx~GvypT!mGr43gfJ50d8gNTxw|{- zY_Xi%vOmwx)kc1N#AFmc>Vv>7NTa^=_D>r}|{4;U&JstPfrQG@(( zi^!iQETX^4UF}D*@I!`gl!wm`DUrHWaV&f(fngOiKU!c|j-K3vC`D^od&@6u^jD62 z^`VCbW3X#Uuq_ouppDs~T_$mj&!Uu@v~dL$dJfi6!SyE~5yV$b z6Ou?I3sBBI)I~dD7Vjuf9-rnP?8_%5%F?Bve&-D$ZY&QM2(?N$TnhydvHq?I0+t*v zTW<<(6?^HCPzUmJWPNUBYE(z8=`F(wG9z-fZUgh2jnka+%Ahh^)pHu58I9(G@E2vcmeo@@x?TIC ztruKnOG?{-JNQiL@e~D~AJ6l01n_WU`us{IxNQPPQB#6+qEZE%sJF|Z8E%)5r9W#1 zsu5|`5I1hORHD46#Zh4kI5FMN>}Z0?Ru)R@jY*G7z~ z^^F^aM%G)YnAl>AgH+0b+#^9}gv~|z?6tJ!f)UVA68=?`dLBBx&NsXNk6P(*KsQYM{_7I)@{x=9 z#2x~*2FL5dhP1a|y?IrA`^R=iC~w|k7)wbUu!xHUQ?M<5Tbo643_){dzJ4jTMS<2w zvnj0Tz6Q2L%!0Mr5*GF+VnYB$tJw~w=?XRjG@Zu9^!*RJ;^+5HDZlUC0h>9JJwv4H zP{hZflmJMCY9DOcP}5uLar2yxQ9aeh+s^d?u?iR5n8j59-_p{uTCZYZr9p^GEh`Jr z{VggT9cgXB#W<+P+l|ZP)ewp-Txp0ewu{}5bEhd~E#O8 z*yCX2j4)fGW0YlZUJjqmu;dkzbu*blujJBbAeK!I>x3!sre5dr9qV?@Z0@z_Emc-` zo{~yy`*nr2?QZTeWi=&bGaHT=RbFUwsS;{Dh5kImf*=hHhapp?I$-esfN!x~JD&=5 
ziCE{e;^_K>UZ+RM2^mWrO{D}^S0x#QTg)RW+>)p^@n2V(_*Ed9$)gOaQq`=?m1ic5 zX^A*Al{>m=n+6AEHAH4OhF~77R(;HkrZtbbNC=*x{`sKMWlC+x(rD5pw-gSMcML6E zMN8MBWhdkHVf+_1s?GQ;HR+gZqPrGzXVWN$4Qc%u&O_G<(8cNs*h}y zwenrU=5eRjDcCX{^ZrLFH-^qZIOl>S19+CcOpje*Ur*0yTRTi3-+&7BaHOR8R|*_r z9yC%AL}$ALVIIBCPG`F#B)otAwj5lpM3xA7*A~?u|56j^v=CudxNcGIjWlRzW9BFh zLnlG^GfhpcH#oT~)%zil&^4eGw<(wTbq-3iN>SdDgpLbvVkfKl0?H)Kw>d95-iIAdYiW69YFR_ zXD>rb$9bSQA=-=vMcnKoT2*a?Og6W9>`n>T-50gpkqiFE7uB=%5ch1iK^@Z;@2lx1XMXQ+UJPS&Q3l$Z+5eY4}2e7=BD1f!0Se4OCi@#|lueus;!F04Q3` z3NTGqQ2(LnmldF3NNydVkTzUEVYmM+{rg_*;i9=yp#aY#~oc>#zlP^Di=Np}@*2VGC6t zRtQ@FQ2!xe3&88cct31Zn{j*OFl@x%0T>>^(P81;q=y5NZ2alr*pP=q6|ijW;gECx zJD7ZF7)6>AWrr`!2HJ%kR8q(i(doU}eY5)nu2rm`_>Fii_I6ur^pzjyQsKf~|4t7i z(A9mP34ORm_a}yLB#^8P^1}&1bRL^7@WL7w<A zjpS*4Jl_bULVGmdNQV8X_(mi}EBZ!s(^Y&UvgsG*8_^`U_l=l_>-UX7s;$lWM)Kg> z`bM(WEBQuD0a0g|0H|7rd%b!2%`hm+1RwlzP z3?c3<@GM*xj@{ke-LGD~f`4~+cMJc1y|=gf^|@4fsB z+Fcg`bw6`1aPpVkd*doH_l5jCL)|Vq>(9j$$^S_6PpJkfdVL#a-C0bc!J(YJkzAk7 zRW(EX^6I4TY})ObtwVmLJUfwqJpqle4=L8!EM^gjVDnRzGza3ZJh!^RijWX7PayyL z4T<QQF6_t4%hJgYZ!d+4?L45(VgK30fT!yfwQzcOe=8y(&l zo4$vB`@;yM?cTYCklxaI8Ma2dr2f3LlfiS4{5(b zv8n9@Ntw`p_s~Dlzl{7UOsOqop6JN~9~Vxj;UjGsDA6iwN&RkSa%x`br+z%|q5app zyEFTuk4d_uJ#mHkmdVJwX%NDAMU&^T706{0-05X$*DtigBmnfP--)B>wR z9&E^-{?zF36Dp?jk>|77&JSwzoa@mOF#m=mU9h&Tk+d@k*=T2mxgbeJ5QSPbKNH`G zQoD!Ep9pmgY1WgPs0{eZ;iu@Kmud;kxhm49d2dAzy>@p%y~Coi2R1Ilyho(>fKuIm z?UJf~+CZwSYyMlve62UMMvz;ZF)13=(#EyHvzaY~iiblz^c(uaf%<_@uX2=GM{J6` zTpuX?&#EZ^*`Cw#?D?CL=5xJ)%MbL~3S5)qX@c;4`S~sNQEyc(#amrX@iwEU)PpT6 zDhE_7Jai?cBjsyfxQB}5ltmJxPsO5#`g1O5B>x1l&2VgS{R0tVAy>A5B#6^ri5w}T zh1??akg--cXy!-I=0a^{-$TnG{gw34o4s%LEhY1(W4IwZ!knOh;*j{lL)Wtf{}f&$ zmZ0l+B7fCDho8d3(V_aRhv2IUSX0IYnkUq=TYk?tH0$b2_g#SC8DAN{^*vuDpzuQG z<0{xOOGFOtIZH$jy?nX*RYeOZ*=Dym#WT`F(yFd#G3O*HwYuVR?$xxC>*}v8%D1}I z4}0k9@*v;PlpK(2_%FItUYa(6BMVFb$j|lnJ#RATxKrWO}%)>+1r~S*p z`=gKNM;F7v@bc*N;OKfAU0)m>4u;nrbnM{tTaz#u)Y|?@Fs(kg6SbY(un`5Dp7otbN64WyhuVq ztdF3T7yLW;#Oj4YDI6&Em#~m<_1_)U7iI~@!Awp)%*j`;5Q%&yS90a0&Z@+~g2={# 
zM2JS*oVlmPN(7T?fj_O{Sg#r2-M^cXv@nXVi%Q{GsFWhe zov37xtJE>fRS)W+;fHtPa`w&cKi;2)e)PZbKlb0h{m1_4ZSdjs?oa#E>1Y;&mml8m zj&{G9|L;%i+f1NZZ9+6Kov+X#ZPD0yL9|q%vRX8el6fHBHIaj$r(bt9bzQ-_9N!XM z|Ei0lKxZ7`UBL?DOuhK1xo9x#w8^C-W)i4VCs<-efxRPUV_y$bcxnP`lx{RPTT7N^ zB^yimNiE6YYV+1*Hq|y5E)Wjy@PZ>Q@Ip^Xyx4d*sITmSs7uPoF6k(0JNBT0+Ma37 z2F);y+=9*XK2aX4F$&38z+bvc4H%=B!LCe#M_^t;Q#=;87rElc(*$c9zZv(rg-ABj znxY(ulIDP$KLs4XW}s@}*|DjW`u#TO9ywBiNd_9CiPl zh8(K0(el?9aCohcu1R!D6Ba=fDRjQTH-saiYEi*RxHi2VooD1oUGy4Ry?s4hj1n4L zYisQ{%_&L?Aoft_Z~RmE_s(|uN^;GG`#Ge9`=vVPLGrUd~kdm7y!rb#-wJiyQ=_D91bc+dK*X-us(; z^!K$Bbd`iXq-xc9>c1t6y!X}1ufMS*Xi66AV+h%)G*a}hpFB>6JnSLJYnhQ?*_L`s z0n5{5eamk;H)O%}7E|6`sy2`;M#dDY=XMlzUaiZ>8ETJEYM*wy=$PREjc|w~pCkwe z0VL9s+iw5E5DpHf1iky|@YEa;CS)Slg+%$Q5ei5BAV};Zt^;YYB?}~N(I)OD_4xtp z23JD^&r-A#h^AJDyQaX$BQ zwd1)86cwj)FYUv*p#af0n-E-n+(VZ?|J$8`toxY!&*POQ$1A8GQ>*y6Z*78trP~on z-S+xCaXZ^va0KO~yLz%#g!Q23XXh_KL8uDtLC^cc7v>sI^m<~rxT1P@RW`K&lA+M`E;3b|Mu93Lw( za)TfZ4fR4c(WZ;(#JQLrv&khq>!Hr@^6>2HvQym}sLD4!mXCU4|^KDVO` znnM}Wgp44{m2i$HG@5kzo%ajZjm+y4^L91n=QF(TWL>^!%eW2r zj*P}Mn&^!mq4e+7z;QZ@L(;t?qi#UC&u&Sw$RMYWRs%k!0dossf80z4v&-Y59Nw-W zYmL~Qgm7`Yw*v?L$j-+QF@f$_awDe+jnF_&C9gEVbvOnIE+v4{S!SM?#?+WY!e;b1 zsJYMpGJ-56u6sik-9(#!E$xLo6l9v?-|?aPP93dNw$}{Iuk!?Sy&DBa{;2`!fLMK0FK`s#B=~rIk)E5Xwg&DE zjRGg!0@xpE6!diXRIr7Rk2$VT=H;u#TD<%?r@zYwt$Ga5xq2m?H#O@$G`1G{6uY9V zI0yZZ&4a1|MaKrW(&M>EXqWtER>25hVg3os`-?TMl2*^ipDe~938$@5KTKd&h#uee4DarMRAR=e?y`)HyZ@~ zLF~HY28iw;r&Soa{chi(VoR|s?IgjB#o^%)i{Ifs=?V?L^+>JSO@)W z`R4^=0v+^WL)XI!9rW$FUpw{9%wJ;{L)_@liW|-Dw6@Twasi0iAqupl;>o#2N5rxU zit1PDuUnS8ORD}M!vQ=J2@6A#@EsvSJQgGw(}?mZ33j#+`h|@yMX1m3`tt2N{T8CC z4ARS#l~i}YI#RN5k5f?ZNZLP?}{hM{uM60TM>V?D}2#r4lQ4hIF z^UIesVEYw25WH)=`M}q?EeD>o+HDlZIyd8&vC{w_<>dz+FWF(TruKv|Eh}d)e6XHP z#SN;>hVsy}v-+69eb@qT3MUOYH{*8)M-^UTtq~eG@x&+RLC%dG2VJf`&s((vAI;RI zK@$uWjs`JOS90NRIc<&A7qfs%p@0uo$CPQW4BUvIKB6(K8KHe;iF@cwH_EqxJDYkL zA!$U@@mm$;0d&Gt(UfAn=fPz01-&KG43hJ%bnQjmc!DW4j{_{!(uYCe=q~h)YXbE$AcwAx*)*tEDfSnZP$MH|UF`nUpPXENyUb9Tg1*wK8{X 
zyA{6bawrg^pr;UextG>5yU}pU>VV3p5K>tiRB3fX{*vI}+}w>vqlI4ISi0iX&fvj0 zx1BLUhfl-xGHXo$r)e4}nGnvxTQgwf8q!1i`=0s#Eu?7Z=2p+9+i|X`+ES_Nf*M;8 zfU9X1P%aWWnyWTC_r2_`g!GK^@Vk{KSpu}%^pN#(E4S~oW5m7@Uqd?g>8wH*YMMcQ zOIZkXmeYjfgH{AX+JG-#4@wJ1xJ)rRYZ7ahw$7Vi(6~PKNq)3OGusJn)#$b&uyseb z)x*DUbQ?gwZ**G`NW18^b!(R;{jyP%j8A7y1yhYsr-rFkmI7skg>|d6W|x=mG>F+i zF^BDXr}k8cS{%ducYH&lTr{?GzjcLXmEmLOuAGD3uiH6WA**5r;MnnE8)8U7Xu^*b zhSrjeEL_dWL@nSt+B3LK=zpgp+)x_g){>1THQ#HUTG=&ymjgoU(a6E2h@w#vxK zb^s>}wSen5$lx}nzdhmAB)6uu36RwlBz}7A+`{O25Yd`BMbX&eNC*}2^>sR&^auXixXxnxyWFfU~uR|T+TIDB&+l2lD z%yHY{jyZOZbSJFZL5?|YE9KY(AnQ1&Ri&N}t6tg%OVKv#lRVZ(=iN9sTd;2e$L}ox zgS(LsTDSml7&?ub$8rZYr>CuJ@L75=7*Z06Qb;R_gpLl;pMyo`X=1#5ED*%qi;#D3 zNkYequ7cS^9j3GFnNyVm@GROnnf0xBh#H#`71~7tD(>g*LspyNCOoY+Y`(<+L&Td|E0OCUDyUBS8r zTn}|bGAEr{H?bNiI%5U=4#yzMhVND#$QoTsCzUse@xH&jJRhQiJ}?WOx*M|40rO!B zlcy%Tt4&$DOfaxPdxak#bhjwJ}AvD~%paCjr837b!*X}J}t zI=u_YXQMx{2wmXFpOR!7#p;-u6Q%S2)7G=H?^0a(q%n&WH0#|CxpPk z2{Icn8;d)sm_L7aHXOcy9Y3ov8_9Lmmo}POG~p)Y^FjaQg@=Y154W{4w4H;gDx1w_ zB=My-dPhd^XvRh~B+>#m;rZ%dJS4XS!ntsclQCpUCP~3)+s??Nky_f}sY>t-x>Z1Y z%9WM9b--pbb*PAZ%%RSgAI<~P+uG`)A&uY;0i8r$7NO_E;n@p>&{h|nXj*fqk$TrZ zA2_5U-(23Y?il-m6^TaA_uutjY<1BAh>I+j@qrYw!Z$FVj!8h0loEvGXn2O+$u5N} zMMEY2q3Kfh;E?@{;t&fdJdpCBf8r@v0OkW3r8l&B35E`3NW+-~Gtnb@vkgOb2S>Ru zA`BcrRP0G?=UUx1{E@86@piuEaV8+>K2^qf-`mw4Q^@bC9$v{Iq%Vl0z7n)-^8D(g z|3ZH=gxD$|@jz-3T^;$GO8&&^nc>0U#58<2I6OmF5xpe|$06E}0`yMx|MRQ;cQ4Er z65o!Lt0Xwu>Y`&hnTk6i|BDVG%tNY_n!59Z3Ffm9JwHC|pX)(zL1s*-L?G6%I;1%4 z4kE>*$&vZ|qJKEJ8op3nI+)46!I3}_lSVj9a4T@RCr3NJA&5g7$utD=S`AhDD?#6r zaHh*`a5N%gmJkEt8o@Ovj{CR2oa!{0>u*6w(e;3#l)36rs|ax#(&V(Uh?)4W?}agOR33{!er2 z-x#j!75r+Tz#c;NQpDAg5wU>Csj0s&MPzle%VH*0DF3w_t4D8#<(KNxSDF=$YhMaT z$R-|h6b3l<9(zOm!hS&i1IrCIh;^3zPk(ClzrDTJulI`j-^;z%f7bthke{^cdt1-Y zx22!0XXu#vB!UtgeKbkfJa&KBO&v_VG)!Ez973)R9d)RkM+x~fr->EMC{zjv$V#w< zkT#1g+yFuaTS2&G=dD?I<>D&LS_{Qy)726bKVPUtL@>lgQV&EJ-Qti2NE3+US}3(r z^8oS+CWz%qF%S~y5{vq1Ba6`%Ot+WX@wVOqR3xHY(xvVJmUW=-=*J=UNq`{GF^yT2 
zUrJ?SuC8+HrMGaqIA0*rlcJpHLO7PJI$Kqpd1&ju?RwKzopb$Z1-{mFEs5r{tYblJ zhee2X_m;l!V2?1@#Nk?i*6U5}&n{@9Ix-Y=A)}+2ty^7IvfofdsEf9HhYlxf-r68&3^J|}{jR*wE~-c@(WKkKRVem7aD;z$C zFmHa7zTdF}o`1Q!0ZHV$>7JQdI_dbBGA<%KBUU$5396HgBfBe0*njx&;}Bh447L#B zQ+D@}j^V7RG@8FHj9@+=S<9mA-Uh-yNQ91Lv)4ICcQoT~1vx*hbTx_z)wi>GC}>C{ z#lF>b_v5H(*ZfEpkKZ+qm2_uK{g9F0Lh4xpk*6X5M@kuFcY&$Iv|0~j3_$xCjXs7X znuuu+ebuC2AoWV2FKRLaJzzIISSqBtOh|S|rGvd;HyH-1wrWRKqukzHO;JhyO{8BV z`}-$ws>t8esnp}^@VDEYE2NuGE>vS~m`h3blwp&+M-9c%Fon`4G#ES8)q}0j>rC0z zZgVSQZXlS4R2|ltQ|umsxdE0N2<8!X_syk0Yqdw$kkMvecBBJ)97+DWq*;3io1@xF z2h&~$XADh&nra_QrD1RK&UpGJt-YI>?Mv}EQnzz++gX7C_wJ{~vG&3&s*f~2slpi# z8=fRYofoBEv*nwb@o)a(Y)%YEMp4Em_L5 zL>+oM*}ShwIQ5!9rJQcaf*;dyVKsX7#<8f_;omu)B@7hOF?cwqY@YDk^fXn*wCH{$ z3;5X8ohr@D`X_^tP*XAId-bph?wZ7scVq+=`EaNUfCOE2uUs%4MNk}` zu+ry55hr9!5)%3P)LcvnO-#y41ji~?V1!#*kRsu!P37Ui;G`th6=EQ6Ny4R|_PyPj zGk~pU=#p?@&&VZOf^*n~Y#w;|1oUkL3M3q5B-D+*BDv+Gxb^4PcMEXqSuWRnrP$nV zfYnElyM(x|~#h`@?PH+-K&> zDPWS`m3Iamf&|x$KzYk@4RL&{j8}m0oJEk8NfWyb@tfPo$NrRTBTfa`R?g{d#1g~_ zm)pmGBdaWk{`G~2PMOelgS~OUF}T1tgd;K@OQl8~OjJq!8fh~d>V2thxb~VHa7)s& zm4b?FRRMO=zkr|YL&a0Wsb_}8Gc^3^c-i0>ehLpqhZKjz&+U9R<@X;I!=H}PAr=_& zfCLt{+=%$;7)FErk%z8l3;rp*mR)-tPvoyoLBp$5V9=(axZuksQu?0pyoh4P#Uvs8 zQ|Os&VEoqi{BRD{o0IC8u^*8)-8l{mgI!+`qj(*8Wxp- z+Jd{-z^~*?ez9(@t~lIS%ersFcKIEU9F(`eTUQjeIf)N+)rRn7f=3U0eZa9aSlXa%&zOR&%N|-fAk)AZyc* zWup+cVb<&pYh*U-nRIZ%Ap(s6Rlj^k5ys|<(va}usOhesi6TSU*?%xn`o{%y9?9@*Rt4Mk6iJ`4De6vY3 z0;nduYf8dcUr*9?s#Ug2G$P`TkO&2I48G=^-%+^?aTv0@)B}w;o)HU=mY-dpVzjWp z=}F4Q>I|}G;i>e7<~Teka`<>1H;4lA`E)+JAaJ47?z`QBSyS#aRXtR4l&Iz$#h`Wt zxGok}bY0B4`5bp`=#iY+`WA;eiF35gft!XkjHboeML4 ziaFZPq0~1h0;D-elHFGm9e3Fr<$Z0>jS78DwrVB{V~J*K zUnZMI6d^Tf3%z4qQ8hiJYGOA=XQ9UBW0l_Gr8L(ff5G32c{$qF2= zzjJHuzNII>NEa_U2r*Zxpvus+EXJjermf|u_`vS5xFX^>g#3`oRECp8)F0NKfl^&5GcV_yq|l z*Alm7KD_Lo9`=vVPLFB_;6ZloTXy-RLYGKBr=DJsVY9^#l;l40&~-+JIzv4;z8YR0 zU0i$Uz={L}bq8J74XA7T%v*P3r(%v2d54D@b8(t$oQWj<+`cnVp?5g%7qpiq*Adup z9%Wgc`Oly@S9>uv97f7VXtNGtQNk(v3433?{Q8?}Zc7eBr<`&!QSmQsL0nxN>wH*= 
zFedxo=1KVX-rwY-zprUTRV7_G$klXdmvv$MDToTu4dpbrHA|wy>6#;_xI7N*;H!5( z9iEm$oFBF-Y(=c{JQB&`Ky9O$aIS_mq9|!@mNHlTANred)Yp=5?>{-{Ey zV*8&4Go>-jM=2JYXn2~AY@IR@R$$6Sf(2ynn?vQ$Raj%mq!cjlo%S)@m!UH&&rLao zFqZ@e{Cq2r4}w^3nV0s*O46%LtF+cwY$MCvSjq2-f}nvFat9C6?s^Co zAat;je0W>l*>$L=aqY?8iSzD_^@YB=R^(zST*n=&ieXv~7p@wo1C`Dgj^-RyMH@y4 zZ?2f}ms`u&IcH~dl2qQCGrHQnJN3k1QI`Oejds+yFY~RH6}9SpxDwy#Z--dmcW@Y7 zP;$e7j_Zx2BHOjn|R#JJ%whO2#nt|{g z|6N6}{hsHd==8vMJoRa)2I-%6!>wn!XhO9V)q5?=&B{>+n5{{G8rr5LxAjbibFDwB zuc=a5>GUoH`{h#^mTeYSY#@a7)r1D-VdkU3jB2FLU>wIUnFT7Q#5vO4YE*Grf2(`+ z_v#V*t?9%2#sl8BQ*uFngVaPB^3pbhu33W5Q2)blnH>9f zT%|exkt{YazxyACXwW}NBbIea^&iQ?HRa{k`imQ~kTV}fST?H>jsP4Sd&7#XJ4eg) zg5cmoLIu&K2O3IMZi96qh25`#By}qz&y7h_52j3*PD$p!k^=n_rOBW4?9SxO?>)EI zCAag0NsC}3(vtj2Nd?5vBNM4U?7+FV10 zk`v;u98DNg{xX7Z38DgF*~CM+QZD$8dw7O_Ws&Ez*^VF59krY7$YDO2(}2i_X`y@4 z)iiQ%DrOZ|A2-%ldZ=8GNinPSoOkaC7u~&ebel#4xx*dmg6uORZP~+$9NlT#D*jv@ z`D~->lrVKFYX026ew^juNatrMUJ_VMY=s0>g{h4UGUsh~DaEUcW2vo5A*w}!8`V^6 z`5qdK5t~sVNU$x(FxY31bA76Um35Ugo&1snY0s$6^U#s%ie5VI^O(G}gY-O*Gs0)H zwRTT^wA0ozG|;tVLFUf~Tu`=+PQM$R{`_J|+fqaaG+r9fk@|rJWvk?f04&ZqRObk^ zQzxnGJwN~gb-hjsF;+9Z2oJPTIJYxriF9}BG0u#WuHu>=abLL4Syl`4;rKAlN+*) z@D1Nq5vDjq%qKY7R(G6UbgDu!%z4$@?ATKREUzH2?zE2yOL=!+6a=WwRW&yO3%N>) z2UY5IIsSJoVk-%)vB+}k_wr>o%^7JbMZ<$DdbGkqtRT4e<-(b_PIzd}T+>`__7Yq9 zkz+A^X6JEpuOHS28MA5K_>A9nVXYR^4VDu-(WB0Nn5C)P`2|P3D@n@D`-W|rGtFWW z(Lm`^56ZS78|`>^Bn-PZ5xa|a6ggeL@~owG>*k_RDH0D@KpsgDih!=q0#eVj^qkt(nF%na0b6wf zl-t6luby;qOe>P5r|(mVXu~9pP@zyhIl|g53mt;|QDB9-<6T}xJxMVjZYLQXBvD}uG6?94n60xwz zsb*VR_D({$xZT@HlNIJAw+fVdh|n0LU#b*MMa)V;wuZFz3~`^%DlrslhR%a@Ro?KVZ)+}ed`$-%xGN>OTLKcXb(mfyf^(ZbD-^GbI(-PgQPHd& zn*#mll-yQiZ(3DY0#90vlRaax7gteAxJ z`IrPcFUF1mTEV>{qi#CXeb!J8h4MYFPR_IbP}3pDR>f4%-)wLiv=+~LCqPaJg~4w# z-(ujqIkI;I^dnhZ=*l=%(>-5;XPsMxPZAR+yL?r!C~dlJ*iG)Sg*a<9)i04QnLWbh zQkL2Bjiw~DO>a7D67QpJN99qr%GOjTg=eVbFi@U?HEvK6pj#GD!l!1&!TYw;%i(OO zVDEvZjm4#Vj$~|ZWI{9-NZWz_+S~PZyRVjZZhnMYz1ny2t_XglIv2T)Z!KF~O~IdzY5i`9*c?>0hN 
z>!`L_&yQ%kcN>pp7az||^*5U#U5jj;YPkaGW>crus2R*A`9{mpT&Ss5?ztSJ4>X>0 z+`0#}&F)4Weg1o1sAIc1iG++yOMEe>^g_0JMBQ-IiTCW zx^|wxskV7$mbn_%&sSeRQ4%PwX5(z4Qg1g=@jFySuyl z)vH(V@9yqy@!#FAzyA6!d#}EJ_3GvB%hxZz`pfR#>%Fgb|AKbcf_=%)oC}=%W%u5= zip+f>KRBj3SyB((?r-5ZPXB!Ez4UgsaVo_Caw@V&;P9LU{kdS=$013!rZJWVq23u&6KzH#v+b%a ze1<<;51=?9P9{VgoL^lDYO0W(lf);Hz!TC#uXo|1P`8U_L?qOQ>VWl)Obu2}q+Xz# z_0T{6WgrcG9MWilz^0`{sstl4#kZ6tJ@nfjTUs;$^5oPxLP(rwTQ4E3qa3e0V|rfA+royKNg=`2Ebk z0z-FR<9sHycuAgS+VAso+^O5x@rj+zypz+DLL?-y<`x2!t+D<7_U~XL0WK0H%WKHf zIuZq3Tx|DVT-=3o3l?Yw(*hay0KoSGkBI1>eE*$(;xBFX&WY0j=+;(HY?qVDWk(XsuiUxLA1E?6c&UFhE))e2{uP2gjvHCL+!b{~?RcBQlI$ zAQX!TQ$qN+Gd@i@q*a{RQwp}&Rx_v+qXBr^eVfr38LmlW_&A9|1ddoXQg8`F_AY=I z2w+YSA&cc0B8REOcqD2FVwe!mNqv|A$M;Z308DslHJ!a*G1scFBFGz!|X-qulV#ZLUq_RG8f@(Ytt_BU%o>= zoMpJ|G0s##aF?zalz5Swz3S6MrCao` z8{4*R+w9mK+qRRAZKGp$>`uqFopfy5TzBog|EJD5_kOtF)`wNK=3DjFnsYq!`Hc}b zasfN@G4yI#sL5g`dMVicR>KKW}kiGLL!T)X| zCrNtKh3aAvp8%5Gs5i^wPUS{Df=XoxK_#H9pHsk&HZ&ZLuwZU?paDG$h0mlC6aWdL zPb&Qbsy8YaB>W1*kLz}D1FY(7^nHO+MeY@n-UKlbuuwH3$C&J0l z_5lP7miQ@M^8BCA)rFvcpjs&@w6@HW^qOg@FsJxwNYi6Ok0c3^_c18Jjou=SF!;t8 zsJ`b&)Oy=CWoEL((>{{ifQ7+TzVq_&b!XiSD3*e)z~+##NYFrl>I;$mRK^P?#gjDI zFHEFhKYAE4)0rg|Ww4kUPT8vx@*fe-yG_TSsw+U1zIxWG#l_N#S9=lot;ZoLLuRTl zq2=P%GnSN*Cg}>j_V)e>dH@)|Cl(c*4CeCamQN%uhFGUC_@w!B^3l3}jXfRU=;8VI zemg{9WhHmT=nN8^>LONvI7vJ92h2%54>|`(9e-;p6r*{4NgF13`bVv5Zgj2J89V4zy)iE_(zPDvFmT3KQHKnCA3p@b`qn8SpFV9qJa5h3W)~wG zw>8W79Z+~{IHTp^Ux}5m^LTmOANi5umWQzRA?7Sl;s+u=48Z2Ey>;4V{#(0A5q{Y0 ztno5y$uZtIop{r$MxFe|x7rnpl80{!>pXZt5K+yq7?DO^nF;s-$Ebpsc!MBp2avxX zP37QE_s`=RcT{UB;Un!IteGz#hI0?S|HYxUn#H;A|3@DhwoS8r(MKN;oq6&&82!ab6QA^N*D0% zGSso&`J}4Q{!-EvylJV#}uzWFu zs0eBKknxxdgX02Qn_q}5cV5G8d@B7bS|CyEsFrLE1{Ay1damxN_Z`uNGa|qzaCvF* zJo~^Lw^;!B^qO}g>K~OdKrkyYv6q`B?E?*j}Cq_`LkO`uX(njH0wVs*E|5E63TEB@#Jm zo~q}ys|BSK&$mFdPP;xFhTRT+!(_-vtVWCrN;Vr7x`|}r*CMgkID~~l9FxrO&7+OS z7ty7k4(89Qs$$Q7kqn#Tzls%VX&{3ntla zoJeY*=HYnsuq}FL5lSuGLb7Ks1XTuSsw@?YzW?f!f{<9Wjid6mB;;bzk4i~wcMnFw 
zIaHmMok>Z3zmjsV_TN;f>Bp$0_SUEtHZ?J;>tfx)#sY6o%eA@#hZisE!7@8m2fV?C zw_53KnJ5xWc!9-D_r=JD@xr+Qe*=2xz-?p!rk;Nq1xLw%*FyBG0goN)9UY9H0g(~4 zCpmbt+Ue@sbcy~B__JA05OKnB8=gdps#Nr!o@eo>6=nD4cRy`wF4DuXN7eO+mXGB| zs`#3abPNQ)P0Zed82H0AVG!!|Dsu&Wu@nE;c)0o9ynK#|jI3}9Sd{w)=T9$J)C9q< zB?5Tw;NL9z*gm&!eE^UWHFOxC96eOi#mFY*Xvhf_IWd7p85QLOGkQn9#4+=dN^uH^ z-#~~(yC-@?(o7gKzR%H~tK&Z$Pk6(9YC$j1B2G0PL+>(H)Z?8V+%F;01BG>DNf)}p ziIi<9%wj!#M)BXsi@uFu98reOy3U!)nR=DE;FDMhD|@>0)!QlYqv*XjjU^C}KgbYpJlj1B9F4=GK;3(mF{Rro;R^Zq-0S)ifX=L>+6FrH#eu>axr%=GguEy2A8%+Z=Kjo==*-ZY_VY5Q`7F*XA3 z)<2p!wSL~))O;Wmh?w8UUJGsXXSOUO9g?L z11|Gz%Mt7L{4n&;FGf7DArkgdAIwr$C3+`cewt7D9j&n7{t7x`O=NeAs*-ryy1M=> zO$|<@%80M+C;(&g2r)&3)%{^vnl^53N#ZVK-lh4VQ5BY-;Hn3bgd$%rVaxoSmEXpMU9S8b%d*G)~XzjAPm_Vw$&q~`1moT zeIe-1(~nC@EKf>Z$<#PYUtiUPuuc%V>O-i3?f&Pww`jISFxTd!L>&tvTWlz-LD4hI zqVE;W_0t)I$7^ig>|N~F(Nw6W)6P}`C1;buwfa-G0f#wg--B$5Q2 z40#BE1GEMC4x^U0(za)do5fNw*{I(s317wH#K6*I^Q8KXnzbT$3C`STxj*(VogJ4= zap;c%J}NXhqIY-|3*4&3rfJv7kEZTC<(g@mSvY@(r%kvrskSX0Zw{M4c4FjL!?7jv z`_isAR4uRM3^j*y=oDb39EZZ;ev8m=n_#@saf2HxiB91!#G8B*nd*B?IWFF#(rvDl z(6Bvt{ZciBaz z-$kC5kR)BB8|J!O=kdg)wF)Ry5xa|WWIoBu>lr_e1x5qscfkU_3oOznr5XgqwWf*u z85^IVS0Iyr@<%o)867gvYa#vERjDQ;xxcaPEHl721ddh?hp5 zhn|>)qb(v0b-U+}Uf323XI!cLN2=g2Xk~}SR0bFv+afk|BIH-4xENzM9+uJql@TZ) zLpF7Z8GwHS*!tW{d@iK&WRp&Be)9^@{@8v)~&FCu_+V}ZaJXKH z_Zs-MF-s<#kjqB>U25VElSvx-nb*}X9N>e~jT24vk;i_6%=(c{CeAc*UOF%YLa7{! 
zcWd#dHAD;=W6#GdpU9WE?oE9@z&H4#7e7KJczJFZ>}`AVGHtKN@%s0dA@ZGFpxQSW zSurfq%o*MoH}LR^;|>EJC{{P79USBJRghzJWbm9}c_JvUU_av7smVCYE~idNv;*-y z1=L8=EShWM6Fhtp3DdlO0Os?P2otsdpwT)6xlkBfWz=Fs{5pF- zT>QFA(oPnGb&ANi6@aZ>;I`48BrTNmHBy6d%z<_p4)H zoZo3>VHgaM;LxfY37B7B^IjMa06y%2So&?ojL%iZw&9o=g#pX&+t9F{=B{7tp;tKW z62>vm6VGBqkeRT!fQ%vGFXIDolifO6`B|!$iQ{_{u4G8W*}HVrP8t07AqXz`zoQe} z7ZJvjQ|ZQ?KR#VC3UK1*b{=hSp2yvIgz<)lp?IcU7jT9VQEnNL!B14Y_to}7@b{s# z(#=7?5JNWsjb|Q zqU{6sFQb9c{RX67V%h9`VJ&T@xw)i|w4uMnRnQw|4IiiF3@NCDqFeGWPACW_<-i-VtIO+8I(b0QIv}Z$)C|A70 zi?~f$>qT4X#aqTBPURW(eWAO-DTwzLTe*V%K2ti7ix0>3Z+3H2+=DN)CXoB(JmB#(}2rMO0D8N2(c-*-D0 zYENeF2ZYAXCYobdgMsNEm9br7E zJj=$>96Wfj?Tfq!@iwixIs7Ujtx@VL=B(GDyeFQmlhJ-yM@DrW<~9}dlcE8h6O(r) znIX0*L@JYg>sRYnm+2M9-7L@@nCC8Q2;|k`lF2mV2=ChODy%QuJm7i{AKA#jZx?mYCPC}C&D}r=%F1BIKRBSY<|rrKFCS|v}sNQ{3J4< zU!ak(Ihl7|kEe0-*JL>uaDSf7r3heiOPeaxWqBr`aAn)!84x1yoB>EcPvUyr z{+j~04YFqkbj?l%`1ufXUTz1c1`vpIZg1x_`|Eg0G~e&l&0~D|Tg<)Ys6LLB7{Cu# zt;$rPg)~AJ%1Ucaduz4n#H8xc)sP@dQ(bwVy{pCQf0v1VF!??3^LHbQBkre{#!15- zOPe+{qk0DocK~QDtx#rMp!&tlh{fFV8%HW&kk+rIc!%sA&;|GESl$BgNwhRTNH<0lqVnfoJ`SoWil;* z60x(bP}vuylk^)ym24Vf*7KwLc8?LORR;NxNhss1ZVcI|@G~Hwt^}}d zeJ?CDy6_iJH}|!jXF~0wa*P`l>-r4H{s6%m3;66R0?Zg(EBpjpi{{1M4W*w!&+7Ig z7d)$ff@Hgi-GW;!BM;0ni{s;ddFF*323#^8{jL6pv2~EK1&nNQFrTPcnjf^O1n5f< zk2ghrIX=fc5%cq3z5HzIixgsXU=#!Q)~aN4tO}Rpe4xQTrK(l6OUE#8kbz3&Sx3CNTBpxuaCb$ z(p7i2PVY0`T-z%3e<+s+te8C%3&5WM>xg58q_3XS%jSRTB2#d!Wxmrle^vK*J90-h zQ#AIlCMU-Uj7XiuDFfC!(lSiW<2+TZfsRbx4|R)x;cO?W;IGE!gg*`O49-n?V~ra z{Jv|ySewq4SPAWqYNNh{apj^9aEDW}#cjW9a|5-DT=a4`VYiUZ&?B5716OXU?^mm) zA;8cYoKY$90$8sOD`B&i(^@q)Va_T>YUj_FbttB9;U4#eQ{`t%%?JWSa*3s}n282| z7F0D7#r{gKeRl8?FG*9H*~+FSxAL|lV^DrMc5KpNv9GYEDtTUsS!1AuM8?l?rhrFh zHPOK7A8|9?(E!9Pa3Zzw&?Mikc5tt5h8dTE*L+wBzj5gGa~uF%okH>|C`V+bmuIhvGzf8n&# z6h(c6#ljfzg~+7G44O-mJ|ZD88aqRa`6$sGf<%?*r5I76c>BK)r+PPl1(hatZ|Vy~ zFN6(EiPR@T#rwK$zau^p6GMyCLh@E4zk8wIlE!5CQ{sZ9nT6C1T;PfIbV%s%9*`aT zm1a5j8sORL2k2SP10D+7gx>>xXY0HJ9@hc)LH3sb!(X4m`CHO0fbzy|Fk+DS(z^9V 
z=6ItzG)Rj{p%GUR{Kz!M?ffwKAT1$UDVef06Y$GMzm}H${L&e$9xhn-9BO}!`Q50% z5vZLrUd|h5jn=dTc>V$_sAG3=g~Kih$GhIC$F8x3&%61aqO9Z%t~!ktmmXb$jvVt4 zv461C@I}Vw_EV1^kD&0IlM57*(hpNhTRJ{=b3WpU37R$(A7?N@;YV@}$OXyr@jG>n6AGD?lc__K1UZGC-X95;ZI1C33 zIbpRFirK&?H>9?rkgJ#HG|Qr8M&5FpJ__}Yfiv~#&yZW-@C-4=jkag6SwdWQ7X?rVRvn{xSulbgNUm^Q?SHjk<4zD=0NafMp zlqZ&*QJPfi(CPhXKHo~IVXcJDxJ~OY&XvKR9n4@A2U2|j_V%KKe|Sj0UH6x7bfK?G zPRSJ+<7r_^(}18&w#dVN&6;uA7LkT_so|ImnyL-mDwqj9q2QC}>-FO!brX!r3q(G- zWK=KlvD=$?u~M#9T&E*5vlff?FibBIbM0=NG?$&^qFilAf*ijso1xKB^r+vUSGplo z<##Y1rT{;yx=EHap{D5c)VgMZyz%f65!|4=uRf~(H#mNiE#p$O1vtHlBseHcq5MNt z-p~&lu4lX&)6i1EYKGwGS9(Z1=H)7ynn94BF2d9wR8H0QDhDO7tzjf5(FX&FBFW+J zFX&QZAP?=E4!0R8G#@yUZO@DW$~+pzqe(nGul=#mJ-^@(OLHo9=+0hb;o!MiE(ogK zN?d}>=vdr2AKK&2D)`FZ&fpNG4CSiA|1T86@DB>H5%r2<Bjq$G5{udEUCN77@#nFhYU3E$#TH zM=4z~Of!X?K$2i(Z>%bA#gvas@JN!26? zKT_MdL^BE4q!B9!M%Ocj4>oK?PMt*YlqaX@lP2$DI0y#4gW}-mh3Yt>Sk|5eBa_HZ ze4Q~*pCY6iqCslL)eY#}^N6*}z-+B`Z6+z&{`e-%UEW>}4r$tu&0 zxKqkDd`Q&l0{E2xGu^sO{e$q{J7E-$nofv%2Y{{>f3-=#)~4+~KzNj0X_MOT_&dz! z6O$o35M^^BfR3!_iumbu3ejv6`7LBX|J@O)!iPY-$E-tj!@s&U_efa`~kD2E?I1M$23oE4npE-ZzN3dx(YpgUV$MpVy0o#hA>|*NQ{* zG;<5o`_A4Ud8o8?y+0^j3?MCWlZkq(lt^>LW@hAT7l*0=eswEDN`aYmHwm@x}vK8_^h zR+?4N#WI1jJJciXr+S?469zs?>b9F0o1`I`5AkQgtoIJ_xQH%1LHM31@BGinVwnaM z32}_YC~Vb4bVdUqjM*+>Jv3AVW$(wal#ya9haJ&%ApTBE4mg;COhGUyGc1C^^;2WQ$YTXc6x5aNWR`gcg#RyY5}W$cr3P^ z;inIxWin(lM}c`H^PF_|lcriKn*nP&pbA6DDhra7s%@k{cr`7|;%DGwJQbvy*^S&5 zH|qTSuX=47jM}!VEzn9Ovww-11Qn2&O;-O$%x2U^xUaKD0Hvh|xj6v58vt;KSQ4P; z^!M#HkXY^Y$khrNI|)%}O!|M+6=@LL>(W{@;*vh5PcUe3Xh-L6Cs z8M)Pt0&&r=CIPLlRDb}Po)aFtv5iJ(>#fZ|f`Lj^HnI_E+TB8eBUFazOY!%)AbhP? 
z%KECKJ*~Q9C;)738n6QPr?(vBfSafFeNQbb;M`Q{2u{fx@b6b9w*g&OTR&C5${p%j z0RD-V;xO9w^D7oIhWT=3)s8&)mml)s6N_|*Yq6mTEZKT9?X@|9T(^HDlCr|X&Wai z(|Ln`u}nqlG|*UX1j-;hewX)NvP7zNY?U{jH$wWBT*Ro>X2%KLb(K!*Kt0uWyxl5) zxV231@O$#rv*gIAb>eN2hQ4r+t0$TPS&`EH{H`JUAhB#woIGtOOfzC}vM0Worv&@W%Vk#e61~IS52mBl91k}j0#rPsw zA{uc*bfVB)q$u?Aquz~65AYPUZW39GkM{=Y4#pIACWi5Lt#3pX#U$iC{LYovd{9Yo z%IOM??G{+<26cWH4S#jY#=t<<;vnND%#z((@JS0m=W5|we8%sJ(pGYERBdxa$FQb= zu!+guxs)OeZ(~ogWVt7WMxxr1Ss?7N6SX4QOFqjp*`b20)QFe*)u3JXOfEcaHVFIg zabe>hiours2Uiso+f)@Td&%&fZ2GOGa$Kfzh~+@b6-d{>nZ72xKUjGcG)dKhF~#!- zcQu@260i>!H8hrCI!i;tHVIEQ$m|u>O+^*a(mF0RnvC|$Ca$8J zhRAp6_e^^p-<$AZ>zS=F2(ZR}a;U=rnAdFwEX)HUyu9$XIp-fubatd%N=XO18T5U~ zQIj#5WPBLPk!#3I6w~J^S4>r)6Ex@8zGrYIg`?$fbI`-zsc_u=ddDC`zGFhQFEe8g zR5b%p*T_Zs_1mY`1V1oXN8u0x(#XA?^~jqIYoqV%bV;2uUqp{ed=y;?&X(}H!0dnJ}R zKUzfS%c|_$^vgAq?|M&-3aWtM7@;OsSN=m#_+LTMPF>6TDz2ozJ=DMF6ht)JmXk6z;;o}Tu9W5Z67{rrOB3Slg zly~PRQbzB-q10C0q$VD%qZp}VB1b}1JH7t58N+CZMb`VXGBS* z0t+a5FQmvjFh;;l$(uyGIy;+<5prQoxH^RD!uhWgkbq-!k!rd(Ik|eN8NdSw=E~0c z<)>i9*W_X6DzWqA7RRK#wneAvWg%oK{Yp};Ufzmhx-yTzJ2hr>Hqf8dKS+MelS>D4 z<^bACpFn3?o!r{}0{4a<09Ps?*mFP;j}>tJH0^K>xFwlEj{!VSCGJw=z0|?}^(5=J zN9iqpT$}^AOM&W%06IE8ivZjIGQC^TJg%>8ynVo$+JywunE-i>*yfj^CB{Es*3+}x z@By%S)%p$)%|o2xZixe1Wq{kk`#i*xJoCj0db`>i?EKy919!sJxz$Q&;275}wC&;5 z1qU5ua)^zpq*zFZjIU8^m7sQ}-?ZwgaP-SMu>MkPvF`E>#F$g^8imBJ1B0a6+pqqT ze;9hb+t#lh4Gb@lOF|95=#*Bl@&ZDQEve9*i0x}Zu?GiW`m9g~L?lFe+Du;y5ud5@ zAfM=zWS!MKf9)DD0i;s9bNubDVzQ`;DOP7~cOyz8?>-vfk>lw@0yGsHW5GM#q&#r2 z=!<5!p(^!rnPH9sPTX@b8g z>wR_t03QzcyUuh7SUbP`{VGg!u#3vJEVr_vv~(R&hHY{-8MW>pZ{h)X3I(+iYqLl9 zrHU?sIwbB@iyR(3@rUovu9@&>tMJ^+C740=s=Mq!F-$$BHQo4R`#Ofsp;Uge8^=My zmbaLx+00&*?hI9);(|Z+@4IMHs+IYtZuaQ80RDs(4K zaml7Gf`q64Ak|HY&>WS4-Roq}OOnBGs8T-7-Vt39S-T!f=4`yqE{}(!%EJXwr;x@8 zv~QnpzJS@&cjoY@k}~=6BQ(2k_Fe?xsw?Jm(*=92!v%YN$KMuyYej0uw-)tf9Q0*5 z^Zv{nV#oKO{OSV`cnf&i!q^8qcdUOdf4z(5y~hB`tIL2d?Atz|Vqkq3;9GbLSd{s( z_!6K#t&0M#Jmh|g6KHPIKm%noH0y`X3X&0NT#hu?lwhoRG1-bSporgQ_!O`XxZ8dB 
zI2jnj#|%T204nZh{p1LhYF#LOb7X77{WKdd^9l)aY>cQAe!wRV|k^#KPY?LZr4 zqcvRT+!Sc#rQe8Q>tp%_H(SUXeOK4mv4}f_n67qEETFb?N^PrcMIVRRZJ;It>P};8 zS|D{>-mosC&QNM5#-HbgA*P?l?AO~T5k2ieum(XSk9}1nkJ7k8`o86@us%lY&;giw zrz9ct2887U)dsNR0rqqxvMD7A7)F4sHI{UrL8toWD2*Uz2jwP`N97U~g4a1O4=ie! z_J5tRu0$gXi6*0pv2iSm7N9e>WyZYHI`!Kfq;8sN)?6yf?v~8+=}u}7n%NHPDPUQby^g_Aj+Tei+q6x?+bKU`N|Ju!>( zMFE&o2MAWzi?j@>OBP^nw0Mz`!$%B$UYB_a0pSl!Q3pcEBcA^cHw{yR6Y~t+y9&w~L5) zs@G=Vr{ke;;65bq)b0_-^4a^Qfs}UEhx}KLowDOnjplqgXjh$G?c^_NR8b_+ zTFytbWU+0u;cu?UV8C;gVyk8(VB3-wRObxf+Aje@g^xyVXy| zv$a&M1Jecd>me;QLMw><-3Q)q4E(U;NJTT0&z25aMg0$I#aa;7gp?iC;b$p+aEj)P z9L&!ay*G|-gvU~BUK~)2CVGVPrRly3w2Ktds!EU16S`{q^lrdS=0x1*Is|dt-f6`N z7|nrXMx*Kmvt&K-$$nDEnv220iSn9OCY2H&-~1Y?S{!g@mvf+0r}Sq^;?6@!m+GaF zur^r#@Ru-6*z-E3m8U3JvQ&Y-Wt2Y<|CV`qpPGMo05C84`p9AiJbS!#nS5O5<{IDw zfd5C~cYtD;iyEgbxZ@h9FTK!v8mYo#7v>D{T5$uhU;8bRWI0D{IsQ?8+wCyL6ZOSG z-@L6rNXH8&1}DOJ;p9>Pcw(t~fs&%dfZvq{na)s4`~^nL2M)xv|=)ggvm zm$mMhwW>BE*D5-BO&0ytGMZ(n}gLEGLW{~#s_kd}3A7a69i1qOByG31VZGbP_#k9hp)Tbrg1 ziqpv|hRk-4vNPPx9+f|5;TTKT&D8EVRVdruDBVE=vc90NqceN&!bBoWBBTwLRgmDh z0YC)c+4?^8LhS2n|1ksYy%-~iGs4q){Uc-QU4OD&7dmgLOYPuA`23u|6yMf$T?NV_ z%eF&6zSPB*+E6G^kQ*eq67FXFcTqxJi+U^iL7nFSMBpT?hW?<&Gr-f;C^06Zu$svT zF+%bQx^ZFEH3>Xr<3=P>``!8D{`Hj>9z1ggltm^vI;JqVx`M+e!=R#fdACzpXWUg; z)8HVh@)VgNrO2*3hn*T+b&@-UnHNqn8Quw8END(wyEQZcO<8kI-6pS)AytGj-J6IU zvm~~r0;SH+>nw?up{&gr%q#9M*;}IeRk^nc0^My*uNIE#CBI^7_yI*z++3@8n>rF{ z0(2HJ=F$BL8lf_l#E@QkBOm6uM(TGorp+xRSz&aZ?}Y_Um3gETU(nQsPr|u?4@pF? 
zB0|nP5RN64pm7x`JKS9{YyW8kOHtRw(+l^EUo}z{70|&z)lZ;=K~(c^5S`3`{|D>> zx<=jlB~}1$RDXhsL}TE=U!j6fLVrd^Dl|%`SR}v5214q&#o~El*}w{D+Te^;F>yNw zCTNOimB?@eFn)&lH*I@Hp^{_{-I#+v6-WxC(Y8ZOEBAeAWo0BE7)>KGa4Y8-RYzQ$ zuk#oGhwo<<(;R$s8gN&EY{R`ZXJK=>_%Gs`i_k`b;8*Ae2U^2)w7Zs{bIm8*+!(A<3XOg}#(1z5H^Kp}sEVO{p9SUrq1>_nrvE6n*4PrnP36U)UFgi^?rL!cvfgt)XLekEp@mRpvQ;lyKs;#)yoaZy6dY>FfNqdLxg9} z&kVySjpEVQ^j1G@JZkFOEdAiTnrhU~Y~8Aqt62<#glD`K+s8~N=XUhh$k3^PKbDCe z!;MM~my4ObQ}5OB(5B_Q{Ig=X(b^7|w&_Q@cU&~kQUttaX>oCGc3_gH^~{b5PiXk7 zsa>pS<$BsTJPiSvNX#rPgP|PW(Z*$=H_D|-D@;RaBZ{r&t`0IEGb!0gQx50b!Bn|26-sX&C%>3C%%)^kss1xv8#)FkZtr|+GN>(^A z8nzLv%&UGl=Oxt^Y|GKbB|*C8UT2Uz_D+@2H7p#it){sUpD*I>GpJOD%(V)&{*3)p5^$5=7&^DEfd_F!xaZJ4u3uh-t&65oA`#qQN<^vIVk zXlf4Qslu2cG0f8a3`i!j3?o8y{5TniHUY-0fQ)5mdOQI44&W15j7qn*0;Lk+(PFfw z*s7Vhb$4mu;$`X`Bo~k$ptqejKH%QFX=Gj++oYlazwmQYv}2)mC|u@fTT|vwyeuxw zorV8Ma_J(*_PGH<_%mNZ5H~GB$mO})CQUS=qzdJyt2u@>)pT0+YCkH5vpXh9h<{T2 zP@6INs>92sJ(`p|fxtQpSi9_@y#ZWaa@&7pKzl#j2do7)N(mJRb0eH*S&rwXptqPm zY2?Jk-?1M*R>RwxKAMPRJNZnv{|`Qvt;?83LrDGTwW;0z7azxY9$pHQJ3jHfIVvR* zd+oEx&gQNI<@t_|uFc>t&$^Z2fFGHb;5lMq%4jAcWWCfml*y0-i}(7>1R*$l*iNza z_I82yQ4yeurc`fW0;1i>Cs0SVjRrhhV6b&yEcpWy%b>V4gxVlu{Kzct5@Nk0CW9|zVeEJsgd3b{Vbh9lJ@tMX< zwU6{k-m_=DItGeZ=$bTabnpuE|0i3H$UIQHL>l`t1rr)DMSc0jC);j*0lfYIu3l!5 zHaMFbNWOeM9qSSSb*<~$_K(6q-_q(|-!iLtrK$Du>bj09bkJ+|)T?iG7#;bQse_$Z z%rlm+sD5Z%$ABj~8N}sw4`9M}KZi_Cj0PW|U>wZVXDF19?vh260i<5DL2DVGqhCx+5OjU+lR<0w;ce;*>3+Hj@Ulh_>pgZL~vG zHIbWCK_A4NFwiVcL8NAlPd|%E;>GA*CCG1p*wfxgqWc(gu#F%QmV!i-;*jGLEX)i3 z<8J2unw5S0=GTsd(ld%_D$CqBmYF^XjH-Mu3MPIl;{M}#elf_9Q!G@SVMxz}iaU8k zw6nF1^w^8^!0IZ<$ZU$kShzEI=0N~B63_wNJ^g<)0TA2>G3*u<@JM9XxWnh;cRjr*rWkoH(Rm}5X#9I4 z7E2qWZ6Z-i&0M){`H3-J&E?ah(wcA>`}N(>EbJ|5e~DiYuFHf-D^~DC^gRp1z@o+ifib?jE{jZx330RbW0(tF{>pNBuChaMkj61Lg zMYOVLGm_QDnv;#_VcMRJrvKEE42&qVr{# z(mF;#NU(cI(B}J5UqwpW%4T;~C~5bkD$e2zu~lX@41Xc0U@23%caZ;Y0d~dvKLOSQ z<$nZNc#Z!ASg85`5nwI;6JU{T{uN-M$+wwCqU?WcY7ynIJ7j{c@_4~mx*rHy zJDVK(IyUb_XI%YcAp;@r4@~bDwKDy|!51}Z9n1m;iw_{zA)pzOfl!^~g4hZ2qp<~= 
zvY>L&-&~E#E3QMTzkOGU;w>zEpr&3Dv(S{O2;LEEh9NjNYWp?2VAOj{z*G6t-uX=e zbTdIpKl=oZ_h{!YhVBZ1A6M9QN1M6L)j2wZKbtevXj}b$*6aIa`dB3D!!{|9jiQu7 ztPhPNLk(Lkq2qM?!W|QS0B+)$y)uZ0)-CslS8Q zNGWYfPfJzkL12W~h>OD625Iukp%p(f^$eICMrV!}y!V)ppIyP&l?v0g6pp6Sz9G{S z88|{*SIjwkj~g%xaesrYSLM|3t~&fXLR9r*GN3k;q@(edw@U4AA9f55n!ox5-;>}H z1yC4je1$~i*A&fR+X;&3f0L{V?gJyoVml~xl~zS^JH6icir0a(m>FqyC#cK92jAwqeRwM7F6TIX-vZed+NUzjr+JPX-ym z{ND_6yVRJ3^M_!yDJ92t*pv4p91}9^<@-OZSRvM;w6)}LexlL2_m>!AhcHeWuOjMl&Tq@d9PL5_fqq#L5s+>$FLq6m0UOon&MF z=Aq+aTY2D8G7;fm8C5ORo1G6!@=4&*)-X zJOc~P=3#Y1%!DqxbxQ>$!O#3V`ddzxK*^_`j`dBl&u#0=0HPySu0V6flJmWcAkaYN z7;{u=ZT~#~AZwu_)SEdRKKA+m9|(vwWmhP}&LIKQ8x+*l;>LtON>IG85P}`g-}U5T z{dl0f&`P`I!pa~Z=P=qxBs3|&^PPT@gM88u+{2suvmPJWC4ae4tlj-aByl1NM19Dz zW%b;;97STPLa4^cYsna@ECfEps&2=X{P8G!_pAk(PEfdYGe!|q=i=W2inTujk!^cUL~l z-AvzR%S2mawbSd6KPJFUgrfvKXD`fwS@Q>Z4UxtnQ~aWw zp)~}svftUEmceNm#y&zzELwk!Ds`j6&K1R>FYIGRH!V-C4)j46#)AqI`RQF5ATgct$zKYg4S>)`IwFmD0?S9kW*`Hum zOBZ|vj|MZY7KE0&YHj4^7k;}uET7ds``B?s8?v^jn|n|SHtT=+E0Q3A2U0xFflXqT z;Gh<7<36InTCumDUOynYjQ7iC+~lJag+>>r5^XRE`z93gdM zO3V|3KBy>`L-B#!M{N%668Gm#l(l5B-g%3%K$$6dONJc(Z4^SoB@5j}b zb+UuAZ+L040e=J2W4=qP*Gvj6Hk&*!upVWd)pex#3_pqfe>gj*=*YsZTgSF-I~{k& z?4V=YPKO;k9ox3uv2Ckk+ja$Ys=xF92VRt6jD0-D}M?=d;R|S?Qz;px_+w z+;_16Id5ixd65`2a^9<#u7{!B?|+zuE|?Osabsrms7|m0mSY8p2Oe2K*);vclAOJK zqdDbYznQ7rmIw23N5YU0q|v+3-5-gEKXHB80l@}81AE@VrUi+Kh;p*+0&TAP;auC- z{T85Qn(@00#SfH0A*vr*sEVTg2slQt!=oR2dB5MQ1+MrP_T`V%R;AHs7WAdQ99G=V z>|(o&3Xu8{z_xdkip3d$5>j|Jn46}YPq?&Q)CDG$hz|I_)kD1C@a1a;y)gC>c66k# ztYn;Q4CGNMN2lzolMl7EYLX9S>a+R_dbAv`*dP6VJoH429mrgPMZWjAJ|lpFbz9R{ z`jtSRuu@^zQ&mz#N{3%-X3B9{)~)D~ikvUtoigrh1h{F}FS4jX7umQ@Z!~q+nwEUU z*xKrnYh^NuZCXg8+KnnRD2T9p?Nbzq+)?5+AyN9h2q|Q1V6EgPlKpb80PQ$czCTq+ zJpD6Y6ioHTq&f|W)j52KP{fL?f3_Afa^tc*yhcZ$DflJcEz(2$X4UiN})>+!dBZZIz~=^k_&#a8Q32XDeUG9=t6{;OT`B+bs>{ zzpykoqH2eG_~#Zt6bK9p&6vFR+ub7P9<3fuTH7v4V2yyp=9%2`yKYVSg8~{RHRewu zJZnLkAVv(ZG)BUIDgwiC!J^wJ!_5*j2KXo4uVqy7~SOE!v@CLlfK$ex(L3FRcxwE8f-<)-+9R)4{J12WWZMRLMYN3w%OQl~>& 
zyQTwS`3GqDK+j;fmP(D)Ykhm%Yj|I-4Qs(H;uX)NhF3N4K%TpsQF}S2CWz^Dh)Ot~5p1a8G|KVVJ?{O=VY}SN7ul;%wXYg3VO66+RO_{q zg=pAv(O{PQ+$X4}yy`TS+*)#OM4M4y`b2?ev6LCo$-xSgTd@ea$>6m_--@&-SV1%< zooj26N$dffY@*8Qfps5NFl%(7)@Zj$Xv0)i%kHWL5VMXR#rn>A10}zd6fA&ot<4Et$yS}bswVLr1>t(m#F6RjhG0cu!d-jVIX8+Hv(4Il z@@pZo5Izlu0^=BdEwqWi1CL)9X^(&2iwA1v4O#Jn%Df~?Mu{0`JhD+WeHs?5ETNa} zQ`4H|hDc>A!HIg|N_|ID{kLeaEuICNL5q6gKP=39nb~hVD3`JNQFfMojZs#X`T%;z z!QlHwoPk-0Ke!$ov`MiblH`&x?i%T4sFo%1-xR&(i#x%;3E1oT8D75MmhA(bai*JG z@&Kz3b@l-0jfTU-D%N7I*PpGG7rKFfxRx56TfR!FG9P$K2)q7;VYFUkbdI zRb=M>-VyoSe_$e?#+iL==uyF6X*831Op7eis9SVM zVFOx*MWHhE^=eKzzWNv7I3{bqryaQHHTs@Av;9TvbU%S!FgMt4c>nO;cELa};31Xy z-X?uJK?|F7&iGcEP>&aFz_#Qh)xs~QAluS3PhmnJ{9e@xg&?c+?5ygXA6kl%^(aEKcLIZ=1z;tDz}PCMta|5Lu@lTImGu>%uo!Cnbh`m z=j-J&pIN89pk~w3X>Mtr;2_&g1N^_+>Hyu=0p^bh0eDx9j364pIj&#&NF9Yfo*5T4 zoDYod7Cex1^&Kgj)uEeuyr?tBD-@-ESJTJMsmIQ2E{L9KYnWxEe0NKe8@Af?8r!pH z?U3t7_lG%+9I~x{K>Bx34rgxVuM=t6S^Xkho$S@m3X@-`1b;y%1hVx6Xx9T=aJ*1A ziB4?u$Zi>=S;|cP2_U7DN6_7WD8Tsj?ZdBnzSD+6tgo$r^Yhx-X5zv>4d)E zn=FwKB3BNi(BC6lz2UDC{;UaN2s5xg)7LIE*m+lDMWr}S6Jk0fo}{I7XW6&N_e(&_ zTrNQqp&#F-p=hAoIN1wK{#%qIUO#c|*zC$CezI>_XZ~E@yuAFBvOk`ho_2Nfa`UT!i(mzAqfGmsQ?L9PAvyiiL*z3+^7#$);cm!uBj4{pgCF@D zADIm00v?DXWVGKD&1$mWB=8$|*d`OI?iSz|jeJ8W*GV_DbFxX!eZd?4DUQN!J0tOD zV1jxscP5^5@fsK#`gR?IdfD6MOo;ddoPOHUHv(Q?{pz^<^b50qv~2i^=l7bG4fK3! 
z-u(E$PS(E3TeuCZi>4*H)1&!|n*U9bSZT%BjG2{4LK>_s4B*F}{(2G`j~X7_Q^F>a zxx<>ZKs3{T8OuL+6EK0rVd-2e*f)fxba zpy@(PINd)8-u0TVB~b({i^_?q_eqgWOdyHGSgB?al>(9XVc1R|VTfR6@B5Hnl3sR( zTftMzwETgTLVun|=AdA}UHU%Re(lNQ$%abJa&H~}EJ z&`*?QFVNoNps*4}8tn{f7Lod}qS)B`w@^WCd1@Y5Fcjf%Eq(~(%}A_}oR@2lgFVQg!vB4>?7>Y-fx_N_` z#x70g*9GpEc0{@Z^XD~5_6$Z`Y~1u@X4(9(Z-z*B`)9huB8*?;?>$T51T4Gs3r-Uh z!Auqe3K!_06{*!PoPOJ1B1?swdz)mAQcermUCfXC%i){l#+Rl7R@qzRM0MW0yYM`H zSvX)DQx5ZfyHmCo$9ufJF<*WJ5*MS$U-D_jTsM2mxm$YSufgsQPZtpW>ih{9-}7l=~vjAQo^XG6#~#ld8hr&#W6>VwWu zN`U1@g6k9}-|-aKc_9%1xtYLE;t_(y6+2#!ydRh(rJN%$>^U2F8^PHM)7;jeVBrgd z>94#|{4v>$#c)Y{WD~G34g`X$Z5w(z!Uhr$eyeZ-k{pa}T?|jzw6Smr}Pu}5GGG%j#w{B z&o2)3bdnd52tFE$`f#zOlbK5>DM$nf0@7?33&<*>{fI{tb&>dT1Am7;2q!FrF!FAh z7g-DiU5BbhG8o@z!FFS}G%;lQR99S6dS8}>InaAeG&^IbW{ee9k{jXDlgafC{S&%nl&M&3pS-K%y}QG+9wW z(u^Ev+gVgU{X)ExRtB+YG!|{>Zj#>KU$C+Y2}A{>y}5vMWUzHdmm+uU5PAInBy^>3 zI}5yihKb098k@J0n+JU%1Y4+LqGQ?HM7vM!Bl85$W(+?;|A5*1`^?8gV`M@TuWYp) zYp!a@`Ol9WBT0+S_XACmd=7k3T|tq^C{}#T77QvCO|F1acaW3LK^HN+w=OS3U7^-B z10cw2ViF2HytfYK4byW^j`6IAMc&>xB#>f9HNIv6Ekq&z0v;0|WEBvF4z}YJKwB&R zy7cX1&|vL9(cW*MXzw69LV;-s4#EoIzi_X~1D8ZAlzOK=lqO?Ikor$#t!Nd7Gbze$ z9HX5HXsaLBmc#m# zc7`GpSW3~wrXdNe*G3{&-dt9>W!{LApquP9C4n^h5&P>EsY(EKA!n+scI8RI~k0( zK)CWaK+_q+N#2lJA zHiN)_uEtaL#Qq2iQ;gts2D)~FS?rcTuz%pgqn6#2s(7F4UfwGQ4_r4@w%e$5CHKLg z&u<3?1=c^*a3ctZ8vW zUE4OxGbq1oeyx7_1<8VJImzGZpcEX#6KzepeLNIS_#d>fMGKT^rkl|8p)4B#L7j&F z1ZN;oYjXCThr2#O{|FP^@uEDKBq9apl)(D(FWxNmU-4#9@&ArD9{`k0C~Lp6ai@j< zF6-?X*V;f!!EmDKv%plCWH!`B`5@G7)ra`1#Ds$EM;8RI9;{UwYhnfmWGc(?DUp2>JDCxbM1LK-N6#?|43t~h0Fx%T+E1h_f{v&aGD?~~ zlvIj$no_Q4j?!SQwB?BK?D?PE$BgqLXSt>72yTX7ry!Uk()bwE$S;UeI3#og5#bh? 
z?XS}RfjI`ofMAXdymz9;gha#mu<_R#(B4FC+a_((cH1@7NWNE>rbRK5a_0gJ4d2P1TS+~LBvx!}esX5Q){8fEkBds*SS3~0+{v}PP8*o+ zlG$fT66zAi$=T*;KMIuWWZFjLHE5)e(SV1tutKna_k=Vz*Fia$w5pjHeP!hvHg~QA z4c%+`X-h4JjD?1+5<8;k`ZpvPaX9Qd$;7UEr;1$VQ&M9v{5y#CGsh{r_v-repQjaC zDdo(wmYqIXVgME_LAdBr)jkeF7?h#U(UCBXX@|uvmT1E)cXE92``Q%%BRAr#d&dM* zef!MXo{D+$Pb`mOX!cyKIyrZG8n(YvER4oWPZGq|pIT)teaH(^!m!}?z_i|X6G;P*BT#!jq86LPg&amUI z;1VKxKz*4NNJvo8W!fyA*eQ_U|EA2uB=mDX|B0WGZm^b(Gl>x zeZ@W*%RkoUqF7tUW(sHD1NA3e-6vAm{&sgyKix9=kYE`UOno)X|8liT!sO321lxcf zCqc+OL^p<&WXq}B%UQ@3l(aWkAe6Z$_45|E37ugVa9uL1AyDvJW*G;tzOFN%%%55I zFzGpxRP{~_t=J{68v94$g%PmH*R@leauo$8*uo)1t<<{+)%j3s`Gg)_v_}TY(9iU! zSj}HnOMJ7uMfsu&9f!y{p`-tE)OQtV2b>6901*IbEp~1WcuJ7+MIqcXUM4<~GbgsO(I)?I# zdl_=QAWU>9Rv@v!5wbJxV3NmQ<2vnr31m8^F#rEG9T!$YyfeaF2yqauD97TVq;LZm z*rvy=Q{v=x3wiGfZ!ehS(Oggq&=R3M$@_Yr*~)c@>QjQXxF*KVxmH~tqw9(PJ5i6S z(>dCu-x>b`LRCtDCnm4hzq%FIYlCVqtM^A9HgPD33lQ^jA!mxy#W+m{SvtxunM%YX zo=1&A4fe_@uwQ{ZWN?7em3ioYqbl?FqsnIre=krU>D}l%(y8gnWR6pAt08&8JZW$y ziq&?h9M^#I^bjW_i6zcxk}L`BzZ@fn$CI{?t2LI|Fky~u^KsTSw$G|@$64oG&$k|- za`*tGzIp_CH#J9w_m4tdm)Y3`pT|=_?Q0i-{DXySeto>dZIQqZTR>&kyA3Krpmi_U zE}lB^{EAK7f{RGUvw}iT)&(gkf>*gR=H0B71}{IORJM5lcnS&}8ugA^TYbTo?Mc67 zDp8tFy2A@^13UGXtK}#2{KS`p>D}c=N5$h^-A&j1HRn0{*6QPCtcZ?w@3Bx69&Ff@ zd3jT{)cJ2fF2o~kB-{nQ%hTBLB>#uAw-ymcansTV_ix7ie3qKV5-xx! 
zDGAqUcR`AMLRsDKsTog~3{fgC=|E%G!=?>9wLQpLZo8uQz^DR)m*cY@d!nop{b`}x zm?L?LBDjE)VA@Je&TALYijmM;=1s4+C~k#5DNqitlG0A`RS>Y0<>p^SbT@v5tLBvq z?jc+31lNW>ARJz;G|V+9;^lU}wwwm}}0+gUSx>cKTsjxb!Vn|w?g7yw}=Y6Mf_OjwZc-IO8I!sP6BAwX5 z>e``kzbZ*0(=N(pz?@-O0HO5NOfm+I$3!Tk&Z#ul@TdNaQ{Ygca<~1Q($00N zZSFu#he|pJ3S!)(ed`j3JmY@(iirB`?M83Ce%h=YCt`;R<$$$_$5~aJbY+?y{3Wiq zrcJP@M71+0y^q!WhbawuhaOSiTt?KI8()Z5!iK$e(r1K*N7Nl1aEJa1HRk41qG}V#KlDnJnx@ z^Jwd79rs65Yn=_Vh^sa~p76`oE%Ei1!kq*}SVYQ+mXe!yh>z>Wu#S{4DgPl5_q>0B zBf2}9v0Q-|h@ebQdU-*zNCN{yOn18x^;T?kUeB?`^v4WU$hjk=z9DdZdv%><4fy0~ z_g)K1YQx9N^C>$)TepbyKQ1GVyizM=JKr$yNN(@x%@%pS=gbT#{(x0)qppB#noLHo zbeh&3YFLn6#HRHzXg`9=do^C%*uZubb&I>pY$R^0V9f%S;1`sc;kiigDd1sxB<9bRAlLVP0q*vh=j2F*nWIj(8cWgs4{$m|#Ot>z zp5L2R(R1&%pkgF*DF1%g3M6dIQ-G2=Sb{EUj_vl9+i`mEVTO*$LS16w`3-pg%Pk8Bk`?1;0O17Y2K+n~`cG_oQ z%@1Tf)URT)cpGc>N1~JK3Dfe8vP z%L)xQg^G9|GidUCmO4q$=x#laqzx2Gh!j*5C_$V(z*dV69!k?aJDsc_w7$1*HU+R( zo|a&|$6w39N?)qMUJ^! zq>d6Qz#$?$dV4&5&GmRUNQ>NjMR7m}f~G*PJ!>yQs1KI6J%@8Y1xbH4dg-A4;j4ld z;`te+VKLxt^{Hb41^tnKMKm~&5A=K5>iP%wC;c?Yg%E2gbsZ_7GEkW+vQX8L-h5G) zm0wRZNEMBb8_b}<4{R)yzVm%@+m(bM`>s@fF<9QJEmhzj{RYAq-tZp>K(e0BDO)LH zP0ugkAKCV4tz2wK1s68o0US>!v?C4vjvIAY*O%|Llyqp$$7qUJ-nJ`(|E+vlQ}jK) zaAs_JRC%RO2Mz^w_E#qjT?Tl3Zg(x^*MDwXkyOn9`Nt{W{O*sJ5icO$orlakLn_q* zQ68QfAsm$Q52#TcTsC9o=**_w=BWK z{hq}Q0mToYj?j*`^IIU^3=CKOQsc~`WiCfa6-A(hB*C-8-)V$zn-!zkm1wg*e757L zGGOlxrijARZ{xg1sWcU2_{#AZ{J8O*ov(?9hv0Aozkl=5iAwiBljo4pn_2R%jZZgZ z-)hpY#f(!_Qma5lviT^8${M{Mjr?uG+Ul18FWj{LNqAw}HRpSO+)Tc~$F^2&SNQJT zGq+`*P_Iz{*l(MPnLB1wI$W0BzqtompRzx4UhQaw(d!de+FTZ-i# z9*D7b;UQ;=U0yB(!JL%byy?_3E+jQ@d2vjD(o-?-fH;>`htW`}jD`M2>Ap^}CN(oW zT436;It0j1TQ3UfAG9QVn>za2tNn{WoCEMN$t7qmTL2TZ)lOG0Uw{4R`dxIM-Ye1o>J)o==#TZ zX6c%=XHDtcf_+8VC_wV9#iC)AI3`m`zml8G)U5H<4*yIo75}fsR5;eLQvFt__5y8j z#!?-u1YQ0nhNSqNeN3krffq^u5N|dayB)dRsD%RK#pA8#TWAH)-tXGb=kr{N#LCaD z)V!RfF(Z-BaxIB2r~F+01mfhIX?*nPMIZg-o_2TC{evfLx(tXb;}mSv(mW zw;a|y1oDQIm~IXnVZ&U@!_?me3@*6f#k=d?xg?jEQLNit6*~eNI>?+9JJb~-#pkOR zMUL-^ToaLuv<{lYRb|EqL4YrN 
ziL{2`q|A#Ua%GB%`TJKud~4Nc9_Ab9>E=YFc=bP_CbZ?*M3cUbj;G06># zd}YcO7354ts23L)r~Wnf%8*LR!ISy*-|>}YHSxCnjyxLGv{f^iFtbSpocP%$dI_rQ zJBg~r_uc?{9@2D!{azDwq3l!}byw%zL~Z(s4rgm3cbrls>9c;8@(d`}9}A~!66i1e zPXwL8nqOot;MLWP{P*;2CD_?<`r)4T$g1r8ue@vsJpVM4QyAFCaT}qZXn+Js%ljF8 zSqOKNyzn~YsP<@}ygd;QL^RpK`B%J=2FdoTpR=#+0mh83moR*bfi!5t$on(eDd2NB z?pY16T#sbpgx+AUa^CRA+)l$YJ}6X%MtSH8VoP6WGRkUQZ@!(n{5I6)pA3k~a6$O} za5vM%ttEsC#Hs=|=m-bFKZxRybD*UDf}Yd?l3p>sD14hbS_8iE&V-^yU-wmiv%?hg zIPhf43BGy7(ufoYuxg}10-F=vt0wbJ6yqaB zmkPHJ3euD8`YS6*`7FS8Cdnt%nOqW(`oM9+QpfLhu(wKqBn>J@?c-!hN2p?Gv;xS{W>9S<)HfCbzJ| zTVkbruW|sSU&@5ZDFZqE+1XO?)K;EM-KfhXG&9tE1!DI`)LKchRj>{c9-ur|z7#ko zMp35L;wI{=>0ZcikR-U9G*#DQTC{9ITRpXYb2l-GDdh5r5Ct_(*q*=C0RdW%D+?8^10 z^*g>57V-zeG!#M+Q%Vhw9|tgov5)B31;FFbY&aCo6q4ulnbC^)r!5vF6Xm;!xQIPO zLz+xH=0SEE>gtzzl!$ru-4oK(e-Pop%q;UX`xS+Zkn3&-TqjTD88g7Jak4|#S!t)6 zb3BySZPb}qipt`WCd+c|q))Uy=n74j)RsSfu0-b%=N5nQU^(jnZV4v(U9|y&XL^2> zz^p(m3_@lu3=$TBvUS4J&nLu^l{WjQ0mTFs>#A2pz)K4CdrR7`UDyyW0a=mSYZ@eGqEYbh8p6ynNAn=>CN#V_YG)C$J%jSj3yQIS)hK z8ZMAjvyK{cB5cGn&$AqDTa?@EZ!p68%x343sBAhpSTbW7ae|x{p=#FgSU5 zaUmAe1>ld}bAeTmm0C5`Q3?K89Uzh+l=HD4?cs#jfJm?+JDJ#Xk1# zWHjD+aCCz8{AvLFh9}3PLF75fLN6by(rE*Ju|8~uWxmc{3ghxgtmX)82aqI{vJy1(i(cm&F~;lWJ5wb^V9wkSH|5fA%J4o6VYQ zBpMw_oUXXWz1(`BcgeG;(vWxLCmgow3yRoqLZ4&U8N!txqg@L6SRebwFmE`8kii35 z3Ys#_j!(QDTpU054i592J-(pDev$4QYA{>d_kE=lrxEI=z%Fk+oxgW5{?_D*6V5^+ z!kAb9W-!KuN$m@(N7;#I$(1?vZhsu$hYjWEIiqb2GFjEz*6977Xjb-x3P#;N{HjeP zzJy2Ofg@^;2i?NLjbH?Y^a@q@EA-4EEUJ3wHx&89Zrpb=Mk*qqXy#29^cTz`MtU75 zqZhL>@5*R@?(Ujk?DOx?qK6EBno1+Hm@9`qxA5A1A%7&b{L=BbRXTkpc%&;VWPmTH zMvHA*1pjuFas^KY?}h_4U1-zOCI^8Di8w@n`BBmusl{imKQmz(>Ny;=7T(eJ%g* z9km^4t4YT7o~S_jC|Wj=RE!U7T-jf)X(1J%Nd~gsNk#V@%bli;AEEJ`(eYVn9p%z-(9Oix*@J+nxI zil3)he}2WM;vK^07W*_}yjewHfl$VR3Rjr*^oMN;@sS&#F_^o-)F-jTmck376sL(p zQi*NovaxBN`!8$1E$eq8ju5&lKnn}Wm~WM(y$NO-9Bo{;|DeWa9&Tb|hI99gNm< z`J6ERZdfBU%?%&%r+*2yPrVtJZBFA>WebmvVcyymK7!FUo*5FOT!HOmULy2o15(e7 zU79qeY4K0i{1f*AT^pe2v@TvF(|jkJ4vkGy6hN06j8)hhs&N;l$g%Rp3>lT 
zg2A|XHl>i4tE1r?t49zbkibFpGiB=LCd4FHi?JaJ6!z5=$jIAQekWn z@zqUO^6dWY#kS%d?!9UNcifmn z6@K*fR-zZ$sT%sTH6wR+vakKCPIF1(YueM^Ltv zagqtH`c5ijwXeXnD&16B&ayGK&iZ?w4QsaAaDP2c`?OWMUH#C{o(b&N*OQU0E*pX^ z{HDzzBSbD~6#$^&!L6k)T~1msn5AUVjlY!Fn0S}V<@*Gx-#cjBf)b!4HP1lOL#-%a z8;=-!7DnPR9Rga#Hz;cSEZ*7JIvRe;m#2fO7xU|r16xKj!4>vQRGFD5l{Zn%^jlu- zl-Tq^y@>EO-lKjJCJO7R?sqqLCxBn^|O9nQ4o@4J2T;5|r6V$BS3qORV?k=AJoJSkmX~T-^K}cPi zIG5Es+g8I-1`h!KPIAAzEQv|m_&ZI)ZKj;z_pBLjV9sw0kEC#k-{xU$>E~2t1Tq)A zvD0YPDPAaCF6uXOwnk$biVx6fh0FZ2HY6vsgOJq%;H<~b*W&0OZ5piS$K47)KYEmp zEC8Uo`1-p1xd#;mb@^Q(_Ku$j$Z_?<=ID5lLnzTx&sor~IBTZpSC31xMZ#FHM-Fr_ zTkNh@RWMgeL&;q(f2Ff_1Xu1o!b{evd-?Q1R(B$Ns@fnu#jmNp_gyPzwnTH?23Ehr zi;4b=_9MN|JCD?!q*Bul)-OH$WS=@V$A)eSLw@U<2DSfw6L4T;J((W(J>u%h1a&^7 z&1=CQ?Z%_T2nl2Jfiqb!3oXtWKqKSGCxx`m-{8{%7iO7}!`f6iLMHJkH3dOp<_|E;ISKMj)g@uGyHPAeLgjDuw8n)KZUDR*0~I zXx@2%EE?JYR?xfv))G$qgL>cKeQ_If(p~8dZ@y?oJzM&OH$|#fe5)k`mDIMf2VpTy!yZ+fkfV0&sxSX<(yu!Kyrhh_Vb;! zJWt^(0=p(b4Cg767eCo|Afusg{!G@r-#0H<=Erw~%C;jvzog@ao1POlq|Xp9aA;L( z1q+kBJg|ui46Ja#WDzrClYoW;-TVd=ywr7br%y_wUr$cFvIT(oz6?m9eJ_-C* zJ+PVm_zuKVSRE#9fx;5&4ZYPv+id;hT?cm9#V4|NoUR5mF6&a0{LO^q+s|}qwYtcE zybY+IasdHBW6JYPz1xDI>cb@DAUjQ$ufX?;Zb$>X;Jg8*IFDa3H`huosofWC6QCJ$ zd?;-=o$Q)drP@uhveD9DP;7$|^??V*4z8O$S6RM%_hbAYq+bWTSRsy2fgi-bKHOF| zv~ocQrj$N#cZo$CsI(Jnd+LVIJHiryQ6KcCvKO`M1Uqz9IlvWh5~;Cg)P0o`L$Pe? 
zi*HtgsUniU|1*K%5!5NHwftmWmYva$)YJNWC6A5rVF!56S>$~7{3_(F>-@T&q>F%O z8}qrnsdf##YW!C{8pPhI^1rm?eE>6_2#8}%>s}Rp&q;s{#AvfZA~YRWs}3kw+{N8@ zO?Kvg*K|P^ZkJv)*INz4(_!yyc!4JPtk%IqkCauM=90kw1VPWS_yIHpDyyHdt_nm2bxVgkI zl_7}U807m=%@{Z#ED@~jW&}!DX`CjM-$VJW>n$(sthHtc>ONNCL3HZec|O_4Gn*(*XH><&Rn(zTdUcm&6TXJSsdFL32@2%@)pbCx9x`L zzV&I(5eszsqYo6CR!Ikbb8D>gZmqRzF-C+D;3`CBwy(~op5*k|VzQ?*kSG8<{EsYM zu5KmsW9Gzy-mXT;vFYuSnEv7#*H*Kv}%km8FZPFxgFWzMLYI2Vx&*Kv)kPHNE z6=~}c1U}NmUI1ru%UJ)Q-ppWce#I|QhEJK^o=50Seo2Y~+oHv30mqa0>y7C@eTtj^ z$P&P{)gs6g1rH6yNrygf?fwVWhmcN~>9ll408eNjaRGP)<*6c*)KkHEbOJo;t^n$I z!A@;9efmXNKwdU*tOwhESqPapwK^n>Dpad8-d0h>7hVTre z`;7{2;(2U~2$TS$t37!DChnF_x5_%0Ad$-S-H$WRKol+uV4YbY;&x_0FD<)ciZC4I zPMaX7&5@)1Y-AAJ5;rgJ?s*}J!v@^qWE~;Ts6oa@2H(5=UoyYf$g$P{;7#qxlD%nQ zNQzJ5Z>Tq{#crNCJnV4FrEVb5nsBEHyGkWx7*fNSLMe-uBdKH@1VZNR*|yuDVFEU^?Gh**7wQm zm>-tb^5u%Uxe!&D6Z?Mf_3!ub7DK-tSn4QRp+9d+YU{(Nq`^XK z5&J5O=9I?HkBZ`hYc*rEFLT7Do349+d};l&1Ordc+d+Od|T@^I!JNDiV{|_hx8(*W7N;Ey;ED!tw>ZW&G2UIZq)POy=D8A_c4|~7y~cEy^4A( zB87@4!&;}MF=u<;Nl!6f)!*PEY+aE3&QisFzz#Y~CyEnng_!K1#^Mm9$(>sSk&px9 z*hcc{q+bL%(fBaJ_@SZ3GWQ0B;{rNg8^7!_4c;pDdxojy9EZ62=Y zm&~9UqodHKbP~^kXxh{SdyQyYp~e4*pZhf2F$;1*@6@Ky+Kp?;)z6}@e^*VIm~>H;Ql4^QRoX4r%rpbMLf08}zwBK(E(`cznd{&<{NrybT!m@`da{=nEFY)X z*Rb;g!j2dRXd03z0+)#^_8TGXDRmVA;G*sukn}kI$<56=eeTxttU zIaJHn>vl+ourYtS{iSR);Xa@GC+HK0n)Lq@^t&If6atc zab&gW!BQG>Mnb1Xy@m8n)~fW0rUMqtPDbGz^Rz@fKWMG;m+5aDHV}>NMwXEE=PdY! 
zUsJxLx0_u7J$%~<&;lC+PA(Inu_b3ZUF_I$Rt9})-A_iL$mo3}T;f}z^I)S_#TD(x z=EQ5s8DXTFW==wC(^UL-4k;UGgfAh^yo4dpJ&xwdt}ocEf;P>aGlJtfaUNh0J;eI6 z+lmCs?nTfivXPvjWcy6#8c%$Y3UwwR`{2aGuNNd(psW@He=NhQEGrm?HCwYFZoyO& z`Fv!|zDr|d?0XvH-jQVYck*9CbKfGYj`twd-|=g_8uU3#seQI8jS+j9<$1nQdcL;*nV`+6YzS(r& zBuIMPb?&y!zh}P;kQ#p08Uk09c7WJOsn5{UbwCsp6sMq>-5V3xrP6Of9_F1Cf6gcH<_7y=`wU|K`)RRPsR;CRNYpAprx8GE&y6`8iCgw zTLFIuM|u7Ev~x$t=-#9HqQYG?4ATmjR;Rf9qP_sHLeJ!OEy8T>}R)lbB5B-3eGBFu_1&9my(CEx}^3`gV~t%UOX+5K>W6tv?F8H z+`ObKOx3)1D2YjDL}fo~=bC&V6gHi(nW&K6)!jqd!`xgG7QQQ38FsPmAHA$Q#V1;Z zTHJi0NuDi!j6n+th&$D=&WgL=Veh!%IPpEIW9SW3IQicvQ>&8b980w*L}XLH=gM^Y zClpbL4sUo#CRj6#Bv{kUV>vA_S@{4LG2=+ExP0s4M87IWSDBrfo;E;{X3?N}s<&1Z z$vO^L&C_3Kkdnk)+s4}-@S?n`3}27rO7NmKWHAl;q?wiaLpu8EA335-R~H7ip=+pw zK2Nuhpc#?C()&Ef6^RC}SsB8s&sSut<)=bUC{0?8`TR2NW2BX+Omc#{1u!3Z-VzZO zHt7bb@Af1PTDO9qsw9)MVHVy%nFk)-LNl28;t2@{Kl(*Lwq7XZc^nJ5X~VvLZdL%tTL~Lqc#e8IR>IJn&7u22JZ9!~~ zgg`-BEp4hz)zZwX>MZbiI3UyO(@$y<*x?mg{jW+nMjY_dVZ34mhqbE?1#*M_@do55 z8$=(qeSY6oR<+K7QXWe$_BQW4moNV=WZm}kIRB}P0)A|MJbuhbd2k;@-*BPmauKzf zvGn5v^wdohqQbtFY$*GD-)Sj8EW_SicFkdXUmLHn=Fej9L7j z5($BfgFd@6oo}R5n_Wbp`W3nmllJW+~=~?{Rw#8>=&kDFXmUOx~JIQ1o;h5VAS?6Dw0Uvp_SG*I|S4 zAKt5@9p00jeN$DcEfZr}TH{nGaU)&uR{?UYax-l9eo)ExIX%g$*0K0GyTa!Jgdi zR0;X*g%djbl3OQb-xUn;18WVe7iNe9Aj%0PvqWA5?!4ygs+P{=aiR(#*sgaRxJ z)*ItSkGdit=Xhm@vxJe;2$#&}xU{5fr1D~;P1K(^YYP-->h;X2dNDjkRRdWG>h5UQ3q>M;PlwAj2S=>OP?=WT}?GUz-_2sFud-wX_ zIF6@{zI*&6C5FlHyOXxMc2>108Xb<_*NnrS2eEA)OQm{zu2!yCelS0@1ajP`{!Q za;D}&vx`*j1WXS=Fi%I#>le#HxmxGZh3Qh?#nJ1uS#ng2F?>^>ue&6>-M`1G6zyZ3 z4j!jExsm^+St?QJom`g8Hz<=6UwGelI`&!_aH6fKM5MwRy9bK4qki8^kSK?+NwKF8 zpgEFn3Jc~&b@wR6`p)E&m^6y<>EwZPd0I z+qP|WY}@GAw%M_hj&0kv+3C1r+cs|z)738s_BO^=Z6dcUG071dc6T0*#glw^p&v=!a|56z>0RreJ=mo97EoiKL~c{ z?p`3pW}5|3V?2r;Qax#Amj5AX{+Wpp<%%C(OM7D*j{77wFJ{IymQU1P&)u zh6eu`T`(jsgJVpbT}qO`DTa&sGBxI{LbYG?^cyA;|IH+HYYCJ)YY4GHWM{~%m6NLX z$!!yWr7>henC0*2KC+*Hsbh-MDV(Ewl)f zH_Nsggn7fqlk9QzEq?cLJ3VK&*fWP`x?-kX|NPr&T1}xVVP;cAx3-t=X1%t$w2?K| 
zq7H_gLFv0N7#Ykgi}k8ufJf51s+$7K`s&j8s-qB}^hO*|%ZD;rr&Rb-G@=WKYc%t@ z!>fE}=&2LoYx_Aa<^9Lw9pW2WCE}f>555S0h1e3`zn#&A&4NpSFX1_>dW3%0Z34Jb zJtBLINHre$Pzm|d9uZ2aZmryuh6dO08YhUs1a%mso@=eA&XQ-;x+!2a=*pFCCjgkg zU^En6L~+wny`PIL3ovmg?zLQ(gAPmbQ^Y8J&!De#(Qv*C6Dk%w9`}t^=dLuB62G3_m1r_cuZXBId z4^vjIxfyVHgn{biO0_R5eeSlM20r&XmlOB1$leB*u*^uuX8>KUX!NP-=4Mto(2(gT zz!hQDGeE>O;6LyP)zk4fhcU;Lr!nwSg3CP0(C_Is>$y`^v}5y?Vu+hy&gZFMrL$di zS}>PZYUYKl`8QeN`$C~z&|j3LOzPNx#d)E#;?mAl(0xJ+3A`O#dZTW_|8h6muykJ0 zmLkMf8G;B7^-+=0V>w0g3~`4xPpL`0b>YBzij6gqp;_gXpawr%xsSl9`YAUt-EKP5 zP6V>EO%e&yToeJrXQ zV#EG>H2|qfB_pQOLSqkSQGwbTyqcuNE3p`)Q^mKCynp_w(|zv!%}>bzcq+WX4>;Zg z*k2#d04|BHuWL^L<6fMnEuF`|s>eRkP)R-sS2q_%H{<102j)8r1)esBhmr&#h&Ovl z^sU1?=2eAbH8KSp!cfWr9G|%ntMc(OL$gEEhSEmkrBwPD+CZ&Z4rqcl!kvVtt=h9T zp!nv^TXsG>?O`mpVm)j(XoR#ZT3)jA&FCu7#$bWz$E#)^nnqRx2a=FynMa^G4ppC^ zi(nH>fVyg5r@YU(0$XFq(90YZgtuD({uLKg_b)3T?O1T~KeQv_W#|8bj^{kTC`0n_ zfuN(KKE#5cAsc$S1noB3=+Igge5{gceG!_t-it|@*pbinFz4Kie_haRH63CL%B~$1H2KF&&%QndT?3r9h^4#Gcr zv!?49S^pv8dy9A;Af-i8Z3&X=`R!_HDRl(kv#a|Gh`(nT158Sh0N0y}HkGlA4P)VJ z!HmgBr;xIrt|p~HTUL$V=i>GMK;*X#FLw2N1d@7zj}@7sZ08W1Y|a5cLab_3e>bh9 z$YBJKQ!g9+GukXHvxP>Jt4L|r$vr}{juO)~A1P#QDFetfyF0EcOIDVXBQY|VLP)U$ z_aWj}QkgpuRWuU(w$kJiDM=5^K8JK$JzW34F~E|PI{D(m)+w^hl8ci);@{tfJm7Yn zK)ad8uIdEvq6>T+tw?#>RN8J2N*3Zn3J$XDjge?vnVu#GUB|OyB9cqYGLNU&FiEA_ z)Me4P{xr&Ca6f-H+X|ybXBdMY8*x;GG|12R0Uyz6CbC|Dtg^YjwzXlj>F&VKKKLW= z(dlZPC3-7S4#xTt2Cdd=+0MnLAh}@m2{*GMOe^1-<8&kF;Qb&R{0us0oVxZ$?BBb=SZ!k#Fs z%v=aXKNDm~hdey9q1We9FlZ1J3K<&FR>BogVpDK1C>mLy4731Tx1%_}o~sb+KBP=a z++aXf#w{S+yoy;(=`i;b%-j!x&}aAE@dnz0V7K!;->K`nL#D1ZZc0{e@`&Ac975W) zwhofFb(1-ECf{~zd_A0>#&wfFG$*{4B_KJlDImMxbCK22S=MJ(3%PV!aUYdYGiwJh z+(!xnLv!0@c6s~~>2ZcfZcA~=Z`f%o6F3`wC7otFqr?hu59nMd3HM;4J~Fh)q@oNZ zq*F+*^V-Qcs?ezUQs=a2s7}6&a z?}X&V$rO7`h2Rm_)s&m*z@tRhCz>`3I~bj2sY@@rt;p=bf=-SmMF^>DUsX{HkwlZO zzCN}iwB%IcylDaMXi(j^#NA6`K~MAxP^I;FO*4k0B*Jec>ePECcmJA2o6lPJ2-y#V zlXe3v<#dp@)(2f=H#>YX@i?^(q=K)YI5`Gj8RU960N2rw>@W0=keb5rUKWG?>1|IG>XPr 
z5b~loZzyM})ZsWC88;PpTqCySH5?BvyT}t?8+aX-528d?UMKB6&D%m;c%PFEB-bitrAeDcpMrw7&c?>By-xi<#Un${ z?J^nGQQ^`S5j;|bsjlLjRHVED$vS9lRjSuDQTZ)42~bIg(0#kO_ER*IQ*$1w@19q_ z&>tZBm%b4k2_yP}hKi5qA>*%=h#O@vw);zcTz!UbxI> za)oHx0f)Mc+&3-N!Cb@$I@proz^A{bz3(MpK**0V6f)dL|Q03M#QS_OYnW;XZa7-2b53FG<_X(8i_yh=ng zX_y`7oXEIGkC0%~BwOuS511rg1$4=4D=Is=eXvRws{&47SSM>gFGruZJ5WMh_AlQB zw?PGtqtsu7R|I^_1DrWYB}9`MNzf@*Le&Vpv@Hux)!072RE)ArOTA(`7!y?EqcaQ{ zHXv`yY7#Hx1b7R1${GisBkuOQlkoR*mveTp2B~C~FfTWw%tx$C{ciFrnT4#TZPcCP z;sDpg*|%AFbXk6qf%J~*ApZhhy;<)W2CP2ocrDjZ>60-0trga$I9ZThrY&?-1lUBT zC*D(LD*qnhiw0ilH0@JN#i48%(1Z)-ecWPT$95oXP$l1RHr$~(;gfKM16Qj%6!a^6 zk(t528CL#@0snTMf;bUDI16t-B_e;2w%Zbh*tH791~pUl&ffF3TpNs;X&27m-d402 zo^X$p-FX#`hC@grTh;(b-t-Xvwtohn@%?6G68~nTHU9oVTP+F2*l|Bhy+9}W9YED7 z&^$EvG;VL?_nN{vi|M8Z;WHPnPwca6jzLif%QQiTik+qj7gDRxD^zxs9NA(L>T~8k z`$2uOwb)L@-Sp|EEnH$XS`ylcIw;-Vg&=MM%@ zB)b`Z?!T)h*2=-PnUQ!cmH`~=SzU!}4HGxXFv9R#IqODqlw2(K)brZHJSUXP+Xr7n zOf!q)DuKm!n3^+BAm%vJb2tWKtz~3>z-}t&`HCWiSw2&^HmG=Pa9G9j)MS2C7(kZ? z9U(Bz-rM8ckqeC6jyzY$As%7(6Xid!*Q-Q7$Ew|i{}Z0@xvY=E+@gR1&ML@b*1=I* zLUeJa;`$H7Ya-SE-Q*5xyqxa4zu3(22=eg&uu1r` zI>1yf(6+Pwbw^*xQa9kE5-2eC-~F}YEZBh|e_4Lo#VO(y`SK_bWB7ykIlSAeVYybV zW{53NfTvq0MK$T!!v9snjnTg!ol0B!yKoxGvJLwu*8u#OX-)w0wy0hA_G>?-zkV+>-Egw81dv8UoD82u*SC2n=j5FqIj_> zr(=RdeN<62f>(Y99myG^T^5EL9pgy_nY{y_y&cc@E)`dUB`L2y53IBWJk^N#iXEB^ zSiUyXKjYbk%uYMo2FdL2hMp%@{K_6GjW^QLf82K<6MNR;cduIJr;DW&t$H1fUOPMl zs-vK0THNs7-{*bx$Tt#_-DLFEsnQLyAs3T`s$2q#9VA<}y-vJNqOt`!mlCsTNm&mn zdpKFXxkPT)J+B6WX737K^WESprk;!Q3||cY<(uC?!3!j68_;R1plq!Dv$t$ByteO1a7otOnrbmhZH+WZlfd>EJ_KAZM!)WVNSmLW4v^&5QW| z`4>G+%HYBs2Xj!41Nki;Oht`H%^%oqA+`pT5c3%hvptVVB~&;JX+2yQacLP3QAdeq z^;3Y|`00tgGwJaLTQF1Tg7M-tMz?kM1+|sKTtX`Qh7CK#W|W0Nn=wuvO8e#wyS&bl z-cwL(2?ik;0jUNIc`OC3pRASZbo%&v1@?1*T;!M!;_(`15479kSsPVsK~Z&%{|VaIUF>#GOOn?RQ_2sgt!|HyO&JMvn1k>;OU9`{ zCvFi}ff}k?Nj#vy!Z(!IC{l(N-*s5=!o%%4z9u8+;$r(}r^U8OK=8hztw3v17%z^< zTxIa_fQjKfXrIxyjKd{29N+@33mM zBk-WXOD4EzwON0P-i?xUgo$wc@lF*cx-pggja{Sk#<}OD`H5f1u|8A??-->S7B`W0 
z)}ZtX;ML2x2J60VG3XblJ~-!G(xu6_tcu{+U_qoUjCQ+4Ms&Fsq@#qWk1)KbMy9_v z@R-1|hjA;T4<3k+o?fzmB?M6k*1By6?=%?)*+xgnuU%hsWqrFC{Sgo{AF5-&CIinY`)5l;5M z`o=U+-`G;J(&GR5N{UV2eUK1`%Ug}z&J1gYktSJV_nt{8ggR*pum&+TVqnc`7>z!` zb@7AWfCyVV1hK_n?g7(GE5U)e#^TgGH!$L9g?+r$le47270|20Oy2(!UiKI9^qr>7 zkI*kC(onLRJ|tisSmQ@&q|!+Pw$ueunwl=kNLVhIGwGewAP>*07HpJ)cUH1YDEgtZ zi9?Id^}$1CFy!d4YlrXWYU}OQabH-uDf9VQNhKV#PlG|jV2VHu_IQLPIKvp^1l8R_ zK*stCHfp>t7n6K=s?m}>c6CVj?^SRs4vK6}2 zOiM~Pz(gyp+;|3ywp5G?JPk@QWVq9|HS2gq2tI?sgkqFcCl62mjYJoKU&8PL-|bUk zqwA|(V(xf-Orcy}XgjyfoTBj<7hHV*$XddPN3_K?<{s>nel9w`+T9-OKAr#`YWX+{ zu3rWba}f2Q`Js2n-t!1eC;Tn?akW(;aj_J;F(FmrDyFNQG}B8{<%Rs)qA4d(w0HHC zMGzdpzr*FHQk#CRCS1y^Eny|i1T&6`D|daH`ajd$?#@x>C6_vcO=|0fi9zvJ@f~pdujp5(n0s$AbAA^!@$2*E_Sm!3qPgCw|c)-IBRf1%jFW9!21#cUx=BAG+2*&?^wV zQRHj>CuB=QI){f~kU!QXdFTKRg72rbO^GktOcE7nJ|1;+7sCxG@|SGFpJ+3XVxjuL zGD}a3DkM^yg}**!MLWLs<)d8ZvI8*OyX4gPUa@HI1O{d)Qd58g1Cd&*&Bm#)=f^w* zqyX}ZxRu*vw)2IH>8Ujr>qj~&y)nKf8p(nAx7~Dye!%!{)yIW<`wH>r<`scwJydTp z;6j$YtRrK27%no7FDG@1Bw9`C|HRl}{W)JqHLOPoLcGL!2KqVfA3~n>z9CaF)qM_G zZC?z$iFBoIZi3u`XHWHt{$1DkdN~&m+)UBro*5(2?06uV3+xIvCab@QUp5-O*umeZU( zHy?@piN+0<$o;qzG=!NP23FV7qNW^cGy6allr^{P-o=CRH3on91*k|#NG_)|s;vv) z9bPI#i+Wtb`gvlWAnlT#+xLjqCPX^tUN7B>pty4?5~`QN)(#UoJwDD7^=BeB7_yhQ z^WA+5->IHK9&jG*w1Q8d?;hWM@|8SeEmFETk&7^QM&la)=V_qC&_MrlLEs!Y1rJlI z*ri(Eer&v_$=^-T=z58zjOD=Kk;cpDu^KmS3x-b-`JLP!+M?#z$A#U!U66;&{1#WUlW`xge}bZ;SU8qz}? 
z%zW1}#HVXvcYb1uGhcIMbq}52#OM<+ZR#xkUfFO14|(LS8<$==B_KA$Ok?aN$hl}u zie1^NPR0&Mku!dYkUP@T&+&k!9)J5zNKV^AVoIOrQ%|DZhGI&O)^NXRa^;XRYCEJ& zeLjEMZCV6$>S6Ul=`mTwaiZ0Mrca&e86>4; z2i~AU3;_GG<;=uVbMTM@7;RTt`U-xTVi}ZQXkq&bRJ+=Vea~B4^*9M6G=LEgy zd1@cqZ6*!c(iS$9ccF#1O^yQh5+(B;_7h931k zr5IJRRmNU;vEwYFl8AxvmnaBt8F}C%tcoGd`7GNku;9!%$TZM#g@_6cP0>M<0$P-p z6meoIY~Kb9nPJCCivzrqLx_m1pnLAlye@iqIe6}hRpXcE9xCTZAHAxa5XN1X(oJq} zMeVpFHFI2}QRS>&KB5r%aGLua&dhBl6fYR#j56ZUDegE#Qt3#&?~5_HB!ivBR8fOF z$S7|?BV{nu9K2-YSR2e4NEb=xWbACZb`P*m7q z_rSftk7W(`*5hWlJ;Z>A6+Im$O%$#(#MiZJ^m|uZGf6U$KGmlKL$RH7tIxwdYBY2Q z;OOZ;R<_@dj$(4&Be+!0%|UR#clth7A;xZnSg5^xOnUeGK6SaSLyc{-li$SB*~I-D zxyVI|>(crfjH!-czg|UUPuW(@z$TANVhC2&4W3`&;laj2Kd;L%qD-K~6`+k>|LlVb zGP4EV`VoWi#cwi-R$FnGt8b>A=6^6k=t0m#qQa0p(^k{xTCxNjrjPB{r2)sPvjLxO z?k@b?7r+NrPCr8nK}=tt_MfY#nYZx!0USho1Q+wh#Q{6*kMgjU>4IFi0%n7gu zu;iQ4Z<)Agc26PWM71r^^-?OIXylaURP8Ze{Y~!^v%KA74Cw*={s8x_3v{)9y@b#_ zb&B{sDMSMUeLZaEfA<;6rBBuPfC-OsDt3mZL_aqd&eJ^fLzt_10#;Rr`Dk+B1M;z3 zN*py;pCFxK-QLp&7m~F%;ujWomIO;$c@|d}g88z1A#2F+WO5}RW45f!sU4Yl(2B*> zifvm3z1<3|hs(ji=;Yn#Opl;UvF2$CMZr(4LkVY%yW5_!rrnFUwE$cTN;By{ zhxhLdyL0LK$nn%&;C8h_O3ZMxC1i8KObBWLLFTm1n?JKx`L#j`gwn4MyeN;YBsWB{ zv|{rG_pUwuow;{xw5(*76UltSt)oUH>mg$`$>tz&xSc!h2DxKmcB|n;6-~yNtnu?> z=RpRfSge8|JsKelI-{{jqcmtI&c+HS7f4pOE^dMi<2vb?AqxBngd2p>aYhq4Ztd%v zkQcIkTl;u&b6Pul^6&0guoEl0DBk9aH&yI4;u=-A#3a0cN4TGp8>?fcNm5N-&hoiW z`MPjFIbZt0H@0MKVSUo`(BwP%=Z`Ud3}?W}9^D_!i)!-C2k7#xm8~KTiSUMu7@toy zV*;eGiYT$RC0WixadC0|$AzsagmmTX`z7nO=i)%6pBUX{_^Ja04AH+f&piFlA7$n8 zj8U+T_s;j5e3yjIo{tYHAW<2F3|)PkA7ypKHL{I+2l~$Lqxe08Z=2M*{+1<#ynQt| z)USB+Sdz=>?Ok}H*4OiX#nA7;JF8>T1(WZgw2ZV@3S^K_I{W?d&{ny3W<%5ndb1U7 zuYDwNxGV%Ug@h+#&uJYT=jG{BAnAq3(eadZVzDN)XJ@lUOZpm8RvXny@u^6g9EM87 zotgMWJxh4+ba2U!j~Gi07S8xY;P-M>7G}raZ%3*Oz2mSi()|?cPnC@5-KbEL|RfbY%7HzFexqjAr_rKgk*V+vy=%g}-HTI04*LsAgs$9d;ZfTW~ zd1jn+XBCud76qrfJw=rkfdGzXKxqIvjh$qCUj?BU^jCN1Xt21GkuQ_i4BZw#9NBBv z66}^jS_QZiNsEau8%z=CQ6NqU^fRG{NrL(Y=j|qrWLmodDmv7lRYIRkF~5?MygmDB 
z2puwChIC+f?0*F@!lwBBh<*{&_n-W?g$ZrfE09Sey&2-`Hsy^7!yO~;q$rE`-3Pb5 zF(#5piQ$gueY!q~qQ55ZQ+?}~^_he{^hLiUDk!%cMeQ-ld8rAAH!jT~4k+$R;besz z1JS{1(YiI|yBYanggeI;orVW8%?WSaW5P`YFi>D*eZWKz+(gWB23N^`-SFU+B}pes z3<64o8pe|33dddt;PY)`lw9CM$6lp)KtNM|F}1~HBo|fH0VgLgEivn?Q(gqqhbbLM zEN3*#cpGOQ_DSuGGEf@kWf$?m(>FiqLy+?WFW@(^i3NkA!f1+!WZ-#sGSy|OtnDWE zt(oNv2VXc5Ot-Ob?^iBE9nyQuCuEeFiuu6i#2YcGVfX`(p0j*OB2OF4>o<6&6RIop z!cuL-sxDJ>eDmsg?Jj=v%1pUY+tUK6`=rtEYrMuU0J zDg4ZOhYyc8)DOg9?Uh2j!rz=T4Wj=|W1cc&x{5{O#+Y4`_RoQuzKJe6omLnG5ft!@U4a|nGdR)VF(0G6gdpS+8(SN0O zp}XK8HsWX03B{3!ijJjLElS+WRk4Dnqv7X2_LG2hA}LQVQ%3(nwN<5yWMO2W3C3^k zI9A}(`5QSFZzIA_y=5Xon)HK-7&S_u#VHR%EH?!)ez|n23?^la=`n%L{%(ybI@pRm zy~LSFdiA(vHjocq1u?YTbSBsQ&=ft3f8%~Ilq6Y&2)ilN^Z_!R4~`7(7~g0~B;zSO zCBhK~7Dmv`?Ow@m%-LLQCwen*sthhIBy{1`O%@GpuZ6lvuPkT_6(?a^2*)UU5(mL4 zXK=s@9vwl`rPW4jU@3bI7mHTpVW2AXT?e}lwXg5_tG(}8|2#xibUeC{%S~(^wDm4t zGPr1L?g@XcA99Z&58|7NTJ*IKiH1=IpW?3K8=-&C;`m3R6x94A8r+pZm#eBw{yU5IF@Yu3Olwh!fahCN@#m5MH5G% zBr2S5(<_BwfTn^(-6|p7`KKGuXZ_t-I!XO)i9YC++`FEn<|38@_o1LT=|Z4Nyvu|1 zq+|pF{+X;1g~38EG>aKe$B?q>LjkYbgfiLr~N?5SA1ImK46b0E*?6d{)V{u){9 z^+?Eq4LK@8{}nZL&h~mHx=O-JhN~Ji9t)Z+2pB%Nhw$* zn5DK<^H}5f4r(n)(9aJyQQ6w`seVdSrOcaA9m?^YZ>SveAU1FPCxm5l(;kj4vGdJf zaE+yb>|`X~7=zNdMxT63I}vylS2%#l<|Tq`l|hO9hTQdCKXt?N$)FU!?(wnMs>MdU zkQgS537lh6`7cDgKZBUp(SA!DNgRwMtHwY+NB1H2jA<%Hp&4&XgrAu}pqV1VQLdVm;w^JIRZH0DHi{}yRlNTSwo|jZ z^;5x2yiNPX_Q&We8fsk<{j{)&eD`RsZd%>d-V2UqwM?Jln;>(o*8&uxB<#8}a&w)< zXG32)g0)RplrVskyr3vkKB7rjtn{!9!##5)&_Z|)oH(UL8 z+2^S_aU>HtLm@i<@|?VcRmY>xiZG0u*MC8v2x1KTd7KUoEVk#|M>=Wsb&*QLaKmng z@C5xC9d%3|k=LIH2Y2@b|hS5whlRTX@H zX}Q)8dOWKzv!r-e)mBA4(7X%2`8s+|pFq3yWCkRtK%+Nmzm64~@0grTzXMYLmQaV? 
zVm}K8do>cf#yk^j51l$*^V2;6AclE`5FeaAk*9l?xAXo0{8rZuKLUsjDq*k!Fi@vN zrm#e`GBI;M2OE%f#@)kP3;-9`P)k=dbvpyv0u&pihBZn7by5~fHKI!d)`!6`1uIqy z$!sn^vN_2YYu9H|WgrZkbu=hNX8d*Z1EKzv$sWqV7f#8T-N7nPN}ax^J`_eT_*TL- zr#0a;@B-DnYFuVk>>eT-WH#l6cSd|Fn~Su^d5#Kh?j~{Ba7jUnRu$5*MTAI(tE4?; zD$}(@VUTPX{tIx#NN$Nxo%o2Qc<4f(>4sMJ_LGU}+@llM4epEbSK3yDds(4NCf?4HAo_PS}Pu!zSa93D!;sGca8IcYL? zmb(IR8)q!v2pk70au-GtLJ(HTkkcUEgGp%s2f8K-zkm04qCvmZ7$?iBL&TjWVxTS# zqD%s7?44s?%tXJZSJDXaX|Bs>RG!{=zUVhOBq7K5=R$kB>=S^FGvN3F5R#iq=nk-K zcW+n*viS{-wZ=Kh38$-?00>1!kCafF_jg&3Fgw(fIzg9}X0fBSpte!9EaIjR>6lrR zNb;h;`Q#KYR1(=d7KF~YtD~e(;pOc!LJjPYV>Fq&FZNC}qZ8QpfwYMEEK|}g2P}*$b{|M{wK?v~0yLIb( zgwHtr;-Yfr4ZIot^CZj3O3qnn24TliXG4C3x_W=Q= znvi#rB8>CVS{3oGJkgtU>N5K@iKPzq9KK7(%LC)iF}d=Pw<2EGr*a400vz8N5N(4R z9I~`>(57O5g@x{~Uzsn7`8*c^MXp3%Upu_&H-I)I&urg|C*WTzr>XvNgj3}nztl_X zYJE)9NfUn;Pb9*CntRY1(;HP9S?`|cew|C$=Ej-_S~@NL32AO3W|I?&1cB^Mkf6UY z(zn?uA0)yi#Bx7OMAp-F(%(pk^i+fosp#3p5lqbyY9m;nQ*Z68itat%K7m;P@$VwQ zcUlt(U<|BU0jLlS0;-EaXYyU8af#dh`1PB#fDt>j>Wxex9;ok4g4& z%yN*Sz>uVbSNZ?Ma`GJ2$MeYl70ds)qw3s=dpW)-+JnD3$%iwomV9pcA@36FQgz(+ z;==f$p@<9Yde2l#C>tktW( z4uG41TmR}ezghlCx=|db%IcVNoj^<|Jc>0Afvihza9=6E)f$n0HN=?ZfAu@mb|&nV ztATL{3g|gYep`W?goPt;QUv4n(}yvj{H=(?q#nuOH|p}wW?@ZPxP!tNfn4@A#3&~; zMS9iKbmczKtx4MquS^JJHfwJJw&?bQnRb-o&XTNI^W*y?KZF*cmeno*An?k?9E-k6 zL%IIisJXEUVwpD8$Yt9aADG*8+4PVZy4~}P`tRb2w*YX9eE6l!(paW81)6KT|Fao4 zCoq0@=YO!;y2e(R+ z{-eNgSQ3utkK$dySbS0>!=xbtG3lwH>W|IWse4o`Kk#DSZ$0eVFEZSYGDBhLg*59} z{?|TKDHP7Kv^eHqts5*|MLGb;!^fa67SJFC?)DH6k?=G|fCgc}g<@ zH19xDF$k%Vw}FQg6iB-2CaYJs5rp6>OY}uf<|43AKomB1ec;w8w!l%UnWZj5Wfv!3 zeyH9ujMND=vKC)D8is?uB*|`ZRQrg4&q-X8n8{r5VG$Q~1!~OABCPN(%3NCTdSq2b zD7amcxTvGGxx3wX&Q3v}|5AH`8^nNxYI1Hva)p`-bz(*p-h~%7T0b9#$K@bX23gps zmXr-TNlwCHm!0;Wwk6J9EEIV5k4lmv)4&dSV)HRlh)XVbClq%EX2EZ4aFUO=-6)92 zQA0SFfh4mQqw-C|?)p2VAYtNKjA*DAU2-N0OgT%RQ9uL(*m(PKtYrU}d@4_vGc>GZ zhVLtRWoyvR!gDshtEJG{s>#zaxc!aAv3+o(`ua}hrWQ6BrbmE>ILCdKsqWj$ z*5yn1uZzBV!VRgL&7YR}#9cnLdz(eYRjoR2%R9F8QkG+?pp%9VxBXbj<9a>C(>IN> 
z{G}OLo6-X;gqh~`$mh!CXZgTTX-Nzl6C2U!Uas^A5)h04@L3gklUS5rM- zy8=irXAvyUuyMn?7Co13%z8hg*o_dXe8)h#agVU*)30Z;Yo!3I@4NTS<}Uy|VAcC; zk(lqKea7))+R&3KdGFuddw;J3QnnBU;KlYfM;!_sX0;HZ%ZCiR^~})2I=&jXHWO!u z!)Tmcn@GMZ%Qf=}HP+-5d_}4bT>G~wJ48B=y%mF+;{aGz?R5_4ePyt*HZkqL2Syuj zOATbn61k3;fKrq14yqtzjEV*~2fWIQ*9YiR$i8cAkfwLj4ht3Mr zu&7r5!4#25)GL-r@IorMHgSYvxS7c!4K%SG;|TlVJL2;SId+GTZGti?BsLYK0z|9@ zz9iINo0pOKI-sPvSx8AihD2@?GK>|*FTv@fr~~mzI@M=tUbL1U(Ih$5p>Oy4)+pTN z?f6YFg-y^uO}2Cbx1T|ub^;ttadX+JhVh2|$Wr#$gc=F*A9;mxJ>q597%(!G2P}5c zw|;rgU-b8!KevHq%C_Cf51HB@p>@I3Zhrnj@eG+`y91mqbK3jNF?^*L+_mMm=C$Ir z|1;|7;~lLu)bp4)viU){CptBINH>*<8O|X>dW4*Bg^gHv6=(4utIkTYn8z6kGK(0R zo@rIUf}X7j!k5sZ&@t5(^!sGfK5!GqA%wdlNU#zO0`(dI*dKIeZ;aQa;zou+W-#WW zMu=E#DbK~xt%VtwhneLlk?LpcYJ0$f>3wGG9eP-XAQtwp0giD3iaodE$2dWtW*R=B zPIUamqRIQo!c_O?7owPjj@A$1c$v;cggkzoCfYvW@x?%Z@net-$~%crLF=*UfNzr4 z%a*s2sEgM7ZVU0;57hy3R4k@eIqkGp+us_;;v>Qgd(q%)Nf6*JlFnZzY5a;P-ZL@+0UHICOV} z5X{?n6$rhnD9a`FB5CYEfAYjfpPEymovc6E+rgF7$A%`6rs(()DGD|C++udB)3fCgY8GP$$k$YL z0;E$nu!nd`$seBEceksp{9Q2E_x!nqo7jYgCt-O+K$%FMf(zse&hYf{_N+HQ=m9R0g5$1q?O4gR8u41jzo8U}qauotwUF z(S9=L6_m*9y~N*pM{3W3$*jQOQ$EBD)xX+|9s-qPUham!|9V07h?yHsA#!S)lm!u8 zked&<6PH^i20rtzI4UO}(P!A%$qX(&C{l65wSu65_hYh{wjmT|uZq(6fZyPBFby=2 zV1`@A=8YSp-YWG54`kq{@%sAYiGge0ho6sPl%>#_mCI4!J;5O`8WoybWGBp1QrZFw zy&P2%7h)ZamB z2)h650u+5S_zDT5#3T0j_~(rjTQ2Syh(v{L6O>J&GsD~eNoZsCIk89Y^^#j&;%r^c zum&$T=9km|nN?(tgSE85BSU_4*c;x5E-t~TV(^aD3D)86`reP)5um1?2X zA`l%HAcan9x=;2f#Y|?twPq0vYgcaEQJOK-n|ON&zQX~W&krPFIA-K`%3LlExP+%! 
zzH!C|9&w`*?RHqY`(J>jznd6-`uN37%Lzq_K#Y6w5Qs=kpLUN#JD`a-3^6W%cO5#M zVgASKM$w^o^5(qObHGJ5bCZ}1D%|3?g<02={*dF95ADWrB}mYx%^{~J(|r2>!MmeT z!>!p4)kC_;aVC5joH+vy;!Yf`pJVLJYk~gcv75RpA*PY%|5>R>ZvWx(oVUm!FPgdL z^@_c99Yq8tO<2`oaOwUY8mh#H!rGhtn}}2Ms8@^+vCR`zhvT11gqF zoKBh4=qG&pb%xvaiyysa)Y%d`FU9aIYxiQZ@vFGVMfT1CoF;FXH48ep?)}+tge3XREQI6O2=)7m;*G z2`XgVbWUYd!7QgP-u`h{BJ2^o{rZ_0b4KYq&%tTR;Q~4~qfGb@rbKc!y{apDuo4bi z7myHrQ?B)qu60fhH#^CVTLMqBNTII8c}_gezY}{1Ny{qOmiMOwIi+W$oYgX&(vAGG zo9N{6Sea0mvMkZTw2Crm71T-Sgn$kd?jZT33B{8E6jhw7f%Ke8v8lcwFSnP|J;76D zM~2@KftVtJ=8o{Lk3s;^ASI+{6}b>UE_l~VI`&w-X71T>2k~pgSyipbBX5)34x$o) z<$4wZwi?#GlXSl;Kh)oh`NkV;T*6_675k#FNz8x{LoRZu+gR;;Yf#UYl6)DnVhp~v z6U8kY+$-d8LMq9PReR3z4)|efleMQ{s5w;29G7ox+g8p|XgC-U${d z&L+rI4+^V}l3bP<<9FPofOKE23Bo*iUxWGc3j_BdX(x^| z>3-F=CZB0dUMaypfRwjQ;ELOqdK6kz=@GqL;){K z`Hg>ocJlKLV69!3x3S>2V1|%S6lnQC)dCwHK~7dd&Gd5%@4*mx>Q)Gf@A)gfck2uB z8_)}Jpt(ID)&}0n#nh_?{)#&a5r-mjJ7EcU+prrA9ziILW39hU*eFz{pdMxIFCQP5 z-Ag+Jed!orP3_zA17kUb>X6aphJud)&)s98@5vj&Ntip1)m7-)W>6^*&Iy ziJn`?(BQDIZ?ap7}gdJ#K8cblZhhhOJN*~`egd0DjmF3%oQy8&Zf zy^jZ9X4mLJLh$E(}=z~W5_ampDHLS~6RWG;Z z-NhHg8;fUZrng-nG2ucpp~$l;mG-=Gu?-0^-Hs}IT??c~uDS8o+4k)?eCi!QRnMM0kSf2~o@YtQN~`k$y=<1&OXexl<|f;` z-^!3)8-^`okV|9;eCel^u_VW6)W>cY4$trc5#tw2H%@}Qy_3Z7Tl$qm&BYq@r*tVU zQmW2Qchznv*~z`?9&IQo7tB=UCD1P)^3N3WY+C zVsR0)P6~*Dyds)UmT|DD4P2FiL6$st!*q$=P;<#YZ7y%}oIf%R&8Ad~wXLeAZ;XL2 zx7ihBN0>~kze}+-SEgFpX32HR2>j&{prX z=cli-QT1?yw0q&sDO+9+=$PflORmq6*Mjb}yYMd#~H`-YPsPV7+DKB13cgk=GUbq@}nR7f{NGESS z6IpXkZjHNiO(M&(vyw|bXD%!#S2AO&Bsua%NsH|Kviq#WFZoX&|5pGE81v_@*(C}u zaf}Ip8AcJEjb?asATSXCHJYap_O{BTfw#r0Stbx)0q`{*sn4JeeFJ#!6V7Ya z8L_|fi*cAiFG=N2?{`e;LcC43;FAZmJwg!;M?HRxn#?e!J^weaRDjLfo_>P0O6w(mO6%xQWOH%c@1BWkP^3Sa0 zzK)~Cng%Or?v1&=V1z8>+l9ME65$wnB2+r65!&FhLm;1TM>e;ty1NaCx6(zog zOTeD<^0KM#U3d_9hMz*&Up4V*GQKO%2+wfGV7Yzi-QDs~+5ea5pXW0ir8py9ntoRP z*QbMljsJ1*bc6qKKjGuY-eb57=K)`aPQnP&MT&o%vuYX5Z~%{c9LB2m*gL*X*`#9A 
zL-WSd^<=z`7_~6?tTjnI^G^8_?>st+n?l;MPV{M($0In{!?XPB=Bgs;1%)w#o<5>Y!5vT(f7;B2I0DR`nf`Qqp%^_u$9&uT;~ss0Ja$#Q7_9HJ+}lV48(7oq+#6 z>3mOoOWJpFYnif<)qOS^pY~Q+M^QI!Q3>x-^cS%dsC&CSieFn6y{g4$d2RroxB&o- zF!+D=!9Vxc=}7_=ORQCD6jX4D0s+1ay+Jt`aBhwnj^NS?3WYOPK1%kIeU=QL1d$35&IQFZ!S*wz&V=O31Q~mJ^&6 z7C~McW8kL9no7z^#^FJI`C}WzM-ADxgd~-?j~)oCrV}C6jXt?lf6buUPzn)i<-%x4 zthI&tDNE*oq%h$(8S&x`o+t}Snab7Azgv#W%EAR+lsT_fWj`POa(Mpw^zDn+CueYc z@(Z_5u$4N$Fe$3?D#th5J`4YifBb$t z_u&!D^9UZz^Jr4&)9>!>Y{L$0m*TJI*QUt%wMb6#VUeyP z_jjIF?EeQF{@;5ECUXmW+iKLe*&T&{RHf&|W)pug9?(E!$X-xeZO~3Gk*C_e{u5dV=QSPRv*W{NTjK4r= znE%E7ggL$i^S=nq^Z(B7-rm64|2^G%I@rwr_Yw4o8l@>I_jk{W*T2@b?pDP8-}IDR z_N#|89hW+w~=8}W_qbeIL0HCmD`65Uu7Z1hiUqcw{K7RO_YoT;L|L} zzLrN}GHA-Sz7Tp1t!&&VoBA`eri*2pon$@zz}qrzBT|0GixMMtNcm*}Dfz-Z(oq;J?T-gO* zD^UfA@a86{{7eyR(Y_`L$CsvFs)$D?=SPQUhv&NYm=RHTdHp-&znN_Q20?y>Fs)i~}it3M0E!P)Y(7!9w-#zb(4GNUYc)sE3NO7d}+VnUBOKb^9~=sGAM z7jfa;D0*dWqrtv7l`Y|hTQ^Asir_W&yrx#aY@hrMH1;+P9qL+oF)o{fa{Yi@k>ae@ zwT7@;zQ;DNut+mY2tABKM9S6$9SBp`dLbIVNR5Wd5_4O$R%y-0WR~7v+Cu+%L&N#c zEJb$%1Gv=xWFy*%=ucyTWcJXWs4fDUU7TtOcux$R{8SGc_e-1YD|9u1l|6R@M&3>4z+_p9zAPqAe zd1&64WPLYGvafT=pvv;k9#Sl9j<20buf85wcK>hB z=6@Ls`n#L`|Gflr|6e`6s#zbfpIctjC~>tK(1HG#s{mGu4`~sg8pY~s07L7Q}ces9+w63q*J<)~0{j?!xOhT0j!>luRW^aRyNs zNEbmY6P2RuX z9x0Nya6avl8HYb++teW%PjOF1?g+-3Fc!e@eBtrm9PaEHv|48OIMN=F+ehhzUAVU1B=WT7ltCCaD z^FDz@Sw5EZ_V2QYv&eQjoeqfq)Cc~&$}tF^;4c;<;a}OaI?lnr!Y8iBnV=&&O2*jp zT#8GbA3H_0p&b(lZ}RYb*pm+*YMZG)&QpN#YU+??a#|}!4`0_l^58nUw#Me$r{b1*b-+U_R2mAdSlf$}!5m0Gc9{yD;(Wc=m(x_8Q z`|Ym70LX<_+`f(K)v4!rRktIsvm~pVShmtt9yu+ccG<>I$w6nQX|_}!il(MK$!%xI zsN=)qa&)&}`@P8srgx^^CM748AAI!LHpCD78m=k-iO;4iKky5xDgWk)@8Fv9gTek2 z-=LZjk4&a1KiGG)(YCx|)q-_pQM!CPWmIWhky!Rk-D(4WbjulO2BOO5m-uEZ?*A5@0+~kfjN$IMq*SSCxXH`B*b3gF+ z`~A7kM&EgoEyVX%A*)IR?;?Z!Wos88+Y2jM|u7e9`o0b z#Jx#`uX{AZxW@{t`gWUsE)QQdtE+cuHij?VS~uaYL#y%sQXI3dI{_>i|M&WPyY~3M z|8#TydoMxo;jS^R+dR6h){357$`zdbt(Jv6a%J_#nQ2&(g5lZX4X)RsPM%1@<=N6o zYpJKjomXSd&f74jA(Y$eO%ZV30kLc;wx8RLRP 
zjWh7mB$8`KQE(5HF6K8I68nchV*h(G{3DatZ^GK4)%w4@6L3DmQHnFtrD^-Ez|!@9 zh5upjbg<$7znAd&`2Xu#Q`h9JZ%rV-29vp2`8J(GTIeLZ+~ z{l=30kr?;C^kQTa?meuy{vTyY{ChH7?JQu)`u{0g^PB7c-JQY4{(mn)T49BB|I^y{$ z$%f(B1Nc1|zBTA%bZQWjXa*c)GvFp(5uw7T62`yd5e>kfporiSIakkfH4+eLBm#jJ zWFSuXP*|N8#i_Z28wFbMqnIGLPVH{b*#R}Y9Z-WG+h!jGU{}30?zH1vPNQuLBByl4Y>ofXD@&T3WU1ncgN8J zE}j;!Nl=z=GL7zdP}dOJ39MyWamZbt(*f2)xOeDKhjI_MLArP3Q`_D?BjWukYB>2F zpapjUtikgD>v286GQNjqUD|LdG}h5t+z+>}!&~dUF8)0=H$Rd#z|jW}}$$EU^FolE$=kIqP00Ou}y!a*j5<9AA!-o+aH~#e8?ZKfiK(603a@R90|(&7pI$ZpG{bO{$C3dcG>;E{evBA z{y*sNZ07%a311oh>t?dn=O2DA`x~08d3iq1R4uD&12MZ|Xf^)d5)*dG_}|~J`2Y6z z_xhXh|31P7|Md>>U%&LrTqCsV|F^`1UDE&epYHZ8{MV-koBO}_6SnGIYc`m$?J!~2 zxIA5l)@s0Gd_J631M}i`D6OkPSkwWz-WiC+2JQ8mM0-UgzL*nVtu-3#9bT3EhS6Xj zJX~ox;@mH4X>n{@Anolv<5k@r_n?qd9?2HM`T|Vv7U%_r^y0+UMD08N_4ti1kSD)5 zra__aEp&BYL$rgK)i2A}L!Y)o;M}!fHFxU~IBTNTB5-Oq_$$3>0|K}K0o;U5*n~}R Sg#Ql!0RR6S&p(m?L=6Cpr7QUW literal 0 HcmV?d00001 
diff --git a/assets/minio/minio-operator-7.0.0.tgz b/assets/minio/minio-operator-7.0.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..e27bed94a6133bc820cdfd0aa82610b8ad4f904a GIT binary patch literal 21224 zcmYhi18^oy^gX=E#1hkx*zq{%haVKWGglm6?ns<=ACCxY&$X)tO9G*etbGxY!lc)!F4VY^)6JOgvPT zfP9jsHnu-5x;)%A*zc&g{hmwzx*X+L^PHv}xK!OAO)ZYZ>|-)|+HpDg4ksE!QB-y? zlYl_{XfkQb{lo_~xh8`l)3F+@5_L11V#_g`ac=^3jxw%Rk0_ z_q)|0-DG|{G5{83?Oj$#$?`J9jaZ<{mXP7nR$v9K*v*g#5`v^Bh3vfPO=!YT)N<#s z5Jo$qDn~-ID%pMQQ)2S`5R{pF5l6q@w*3UK@H$VfziXozWx{^bjOZ}7Hc6m9sm%7h z781xMyyi|rz6XBlL(#<1%^s~Hzk(E`fnmoc*2Q6G0Qo0ovm&Y<%a_8rH`XJu37KY% zg`Q5+#OzyJB$7d^pX$x6fLhKF(76v&J7>Zpiug}&qL##`V4glC;@|#)&&P-%v0ke; zerrr`X)HC=`$Tf2NGcfk2}o1lv8N3EVR6{;+ukoRox4KQ{F>rrrJ^)HnI_SUGnn|~ zBmxBoFy6aX$KPoDMT8T{jQkBlw`}a_$blJ3JS#9&C*Mvu#d+H7KNjD3;! zdmH4x4IsVmCpo%+BND^_u0YyCbXXsYrs7*DPw+q!c9Qp?IN%5}rK+^2*g)D30dwUW ztX7I+RTl0DL1cPK;pEqzoW9Ooqy$M_Q$|Et8Ol|eB-AiepJa{-@KH1I>7Mpqp3=ft z^MJWAZwvk}eM!(%fIJCj79Sp*B$4n*ED3TJK0!iMzPSKO!mgL*M@R1Y{C-PrNNFwq z*WF!zMN4>Yr>htdOlC}dz1$rxC+VAB z&EIADy$X|&1t=0^JXckU0RlxEVD)8u2p6+lD#wn!eYGeO?QM&o;*rA! zp`MoDD1Z?r;e=iVOPX4BjtqPku#zU^^I`uUaP^iX_@sYX|2nz7$Lzf?jm_bO$%)>5 zjU3)}2lzVQSbQ8f+}M22_9ptY6ZWZK_3qz@-GuR%OiM5h{ky)Nu;lWvr$*W|vqR1h z*u#R1h{2o-MK!5MPHO#CYNSYnO-+IvN-(=e+&O^5ESHc3ddLXs7J<}>wf#8WdFNlc@8OsZa$;k6Tj4F*XI#nK$9-NVQG@c5sg@$+MO9Z-~%G9*Oh81ocVS&+~HzQ1G zi3U$k5PHD+>H&Tq1C2UK`#GFsJ~_FW)3ACY8%E*;1nvDP+4w5aJ++ni z)ZvSyRQwdx-(Zw&uFg9zf!+Q}IlPK_9bJ3xC&RnXn0}P8TV_9^2jzhQjZ@K8)!$VW z{sr0x9X)LH9$shv@N58 zwZF%hU5fkx6?qEVRpF36UBbS6*<@ml6n8X~&CiQpWxg#vRxIru4F*Pjgy5%z zBe}Ac?D03t+T^cabX4%5imR;Ivy0AoDZ?2ZBGdxPxo9IIj(>W31pJ<~BLG@HFZwq& z*gletvc0?nwVkb*K{@Biz0Kvk=T@!oj`I`4-0>G#Vod%TGdY~t9~j-)=PE8z%(`D17@8ruDMv!4oxT7E85w&{!39szvGg3OSG zNBQeNBeI_sby~)yA1SuoRAPG$VOhs9@5kMrB#;9zM);>wY?ClCYKxvZR$)xr!qd*O z?yFO$iLyv<^t5>6bxoEySg*A9wPe8M5J#^~7SY*Jy-9=}Nz$1jD%m$#11LRcKShO) zFifY-A2{yo9Y7CO5$DuhV}T#bY=Q(o+Mt60+g? z4-6*K2k9Cb*Z{c2*#0cRMp+m*lKBfPh$d!a#yQlYqZ6!?H)GB}p+(6+t#k|9){U_! 
zbV%vglXlhM`p<4fgCukt3X4MrT5V*7Us#f(6haz2d|7vmo?aHo!62T+3Jv!{S@knN zf1$|@jn*8$OxzK2|nVL<3U zN0{OTMI7l`=Mr#eHFMEC3Vlp*Cc&C59!jW;kn00=v5Z&SKgK0G)|Aq{yG@z<6AEWk zUEhqyPQl(-kNs>HdGvL07RY2ulmK9E_ZQmt9-KY00-S{{#`L*K3~+ACcJzy}Z;!8s)v>SZhEfGW zm-n7!ke=`E=eVqfml?43hG6;Tzpq|L$8*16LJxMga{Zp_TRdwS5=p*vMR%Q%)9@ee zp5Ms+fsMmeb$P)DvRj%qFq8M$gfAbSM^uI@(H*==H7g_+8rG z66F4M&6^+kVOT&1_~CfH?sc%m`1~Pm21&8!ZfC-}$jW-eFmcJzyh|;5D=7CoVSzAu z-Ge$5NChu5%tPd{Z=(x$Zjqvq{3)Jj@~3LXJYD$To9-qGjMSFT2x5r0)uC6u^?#j= zu|LcndBcai4%vNm0d#o$_yQ}hM+~MdMG?N`M|LPXp!sko&Je0U*Sy8QKIWZ&@ozi<8j0)xqioKJ9rZ!13&?*wsGf+@lZK{9*E2~22sqKo)G#dM4}SPyc_^lA_fx&pva z!_#*mSPOEc|D0;66;hEh=(32MOPzaTke0X6Kl*n+O<7DY=P&Nb4e+CDdI)?4Syb%> z43T3lpXc9OQZz!q8VwwbdrGhI^P|Y4)+%i2a&PtCl9*Y zLBP^=HS+5BZwDBHO+-d|cfZxk-Rr#=VuVipao8FX#B9Defn%rW#F6BqRxF!s73NRQ|Nh|AVf5RXRde}C zN=%Y>PK>|)5B>(Hc1bJBVRTiwtwd)(-ZfIgt5%21Fq&p^r(cH*I3Nb3(>-n_P^%r7 z>@z!M7#AwTXeI;v#7Q`Dt%zl?M;0-daYIX2Ii>w1WV25rq$exLdLPJ5WFLtQbp?D6 zE|?pnQR9lQ+gfw;$bL^eIc;^?NCwkDkcCV}#L!@O25qwB^%SG%v$!mo4E@BB#m?PTC|ac?9v|zr>)K~Oo?c) zQ;l)xKvk@MHCg<|+WOH*`_)`XwzpO8s$9QPv55c}T#c*kJO`Uh%gP|A=p@@S(x^)9 zz6o}R)<*D&h4fXQ8qnJC+8q;E8CJr1Fpk@DZ9NT-{S%C1VMVJ*ntemAjO7!U=E+@r zos_@T4my|J=R6sJ-6?N7T|4UzYq(NV;WP%iK$OJHU3c(FkAamfD{Za6$~JXgn45I1 za7RXwVIXZ-ivdy&4xRBfF+Z#J4wBZZ+i@9!gH_b2&LRdvXfrBoz*axh^zt-GyNFjk zjPExy91ci=5}nbQ+3;PLsv|zv5w7tpGvig|Mh9(?@ebDu(T%k1+}mnyg7*Rp6tM}i zlZLdoMQj|*k%AFMA8Zp<&HDsGt&=fQd_Lj~E9=dAKYup^edkF%dfQ3F@eUa}K+92N(YQC4vuaUaj0etz!~ z-@O7?+uxnrez*56&)r=yj*tAPUi_W=F|zfXs6 z*3LKV)saBR?-yE_E^eM}mR<%CyIzw1aDOg`_XIW= z+CijxfE_`hNsqtOQ;qYst`%r4-VBW)CAyH@tsARo{P|`OX_bgCo)Sjxk<@S7Dt~s$ zi3MP696YpH%yL&MBDnh+A)_9LS(f+(N7+^|^^aXC4&k-pQM#3b<#idSiGU4UNd1HR zrVSQPlXFYm^Br>iqa^$0q)xFaEuI1m!IGj7i{-ItAV;LER|NiJGe_};6k;^a@R(fm z(5-xFI0-93fj-?R{(2OhvKK(-g255X%5sHSYdpFz**TiP4jH!=kD&^}03&K*RDmx3 z+zWbu@k7umgh;ZB32b!{eT1bEDTe4v+WC{W5|*3&6=rqd+@-1RrqAp~&9deW-gIXd zb6IE{l!nI;*^2p87(e3tq^h$wof`HQZnE8kv{%^laD zThzwiTRdaCU>~cf?zOzvczq#B4wKn~E!?BJpt+yAG8|<6YP898EAN#4S9F$jRKQ8* 
z-*_j;yn4oC+Wona1vZKv@zZKvkmB;J-(Sl;Tie0BpOLT_TVD>XuY3VAUfnlWMZ>G2 z1KE=^X9?@e2J6yq+s!JwL-9~k8QCdN`OfqmT=3>$@ow8t-&b* zW3i(CCeJvw9>#Ok66tT&LqnHpqU|NA_|l$NmIPOBBKSKas{^Zr@#yk+{COhsBK;8A zK!kIX(S?ab%ipG-y6H>xre_D^FJ==9W9j9|Y$~yN)p7OWSF-aL=^0taavIl&8K$!@ zCLLZVKUCPwnjBJ5Ss*v!UvVsG*;lvPTyqmAr%?L_V)e3InvZtOk9YxXsdKf)Hhl25 z^yx!tk!gVjn_+4P-t#@T0d*^pn9$zUX|doUcU{35Yv{l_939$D*Fi`~`inUBr;HGa zCm5wd3xpPp@LgCqw)4;hDsDjNT28AualsJZl2iMwX@olR!$U!4hdoBOXM<|##Vlw5 z8+e&GbrIJ>3UTe7q|*&=fLZ>PP~%~(HT^2EHy;2?k1yA-qoHkyuv|en8=R_s+kyOe za$Ubg%(3uOpo7vkHM`O-c%>RCo6wn7RCk}JMOgJIW~q<}iF&zo4-V-ZXPTwjazxi7 z*y$zmE(N)1(#{3We+`hU5FCX-RaZeC7_RnY z)>anl+6Y&(C1*tEKbV3no8vuJYp;6k3({fIe!s*;xhg71T`skv^o)Rku$5+o`Gyk} z-W{$ieyskCpG~J-|D~0kuYdFg*-2LpTj7)fvfrT>?S(SehecuFg^nb<(U?sq5v85? z+TPYu22{#V&`S%;)~Ll3)-a?TikYXNoViUuL}9#aP;e?AI^R)4(R-U*iU9ydv>4j3 zxd^jyv9^cjbiAY*jn4sZQJvT1`I}c*T^=t`hr=m zqHG?!87}Csbv_-g6aa8cE43Bgl}}?7jqG9qIz2rWrEaI<_BJK?Njr;3qfa){97t2I zk2kNgC}N3xI>tV}_(=sn^-HBXQu+JupjtFSfcD3BMBYPQmd>qInktzQmtvXJ(2pX1 z_VV8IPjyr}BnLWou1KC6__p#AO%}{#`5Y&fifk}q%A|(v33eH-xAp!!qmuencb9Y~ z4;M85g;Eu0E1Cj$P_;{8^|mN>WZtHA+3rMr22zHf+EVq>M~}?$f2ZBVNYk8@CcD4% zBg{fmBeT8s6(0Z0MvAgQ z<{(T1+peC9P-v!cb?vNInnewoU>7q@eKSq;G>yHoX|^c5P_$vUsO<9}x!SNp+MxU9 zsciaTkiNK2Dtl4AP{u*?!ptE8^o%cjM=Usc3p{#c4G5 zk30D*Vif|(pqp?>Wio%Xk}AJrov|DM3wDg9stFmeN;PPz&CR}n7lI?p(0}tjpO`YK zDOK`oFl_>p5}n+PdAqr~)Roj`h;x2;aIH=bT=cLg2^{|;e9N|C4X&mR883{pXD(HggEiH21!P-7Ib7shiz+%v(~c4nJR!rQZN>{8-+h=zTJZbo+=>1J;l~d zW^p4|H?@vRqcDYyqA}=578{xXag*lIuXmU`CiNgt4o&6kY|JMwtWhOH8M>%XCdZ+P zZpoayoIFYa#5P=yId#e>@Q}KUxRS7k?9fmlHWXZ)AW0*#B`23o*5SdWDte;U0d)rO ztF*yl=eToxgEIp$@|8x>8e3(XJ&xb%~{K3AN0^E@DZ*la% zRV+T$edxZQ;3wCWlW9Qh)xn=5si1s(@8flgk0j_#Oz&RtEM%m+Bt}g z%a&1~Md)e3>+V^27@e?(r^aa*ypCARf6^K#=2L)Q!^!zEGV)ROe2X|aUzUWi&cixyjp^ zragRWbWKR15*dR$8IL)#>`pR_g{ouj0F7^r$SgoA#)R%59L-o=jR+Z7LxMarVk6(W zPR36$)ajlLyH-_Kf=P>rN9*N@ zZ?-q~av0o@AbxnJ1HI_Vo60;@@h#Hts2K;kL0i3fGrF^M-_)v?$7uYdeQ zsfQ8}%mAH_(oPn{0KMC6=jbX0mHBp+fb{RfB_Of)Y?2du<4ZwFhfX*kdMsv4dVl$+ 
z@+4eQU>qIeQ;AU~WA5;@If*z;HY+!}dh4)pdQE=GP_-${2-8Xtn zDgN>bmY%!KBZ3^|;gjjUCGu6=Zx6Xw=W8G|j6QB!vZ2kS3iY7cZ3(*mC$~_I z6u$yp=0=S82>72-G&P%9bI5r2OA=2tfvi`NDUHh+#duZOM_Dq`g`BSd2;0_tf@2m@ zD3LIt8R49OfilWQjPuUfsW7(wT2`ZTd!8uG<7n4_&fR|bxMO=BuvhIarQBOKEbOMyNkitAKfN))<5{T8JF*d+Lf&(EOP;ui-s=lVfJ} zGrRenb@8idos%8~Iec_6*1h_Q3qV*sV=z#9X|YhfzOEZ%#ku_*!NI8$OXU&j)jm0C zr%;6LyO}e>y%EC~uWhHzido(4wd=8e&u07Z5{iE{z<0|g!r*3d(bPwqoqc&>!}`I^ z(}9qkP4CZRX8zen;5IPj9>U2R5@0aC-;dK#FDP-8YCqYImxz%;sTVT}aq^Twlecbt z_LKqV>?Oz3wY+esN++0VTo3nemg3~X7u?ykr{NufyQ62`wP&1}n)}jGb}4_H`P5Oi z9S;@pI1Y(R*g}adO`8u$8t=Un<$8$k%%k!o>FCvbb3S#TL*(hbJL(EVfIf6QJIugDBr# z3)!RgvyTjpqy}slih7UR9!$-<7IgSmNE-y68#o%pR&2))ylA(_!|lub=&mQ+a-&TR zUsACFpUvk-8jA_G?XnQ0g7B`L4puKLE2G-`A*K0e8Xy_px$b_n4USJRhd2jv&w0ms zJk&7k-)RnGCChr|`OEe^7&hMH>b4j4?$iR7ReZlXPQr#!o{SGD4Z>cJ-XeuRsMvcC z5rn@O0YlrSm(c-|7jx(W>=R-y{K(*LqBErRssa@NGo)bpdpNlj1)^l9*=cp@`wzHu6i=WTqk=5&F z*gR**{Ha#p$}dDifE3r`W{1#EjA;4f$+rHlJO_m?IA{lv&X_0;Pvn}GDq**f^Dd6k z;bf-daXTFfcxw7vffA-PW8n^&BnF0Ei0C22jQ=5-2?XK#PFz8)nu za*Z~j6YQI+Ub&!#soV7t%vf9b`K&hWd1<%UshPSa)X`}@)0I0$$bSw4P8iVmyEkG* zdXhLb%Y*1d?q9qic`Q%<1*yh55Q`8;Sr~SAW~#WtMDCAGQ~lIecFJg>^daG3 zI0UdYjYUzZ)d#pvNbQ(8*{8=Y$;8$)~vkeZp{h|7y2zxE9uNI2L~q-?!9e;Son8^$w<07){*O*K z{XDkUY6A3gQTc}%k6q7sum-*5T4i@K$m9}PteK8axh~aeQwscm7ve74@U&#GsmVwk z4vE-yZ;qJebsBJlqRA2Q)~%ywZCrJAKF~CNW)w?rrv4GXeV({_9zVZMWT^g+JCn-? zhTE9~Yzn+p!4&Iyf)n)*V?=k1ku@1%M6&VfD8S}~SkQV`5l)YJsM*(#U4~)9gYp@8 zu(vz}vY#7ZvY+QY1kkCxv#mPseWmm6eYvmA&AW2P+~>G%qIp&q@Aa<`iCHf7eB{Hi8*yBpmyxYSH5@r}mUo$vRgEROboNDc5jd&X)h$ z6AikiDn(6X)=&AZ_}aCSG^29X(F*wKq8lAe1JxW?G#m20aK^T-GX~qp2|AqYQSQVh z{8`D=b&Xu+1#cED!_>tJ1zY9?Vs?peuIHT3R`BthqmER=8c&_Vl>a}ZHea^s_ zz@i~=M`}S^1V8~s#JTisL3<6BX8!>Otdm`AwX%0zp!;2xeh=oZM5lpz*FPNlV(ghN zZ02^PR%{>P=jFVgz`8`s3+*MPhc2CW>ceIeZ$M=eJNNhv!y6tyPUWLMjVbULZiBT* zt<-LwKjNAfB72&=Rdef65k8chUnUG@zVu{JU3-tL%G!>fK6ab;*hv({hsvGNe76s! 
zF0lSBN^dF$hT*#DP7@`*iKhbwTf-eFY;i1<=Oq(yLNXTEmWpb6Dd3?tal)-Pcx>`l zFZ(g9oGgDrj@}oRY{A^psQiK3x-*E(;b@UGsVJNfPt!Bod_}~~zb90jc}2|rRs_xd zwvYS>P3JnHJE$_&^~sT2@r0XIaQk(3W+MzWsnp`y2g}?o?;uM121q8R1j=;I=3BHC~D4s{{w#n7vBt|LU46CeR8H3xa3z^&N z(zmB!IWwY!2l9OuUnocO#9?%U2*2J z#pT_W{NJ!y@Y&2jYf9?;%56Gxc&;jPERdIXPssh9561nyi}8x6*FEJq{BI}QzZIGK zmv=7h-uSSaU)wm&?|zaePv1*<>))9oskQTm=Wz@MrSu1M&QG53++NW^Q~I?+=C#NF z?)q=*l?IU8VE7g0P}jm~P>|Z`6`IK?Crc7Mz} zt1~n|jwn?;NXlPUoIhGT*z^p(JogbtngcQbk8g+)#XspVJg*X^&rG!FJ zS1^nsypu6&k*2yi*d0a{(04A^1H7jg$f6F2)~K?xnlD}*DR8w$US#L}Ds%kw{hab$ z%uZq62l^{KJjCItHXHc&87VDnVmE>PGrrWl4NL0%!_Uic;w(OI8+130?$G@-OCEbY zsmnzQyWQAURKm8o;kNE`JD_ahSGsX%U$|*H2mXA~LuJ^YtcL43VQoiSM>lE(o20Mg z*ZWsb&u8KH4&n2)-_~`{%j^34H$j>oulG$Xq#v4}_xn!oKlb70{rvWDusD6uOPK3{ zle^mU)%uOC{~2X-&>QIY(S%YB!SP)9!jPJ2hXcF^w9AQ(u|@837D%hTBFVEtuR3uS#*hqjfLvdx18ltFF11t5Zf+Jb^V zFQgW?;zTcEl%1~8xD!s@AMTbs1tY}>c@`E;IB1oiL5GS{Dw@b!}0i%6R(|-Yl}e?r{F3Nx@k_^Cgmcd|h#p6lim2JYk~NbLp-pIR@e9!jOQJ z5=V61A~<+dXaFyUuB8+Ht0ZWZJ zid{6Cu$%#+=Qji54S*&^+{~(WZ%J?miAx`mGKY zX-Uu1!v7EI7PP0Fz{sWq=6yyn*>su2mTgu{Vl>EqI)vJTs_A47&iyj|BSdvxokeYPb+tjmS_|QtP9caHi&dWVNoUZi;diEtShair^)EMz zi14EP_iTK=wxzr_QkEc$aH1c@Tj4W&=q)Vs>2b0iaB_}uux`2N7;ry?gzAoz z+31Sjf2c^j%75h2l`H~z1DJR+7F7iUFG@f=K^fADnn1bPTMKP|`>GK~YP^)?bA!|J zk~DpZ(R7ZfEI@(2rxumXh6Ax9c=U{CTAm1-2ZGEUpcw}*WU4|;?&wIAw$a@0CfOS` zQHS;anS=+jzdEAOj9S^hT#K4a3RMHw)Dc&4x(+F7Im$^ge^$)9PGxPs{sE6BK~{v{ z9rlK11`IgGy15nD6z_4zCzT>st9M(2t;~(YGt|_2ou95<{n1&UDHdyx5k$q|yb>hY z1Z=-qVr)zq=wz(7Jk?04;Pq1X2e%$&b`USlEKgwL*YBJ%n!0C8k0s|%#t>_mpxYJN zLaVl&Gc8-KT>=;EaGX%`#QXV^n=ek{a9~b<*mPlF9u+a*oO4sUvO+0S`=94FU$qUB znC#Q8Pa_RR@sGhxZ~4B;s>`TG8zzS&^4&H9cUYO%$)8=;$-|7mkMI*2t(3BtZ0j;_&+Tx(_*xT+0C7ubp^>ls% zw*H{V!;Mz+tEa7AS#)KttX5!}cyJsgbkgKm^5kXZVbbEKOMMLZyzx?((2_w_oH&8w zVuLGTvZeJEmv2ZzfanL}Hn-_nr9oW{uOB|FYuv0{i`*XY`(~7l=@Ox=(W?-TMlH8y-XRN)?05HhYmY5?pSkF#&=_x?b<6ug5N_ zs{T9DqD&L6%BmPUEjul8xKR9N ziEe;b=wNc94EUF2W9MHi;c+ZtZDnT$#ll4EAJjtgfuSXl}$BRwlpG>W7*e(S}(kBBDUDy 
zah}71BX*Q3=rer|NcDdsc*r`zr8}rQU_hbU@A0)ID(>-Tbi=M{I!t@x8^Av{nuaV~ zcG+~i^BO~QkN(Ou)rxvaH{_DNOVy-kE5u-;hj#=_V(GB9!0?f&L(4d;6 z^tv%rxcPGIUI=Na8cnje%Qt@;{dVWMD7w%OYF?}pkU_=twe zr^UBG4d6#-qDdr4>81Ux!sx9+>pm~7JCJPO2$!Szmb^_rxxW(hGr>;{>^BYOVP!R1 z$=(azP1Er4&bXxS!W85TdoTX0{P-Ugj5-x)2s>@F+t64txTbfz*QrW|&!YPZB~CYe zwy%b%%BxN*-F>%}AXj}CkZg_1zlHY|m^%oSL76F9wVFNqP5-0t%Yvt|lN?~RtcRBK zZP+4Sk0&~ORC$q(#~l6KXxj*Wp5>^2Ia$0@>2SJ9x2uY{#fHCaMw@c#cDh;5c-Z0b z#zzVY5pqIztUF>Y)=WGgPt1vIs7_gZ)QMaCqm=_&S6$kkk7>XU%Q!8z%vNFYAv_*= zr>PeDRP@nB1w^cKi+XHU`kVcCiyh-6c`-V(wpQ^8C@yK8 z1)CeFAlVlvgIqequ{V=Zlvj3qXQjB2C}%oX|;S#4&R zv3>w_*R0O%ku91bK?)lfUu8Lecq!t8`xAa76QxGK(GlkmBi162`Gb*cNR9m2%t8Qx-MlwqDO*#h6JCIl48*oN<$ zx}8QJ&n+7YBuM7@;bQZ2G7nYiCQp;)I>#x|pBk@3ge#i6tD$BcA7k97id(x3;4Q$o z3p?vmVpd-$E~8QfY}sC`e0}!0PdvVr^Zz)G<8QU~K1^>1(c1FTru@x8v$jZ)vU9yl_KPz$)x921`5J*KOBhpl+#b;qe{)gq_f&S#! zN77{?h=6SZAIzT~Y&wrz#*VJHBEq{dZC)LfJ4 zS-kb@#UAF1Yx4_+OeSQ+4&Cluwkm?LWpP8(r7TZ$PdwIXXSpnMm#(T8OP+u=ZTlqJ z@NReZu}8oPOG7D_uW)%k*bunUOLANJEZwmi=uw1CMlLN5M4?^>rTmR5iAiWhx{JCU zl~Lys3mbKilOfN~Caa;SA?;eI?$V_$mPZd)i^I~}Cx;FzQZn(vYIBr^l~!j;P?nI# zTX~HPrTv`eAf0LZ>aTsDIq%Az_^9l95xq&}$!^GO&dy{XhFwbLn`(TZ9*`1sS&d@r zNg!}BWVXVX)_jzwtcb?~z?YX)7sdW7#}Ye4T99$w68{=abHJ(FM$!=(u_XqQZLXsr z;|n=QTC7#zCa{&DoNfIQYYvMv=VDQtAu%M`ycRvliO4jr73a}Uzr!l1(Rh+3m&c;< zNq8BW)01vcFI?fe+ux*;R`P7_?5_&rev$IN z7gs91leCSL`GDD4rgk$ZT=|r*fjXKICikt)LcS>Ho2%>HH2oP%_5=k=pXFdd$cCnZ zpSHtJ6|AKkZ);wY4PvB__xoQ4j?IrIG$5XxhQ=C;+sMm!S`nNG^vwvys0q50JLLI^ z=lQv+TcE#vXu?k#3{*M?&W)fgNV5PnBH0`+k}(qGcmCxbh6v1gq1MJu652BC(rjh6 zk8#zrI(GG9bakby&TC`*bDM}dGgK%bi%7l`sYoIsywC1#lw;~NHKGP0p&|<)JN@Ougrg%?^rFjYa>lW| zx>>&_#92z>`>H87l!J`l0x+`}ecoP5(0gCDl%^qRu`X%x!TrHDD}I$xC)+}xIyi9? 
zNf|pgjXw#PB zgDq>>qP{3j>>a%bvTw+C#&JLalriFds_EToSsO$I`%jJ6PHzm$zV{|zX83Yl0#aGG zC#SJ;GY@jmMdlTQZ-W~1J2(BNr)eDgO-1ou2t*QVSJjCPDOiLO*V;oT_k<8N;#gZ_ zA(yOQQfcuwsy?9}oziiV(&o6*4YE&&At@>8pQ2fA8e4}soa{erA(#1y&Ckp-tNKU8 zp_j1?E>@n#*dkkGH;6fqN>tJ}yBYco>4arrgqE%UZ}Mi@W+V{i6pj+n03sWEP1IcL z1xB~~wLJa0W#XtI^RVtc1H;PRb7U(0ZWQmC(_P4lpquCs;aA+IyfIB)a3Ge6Kf0Tw z2s+heLBO3>&1PRP77Xsc>b^rNs-P|E-*LqwUIt7KR!_K{rp!)D6GG*L0>%5qR<7#3 z07Y8PBdLG>{3?A%<2G}V)j0O$h_pF8mo;+VVs5kC1^zYRGi(>&W(4D*((mKbnzg{c zxfgxOZ&bgYj|WOOx;XgtDYvX2cG$EvM&m#`#nAmQN`G$}pR32v?#V=>?ev)4R+1?R z(lZk3XcZ_?`Yy{YoDEF(iZ6wy^+a_G6oj~15is4*St<(-r!D_YV}lc&%(1J3%9ANW zQw(*vC0B#7I9f&eMnbeiIwF1);WJ6qFdm;#9tmAgS@0#-f;m|!GcGjC{Uy_ZrYOO; zME$7z+s!}0lS=!B=3g*>;BS-uX&R`uW+M8|If&NZ)TDI3 zT{Z2J-`WtR3=TRZmFB1Epc$E+86WQWYpv1XnZWW4Qxm=sD!$Yr}ct|sjQ1e^Rn;9+Gn@NsOdp)r|lp~|+ktX)ZTKb5jP)i&mM#$SVcvqJDb`q4don{t&U_DrwuC8 zdzYBRDt$3@`eV+`>e)t2t-~A|yqnco*UpX_7e}osvzOI*8mjs8bx0j1KbqNDHgN1M z={=X<$~;Okuc79L+Ytoe_YHIuc4(m|dwWV|XbN0nvR)&F{BWUMKe@O5!*;ESDV{HXQtD>75+dr94UG=&BX9n z<+DcP=Id*9gPY(&8B8ksI9ZVSZ5_TJDek-11XF}Mr|Oj9pS6-hy3#kg+bjq8o%V2T zgiSrtz;TA+E4DpuT=86pd+k}>b9A#){?VZa2G})udku8z&>L)9Y5DV-gW!StOSbW& zoB!4wUZl#+34u%8<_X0~1WScZED=6J0`1)_Wj_9smzL93lcYO1t3Ync#n6olVjY|6 zcKC5tTaKltrV%(;{|TmYcL~v;LnfOxN1uZ|_m|p@Tj%6RyYok_! 
zhGR8eQ^Mi=ljVplx$7KHp_!WRbV#rhEC$()@Gv@Y^~n8-5T4> zQ*ul2ua>fH`?G&eoY}GTv22091uj8&U>Wey{jgJNVH3i({Iq0D!Yy~AQgcn>)=iWSlA#FBZcv5Zda2kJOKXrZ<0fV2wWOvluLs|iWa>Ei zfyE$Fy;bh6@^sVD=A}c$^rdQ}^)0o!E}pKkvTkR{!Do&+_gj~jnYzs!**BZm%ll^~ z=qOEfx_az2nK|eSZZ!S=mU%k3lLW za6Qy?Q*w622+S2K>Ib0F#^llZ?wW1*!+0Dqz5%7i4fD3!odS*Y^c^U*F)g=(hW5+h z23Ohfp>e}oT(Cqip~2Mbhnbu74s%Tf=}y-8Yqr=L?S)MjQxeOBEpSu?W*3xc#wQ>6N1)*bfhoEUsfNC08^}{J*B6p$ z`2SKN(+vrrb=6f_cxx>VwetI7C~5Vl1xIS-r}dy&f2M+09xrIo-uh5hsJ}jnm1|ws zzA|;!!v$-VXK^e(Nk>IlhnWV*gL&llKYM@az!%J7v0oH3-O~^!QN}=f#iM>+2w92< z23ItW{QKD7-`{`sEmaA*?)BKc>n2N$o@74 zyb7t(RQ_eZabK&0yCtwt#*4@i4F)vTQz6-JW@Bb>_BSlNRBNtd=wG% zV$d|Cnr4D%HWkP+Gxal;>E-pUGXed*PZ$rPGz4;Q`PG4a=N=i5KL}?$1g^;w^5>sD znMPLB`-CR!wG?SGll(rpM-v8@8n~%tonvdaF4pu!KMzzFKZGzgyQ+d)^>+?(wD9r- z^z7eh5?aN%8Hv&k=XXHZ{4I0k0lqi;XT+5D@0u6shHCyugs`#mK*C~&i@01+9ZVad zl8A7QM4pc`e*ot&zfZ287dwq<;v~~DYAa*NF|~h$5W&K4_Rl~>kv-2;M))M}z;n1Z z`L-GQn^^!m8gGQnlu%m=0>dFIC@cs3LEvDk>X9rfbyFUn9mt#wWWm z9-8C~y@~#rS2j)~1q*TzLK2Cqcu6)Ep6!hprxE)Nq?6IABx89%7gfWX(P-oNMzc>h z4DdfRC7TXd0K)?(>pHsOpXQ*@ zI)F1ZpfUYTaC)HzfrvBGF1@-*s!WOSjeKV(29{ne72H%$f$NM;ZY89}8SrfJ1Q*q6 zXJc2!B^tzx7d=?zpjIFKM~oI9ZDQSr8~MmSF6+D9_Uut?#wUY7NDyY)N*x3#V$f4a z)q)D2Kco{VF-vv5ra%Z8=D9~MH4p(+o86|0-m51%F~<@r+@+8ynVOSVqcoh9I1}5j zVQbFBO)pP6*fMyn|8tkhHw@rd|L;G2`gCRe|LED{=iU1MI-vgg|DTo_++l#6YZ^xa zLn;Mw?V9)oF-+w2Ak6;YPV0P>; z8^TRb_6Bgv|9sU^GyLb0|ECAfAFam!4jvtJ@_!w$DF4|abuQ{JXY=k9@g9!-8!7;m z*ze?875)^@6vuGU+;#;OvJ;+#iuQI zNXI4yel>r$c+zr5T0~&Wvo5gI!o$|POGG3lSHnaC4UYv^T2jXKQs*VFw2Vq3nJ^r) z&e>}}Ia#|xa5>Y*#jOyFV!QOb*4Tpi=QDNG&+R~l@9~sMJy;&vOk*69dz-Yh`7P7c zLNP65#(;X4}{m0L{_20F?;`(p4^vmNO8`ga{v*NR(>C*B22!;#}y(#U`CUIGhRm20vw?pWGF?>FL=zl*+%-ss+<;z$yPvR`!1m zo)@1L`cYGQI` zeq8_UZIMcoM5(0FDgt(=Wh(5c_ysMs@REIp@kts{dARnQ3Ph&yX1X-&nam$mkh4!{ z7&2Rx`9w0VK^}`Jjrpv%|0uytl_4^)Nri(A$A2vO7N4vgb6RStnBaj)J7R*LvKW-6 zakA9l(PX)~S$2{A`TT%J$&}i4nklw6+bt6b@S~GAKRq5UJuW-*S9bk)$zd%s&6pQg zH}Mu|`7Lr<+tCe30%uw9nRb{Gnt%H(dl}$@WO@+=gYPM92t#tm&W~Jf~ 
zqoIL&PCSkrj%lP&XAW<@MjnCg6f#+XP9ZOoqf^NE;dKgm8w$BQ1HKhlS^p2F5XEf5 zg@pF{aPI#-dbSe(d-C|{vu^!=9q{|625W zgVAqt&-}M|FrDmW|0(`d=X`J8(1-?SX+p*<0@ZssP!~z>;b271dJhLWPI?djZ|@uO z6O~M)ioALGO7#Yb6h>nWSO|2_z9+?hdV_Nnh!FN}krG;w|BtVZUcP%Zh{HDfaLE6o zr;qnnXlq_Jx_*hb%A^1*Z{NwD%t?lY?Z*S=o z?gNsa^&+Xt6u+JV`TPS!@f@?vJs7CzgTg3~m~uJ+Iq3C{P34A+cDD2ELn0v&O9;;q z|MKO_h^lFCTD+GnqwUTzDY{z?17{y))KHp6QGue#KP~Abf0gJtmCV=N}$8 zSvG`7h%-X7$JV5Ow!fQgtvRDln4YF1bJ%=&D)&Z_812P0>(Yorj_=+=GYb zh$3;3Ay;T|Ey%fTBm3P(A&3~8zlzVTf>hI9W@`f-kqKy16N&WsY9iIlOo&t`sU{K> z#G?q*a{sd?-ygkuwJFduhs>e>FG9%h^yu`{&^{TS9(_E`{(bcNRWA@+i3s}7M$dxr z-(Ea<7W7{P|9SLu-o(M)fo&?~nHNL|*`NRT;)Uw19H)KuVjMnu{`Be7=lw{@UniI* zW&{6H;PdcHMkFFrt~Q!1``UMel8L0rlm#?0SEck!0DhcVmCT0=W_FQ>)>&C&u0h`O z$}k)VFs&dO4=gV|dO(hh5mN|9Ox6 zK}J-;vnQnA4G1>dPqRo_e0R~` zvkbe60D1T@@AN%f%salI(V3n~kxr&|?V~d7(p&cBjDlX6v4|;6LQsKZqg?xpsA9pg z-k%z_V&zygIXv8)9fX}cW z^m@b~w)$$Es*I7P1eFNOSd@HTdg zv3KTX%^3FR&ujVh^W!c>OOzM(Yk`Yb2QVM}M&vnxOQwvX`aFB}=lkDSMlby5;)lHF zP=F#2xzG=bGkS#bD6ic^6!ns*-C=E$Y!xLLAYFWGuHCF~=qX;wSVo64h#@Pa~K($yF=R?=R zs=a&@$5fB|js&@$vI@hhr(87`&FiB1jk+deDv9WoS)7HyHKUQT23K&N%|(WVSQiNL zUm_(BGZA=5LUF+(K|?e1=G2_&UBObLRNK|N(sTm$`@p1_5iQv{quEkbf|d-Dc zVQyr3R8em|NM&qo0POwydK)>CD2VsJKRpGGH0Rg$j7VL4tK#H`IKdAExGzT zr=~^(GeHuqWFiYdN@BHpzkQ8;y?v7X5CHPVydZgzC_DK_l|=%901${90uh|}5e|KP za5}|Y_UCvO{At~v!^6YFm(QQW{|^rji~m19K7RG5qvx-lKYw=k?8WoLKOG(&zk2cV zPv~&%n3Q~CAu<2c;mTtbC-+D`I1HJ@lCn??b`Zi`(lPerG#>RSJD@W>A!2~O>>z|t z4~2L}2FTJ3e2EY=8X%u}*M#@&kA08L4(uO3mN@xiaC7{;|E&Kk2XhpQ`H0=+L7FcI z0hUC_Mf3vdkx-BUI*G71CB5VRVOgW_dSME$nHSGUsAp~ljd?IYQz;`cI5_Z`CvtPi zb>IDo1T*yHum6so^^XqwhfjCQU`$Cc>x(JCI-sHC?0|+s;vhKKLCC`r2W-;!u#^E& zn0iEEPKiH25#}-^ytJ85MHJw9PowfF-HgSi*YSw-ZU`5Yg#+~GzyAAC|M;kP_~+8b zoCE|5(kpB-j_5BI!p-pxj-t$;dLw-jk{)e8NM7qe%33sHggkX+Q=C2UrLq#ew=x zB*&yLZYDcw1Ai&mzZs^X#55!v7CgUYJ$2l63dA^}a3IvFWPFki1C0+N!lHoe6t-Tl zn0tClOTgqIB!97pa4Z==kerYMg{WECq{)t)M`WNDBA}i=fypYr=zrfo`hMr3+2S|z zDaikTdDm+nqe1>3K7amVLH<8~-pT*__!L?98o2Xe|5g9lQ5M!pd{;5uqvtz5oe&`h zNKEnZibgtxKZ| 
zHkP-T6Z9jCLm#9xdUA5{<5LueKH-Rk1c6e+$l2rYgS<&8Ep$GTVfAAQB8Ku zkGoI*4>V^nn&CMLnMAQ58OY?$BauWjL>`+(0mY$5(rG0l^bsJSV6c%=;Sh#tAU4i6 zLs;(Y?d&O=Lh;GL!NKkAZ65=&ea0u&_7Ml~-<`hsaPbC=AJyY?7!V;4C%?y(6CaJ{ zR?`{<1O@n3Z5!+jY&i|lEvJ%(lYJ!2p6~4C_9k5{iyRfX1}sE4M7t*!=-tIG`r+i_ z-NpXS9{St6%bz}ezC?dJ`Sj`J!{xg-7wF?Bbo%kb>vxy$K7P1BAAdwAAO08m`Q3-t z`-o6EB^;5vh%5XVM^r5%@zsu6^05dg>QH}+hGK;`&MLy*q|K@$zpC1`V>1%f&E!&yg1N6PEvLg;1LOgIv?1FV}gSq3!IJq zPCP04WR5Bh=m1PKxl4>nh6 zUXm;8PLrJQro@i}MGfc77yHP=A!2s9H1}Z~T}Uj+I1VmIij+?zrh!l=(Gt?HnJMIm z>bEDBoUW4=;A;S)VxeMf@Q*Q_#2mUPtCdc|Uc~%f$b53Jr~a#F!uZqvj{5V${F%=8 zWIU!JmGgDXR2^&dKiO!5Q%FC-a42cde)F`yWB-{h!KI$GWN4%W zQlRxv#i+M!ixmfyFe`(m`toUiC;dwd(67Jk=y@exkk{Y})Ly)VN%VKLS8oR)ePnf` z)FRNF^maxz()y~ z0eUz7z~nh6f`qb2D;JtmX2?X*vgV$k|MYt5H~Sq36h$7H1Cruk8iC~roeK^v1CNH1 zaK+}$;PAcuQjZGl6z|VC$gPH4+8t$E>a(5#B9p#WXwgWi)H5PMr3GIwiiP5NJG}pOeV+p-q=xJnl+3PpwpWd9FT)ugY-l*-4I29x@ZLY~2 zJz-M%xK}7LC4?9LB{8g1Qr2I z2)NOr;V-!#!Nk}*naTGDGm27Am%c&w%) zV2WCT&~OAkfHyl}*Rc9tVP%PU+fZmP?tj`UkVZ zio=_K4$v3}g4ikioL^`~1N+KaR!fE@qB65x!~C+J5jkc45ZJwBXs8ApY9XYRY{Paf zaItSpaI*ND8Cb;L6k&meMnV8M+h&k(a*O=CP?8DZ+U8SIg@PriMhN5Ch;U`4N0>`$ zj7VV&Y!s5)V6ONbsB(JOB#WpAvM}i}Ku5>PX5WxdBE?#TUK=rGao{UH>fuNcmWFL9 zKj;nQF|l z8g))y>!tJpsun&y;WHuxo)Dpi*FT=&yC355nD7hw2N|HFm#<#EIzD=tk_noLeKb~P zGYP#pI8i`vjTCR0V(w?Q4Jna7!ctihYArJ3-*PHJn@L(L9Da{UOkOL~NYNv|!NHjr zpcjXSWeYLGcXSrd5T3C(gq5F>nbM|#HZ#j&7DJCTg4rp&3HGKM_SNa zqZ0I$){N8d6>Osu`I;*y`Y$kK%f^P5RIgy1tIWDynRPWY8=AT3G5U!EL}}sbC=IoJ zWPASzod-s&W;B{qi`iNwCjBzu1Xd-<>R<>Z;UKA1Q&e!AG@AsH?)@pzY!uK%rAB@0 zsLy=D-ZeV8#hiphh@8z+wf2QB?Y2Nmf{fmr`Dc$~@4AOAWTg+QZ<3*s#s1rrgowu> zh(a2oSsX|j1q7+);HWiv4-KfCqd!_TSEOHa{cy=3MuV18?~=!42!uA|Bkb826#ad*&ZKN_?Hxq7BnW!fA-fH;>m-?8Ps451`n-Fs zXYn!TC<2aYlsdfwUMwV==_N=Zs=guf$w~6fK(RI!u*tk&1*-kru^!%Jk52Us@d63s z)HSYTQJ%Nk#(4rSf^0|P$#4he(%KkxXXX@ zNffZT!m#{z4H{U+!m^#gf%Mf}&82w8iN1yfv_RXfp`Ot}I3xjdgf&`sw7Xck$Cn@A$<_!`0I7UK|}891_3-l>0fw z=EP10%$($AZO&qzj-GWE*_F%fwf^d!_IocD#E5w9Qnfq*w1M5!_bLb%yXjOvM)n5D 
z*g?tsl1W{HSV_OvD&UADYO=XOG;4M{WkP#2;o23nZoh#nfaX9T02)*vGK=Kgu3-jx z6&y{CIN${PbFBzlysU0LB4fr0kgh)L`d9EZn}I%uO00pIs|XD)$qY*ROx#id&VI?~ zaN7_57-$9F2E9H?iBF`Qrd=Q%c599pGy~_I*$1PgfrV_oQ&zYTw@g_wie4wAHzUb! z%{2U4lOe(*7E3f`w_wV_j=|(cj7cFmjsTnFaM^3dbnguv{Y>Vc$T({>1ao_xO?)sQ zDC}JF9k|;K9IdJ(wgXNk2PUN?p*EYav@X3{rNjZc#-U*V?Pe502;yKtK=^K9IvI50 zFpp4}p(#6-q30yTO8XW;5w=8>)1G%t=rMS$d&$snxc0Ror}`*0eb-KOS1)PO__H8< zV4|=S76_-tI;C?r2JnjsxhR=yW|n2Ut4umPgW%%YWi%G9aqNI{HX`Yc>Rl-j2ykMJ zFY`$(VjvE4UjPlBCL_brYWT*2)zs}HJeGvt8pFO|yr@|e7t2*%6qjo$p;2+wyxgnwA^h4Fm z&@=k9hlsz0~6l|OZ5M?_4 zS)Xp`Xgy>WsXvQSTv3XvT8^QmIB+Sd^%-P!Gb*ghLD61u9}`)@z!^4QXe3z{af^Z# z?&<6b{misr^Xiuyrl8R<9@;!-WqI2&;-qJo6Y^XLgQ>Op{YP zUm55aF|l9ZRe4+!J|zQ@^%f;gWZ#hK?UaCzl5t?+8SQM!0zYwlcKo|`@ z-1ijeU6XlVJ8g#Gci1=Df-&Qa|5+rLBMC4bUGJwlMFLOph0NIKhH(8)aMy-@$|-cX zqXjoKo|-E?;FV$+S|WrDk-I3M9+iNjkf0n4O9s!NC#Qt+Y44FYP-b` z#RmmzX#3>IO9_pAtr>|}@jr0DhlU-b>;ZV=JA>fs4;KJ(!4Q6>)R0sqO5+9FIp_m|fL5~vjIzHQ;&vuNq zW3-Qr(Sp7Y%3TSIHD|WS6f1e68%s1-f0hqo&vU(k`at9@7Uvcp^CdP3R%Y`*(e{ zgC;Nq)>D&=Vj~$RP%?ytE9a3FM*quLA3{rzW1E%OfMthHq<*dn%YWv+~+ zixfgSZ^-=lqf>^L!8qLHa^{egaqmN-QM?<@a#%Yl(rAN3n zZq3T;8{$3fB{J?w9)3N+Gnj)CD)Ke^1_R&3jToN z&uTltU!>dp4Z~xYfxU!KJT5ymv2XYiI3KP_Fjt(Ca0(XWlui_d1Xx0ti&_{Osu9%` zBkWxhi2^2!x5BO*}a8$CNsJbW0oQczEMO| zZzzr;y&P60OK`)!&xsI9AvTYVu+V2>#Mw27q0H!}HH_$+$1M60OK!pJ{X+s=E3CPT zb`3rQUGL+$xr1UMK_rxXo*q)&L+vQzzK*}j==nC{B#Era#c7$r@|PIG^cF<+7kiuK z@QgZno|z5f==FySEisb=nJlTER!b+ z$ubyWm@4Xr#V?MEUqJj}ArK>RPh}o6*{|RZxIbZR5)hE&0mFW8WX@1eAKG23b?heB zbedU>h%APc<6F@ygAoR!oyF@?yU?#gv9D<`dxR4i2zF8E>7`DNoSvY0UYZNBM>a|x zI?S;2rr9X`^h~0ED^eBo$e^Y7piJWAw;bYtjvk4H8KG(nC zfco}4Jb^g3fM5ao$czc8l;aT-12nwF9AZOhIA-eqJ{iT6;l7q_l4DPMUjsII zuf`a_Q^ZuW3Vjp{c)g`Os<6F#oeiF|XGNR2{s7deo|5N1^QGDPvjq3PeQyfnT9o6aow+jC4A6!fpK~@- zmTW9~A5FFu#Sed>o`Q_eh~(7E{3aO^9>zuThW9J3fvhwbf=E8?$aO?xWAb-h90ilCnPwG`oC%k-hT5Kz?A42jUd;CQWC$ z!B1+e%rQ$EB`gd7NCPrJ2Sj=YYUm#L;19riq5j#A5_gUIv%IzXZ_k@z8fKc)5N>(M z#Wjt7QTFIOMsi2|2tR{0C#eFGd4-nsFr;g5#g;KM$sP8jx&E=i 
z!&Xz#^r0=^ojnsLAsL!*9L53W!5o=uX#MD2>mwF1{q$5wBw{Mf3Mj)sY3YS0&4aRu z=~cD#V7zuLmUauvc1rh=4B;C_^`&~mq>lGd>f!16XC$YbNf~I~xRVA+XI2SuqSd6+ z_wUd+z!S4ez%LiYkoLpONltb453UXn3xUa~T}fz}&8So+ zGddA4f`|jTUv|{ZS=!mFK24IL;XnRqoOK$MG9ePSHzEoqk3&n3iVk7ZhYIIpw}yT6 z1kR6%%+J`WPy2RRv?Fj9#d%^=Ct8{Pf^v9brP|HyQ7{oEz9L1%cr~k>+b2ZO%bsB% z_INTy!>kFEW<0U9e>(GjR3jTscbR$ZYK=us%xeo@sd6lWTMQE3P|iXtR?d@0V@C0` zokQQeknmV2sBfQjYe8TbA@TQj_L8`HmKaRB(c@z9#TC z4eWnKXaxK4G|6L}Kpw)NEW*-EiVF1WC}5Km{T$}%rvn*zJ^hAAJk5eK5&BrLa6d(; z5dSoxHzY*kSZTeCTc`S-0rP<=Q^|S_t-DFL+y_sYPvAS90EiPf$BA=JkD^G?z&n24 ze^&a^KONF2Tbd^+J@ogO-rxY@7MW!s`<0S#zsRyO5-+BCL^JYx8Kn8~hEK#A#> zUGxuv$aqXWNU+}aA@Li%-hB><7SL3ou|5izF2_? z=!G#*)voD)m2>8&uP=(uBzp^L9IWQ)pP)BHjR)!(#NRQW^w9;eigV)=Z)*Y)ZVjpf zbs$pZxd(Vsb!PP1=r4>p2ZS;}N4Z5dnP;*>bw+R~GOx2(_-Bc*5b=y4D$x{!)@3iQ zvprAGKlgL=l)UCt_5q4@TBh9n5`a^?U~`060B^DcI8YQw{eY+m>9nG~SfE4H>*=GN zWE+9+pb@4_X%5-R8kwer4;yFBA6&}kROUW>520EHYaF8C(NI4kPFy_6fw3=klXoua z_kzBXdGlf!?U`0_lA*VT)oMMVz-{%H3pYc;KDZ2+cWpwx%1(Ug8W}%?hHzydmS&!RChXo?hv`A3A?EWOt(rbmAc?OPZ?=+LGKmBGv*z3CNMmoB zQgJr6IrEOnKEoC0yTku(4@}nZF;FuerF}J%8>=pHrHiKAD$!ER*@-ywz(beZbFs`? z^k2NC=^89vNND#p1VDp=I$UF zO10Mx8PzZe-_v~fz}Ri}F+l2NxAWC5K@pF~^iJ`%>wR>#kKXR1%YAgdkA9~6=#1{8 zw{#y}(tUJJQ_*6aO~bb_<~Wpu_(SkX{GUvRffkwie)2A5#AIgcm5kCaacP)Ml$P7- zDpkXk^H(MJ_&vq}mGho)0jpmR_Vmnp7~0Aymc0p)qNh_f5x<9fzcbPE0xU$2jeC=1 z0Sq?(ir(B1KF>_iY=ByxG;;w?4n0^&I$grdvNPDhegYB9=}M^k85%I)U>u_6m;Egd z*GM%3FAaw|qanNpPYl!8yfueITiDn%2sDN1t5=xs?lY>*76$)kq!&4K^bfK6j z=19aNF&C1|@*0kDPb#c5?I_jLY`#{CGXraDG3%d+C7UTl4F`ecej~V9)_L$OivbV| zFN%_AEsKQ-+mqV$48v-l7jR>vY8V~`9t4wO#VV{8n*_xLGr?R;8K<6oNRvtgd-J|; z{7&XqNWvIEt^^Nr#l(YoAH55~YvLtNGkwh&C{s-`CAuIrWaue#dcv`9UJAlRmwsx! 
zk2GTmk&h+T7x5s4b5c7^hXHZp85X1tsw8{{cd_Pev503@R_jT?EN_{bHMZ9&`o9^A z^N9|RQ*8~&JRO(>5lI$~jG&A#$1^oFEQ5}#%aEzP=E!L+Mbb3;>Mu?clI3YE`shTR ze>mZ63>s2iC(t=k_YKq}m4lo|nk?;WaxK>WuQE;M|NX!JACX(}{=#9mxTX5ZcSY5r zhxBa?#Pz^YLr*?ll&)e?zsRiSClcu_Yq|BzrzKK9u;N&$8z@n$z=>v`{1s(+Qp+Qi zJ9?}IZPUOj@PCkSBZ2~U3t3okSfw65Df;dEDKbjypyM>NhMvML6=^_TU2lB%w2Gr! zTCHc`-&KhmZ7C>vTaY=a&7;ZJF4)J5YFzR=-p@`h$vLPNb>-hJROXmEu zJR5Qqq9MF(eNFig-LN3m?_?DZ=`Td(fct0|*|m|sK>OU&BxRoMqoF~%ukbp@aykUV zAY_Pu+OI&{pR)Nz-i@8W<8*&aqtgJ>nQD;a$_ae{YF{swFAVxQ zh8Gfh*Y<^X1{brdmS#&+1MAmWEDbg#e)+~4_LsXmUxZvpHQ5?`F#%=jG>txY)|2!qfB;?nY?ufrE6fKH6TO&IPn*ukcCht zi|AV?ov#aC!5!9m?k{zn?!I2Plg9@swP;L!{ir>a7K`)b_c|07i84cl)%5w)-u$Map=KlA zLfQ=-s08t~#N6Z+7Kx5wF1aL;*4dB>yCi|R4Is{>U|2Sno%5+P23#V(N`K8>DB2ho z6UD59fvjNVWX2>hX=(GR=ae=Ql3SYqb(>~?rP00uv};!)*Rt?*vuRNvi009)iNe}x zNmRqd6*;R_uMCQ<7ZDEpjWr-w#=XQQ2*)6zaINn+K^-#YXQ9VLHSkK>D@ z<1=c$H4$(5F2@U9jt-BXn?8lu{zZR6u9nRXQU+i0x+Rr!?+d!|6O+KrWV_BrejA+@ zB8r$vS@%ELsK#AVrWr3gK&8Xv1a7D$DUJ&ktemzqy(FK{|P*P9)_GC}>rQxI}>~~LrNQ?|OuBnK48C4SUOr5e&k~^8P zBNFGfux)KByezdPYE?BLMb$UD97ZNQHF4p7NM7|Vyd`{+dmfaAU5Lz`8BN}}r_Td# z8NVhR;=)8B)8NxIm$ew6XFCYRk&h+0kQ_@gF^ZOcMD~dV0Szagp}`J9qu8I=M6NS@ z_c=^1L+tU%Ym*s0F&megA@qKRYP2^hOOp^EERrxprL$dR;HYivCk4%BL_#T_EXbk0 z!ppv@Ok74&d;<*T|A)gl@`+As;TO{SE)sRM?K&a|`@Z!bBxvdu$ky`eXG$iG)}Rp*F&MkqS*8y6+{^8p%JC`pAWUaN($5uiRA6LY5u`CcNf^e6-54)@Y0RR? 
z3}yo-fZgj{r2xYurhsc<$l<4>6YNvTBxq|Vy=+D1Ih5gu9%n*iNPRyOV^|s7f=on) z&7Gj%SS4{G`9K2`_(DSz1=u5KL_Dmd#wU^w?pqwi=8S^4K&@y=OS*O)^hsQ(>5<;# z+bGP;_4;1c#r9-|sggh$uKu*R2o|+jE;dGOxTKS*gg0by6xfT@6W_ccOt#PN7d#BH zT#imcTSj3oTUUqo&Y7Q5xmdkuAJwB(xoGoHdmZhuoW)p1pY=KK_2M2fNj|*7TMQUk4>~M9dcAMf8FI4petE+m=1ZW zudo+TR{iuFL5sZNaW-x_S%pG3vkr=b8FwLc&Ys_P6?&_Wv5p?kcF$#`*13SuFk3cv zm@R|yKy08;)mPUI$<_5W>vV2X`J|V5$%BDy;BRV1Hrr4y;)Kj}jf*||B?N_QMqZpr zu25=i_1>oK&s5GW-Tv(F_rCX4<$e(=7W}`|@`)T^K;{QEm z`CnX0H5`GQ^mQ;+Xb{t&jBTr7k`7NF=dJzWb9GsF?TxGon-~lLD zXNt2gv`LlMUk`sP_UP{{nt0ke5N|n)BgHfITzMRx2uO~fd}Z2bMrv#Hehfb`CeNsV zTsR6m^~ou=o+M2ue}gJ^$!mkf=&>|tpyG*%aCu)+HM;2B6pmZrbQ&0sY%U~w3H~&f&ZSi}t%4*OGrG+wJ`aBMmov-+ghq=;Cg%ysqD{0lslf*dA08Yd2 zUV|S(S8`LRm=*)D3o3pzuLA`VGo~1m@Nl5BSlxy;h~Bt?6Nf=Mxb}XCh=qdM==(J1 zl8MDkbnw&_UY1c$N9c2JN^};iaAL;P_D_mEg!84@_8`wvNEC@-#WLSXouFC}X-jwN zC{RPa_I4@@GI<=Aq$4cG9)a5ZNs(u$)oz~zApUhwe>OWvY1mR4(WsQ|-uW-53p-Tu z1DfK{5A0$4+q5bUq@6WIMAeU)BxdZ!8l4NIigcCqH1-AR^xqu!pY>n%j-U6R z^`9j_C6(0Y1EpwP6P~{wwSV|n;^dDWGikvR7Lw!=&89B@^ux*NepwmAeVq=`6nvt| zfi3C;3n2%cQjk*$9*?-)ehfQ>U~3fu%^Klq<3#7w9H8C7cZc7-u%WdkPhjTP?+?E_ zw!cOZXXE^D&+KnJ4pTnaL+RDFKAeh$CALW}pQ^CN5;)*6lt!*$U*s+#o+SQ{7Xx%R z79CStgQfF8tfGu~t94cxhbB8_x8dK!h6^HJV~Jl={_$4vi7Ab8yZWb8#m^h<@WV@g0IK~-PdmKWZnwc_8 z0pbt3G`JvA2E=$v!z^%}W+l?Wwoxq8(c;i294g4_`+J=SM~B7h*j^Mz6OMg?7*D?9 z1Olj(;f+mVTpgnb!JeL?D&|88rCXM!IMK0g|C(Eov|A3X(#e|cP-r<1B zDQe<8NPSEwaQSp(dSTJcOQuB6LZL$7mCMjo2Xb=|(U!0u3 z>z$_0cx?)*YZBW0Bfy!=wN5|d@mBoMg1N}e?^1OyAXj|);U}e(3Mke@!Cw|izZWN` zFYJ@VG0J#Ta>P6n&0^Ts3#iLkYsa{bMW+0{sbvAhN34Hd@c{iwHF*xOV@p{k zbz(lTfS?~BC)$bj3Yy!G{th2uuUJxC5#5+z30GD?!HWHu+qQ_)8yb*Frd*OO2$oCO zWUGeg>CEljfbsZKnbzYU_IeP_JHnn>jZf!4{}8Lgefml0+X9e=x=IHFPbe~>fr(@? 
zkM7h|0kZ}Bv|;n%iei{g*uC)jJ)a<3yLEDTk)YCgn!H5UL?|R$&y;QJ@1(9F;}|e` zsr<{c>7UlBYnp|q?&dm zlw6`7z?G_9+1!A+5d{5%lz`O_OLvdn(jU^!Pi*bJr@HnX34O-*(JyEEDG}tiw6FI` zQeD*6p|%Ojp*BXW^zD6HNmD{HM?S+6{Y69l>) zTQQ)|`gZ~56EZN&SjS=Bk|4Oc4%uyZMOiM3)MY+%r9RY2io`VYps9qK%`}?x?5gE1 zJZZ2`X@Txcwc6}gJ{8wj$*dQC2^l;96AM33{(JVjv5=h3vfp@7oc&YW;wXX_L)mX7 z$DxR@5*k<2ctRpv7|T<0h-cA`Ekb7tu4d%m&K_jMhp1E&k(#C_O$(U9BOlmw8v68x z`Y{f6_OeCIt1Ew`l~LDNJ2-U@H~R#hYO+wj1&7M0vvrf9(b+#@mbB@!C z+hko{BwuByFdG`56k<#=DymI^?E|HtI21}U?B`=ti(8wo?V1DiXR%Q0H4FVcBsvKV zoWcVPt6B@SEC~%|>!?1tO=?6;b@{FAy-re3*X-ug?8uqKkC1Ie+Q}3#Sf+NX9VB1l zI8%`sPDww4a>u0)x6-V+PGk-CUg%hLr~AD=4-`p=y_Ub}J*Hvq$1IQ_vkW8nrbF<`WP~5O|Gn zt{K>pAmJf!Yyx2$+MtGV`GjY3tLx=7=PP$>IW~Dm;qhit_Fk(fV_UW-Ex@fz9Z1XU zTj#V6-8{ol>Uf4VK7}K35-Tk!XRrN?$JaQ=XMwP;)z?+rHDRp!pk-NVj)NY4|I9$} z)BGa40t-`p7RO4>l!on{5jkZhOXH@uyle+*R%(%rE-*(o29{7$fmbaqVQv|pXTX)z zs?Cj6$qHag)0*tI_E!aOs6E?<-yg4yiBu6s9f4>s!TD)MH;}eY9JwLs^6JFkL>tU- z{&-}b-s{DE_Uy=rvn?Yz?dJ2QWQGktf!6_Pv*C(G{JhB-yMFZpOgR*yb1k? z(XfC{ej}7Zb2Y+(df(1jP1fqU(=j--i@J_u&@iXw4Qf0uKV4p)=NUbEg0C?;SL*vY zXLtIMu!7r2OvfEDITO<}H|AYQX_nU3$8tAFYdd@B&0R#eG@8iH9{P!JqBLip;|UAJ ze*@zcgkq*Bh%xR3y1|^XIJIIj1p_mFC9P`B@En|wVBhbhSs|1%gtJK&Oq^9;ze!H( zfn-ePnJJ`z1e+1Wskqiw_GfJyWE)Fn9v{;`NP_RD%pFqdh%w%M%n2asDFQZitxP>; zEAtCQs~}n-WQfip>`5C@oOkjlJC{uH4Q1SFu9-RO7vaL(2k7Pdi3GF#og_~$H@Cmq zJ){sE!F{Pt!Jp(mi+RL!jY>PdUP1U$kD~B@r{DVT7nf^7q%EqYqvz6uK7~?enfw~5 zV?ubGM&=#v*uc)DtIT>V^2@W93ikPTw@>>!X_iVJU1t&vrSSq+FomnJjumkFSo?Hb z5|a>J?<3Nm^!L#a?UvLR{P)A%p=I&E+Qf*bxs_N$_D;Jz*|eQI$Q~@4W=@~$SYLA4 z;KsCz_AkCB5hsxTWdJ1_6G8#s??UnN8;Wh}*uDWdG){PUq)#3Q5A*ss;n}^3~Ddci+8yUOTgw&mUxBGkkZ|IJx>pnPiz&lY4P= z{2;RfrSdAZhp#x6gcbezgK^)5%qLHm;)(@~wQp`Ad$EF_;Y6n# zizx~ii*$gX`Q^lf3$o%vQjdiKLTqjbgo6oW12^G5&jWC#%o7Uc~>hJZeqLP+n@^kwPHi`sOkn2I>z?%=N60v3CthRETH@`Bw;n*d0Jt4VEU0 z`78{U`D@?83LtMvylYz=E4}x@u!H#w-2aL`+BuQ{M}i0>XlU*k;mQu6C#^5-ZDt|q zFAd0ka?#bF<5{o|ehx@EsRc`3t|*Pld;{>(KaH@l>P~KGqp_$nrX6)Oef|YC$9ydD zRa%RKrUmHiBiP*ZZ7yEP&z- 
zgD?)OHrS|@=;b!2Cm=uNLE^@^vhc4o{ETLW_A+Tq_36-$fR(~%BO`RpJU#8SpIOR5 zvXHvqhDg51HVyC`J)t3*(IB8EKJ%&ZcS4dsGv)|;*K9m48Rh8ka3(S%&6UkWu1trk znaE^FDw|y9W?knQ9@+3r9gw2FubLt7J!Fhb=Et5IS9;Sc4fIM!qh*?vAuyUt(tdau zprbSTL+R+CF#uRK_Ve#vyn5-n@{*xjOl1*^kx6?}xA=J+d^JGT>O;o68yr+@z2eOA zjPR7s=!~#fHXvZTU72oIrdt&jXZS8%{4r6BAEkqq4VEtW!dOc5*Dv{{#-?e`fDLI-AzH@sCS}cir$Q!Ca0APPl!JpOo!&(&LJn zF#w4dRv}4wYEp6WZvFfeIs)j9m3FMOW2GG{{R&y>yHE$Hr3$V|@IEhd5-y~?HNMuQ z3N0!^OFXvbm9Pzrwn;~6n6GJ_*e7%AvDI$ZT>c0eX8g0-7j}lPbq;&uzt!aVF`|S2&_qG7tm3vdTW6;c)IW^yT}DlJYHjaJa*&!Jsb#lc_nm zO}WzU0vyo+`k;*Gb_>A9nGlI69tBiPNfOg;B8`eeW@NDQxRA>m9%&$4Tzq)s1Vh8+ z0}NUmlSf|5NfxI0>HHKCbD5W)slKbQM)Hg(8K>uLO4B5Ju5X|mM@Q+?d7yn8g_nga zun5fElrz*Eu4Ig6={y08 zaHOl_sFPrML}nKu)WcyL_t3lZ#Uluhs?Sdi^C^szpUsN9R2W6X5#h0b2fl3yA$PTu z08)&Thj>QB&W^Ozit<;;f9gJ4_DLQzXdR%h-Dds23l^?z45ebeeEuB%e|UJ9`~UH) zm(P!1z53J9^HQ(_@>s>mJ(ABqb`aYA z7wYd0bU20>92`ujoW`SE2Ekr=3c&+!in$aA1uELz2dJ8svXB*7^$dwIJ~{9?9?OH{ z!{fu=(eZ(451lg?^a{Z1kLbh4OZ4XTyUYJ(9;@gVJUIK#ax_Q%18?RZOh~AKrT^+r zn1-BceaL)rve>?^kNJ&^3FpLr4S^09NkYkY+IrAmzp-zk z7XTo%%R=&TygNX@?iAT^u_-jClFSwnaY1$gZ4!ExhBtPArMA6UrI5m~%XLScird zje{lw>WjMi5gVYnBVP+hAEO^B3Hmd4kg5R@H0f`>oh{d(8~BSuX9?Lk92ahu6ZX%>w0u@ zw0!VRj^=Uy*5zozY`=1$lBvVpJW+T2yIUWZo?qv!&qKH^-2DsPjZfjz`KvpBbv>+g z-1s=^FU#sK8xgGzI>dvBxfVvR(>ZWnJeNt;5=+gTTG{fCW?JoR_D(hxKAmjpWK%t? zPBv9SdJx&F(XD zT6T9E7G`(1u?))H-3IFJHkO9p-MfDU)9UWsb4@$h)XAn!Hq|wL?6Rr5ckk}qi@!SF zyYCcQm$o#&?&8>|@;#eO)MBR_Q<0mBFFfS~h(~GB3sy?RRGj(gry`L5)%K{lZ(?&CuhBjpH6x&j*h>ie;vPg`Sf3QYejUGx=HXBl`A7UGsIQ0Gc81@SnMKa=?^X6?DbsC3e{shLO=q<839>dA8S|^nPx`VJ&7j|3`dZel z*sq8Y>^Ydse{*LsHFIw1#ukmC;c;tpsOS(8yQFGFQdOpkx}^w1b8k za4I=lRQ{ZdmoC;D;#9i=TUgh53vg`DtBG%^W(*lXK-RPCtQb3(Y(~pA%Nd)Jv9zz* zbVYW-jmlz80t>RGV8D>KTNk1o4RhkgRYbgy+v|4a4hk#GTa8x(eG}QJS;NKHSE`)B z*)-bj9G)^^K6+-uzf@W|(&%*T7d9IN9J-ZbSQ<^q7EWakCw)l_R;ikFsnANgyB=v? 
z3t7*41SuWJtRv_|DI*Lxc*%D1R4A$SPTU!ou0v(ScDZURr8dTPpfcFs95xE`4 znFcz+K&5{8ZL5;?<`P+^Jsx@s6z~@t$mf*$e4#*}o;GY`3q1v zG;MzhwE0^QSFbjAW~v>Wqjt@mIs7PhUMf*&>D!+95S@1xM$8`6(nfx3_!|>%o17kx z0idv5jyTj~#fw4u&9}xKiIO6{-c{K2Mj5MT0Sb>7%1|?^Skik548FerOKP-~Y8Mt4 zAW+*BC;M#c@bTe{X(RcOb8!FMItq~a{0RlzTbKX9Ib_t8?f2L$kSZ{|P``D%OOckB zgCIX$rwAP8dITT)a(d4bRPPqX0m!r`#?7AbIdH-zaJyfk{{89u7Gx=xu4xd4r5-ab zuRU2C(RC5{0;K+U%J+XQk(GTGHxMq6;NcMD=7%?4ZxIW(s zRhT)Xm#!ttx>3rL|7N4BoKommqDNX&>GG)2Qzd62+|32GvCzYyFgi~ASa9hRdb~XU zdT{UZptv$s+<#3COI}ZFXU=M6{cKP1ojOKB8VT)0BSNmwKeo16!m+I+juOrDk4mCQ9ypnVU~ZalbO4Z9B(G;4xp=Yw$u)p^<84a+aqB2#EVy@ zD|m^(@%YQYC}&j-af~fuKP#uILa?Bf3XtXa@SV%DXqc;k-?PhcDw6G@iYyU^@ibu{ z>V>%9_&ti{i5w~N7lI6))A3rH)$XNu=RQMC;ge-^(PvKuHr>Qhg41AS;r=Yvo&eHr zM}o=%OCj)sZ>NJ^aO%wan8MZ z{%YAiykGU>*vAN(6C+R{(@6zFCILg=2VZAeD%yA?ckfZbtMRGX(>JN@Nh&^3{Ddg{ zF{!b6@or{G-io`z|Edeo+8UgtTNTz8oh7fi*R+O@zp@SOJ$e+E0kV8t-NH|FZ6ERo zYT_%Uxa1OM|E|1nTXax)LRM_X*#Mu5RQC7IL&kNI9K?ai}-9JzbT^ z-&EfIr8v`zn-P%JTY$a9u%fhEtc%#wR{3jAr$yR!dAW2wHzRna^&!2pXA|-)F`sh2 zJq3hx*^O*t@T6y;o{RtLM7<^%_NH3kAQXv|VtuL*(Gv#!&+Q)Mk-O)&xth})F`A0E z7&eVFqz&41^{$))w?MKI0xJ(azIKt4qV41~&Z=JEj~JAwZLn-MkEvy_A2UtK{T0fK zxnU_4nHb$q#bB`z*}e0wL|BGT&?M{m^NN+pr-~IxIyv}+RLvpV@~_2#&f>O(m1^Av zt*nZ5Y}P+nL(4!_QV8uVqvu>PYXc?0+DcO($9?`R$)fo( zjstxjuGW~2KfYxV?`Orx31JA~#8b&B<71feWtus1ShRp71w;}cT}D@vkmx7-?5Rl!E}2x=9q!f4YmMo=XLNU zA=GtXtmKZk=Z{oh!gHshN=+dPu>E7rx*c1RL$=$x*YRrq-(akoT(i(#EIb@H2`}1JK_#o$VMm zW&!9#)vN`YYPyQ6bJ4%;{8Tr7hW)sNv*T8>~k^xX?^$6=4~UL8E>fB`Ht26G|}0<^j|^I`tbqD+qC1wYBF7Nl^4yQI4l%H!{WpPj{Os#q;2Uyt*i=h& zcZ-TfuZq^{Hz>zZ5Eo~W#8M}eiy-F`DwpqOAw}2N+=b+O47G86W`9n3T>IcWDZMMv_g_e8JHhAS|Y8K>a(QLZUUt zINu{}ZIz`mKG-d7Eekbd%3!|*JEcmyzXq_@SEi$ON(bclvXWIA5J|#~c!_NE|`7Z!Ppd7j)=_{?i|*VFUVkjX^#owL`1g^*QUxB07&4SjksUzPv>i zhlPaUq7ezG-N<};sLU|^x&I|RvL$oWT^inPwxMYr{Q2K=!`po+pQ%llrPN0|uCeNu zL;VG|Tz9?KxDG+}-9NlvWoiV9(v-nsYUo3avhSTQEUyE<_}PF39au4b=<7ReGNQWf~*vuPmKq`T4R=GAIZ0K=$x`71@v|H!z=iO17I-x0SA 
z2K-bzMz%`FOMkLkJ)XNpI{iSp{9`Ef%$ea(6ulxFjA=ZYGQtX>+W-wJcuD>YO*V88?pBr`+HT_th%L-^LJ>o5~IBUh5 ztb6~bWgSYHYdh`RhOM15=7e;pFzjz2o@4xx8Yas*uk1K^>>6mb)R$*NXm*h|UTY!m zAEW&o2bItgo4EytTy46mH#ER}bG-t__2{U(EY-G(XkEv4nW`bhtEAF(MC+3!9@= zS_~rUeVlplUxq4M>&I4w5;GB^VHoRrP@$@``mIEQq=bFXeI0F1V@~GaX9_LdysrXs*{;(WmYz zIT2m7NYqyLBEA*90U8ZA<*klz{HuQ>^M$%PdcIz~P#DdxHo@8vIj~thZYwS%+|4dm zD=t7@a(%67e-TjmRKM!HB%+8y5Ji>lHbb-ED=qUfzi_#5we95E_p9B2BAs%leow2D zn+e+qsQoygW_2V2$R$fvg<)z<{+qcB|MO!N1R%wGM!H!xmD}l6wD#0p6?u-1B~1u3 zbvd=iHAJSZF4xxl)h%ik8ZPSBrd2N^-KteDTJ8;bRskU z%{Re$vm}rG0O*!d>Z4U{tTHY;kWb54J{oI&&Tvss^sxl>VMfrca{vf~mWOa~uEfJ1 zr+N*}WXTG+&3N!W>fQCxpyr0Rnm`Nhha=cP;CB>4{*18Qw=YXMU-@?Wb@&0&19W)K zJ9Q1m(`5T_)XOpKTV}}{I~`@r@-UL{;QWmrTUNe*=x`r_kjop@&qqw6vVjnpIW~q^ zYsQ+Ew~=_57AQ&6r;1*qy>uS<=Cl0r4h;0Y&i`162o!i5-hQ7I%Ae@g59E2dz8~Mu zxM3EWXSTW>*L&Vi4&W(M`q(w1YtYa@Y?&}5ml6!2+frf{b}c6I_3JiedX{!rgjE?E zVMxANa`RV`h*BbDT=zHNm=TiJ7#k2()1q4Liw9Jvt%|!Ki#g_%R4?*Yndzd4AJ2Y@ z0G*uwHj%hHQ0Bq>nqnGd_*Q{Y#Q;fkJWo-dKEtS^s zlCct(=CAZzJZwMk+%KTsNeOBi`_K!~LvXJp1SABc4YLn?eJkqb7b}fKr^4T%&I z!jc?&(vT)l(H&nsU%kWf|!j{Iuk z4y!bKi%T1=qZD9rNwiRq!?$!FJx`kk+H>eNPIg!7i1oUD00%q~w4aJx0$9+1uQ+NZ zh;Tp5t`6H9VzFf;${0LSc`R0ac1w^rmcF$koz?u_%=WG+a;lO;P-)nV>NTF56*OgS z^PZn2NZ-Dsk{uNCS~iJlJxU*SJ3ofd38H&+eB}s5$$fsfJBIC`w zXVtYQZBv)6W5vnepP&X()I8N?sLZFi63tSk!n59p5z*6woVSrm%|3iuzVrZS2#yBU z$T_A&$DhsiTZe=F1pW!86!6WDIx>vH&%Z5Q=1A&ON9P88UfGy4od5VJ!WlRgYA-Lg zV0v-kNxs*szTZ?J$g4O8wQ zUDn3G|GnGLTTSQ}nH&u@TOb#`4B{`ojhbPd6V_IwdYi)1kpWAG` zp(Q`+TO>@@Cm%Y1cuskI$>7}0WDBoK^XW_UWJ$$+Q`uSau;@E#M7J1L#lGZE!9=n0 z(vufn*pL8vi6tgNn>N`{@El7E3hH{BXfYVlxWlazEQrrb>&VkpK)9lI|t&8lJGTY>+EYvZE$n4ZN97qhO^sjx$*1n4_?xfc9FDmeGD(HMGwkx}au|JHw}o`^HeRNF zn}i!I4uaCN3pIH-Cg7@V+(%zmOCPl847zdgO)D482@&qVwj;S~Cf>KaKr#Hs+_eJq z{Mr#P30zMB5ziGrcEokE0frWaSKG;Ky^@RjvGBb zFa6FyMuK~AmjM%8(c;Y@W_-`oZLKiCyf;@O=xZJ+8fqbHgak0vr>+$v#upk`gKC7TUo|W zPT)N_^ZJHm_?#CJPr|QEnU0X27Hm5$tSEP84`g}~uMe1PM|RJ+XSn(mJm`ihbJR;0 
zYbXkjME>leb`Vjw-cohu{m~Lnh8Bm7!epuV7l$ySaWh~U&?+}%7N$!n!bk(%(e98XhpV;_-|;3162eYkVxlg?ux0y9(`C$(%*Im;z+ z^ql)JU@~O1mqh1zUU|uj(Zx_``L2o`q@-L2DELoan9Flhzn^M5EQfJX1`y0RUpt~V z?45FX4#e0M2lk)F$P$*W*ep{O5y=nIy493mb*oooX^KqCNqlQTaNBhLV}0tzhCf*5 zE}Cf}x{!h3`yOsY)s&^&c!3*F*;#w4xCe1|F781M*r0B>e|Q1lZK3mKwnUPSZ0A5z4ROHhR?{%g)%j~-4VLMpY{BH$La}c9eg9ikWJp{PZv?*iqXfHU5#G$L(bwv< zCxbItoQ{SchBzI`Ax8)6C#G8IUt-(&xNw#?a`ik9Jw8gEJr57~KjU*m%AdpNZ1O=a zLG|hX+LyuEnCzqHfxlQ~dObZKmH@r4g)aENGY>yX2S(+el?TeiD9Vs)G@Q^a<%Ars zyyw$ogOoy8@?cP;hkiDBwz_6S6_JO@(BIq(!K6=XASSb~cTDxr+U)xH z3{g*^Bl9=Y`IJaU#C30np}rKU`&jiEUjrpAW2cwc`((}c>sMmKN>s1EMy{KELa3J9 zwqi*rszoL&82)T|KiYWt4f-y)5k^qhZ*90~Devzzr)|<1N`4l|6n_3u4AvM%H_`JI zW7p`_ziyo}RPUtF7~kN+uVHDMG~y!54USsgm$>65GA?Jl-Tml<_zs}v5!`+ll_c8T zsdb|nYo_Fajtfn`j8vPI9fMjRFCf9;kYLB(ZLAcKisRGqAkDIAxzdM?#;1}^mj)s)b zzW(4u?)V~BIuFfj@HZ;UHo&2E#+9JNHuPYvnRnzAXl1*2eYe6M)w1cwucz}h{?N2q ztDkX7w8PaIMP0|NAc#WDGbK*r%UTcr}dge_4b;$60 z6Q&{#_P;hVpz}qB&5rnL2O7q;sHx!xck!UuSAbNf`!EM*+chALcm=W~ZMnbwXGy85 zq*GKsWP!&Er$r$ym2D5oWJOlij1tsK%;t48GCs;rhXSLb5``X4l`?#(p@Ky%j2+yz z=T4B~F`C`K4ViIHB3!9LMaGkG!~beUVA_l|5XWP1J3Ls9lx7R3{k;VQChI zieeo;8PZQkdkG?s(LZRd-hM8I>6hml2mDI>-8%DW8#Axr*q$NBE#J`AMyG~nGS*9-$=qwzR!~!>;cB2el`3Kz%mFEzjMYQs&?4Q<+i|Y z1CbQoL7F_E0q=C$V+>YJ@pHs2vL$TTD-0ZzA0W3l+rb6>`V zPC9opg_>{cZ*~QYl5T3C6PpS}89U=KM~`jLjX9pGjLT&flvlvEaZ5E*6nP)*&4m>M znlBOBPIoFISEaL^g#IvpG&$2WKhfR~xjrlQP$&u~p8Js}0U{0=tI$C}b;w4Hw@#%h zBcaZpsX01kf4u>_Q%{A%$%v&5igI$*!IaJ1Evd(PyyMMMccTPv^8aMMYBUWm+F+%V zw_#Y)&e(#vC}oq*xhT|J#)thj!Q3Z)+}M_%ckq91w#|hS#t={axZNQ=1ar{8 zd@g$PTbn4l+2+S4MyCGxE|O&!RWo^P%I3knm#h;r9fU#3l7Vz%$MQI5g2>n0Sv(+3lTM*+ND;s5CTyAV0E`OAp3{;0 zWp?#Xg|4KdDl*{OS6*C-!KW@>`&=!<8MQ^u2oZi~FlX$E7J;&@60}ITkN3Z+L1zWD z35aVX9>oeJ>i9woL9^GKMwV)s{B1!DYuq0wu+HG!FF4inj;zi^ZPb7J(THY)I4kSU zeSf|U2lAc_JcS@4Hncb z#+hs@x*c#hnvnw1KBG6@>cJ?V^BX~*1ANfu%ztlpR|NU*tQqQ5?t~nDgN} zNf#p`56hzINK`LT+tXr3e+50(sc@#y61Oj_KDmzCsM8~Mg=b|iUJ*zA(#RaAAaqn9 zXxImg^7=O1dkhYxuX|aZ%)~qD=2Sx&`YbLd3lP?%g`1PIpCxDAt0b*#-;50>pu0%( 
zb>rJr<9>U&8HJjL`+V+WgVx_5;^WhQ9Z%74{=}w3IzQ|}R?_a*rf5PtEfyXQ+O&1? zAlnVw0U4s&VNbh}hK%0Vmrf=qcvqOZh%6_${K{MU2^%LD%g`~Y^aIBroo&vYAej{>i zFJ$8rVAx?pwz-G-g4Bb_y7LZpvQ68C`iiJ*Ku^}c_Nvi8j@KjV-iz6%MUB=}3fz1} zP({FZCjK&&)O=bxuDbTSAn}q;NgrAco4Xw5ENFtiSmiCFjMT(OAW>kTB!Ya z9TTPM(^q|v${ZKEba8p9eQ%Z8lIZg7N|)%sk%0Yw5XrRM-^Qk{hq{rZlZ&WY>qe6sb>`AvTxI7gbT9`= z*1U#1uv4*N>J8yEjz9+P)7B~XZ)`Ow6-YI&jC?mpZbrV!ORTw;jReg%<~18_t?0On zr@Ib*h3y78LE!;N-Fn4$o2SRef7)k0u4s>=Iy^OY?nl252fJy_WpK7;N$fwnj5lgOIvt7J*9~dg5I>E#0Z*o%-c%r+@NKoTb>`T>wX=5oyR}rn`x~0@}agL5&blF#x)#AB}#6JnmrGitCI^k$ZJxPW$3$t}=b7ei(EtoT8(# zY>7tjrRtn${KLOU8)q?$gjM8HRpTG5?}7wHvM^cF6A7Ejda1rbO@E&DVz-*#nZDhq z6M_Rmvq!n{(fkXZXl97`y48a`)uEOp1D*Z*GB-c(#4QxJ2}vt3}^+ zc$!QTW6*C8@zS&sCDoCgXr)4^`97SCxK&hBd*R({_c8zHWj^pRX?zUql{W>|DvFQ3 zhj{KVTmb^vfWSL3UAJfTi({39dfAmSTfQ%OO#{AV zQOdJ*faMxsrnJ-HC(qKp_Hg`uF*$83#C>?E9aGUM~n* z?gjVd-C?cL;jDrX{86-N?XkeYg{$bg^HZWmhpMl3q;#0QjV$IQnM3+(jr~Dotc>)? zb%HH{D+()&#UkYCx1|hbX40|=O>tNvZbszPs8oP^f9JeKh{XE-rCitB8x+idkulGe zcq-Qz*cU>Cr~X1Hm9>6eVvet?)+tjC>73ee)galtYH@k? 
ziBlM*-D^{DCZ}b*@)6M8@Z08lT~6|qU%c!7coP^BVf^^N3%*F!9_hp&PB+FoT()bxhaH|`PqwLW9+m1H}ncP9V+C^mb zr+({q3ZiR;Dd)o*kp+I|+4esLZGZVVYN`-bPrzKUPF;!_UIV#HdKX+l2IOa7&+kJh z33-I)wusoDMa=(H!ljHX_9Y~0282d)M$tH9;Y#+EBP?vJ>oNXRhAn7Ou~Yg3+jd1G zO$r*J5sC1(8gtVJF@G(YF+oLJ3=`6Jl@e^()tp|Am*}x0UHQ(WTB;t1M%^(g z9b!D3l{*jksP+%kBB{Cpij6+vWt!}KP5U7oLr%L=l1UKqzP7bVECbGX@pbI5u`|w} zo2-!CHc`oErjTG>MVQ#XgjDJU>v`vRgr&t}*F;`qW!%a9vaEf>rh^bpJ3cPal94 zgKMmj*r?Hda^d6BISX(yu)m8zIBu@XsI}f)WDalxwuQ7wca0vx9)(M#qRa>nS$x6qXbm z6+Q03)G=)f3)&QW3efS~$wI$6_!V_RaCd-7xsUgBfcXM45l%OQ(vKkE9qi?i>f?C+ zu~XJI+`mn}W6cu5q~gM);u$(UxU~FRYM3J-!4*40tp-(OB-EDD4#VI34jJVr)DID3 zWUf<1FXZ=QEBLuBo$HLn4|BV5aD9cDaK$Ur_BIhc$p$|qds~E)S69nymXK}>c+8;Cu<~ET zV92ecqPLu=>z;FNzogwm^8sM6U-G6V9Ulx485e%be>f->#+J3m&rC#Cx;L_W}*TET-g+H&aOOy0X`{jSV9Aa z%(xTGRLq}KS|MY7rFz_JrMb-+4H3hB>3EGi72a~~naJn5XF!h1 zy_KK>6F59!NX1x&Kz+dx=t|@!6KRfo3Q}T2tmE!R3NJM3Yc_q2&&CY0#JO-Coel)9 z3osKZ0iM|gw_z5cMvkFopB1q6q6zkGe?-lg@=j30+$E*s_Bzh6uqE?uSI~55J)L8|b>2 z_!`|U(}kkBnQMoZ5mCc_)v~+9<9`ryV9AsZXE%ZcS-`7<^z_wwZ{QcN5S3-+%fi}? 
z^S`%4qAoE*E6Gx+NtjjXWA}ML32~u&J93!jbW6JYpwRx&OFcaY+5}<&i+|g^r?Syi zCN}=?Gn-p<);dRL&41RYJPkJq6W!;lq~~+f@jsriH5x=N?A42p^#}cb1*iH=|6@VE zqKcy%sdFsJ*_X&-GA}m`u(NWvqB;5EN|u}TO@~4@OXF+y9Yx;v5!^6qr`y_S_AVx1 z_r^A7Xgrw3x@8$GTkB02X{M{nk1wa}d!q~_`7b5OQ_5V~Sfv+mqNpq;p38dZtC8h2 ziGLEQ3u}QLZd8TOHJMq~qq4`U+2Dw3tt1|1vKtwnG+-@R*JXWM#nm)o&5 z>F_j|@EhZ+o>Q6cIxH=S9GwuJq!p1+&=$V`bmnXvX02h?Jcgs7|3cJc?sSqR1 zgfuH*P;fa5KbTmBg~?U({To9$NKmEYv_VS01q8t`K1Lvj$Zy`PK^o1m8IfYWbc`yM zIW*DwlBnpUa2RzSQn3U7JwtKW)=6cRyDKzRAj@pR245aIIc5NdLt}u2X5Z;!-X(x> zr^Dpvd0r3Ia8N5G=elYD9FSVoDLGJdWFrWzVr>P8(+@7Sg2r^9V)@F*SM3W!>#Zd`e=u4SXqY8lXM7H!HSb#x84jf+j5 zj-r*e9NB_$9g73l&C6#}`;w;yLoF(Amg%w*vF2qr{O?I$XhH*qHFO|q$*|tf_`9qU zY(0g$zY7t&cWas-=1KmhxHC-6pM8WYptx`2eay0^`KyR-Sa8fl=3qAtnj?8tsQGC4;=4H&QVmT}ns-dmcKUYiiE~yf*T4w0Fxd$W7)MVR9tX3}t z`p&7_CQx(#E{VuBUpp!9IVxcT#D`#0j?aQhzjQvj0rSY;F4Q)nBm4IiOrO(l&y;z4 z4sCtjXL)>@NJj|nAyE-LheFr;^%W>#*`$h*k}7#mFp1Y|5sj>aIfGBeD{S8)uRVHp z`^9Nu{{8wAld9zHt}Q4SSD=XG9S*P1Hzylq5_)zvK3OAbSK3YSsv1PZhakiT=8TFno^0_~RE8vuS3gOzR zx31WzTD$1Q2JAgE%U?Zq&ZN+nE_5YIUQUz{52~+z+i08a6=Y&#U%S{=t6-`qohA3K z>sN{6y<`wseTcOFF#Emsc+yt4k1-lvXrjteQ}xYKsAJnlbv;WE!elmYkTyczXsx1w z%Vm2^uIEs*|EbTRWkGz%U4k=Mq11K1APv>*2KP-lyt&G*vIh7~5ye;kA^0S3m1qb+lv9c~i{V zs*kkdUkQb}?U|UWKQJt(HgxB;6!}+}Lzl9H42-j{Ly6LG;lrBACOjScv|O=}roKqC zVs{AE3iUg+tr)xF-{y1iOcFh5c3@Uc(Z{r&E4^_`^rIhhdx6E2-VAbn0hppa2ejW$ z1^D)?L)ViM`5IQJ_TmXvONk*?#7H`3!>Xgl1YV<~GNu1j@UBLG-#iG3v;-ioA_&1$ zt2!}0q9)m5zFty>Vd=^r8hOOE8zx)+@#4MW5@vBwY)_Z(_rf`<%yp!lOSRga_BMUA zTw`LhKv@c7-wgIBCQZg#8%q`Nn_7;&O5MncOWq|wu8ryNbttDN>pXF7)0eyEG*c@k zsk8&Q1?%@)vs+E_Y3g}u#j(vk4cEPy(h<=FW<#%iGA%y>{OKmkgO_yo$gp;YPxT?> zn8Z1^j=Yo(xoA7W7L+R@L}_%-aC!4OeMTs0Eb3a7{nYpjyVv>|RY2}5sy+MB4Jhz{ zRKo8~4Ur*cO9Qq6)nGU@KBtnOW($aX8Ky=$vo?nkO+c02>;%!dbOO<6+=HCPONY9E zpTk*`LsY;?GB|q-$DOzBXXJCeWzsS~Z*Ob-H7BZ1)AKm5p}V4b>jgz>bvDz@;W7Y@ zU1h{#iw@57w)|@V#LA&O%j9C@5;s4!X*K^!f!^rZ_0oy{m-!)w$TzO|lhW-bdmo3^ zy=u^4c?*&>tUe(rNmG5`3<>Z;ianlRF1gL5B|mRzeaa1bn75^K(%2ZK1Sh3pyin!z 
z_o@L`$BCXp283&y5Yz@46nX${D}&5?S9|T`F-3wSlgR+F;O8mpAxU_FhL1pwV4a5X z+Fhu@-mg!$0OI%B7_;BAX5Ah$gM|*__36ug`BWpALbOpDe0(#;vynT^OmioM4v-VA z9JGIHd1~pAz1ISJI6d;o2@fV8j@Pv{=F3^J(_vC1VXHup=ZO?kqYhS9$`>XNy)Nl# zcXFe%KDT~rc%N$V#JxaV-`}5yD$I}8OT@KSo=uZZH<+ds_msidz zPSw~I7`08+gM&eJhmd|K6rz5!dAj_pP6=iIO7>iZjoyGBEG_y?UW8pw*&nToJ~dAc zA;ywnU#8fY7ZR5dlaFFnU@0Y1;=}A-$o9bX{&s(<=i~Ab1Uw%K z2?RdhP6w_&t}Q)%yygmg+`T>p3Vd8YWK4gwK3`nl@j&0cOb5K2t>lkO_V~6xjbC7g zw!Eu%zhu{bfOW>zqX!R8$jbAx#;NIB5*ULkHaSnW1zovY9V*M4PbcHGn^k~~0uG(( zHfHutGW43=_DFkkjcqIUs#EAAlmqe^jejh@Zry(N)jZ$izX!a(_AK8R83}&uUUYw4 zPYb=Ct~fosKVE!1Pk+3&zm;u$oC@W?d6V`c!PüU?#$0Ukh;r zIy|IbYU~Y2)j~BifxN0U>}UGB8oN0P54m6Ez<2btO_35Bd&Hyl)y`x~Jqq3}`>1bq zR?UnOv)DpcTXM5)PuB|Jj@_^KT%{rK^2wNTmN#0M6s|E<*o+k7#7qC|R0NPG8o9nPXketEWZG}a_Z8P>9Vky&BPD6wbW#e0m0;NNj0*`R41n17K zC&LFk(ZkhX>E8H*i&ZL`#F%EnoiMVVXyf3!ME94KKm6LzE|a1ANU!B3U|}>72OBde zn{RWW$)#CF0)#(P9Pkh={HU7Iru2JMvf!|Uzy`u0J5#Qpw2XhpCkP}}7V`o)o8??W z1Z-%Dmf`sBl{~?0HUD5%^@a8FJ;KfhAH``LncqmT*n2narGjzwzwO-Mu(ynl@=Vgv@LyQzEY~eAhw+A1xR{8eZ6j-ql zRoOB^4Kt(?oA@{_^Mf=vhxR(+r_{Wcv=PD+kP~r!Vu-b6Z|;m z)@SgfbF1#1EjKd$yNforKGIz12`fR(^Hq%)U(4G@oE2EP9!j&hPsAe6ivzrO4IHw`BF93^5aLG-XZ6+MV;EskIR zK`vq+$mceA-d?xU_qs55VH;3|jR}nzxngJNEyHMY%GwGtIVS#P9ai#D4Msg2zLB_iTlGl+Zag=L2^qc zuXbP8K2*P5tl)hRl?=fH`P5yu)^h4(#esi1PV8KhG|pJ{S-{|_Mm8sAJ5)JFn~c1N z?Xcs>Ze7aTq?dAiXsw&-^Kjx_#oDRntiPU4RerkTG6hDUNyCp?uzZZ1dO^q}UE9A} z=0x4)8wm*OAKBtEjxI2B{grqFqe*p!nFhJJ#TCoG zkh~oGv@saDN~hG3Jy=Iz;c6CNVClScFyeii4)AXp7r49{z%GtTn25I(s^aWJyA!!j zk@isrE{bpslWX~(1P}leswBn4&_aIO>z?HcgXn@wuTHorG0q0-_`pqY9cu1}y@rVN zbFe}t5}fA7U+4j-_hiZYA|*i@ukLVCG;PulpjJL~SA<32R~;CTdJw3aH!`PsVMJoS z{VWd6KQMM(gIA=y1Duw7CArB(4(wvHy%s4}0<1}q?-|OPhIf{s|Ctv;w}MF>e|69( zHdG*2NBl%2I2pyB36}SROke&zOSF^k54=JpICxPwP;5MTjJAI3uj5|Qo0 zJ2vM=Sg}Ey60P7PemZMLN&aVQb7UlhOm+EpVB8T+PP`CF$uEw-89_Hd3R ztu7(l->pnyS*nr`<>iR;qO3as-8n8~Q=R4!I{4$?rrxG45ir??$W#kdgl4MM#{;_b zLO9gM&uy~g4tK43zTYOGAE*gk#$xD2?P!=~I(stT?91z!m07;&&l6e}5c)5e*7YuW 
zHij)h(28ZMMF1zYJ%J>~m(v!;20S;|c0LF{XCA1Tfe%~$+>K@@(fw>Ywh3|dIsaMF zT4(;VAfBlf-WBn>@3`K;avF7b`j95RQ*J#2MtkS6zm}|TYx?2$8tgHNYxq*{G4?Z7 zHLdhDew4?HI=}JFhlK#O!L>y*ev)@}==&xUdlR(eO!Gp23E5{F1|#aFc2=6cZj?IzKHlN z!US{_>5b`PzQg%rKVE=PQG8Ya$rHxLbR~ITCPyYqS)-jPvmSO2AT(e2l^sfD&bxWTEgn_OhO@w-nz5{EM1wfV#M1~5+-I?qcT5>TI9^qs5m1Mmt3ZL`AI)<3^KZcRxe2ytyYZ=3h8v3T5eFVn?BD*0+R ztO+a6PnTQWRD;yg8-u=S+)DnaZI@w+5P#KqhGps(f9RKiIh{JCiM`L6jee13YUI{` zGWOj}kNN$cFs+pit>c$+zE>%CTyXxr90SUDdZFKCp~9Tc6HeK3UNEvFTt7~zb6zgk zkq_VFyuY!eR$56TJ46<^9gz$u!|08H1eaC!sFzh0d=XkOui;zN1>R7_WKKSVnzKkO zsZw9)BEFBsVUvc>t#c00cl$g*qLbfCeR<<)3_5m zaB+Gw&efgplTwMbB2lRHMg@Y|cqA9Lg!b&{%~*09>>sduqj6B4$Vs!kUxf>ImCs$Z zm48(XvCy?Q)%jZeYsOqoG%p*kHcN_od?XwX{5hQPqi`86KJRx3&T`bGbRtmk3H_;W z$76r8wdZ^0&AC(SuU&0BzyPTNZ?b;+O}+@-i_EIwI1^L}K@@!{buNpi@=r36DAA$I zcClccY`Y8C3Vn3J-RM{kG)IwDznrfeqU?RZ2sp0U5SC03$zj&Nv!0Ll>nGx#*Yjhc z_p8F!TB{Ggr;Sf-5AU1L!`;RbaZkXr&)psM`yJuOGx^7JRAAT6^!sZzn-%*6ydg!W zK_GlDw#Lum>U1MzMU5t`0d%*zUYH6hrA3$<*eNt$;9acLzz+eBL#3kiwtK&mW?+OC zo1!753nB0u7hjbD(0y&!R^&H)TPRxK5yrIknTyD^@+(2~9$``5ff{EE0-A^$>V^T9 zjSrdGvKtUIj|OhzU(2mrcg&Wv?$4 zK$pJp96b&VP|^cBi^xXBj2pa5qwkMsXv#a;%rFKh7$?cTLRES}h-_I$LPI1 ztqqCBd5}Ure=O|PP4M_Xj}p?xt}fWSak6zyeT#a#zue^%&UBJSi@UFH@guLdVC26mb_p2K>o?6=(kQV%6%o^@OzPn2zBMyZ+sn*Vcl z@XE$;m+fO)9}Gd3D`p~EVT67KYQ9TB4>j|?CA3v;0rpT=jfCBBA+~LrLi@@l2|HWlAZN2O!=<*t_0*v~ z3=d_emj6t*8ffdD+SO$?725i;bWAtQW&WVX%5gp$r2nTrVc!IH6&mp3ca+|$6eKbMy9lSAsQ=1?{v2J-Oa22whg&nLhiP zbq|fNX+Qd`#CHn@1s!g+{Wr@450BxsqzssaRIGXNn>mD3G}s`g<`iiJIBUx1u)SC1>XwyR8<+`uJRq`fdU^3_>gH zfX`$=&XGC#IgW9t;eskD8e2op19}M$hLP}C9U`0k%ZCTMn;rp8{tCmxVYmNe?Y7Ty z1EkqtYfdmK5(7dUz~zJbE6R9B!s;ta7>e#oc@Wm_B|5ooQ19g8%@$UMd&E#E~9Rmoh$ z7;ab$Nlvr6G_x|8TNc zk?Mfp!Z7QT99TDY8H&x>im>gRG>X50Eh0M_BADVp)I{}ra^_NIvsMkwPyWr%M~&I| zJPXuNDQDj?7^DV(Dg))H!*VWQ1l+pBHx=R%$26^Q^VfeJsdww$!UuJQHUY#n$~YYo zfoT1JonOH$*k8mcw3TZgvv&9mImEjZf!UMxc-W8lAWGPTGCrj} zsDbawHF42kdQb~j^ygn&k6RMx%%GY$j@H=V)SqpK$)}I}s+RpnK!e!V-Q5cWcUwgY 
zlSdNb0uik;Hu-g>-LQB>w4|1oSfb%rN_8G(A$26xJVf5EUW54}-$|U_^%D6H0#}j^ z=}HI;UGtIH6X09V!Q}h_j{C#mvm;qsD?pm(CMIMD4`-lMM>L(i;e}Al1AG_ZV z&0A1bw#Ke?b|@Cigi`)RlP*}NTt@YDz%oTzd z3z*Wf7lA1Yu;f803mTw;V<-P!kAW{7P}{ob$dFbvzL{wT z5UdC>J^OKWyfncoSjhgEhEHB# zw)jn6t?)mCKDT@kt0h%U345j-GUf`TZf2aJTNyeU}hVzf#aZe!HR;Vjm?G)>wAtDYk z86P=H7l$v*dt6)#HG=`#*ed#RLiiCnt+oro4~*I#>v`Bn!`I>mrDB5*kK4ezG@z&E zfMtEqECjIbCE(x~0;sn^%qcC_4DjIxUgg-l{HYMQ2`J$LU;X>HD&WAJE*woJ*?s0q zjGP5KwGj-nCHr)uz{n2nSyd9|>vz-I2W2UG&nX)gxdo*^QorOqFeR^!#9_|0#2AaJ z&=`R6P1vm=kv1kCJ8R!#`T>kjbOeD%nYZm=i)<-I7wSuvqM6FU! zc%RUN|eM zk?%1M@)gT&x>fL}($g5MI4AQ-k=e9e*ZXVvGUW^So+uYMqbrdK`ku@QeuNkBHK#n2 z-Q<|HDBl9T)h4r9i_rsqT9^*G5nw<{Hd1mxmavDHph#vT1uU{KJ8cY#me%&^lg4X{ zj$ZF5+U!$W=A#7av#uwMZKY-F^Y?T&T1;d~0^zE<3hjqnObbFiBMot#h`5z2!{EP< z_m-Vjp=IEwPS23Pm(*#Xr-{SDK7^9M#r&tjk1du7!9Hus)kyJ%bN2DWb}`}LR9E6j4;5y*Fq)skkh=3vP6=z zgtq%goUex`1DL9PX}Z#Z?_Ko*nXtt%NYOunxBb_0k!Dp=w6vNO6pcd<0t#mHuuJWFCQ$ zsjH^UA*mVCSJi25dLbI4->UpTi^xrr(a=$vbgmF}?4TRf6hg!xULTLnkp{uxvDDbU zeD7YuPVJkmLRb|sT7%esr^J(u1UA$o<4Q5MK z;7VubX-_}6)PA5waIQ2mY{{i`Dj)#z6WAAylRI85r(Aeuh&FWAp&itzBGZ$BEK039 zT&!uhq7I=VJcne2=6CJ2kf=69RynnnRTamhXgccsi49A|Vy` zO(r3ghGD@Fz<>OtLI4FdhX{dUjog(1Ahq~U&oTJe;@+NC5R3n)>C$e{XeEaoJ3hqa zkm=007e7VA$u+wpa{bCRpqFIC;biUGET%*{y-NFdQz)Ca`i^LO3t<8e72FE!!Jkkw zz>ws3Eh4^rI$IP%Prg`Vwp-*&C?n0sa-I>B`O7({`o7hepliHb!3`+%Jyu zOIBd(&eB8NN^qne7`k`q7C1YX2vjmYJrj%PLr`IS0eBdS_u9QL#S{04kbF{~F^(0| zm^qMJ?PkiZeSz-HQ;8~eWGHP!BjKS-EwI$#3$>oJaC>RT7=)xl+7wK~z*79KJ*J8_ z)i`S=+K|-eH_JQMTnLqT$y(I}nw&__Rfn4}6E{wb7KepH`m8yR&?fp*zCB^GS#K>` z5({jRpuJzoqM_yr^-hhdx-aZGAe09hOP5&q0M;e}!c#7(feV8DsNU*CPtjw5z%r7B zBdsj(;SHAMx2FHIAB{1qdZ({fL^t(&lg6_!u~_pNt8l?1vij19BA0KTsQD+lRQUZR zm&=ws=QA|r@H!m>E81cDZqjkRK))1TA5^%24-ZEJY97bE6O&IC24na=t_G-2Xh@0p z;|}9^lm&I)R*k<72h=!gO8tx?b>vxcb(_FVFwN>v4X&BTVD+G(psZL5A-F!bS+uew zO&o1D%Jdyi@1gY&%1BF^iy92T%1|yo`W!pPB6}7%E(+c9jdMq5*A+@(kV!(KT%{%E z?4x9zpbuw%UT?B00f@~2IX|Y0WxBkL}?Hw?)F;anTlZ|KXKAl&bF{12K 
z8sQ~Q9?+)>fuklT9+iss`#pCo+uTM)`Aj-U3D-1xfSr+08jd@e6);S#KTEoh-xhMp zkrQu*0Bq=Zb`39!9X)cNGP@=>l=F~I-GK*U6nk(|AbP_H2g~+s0o{@cu7H8KME@8<~YC{5Ydijbl)J&G8np1^#zN9JcJ2A@D8c*4=~F*DaJ_#2m(~%3BuIXDh%Jheh)aw(0&P3 zWSsh_g>3|j?=be%GwZ`80l(qQx4wi|%cmNcp|W+wnO+5K-e01YF7okd`awm?M48u) zZopMHrP6+IIHc(r8w4k@0BZ9Rx*T!PBc9k3XWHKUY=qm{h`97Jd6idNQsO=44RjBVM>%Yjqt(ywSwF~ji-h;Ue zp0~*5m%FU67_!GG{gBaxLj0JFkTlkPy-pFn08DcO8$&F>SU0w-UjA*!&`K3DH9L$V zEi-lae%*AcAMeSKC=0hi$^(|aH0!lmGw0zxA9V8_GH-G-C!L!o)QCELDmT^lk0T>r zvk^mX>!)Kb%>n_wZv=z3{ve;cc)~gTyz>5P93w^l?Ax-~)soo>3;#9k;g5Y9C@gt7Qvuie7c3SvEL7JU3B5{bF}p9>K6pa@zh&o@XzF z)Bb+h^@BITeR9|!z5~7)wg$pfTgG6*6kvxcr=VR~=%#@{epGmO)28{!MDdnnD+xqV zRp^0~DktT@1a*qvsuN11#J)7)`Rzop+dkYc{L^~Gk)gYK|C;hlzj;7AgO<3jRo#WZ zv0c+-`8*)5%3}S-Kb>a@rE%#ne$j8#;8Xe`zJeFmGXdxBa61@*A&$a_W9PH*jMyJAE@TMzEITVS;;8=_cQAY zncBF;SMG1%(YVWnUj!xcE-&qy2m|Dyc%ZG*MEqVS6O4;`P;kl~YdgABHuv5{h4W~Gc{%IpZ4#NyDW{lsQO zwIkmL?aUZv2IEJfF95xQh8Lz!U<>yWE; znh|{yse0iC4`YouyokLPv3-psd~Wk-+$m&@z9{_m(6Xn^6#C0LPHB^lYIgIUWa{m0 z`xPtv`@m1E0HCfTIhZZLN2;VQ>a4DGDMIs6O&eBTK2#` z@@9qRs>!aI0|yG9-AZRFhTFJ^_JLW7OX`ToNKo;SgEEd{Z?$0$zvUd?VTprZ?idma zPg3MXmLl6;SY4#iKt(SOKGo;CGuXY6=bmw8HZK9*59^>TQ|TtU}tsKN!j zp`2Nrpy$pFXpq5WJ?2i3h@ZZ&>#RQR*;#5M?XfN90=|bZ{pHw-u00>64Q%ujS`83~ zDaXpC1!t>wk%ZI-IOrU$VKOA*(;DBcIcGmnFf#Rkp|sp^hX_+xw+*!4rL3_V?qoE# z`wzs)(x%G@_t)`hL%2H(MK-~o<#oV%euFSgKv>&6wr#-(7*?T|*cuDgmw(nT*vhyy zKnLn4AqQ}4`N<6H3Rd2eLaEkY!%5^RJQJ!`kYlrv>liD-Iks+uNObJl3^q#|sI`H? 
zFL!zC%1pq{ue zX{QGAdBt`(yc*q%G~+J9@aLq3ZB<`CtxkPNit5tgvWu}}`m!2wQ;GaH=B{}q1^ugh zo05rkEkZPvx=Jh}Sp3}tYRhh|sUo}GV=%XSg?cd8!Y|j%+Yfpl>*Vf&mW0{D69i2V z6O{?(5vprwSzFxvi-?^H3irc~>G<0uW8@@aS~4M{}%5z)t{FsCu1k?tvq9{~sYI$hI;HQ9{!AQz94f&be_g zVb#h8|FS;Hbe!mSD0XQ7R>3OhTxVm*J<3<5Iz$sQ$|M3W(y(E^hGod54L!7w`EU3) z<{5rh=%M|YRMqykx%i;fUhd^USAl^&-0S6S6Ni;wf1+Ol7bPwa`o&_+1s2^WB#^UO zHBtJku|hv>saElU)SrHAs54v^Pl>k8e|o!5_+MpET4G}O3fLto?CI9PPMPGNXU%PB z3vm+_u>Bd%{G5_I?8*Via)d!GEc=o_#x4XHuhfuPV^*&+xkg!v~WywWr`52;bUeR(RHReO5(NJR6XNVMzP zD^?CBO-N{hq%<*1iaU{TqSGOMFvxcX-B_Qq$Mdv-q3l5ur!p-jmZQGcbiM> zB4Dqwo(uKI(OEAJ&ZpnaBFNx!TZ~Xyo0Ut)i(YaP(k{%7M6^5gg4@-o7E%>^o#!Bh zgjBHO(hMQ()rXZ*^k2ELD^&=wtFe}NuN>9Ho_DUF8RQEcGC3P$dpV|Fmw_h zd7qc1K6PF$cpaK?-CfGowBovCLUEosX$e@Qo$GGEjho9COGxs&siF$16|oLCXich8 zEbS^h-LmgDiYT=A&-4=7*UdR~SQ?b}{YW|{z>4CC zYi7(RK!dz6C&GH9t5TzmRvsrrXuI-cqb_UcdLjJ18F}Owc6lG?_6kKGU6}cM&U}>` zlBH3{>C^VLwWk8>>^$unF}pl(O+4v%u1@O1i4zC-7gyJftrPQ11y^yq96lX}F`A|q z8(y?H$cl*GLt{G`GfW=am>5mkI7S*(F5mtib^@P@!bd-_WZaN3FBdEDP)_Vt-ADxUHfq?rveUo#g8jf zI$5%vf__>D?S*$Gm`N;s{nJ+&vmKf?>fEvHlBXN9am@0BR!w_HF-XW=M7{b(ca0H{ z_MYJhqhWzVWO*Wi06I9xjeSaMsal0!% z*h?!?-CTiDv(B|;>ZTN;be?Xde>#mYHER}e!Fwq_7FBakkt%zHq46aqpU7%=Xiy+q z#wcBvsKORO#R?QRf5eU86Bnfke^k^QKoSiDdMQ|UB+K4kjz4a9XOT4wZqZ1W5X!~j z$1CR~9jkgU6uY%*q(Al5tyJLJL5gFbI!c)rLQ7z-a&5a@KpdxS+@Ra1!g!AHj(=!? 
z4U;)|e#2V5**N?(l&R_+Vt5vD$r4IW>9LuO*6`(}FgsL}Vde)&=CN)-$A-${Ep>YOCgAH!fKp8s{oOMZX3z8zq*;XjB~nOc z5MCI==4F9>0Q&G#%le7>g4Y+fNhxmh;#@K;^@RXAC0_j#<<+I1HRhehPnB{Df3F3uH7ImT4tUsqkynX98-p&=}ivxA*E zI@mG|s_CEojWQC(A}eV{XX z_fP!Z**%PXT9$)aU^;5icufJ>wXbF&*-Z5i^zjf-TdQ9ejM?r+&B?IcZyfEU#9%MO3m#4Khh)Rl$CrCn<`2qL=BM1DT9EG|SrofH;RnUd0$-NpVCj)X ze^7*@kH?}GfXQ#N43WF+Hx7}jbeK>1j-`hz5Fx z?n3ixbTgBOK0oI*2m4pb0RPz+$aitU{f5nY(1(HIw|uR9sflAhu#Dym-Y^ehL~n6L z9lSpgop*vZmp|icO<^x+(cmu8bLsmOX$fvpcQBF+ggiZ~<_oFkp&s?q#y|O$R3%HR z88v&k@AL`2i4Gd!^2Qvp#Xn=CA{Ug{MugE&pRQxLP*YYkms@OZri`HsheZEF5+@9c z+&qNjaPduFi~w~#iKmUFrLt04k9ZD`Wxsd}3TKb1Bl(6sokuui$o`IzSDl%6R(C2O zI~?1n=QfRD|CyK!F`mo-rh*eWxvuHXD{Gi|ixDtrg0_X4H#UGFODII>;T~dx#Eovh z<836>g_qu@iy4uwXIX} zP{Vt%@n&^aiO?$Q((;DrM_mH?|D>ev15t!Ks}qdqkne7%-jM7@g zw>hj(tek$UEcF9(etbxObQaQ#s>L0@-RuW;8iJg)i` z!*ven-;z3;um`0ndB&c=k@*-A&E+aS1UfFB6=yv-^p!O;NA)gr#c^f%r>ozNQ9e;S zn;*fUvJX52_pW`Zz{rGm%F133OcRqu*Ucn<9W>@3E=__G4&%7XyP-hxJw>XPTa+Z| z-HdvxEx&&W>7`}K>(f~pFMla5%2%KvCC5eApOv6u8ro_oLWD)y3|6l!HtB-21|I7| zE~KaatI|Tn2vl0YqJMrr5>Xf! zAcF*HMj*dxA__uZ#-VzU@${Fj0G&yHd#9ka)+VF1U@XRZxSWN zeD+zkXGDuG2}vx%q*xUcQo+=+Zc>q9uJdaY>rN-+Sn|LSQ-8=eD?KKUU6VVy4BIg^ zH%M~#R+3JXH|l(BA~dlMt|Edc{^IsX5lnHr$^v28L=kB>h2MM)=5D;Pq6>C~! zPc+!!{7C}T#dundFJsJ8m%qx1Dg!>B)>rd)T77cDs?;DT{n)bR1@e0dP5QAV-wt6D z0tvXd?KJJQ(%8e-ZAdr;HB`IB&acMKi-TIEP8YUbEC=oL2D3m(ndh5R$`=(Fn^msl zf)r;gj@{WB9<&8<3&#-RyJn)ImBtv*rWU{Yf06GSx}=1J{wIZdjP0D8^k|{^<63i! 
z#DfDniroZc!YHy4^rr71zfHrq3rJ6)%e|iy9b{l)!_~&ET!*g!2%Z2nJC4E`GC2vN zYFr5iP(lXLstJ{+M2KcLg_=SGn*{%rgAIcCAsO{Uti^ zǻtXeeI*`eHEvu$uccj^G$L)oVVyfCl^!eyjpdrMG_rnN2|FYy0&^1Z!a=en=F z1&j*1{j^4-tnfR|XDU;v!?G)v2_bdKEkq-16pJWWULo%VvX~uNM$%ad+EqWy>B; z+P^4HU8uzsLj!T%MY>++n8>0EiM}dBhw(?U*Gi~Ybv~r{ zg7CdqBp_ABG_GFVi=SO-N*P{avI`umD1}Q23+75$qHYjVAMlAQ$zD^c$T^2}e>(u$lcUMt-<1i?p0sBZz$C_T!Y7rw zeYdZvs)q7nTexBvc>mgZXdnw>YvMVYQ(|-fY&#|&!WFhn?MWc5fA9Z@M`==FW zDS?4sITm{cEOvk8%(QB*K7*NG7_mJw1j@>N^Dhv&N9m3+Voh^{+pSIT&#a9ffv_;} zaSUk%1iRYoku8`gRQxNa{IE_%*c-dpNc^xYT>Zi4_uP*ouuwR_M#+k@eGNIf9*-95EeV2T_#O(^d{Qud_z}6Lv zqug7k!5478{02;x7*mjq7XNe}NBgdiAAYL&N+#?}CBKWKMTy};Tm5Kq!w#N_vI*!i z-J$|n|5fJlpxdVGoEzB#_`=wkL||=MnzT&>1BZ+Tro6A&gr4`N0zaUa@|kdf70o~G z%sqp6Tf44owO^r+hKMM}bbR_GO&+bH{Bivt)B#%4-BvqX7{Q;wXRTKXZDP#r+S1cT z8nuNyHkIJZ)SNr4Uju4Rsh|UM>>N<_e+~GJ_gZcd38^SFL45Ql0Sf+gpQQyI980-? zul|D#JT&77$CXPCSotJD#)p;D@dcwh`(~jKm>KY-r-bqe?8r47WjW^DISc4TMCnho zta*>h&HqF9R{u@+hTT|E>)`!O_b!2yE906141<%1DuHw_T<(9Nd*A-hy-qa{(ZA{5 zpZ`wx_C5ZK?uAwTP4~Y3pXgpI^?%U4A4?A#ZpJ1Q#^Y^CD;v8-0B7z9UT73cX{DN( z?s$erjrTEdcuEHdfeZYo`eL)?~LhhVD~y22#q-{t_QRPAz91L_5eo6KCGkuw!T$FL(;_k82`5t=3_*Yli*NFvknXQ$>O zuwR>t=y&-)sisv+rUE@8sW<%6Z@5)x-}3zut>sb8X8XbjiPeMwqU5%=O(S2$aMm^eS=kQAwY{#Bq8 z&_aft0hTmd>Vy)ofBK65PJ3}tQY}CH+a!|R3B>7H^fd?TFX((zfLPao<>wXuOYx)RwSkcHA<5WE181?A=JPRF7p^&ZIMHrdT){665P!*$7Qw1%W*6O|_9D1cTD zAQ%QD>{-$K-3^PD*Y`QHCz`8HUfw8M?Q&Y?lZ9)GuIG*2RMgtaFTNkPn8?xuqE>Yl zcucvP078S3tciVzxqt_F*x$!{AgYU~2D^B6hxB`?&IY+ioe=)vTQYD_{#p8y(+b5G zAk+Kr3|XfYaBu0cA|`vId}?q0zn}HLHK!6yI5g(>w_0{t0{v_3E>2?7kMV?2_QTF< zahJl5b(GaoLN&C5*An7=d?~0dF8R47z2#yxYfeW!G_jWwA1NS=8A<$XMBuvFkym1L zVO%*kRsKW)LC2c9R6fTDx%=f8H+IB%^edqEP@>czd*4#jDHm#uRC4hqDd1P+q1y_n z^$)@#i2^77zZx?pWoAiuD)Zd+LNrJ1oJJI)oFfnI$Kqz#(?vqn31V+ma|qF6`NKTh zryGPO=TcL~@|Lwc;lb_%=r%|Kl6a{dpVOHz%QQ`(RTuZ5FSN}U#PXhwmCuRGZ* z76Q2IGz|e*B?QB3{l`xV=<_h1B82*3MB%Q%*j4VanttnMBIkv@fF;=wUV8z}gjxs1z zTh@B^kaX1gE@s>mg~aI+G(@Z%(sxZ|gl@46`5u(nj(yEvf3iST3VTGBE?ODyP@mSQ 
z8ib?VLn3*ivUG}vjbm+6AUx&JSi8d8OI4rg^R~ItXPLhUX#~WCl&uTrq6@xvfz)_Tx~jwT`bd2Y z2gs!LL4h%Qf1t*O_;@)JUGp#-nwfpOG?*e7bUjFQLrX#>n0A!LuPkXE-8jJ$4{3bS zn8JV~bL>%leUrgWF~jFw1!r8&X!W3}sH|OsAiTe}Rk^k-P4&}pjOSB2XRyvg2p2nT zDNZaTD_6Pv%ol=G%dBPS^jK7#6sz-gg`f= z=*>d1jAkveg_*C_a7GN$3csP8IDGga*aJ2>P`sY~!Q-vMpj;oX7JWG4U7Mf#%+52pi{}>?(=ga0Gw4wEs3@&WRIWfiP6uTyYCOpFL1W zP!TZxhU7f?z4p)pKAAlxI}o>HjDux+Ig>b|CJ1CyT@0vhvL!2pYv$>_xTH(y4h0Uz zCq|?a@_ep3R&atYCLSFKw0U%bd~Ew2H55oIKJCVB8Uf_&+Qyc_Oxk7qj*lZUJ zHy*ATnHD~r9vv0}ImktrX!JVecr{(WFPv^ZfM=s!BsXooK*LNQRmO$Ii!?4nh;{22(7`w5dXdT7epGnP!`zSa zP5IUwpQS-ci#~1c2~*)J5nFq$G(!nqqKGqqj&4)JVfa&^|Cb#AN;>+lp~2^?XGH@| zXoDqA%+dJ*vx5339 zT@&%zFML{S_)UB(p|~r$cbqx?^5WKPNC;|1Kt`y>nl;ZH!B%#rvXMF-vh|G*!qHl4 znu<~SpK#Ej-`Z0Zy1#;Lg?ZSDy7cmRmo+*wlRuUbOIS}XDv}^JQdlVfNEW)BOnaO# zK()OAb-N9L?6j_hN+HZ9fP6&T%r(ZJX*x^v7rL|5I!^S*BG}WQr46gk>Hh-}2px%STU!z{6ndNT*pJBQ;155#5 z0eEklJ$S}$*qY;@N z|C7)Ug}K{5x4#k$mWaJYO4#H6J5OWM2z4doz+sDZN+ouhHE;(+$(#7~O7kpCjsSwD>QknrrxBcmQq_>opO3~oewZ(t z+QOgVHl1kJ4y{hDO%+h#?jCDk81_mndhX=|nRDm;^SbK~Z$jtvD6xWv0<&!O1Uc^9 zv6Q)518PE2p5-Bj*1~zo;e%aU4!2W9$5P$2U`3T7molnC%o9^oIsU6YDD{d5%9Qu7 z3&jBks9KFp)O_TY zdHS)AR7AwR|3tXk-Lkz^%|(d^m);RN61eSo$GdYlIMp-jYMRX?`ks)7FJUKV@0h;j z{!-ksL$${RkxgFlr5}b)&gdzXX>GopE97yzBrwPS-$HR^m16=f)i=Wt9*wt>obE*32kfW3evCEHS={U)WVbfOqhs(L3j|k{e<=H&i&D5K*kz(Lnivt zd8Ew*ac_gDwDY@aQP+i3&g*O6Gb?IO6eBAHP}fP05e)Q^E~$+mDIw625W=A*k%~T9BV8}CzMk&biec>P9V3sQ3BJmX$_E6 zWEpeW`6TC7@qMJ8$3YrPbG@EF|1rhdE_((1XM1AXila3a=;{e2HLgnX__y->zMYUc zX1%uPV~G)fXJ;x+3J1Z0zWUuR(Lz+xh@~uB?AmFbXTCqfGn%b`*Y<`5jxN@UJs-=a zSZU6O6>Lt6T)uG^m;+m?FiCGjXFgxZ)e9?HL^!qJg;PW#a9q3g#_N&2}pSD~G+$tHF z1VK|c9l67YE3Ugmd!8}3*bnz}J9>VOCeGI8$P9}x_ics0JB-7!$6prn#(Ii^pQa#e z?wZ?iVuVPj&`a!2{W6euHz3)=eKJG`)KB0iaGE9P4O;d-4roT#oEemq^Nd1lUESVLk>0(FE2%$o{yYs2? 
zKb#nSktZEhl+oWInQ?y%nLoEu{M-m#ox54d-HEy6 zc`>({O%R*%?CHNRnUMl=Al2y0B}dtwV?2S@%AFD_C%ITj8>fu*ns0Tb!yV{zwsY;x zBlSR?Mut!}&W(0>!i0;OxN2fz`ir zcOQDSy!>5tW1k9zUSeeVML7kbFGWPP%InFt-uJ}9WCpbN4}F$sD;&)uVewggkchMN zUfgG^?c3;9l@c`liOO<%tfLHbM+z{YG>;>;8#Nk(#D3?XRbPagJ=l@!dw{?PWbq~lJ<$( z2f8g}Ya=kH_hD>Qm($nsvwE^DClKCF>ZL8pVQVL!>j@oza!H2;v<9>db}8yJ)h}i8q%HT3)?)Ww>04npX7?$-qC-AWOxyM7&tcYezHM zU!Ly2X1rgG@V>>q+%5eMR=L}dd4DN9kjZ>|l)>_T=6KKSs5$7!;C-(+(0Tivz@qZ5 z)y`As)Y%^&13f~M3y%(JfWIDmb!fZ z;uWQN)j@7Dq(9eZaIYrU*;%dKxl!avfBzmM=bq3Oy$NCv49nWrtp20RP%~VrvF#JB}yG zM@Npotw>v3?ybhrI<$T6*(%=dMjSmyQhbG6?lozvUxNtRgfr-17t|SGch-KEukFLu zzu$p+BAX7^Tpd&=ReY_M5am~qlJYbQ=yB4R&b5w}adIm@|Gu+6J%=-8?aa8-P7Lxh z*nKBSljt{lCE2r|31sJBo<-z?jc~+e=4|1ng>6Q%lxMo_93nhsv z+fm$WhP1bF#RV}(gU2e?*!fGuAzZ5&dlG6|(x#L|&VzPS@;tV-P7g+N;^6IL!YE;X z0!GWM;)d#CE!3)BCRvZwXLW1fQS9j;sF%o?*QmH+E=CuTc}DrxCA8H5$?;eD4;2Ya zqn|PA4)*$~+x2Kmc@izR=5d})-^O*?XTL1zF(;V?bG^W|4DW9 zM;!-)McAAt9Q^Kpr$%h|pI29j=SKE$wLO6(XE2YL0xGO^tl5?=tk89?jN9ZMhWE!o z#^NqiGeJ?`q z6AnfU4KH`|YxhLe%Q5Qki(V54eHgl{?1loW9YWcsfJqGt zO9Pr1kN*XoKw`fNUG~~$PZDC0#XRL~@qNqfr`^w!Fg8a#de9t;T6XPPZwkg!$aFbX zOMzSuo-&@9`WU@c&s{D9EeoY@YL4SQjOg-vVlC5~#EzYFwOPjC6`}!5qR>U(|+(p9ikthR8=i@ACYiv>jzYR#!frR>TSa$+=FkvQBZXgok4=9n{`Bir2X~en>q=4Zq|_jZf>xGYa!-F zbg8g%laZl7$xZsHg^wGI77j9Q!Z{iy_SQ)qH0-MrGaT%z2NVSCnw)}nSFRVV{nZcw zS?{-C;v=`ZxeCFOrw}Z8u)%uG0`s2iaBT=FUjwK6fqZpw#ZPv4sSSSCptkZ-jG@of zB54-K{g13=BSkS0gWS)eneuE)hJV=B1q-*OM#|6r`|sz^|BF5U_2$d+KVClnBN<&GYo}&0JS!EWLbxUEUYwH*SR0U*hW;jlv<*b*FBa&yS+von=&fY_dEnLPT`E z`0d}-bn?YxXjU7bIajIx*>K***is)(XJNq0zkft|xnYhnxxIm8w&h&n= zd}CjSow4mi&t+ZYCrib(NA6!w{w+Mso>iIW@AWd}SAGBf!>3o*FZ6@<)yK=1FJJ!8 zKm4Km|CcXc?*9M3zx2bFucEnnixRFD zjUb8cxt=`H6Rx6rA@8D*kkL1+DB{^j$mxOw31cP`o{gheJ1e}8}ff|Xpp5OVze>Z87Y`{v@+`|DTF=bS$IoTZ>tw9=>1?PJ99GUfj^g(zkB z^Jyw)qnu)%MfZ|xo{hhY)N+oWY|h2E0a`J|)z)N*EMi%7c77ebxju{ja(?~h`nxB8 zd-Lh9A3lGI{&xQH*)Ob|A~Hj^ZxR?2)Ler zjNl=cbKZrF_9!Dw5#swQgG!`?Eb7LXOK~A}vPo9cc 
zmOM%MlrIst{m*&vt9cv{PUmBqu<=Kl7fo<^qtdMZf(%dcM+035Nks*&&tMfon@DROV(aUG+A6NRPe4$iV zKYaV~H#c0}NYKSvV~$v=VB`0H|Bn@OH#gsO<4V;<6-qMx#^QOFT%1=Z%sIo)qPf;A zHRZauWltO5vctg3P1en?nZNKq%cI2guS>?{*}Ct!BG;n)w$)3w64>4PUvm|```^`b z^-&02etsA8^!t}LH#ad;to5FX|ZxW_iIe3e4e4$hIVlfn(A1>tbD(Y}g?MpnkEPJE z4B!3v>D96=za()&+JU=w3brhrb98icbaYJv0?^tS*=r z1{dB0VFD+SmF2BAu;^((e$i&h$jB5Y585RowiOj4PgaxSd!9Xk0lY?W#|yV^yOy{= z0v2DL7HGE(Ko?_H2NBVf-LinqDE0y}0+$=u-oQ3S{s?>50dj>tc3EQ;y`B2L=&f9O zGEQ#up>YHqWN}Gwj(h|$>YU2w${nHR=qIvu`S|T*7R#opdKxL228>JK!TP*_p)^+l!mgE z#W(0xtg9>mHMfQ|-!kGZeH9)g)ABe=amjqK*6VRrUJ%ceXHTUn$Nc;cMf2f+U!mn7 zuhq*Lj4?V)M$Yyjmz1@;^X>Nb*b<7Jgte`!(~3xzhY$J|*P<;aoJ_*t(Im)YOE6Zw z2@>=Zx~rpDSkS)?V~>m{7O;*E4hMZpgwcY{-rg(l2k-*I*-+=IVqOe#BK;Ay#Egz0 z+_rL}%o1|HP_6Pt*)v=9$!mp&JatlkY|Gqgev0hBjTnB#Plf$=x3`p|y?}v1VsA2-jz->RV0A2IOmqAxCMZ5+4QH@5ezhh#hEkQ4m10uIj<+x_ z#%Ke+SdA--17CL9V=dHaPv|$+2DSw!bT%;kAHH=u8`#p8iehTYdxEpt%No0A;H3<> z)WKeK9+S4_(N~P{k|#4o(&aH}Lc67)u!MeJWch8GT(&&&yy#RAD0{;aphPl@4GDeb zBD5p0&fm1m3LT03qTczY-4yCpt+5I$>(T_l_OmK8Mb;pHjz*;#Ox;Z^>20PXc^ zkCZyznp`nj94n@KSw_OfjcD>{DP^|L!naY3J2!B21J&_JI}v~PdPtYiFubWFaw&oY zVPcq>+zE_BBibQ#R!^@#Em}{`n>o-q_hG`GStidkOhP2{gJ)usbJD>itL2$f`59>> z)ZLK;MGdXGdDod%c$0H>8bQxbSX7gPVB>cXqY;Wx;2;-VO$l>Z=f)dXtl$zoWx?}s z#yHfUlJU6=^r^DN%;Sm0cfMI{F=;homc74tug_`)bM5_w>S9fY9E#F@PP@tQ4Mrp- z@rrP2R&}duTYJ)Q)<(nO;!k7LWvMnx)LTp!m_@jK=^9Ou>SDrm6&IVDkP)iP(?#6c z{TT26#xN!;yZ_sMweva~|FO5*dy4;9$xqS!pJ0KC`@a|kF4bjL;H@r`bK>Ol>P_f0 zbkSKD6LFVSxf50Qcow>c9*(CG70Tc9lE{nqD&XroPB;x3>`gZ0U*Fz=7?{Ll2m35*)D0hFHqyW6|nUM~MbZ*S-6 z{J)ByqVvCE0TTH&{D8F+#R_Zz&SWMlz`6KELD|5u?fmSgvp8f)`WkmIrua3P@ga}? z3g)Qpg-^pbIkoOyh_;z{^CJ0ZrOnU+SnS*pt*weS1aH^%@@DT<%j#@>IbF2)q1 z{V5rDj`5&BI4KUm5Y8a9bA58fm>A+(Q`^8$F?4Q*@Dq$tfG|$N59ss0e5^e8Emc*? 
z3x=Z@q2bjXPrX*hXvjX5|Gx8rw=qKB-x*W4Nif8C8sO}v?bR;jPs1ecgUtz*PD&Yo9k=DmWKYMjI}(>Hx*n zwGQFmEfqFlj+q%Y;d;MR*cf-!;#@NRa+&o)FIZGP51TGR(Los9)w!S%2OmH9$;>r&h!Jv!n829ep>W7e|P zne9Y*av#uhs5VduPbv5BnzE+318a3x%E6mO6IGj7@*7BMH7LsFcV6|Xo;S(NdQT9# zW`(S7;!@VlG)8KU4MQphE4smo-r_VULN!YWxSFMh=1*|PZ zoGo<|kg>5CR2BB0+NPI2IYAJUVQ*)+Gu*DuH)A+n$|HCk(XoiuUM7{<(yoLtHpvvak(0+Xjtuiu1+E;6R*&YdMr@+fn!R4!8I1ENHz{@LLWPN2ggWlo~7<6Xi}( zyR?mxH#MD84A5B)>^Lzg3gu-2Y?k?8LZp9o+`yE4$I;tea7q*ki%f}vB{Ll{mI_9xqGZ>a4 zaWz}T7a(zO&>fFPV87(oA=~oQ!p?8xVNCjdG={vVc3zY-a^yt$h>GdlH?s-eG-%Zc zYwjWhF{ZO*I#XC!B*H0%TsLB`LX^)cgddY2HN`pyadEL;CRCop`MTopC5m(1{P-2f z^R%zaB7&V0W+{@r0LbPgS{{d0%lLZg`m8&_dJwSYo{$0dX>)km9KMvzf!}z20o#JG z5wa2Vtgf|g`09Jcw!9nz$Yih!;rSIj3A$R@h`~ z$<8&C7wn)r40c!==JU6_!%uuxNqwbE>DnsiMUyo?!4X}`k{044o$-NZW!L8 zIEuqt4|`#N+~LTF*SH?dRQQwYdXzZO9}pOmx3q^sW!HF_uE0q-J=KCVyQy0CIQj_sXfr?T*sFr_Y$-!jOmI)t#j>S!B8iB0LuvQ*z-6y5mnM+%G?UegU z-gRh}FkN*K^ydoC%{pg+d@SgqlugU2KQD>%k}s7sNGv{6JT!YzD@jewlsSa8G{#vj z4u%NG=5g=mXFpYKNU7-Tg|hTD?sHb9m8^@BO?=*>xQtxd3REjIl;rn|lR@Vg7f0^W z-nD9Si_D;4w%H;)bGugJ-8>VHJUzof{|u7xENEsjOAsG-VqRV?skfH1t?)Qz1~{uV zB_U1@&|9id&=#xF7ZVv5PJF!Oh#c$91#1??T5}k0&|M{nH|TCvAkKB%UWRz6I^M0l zgy7yQPZHuuLOe-`rAUZ+$Mm(A6B&<&CxP)KFrEZP^8zE4nPy#t!q<`dA!Wp{@^@A1 zeo>{I?`nmXEG6KM)U-D(JE+lnBe$Qf)^pLAVU!)jYh~HjLsoF7EDNRiv|l&BUixCD z60VdN)QoVkf#ymA2&_1AL}u1{X&Id|$O;R^6iyi>&(Pq^p1IfkuHGGG(d1s73~JAB z#g4c5RquB*%auZ!$^Oi;rIaUY5WTxykLpFNTa)T(?p+quyW0zpJwr9sp^@(FWqFo& z<9afaYgrBl-R=VPNQ8z?kZ$!pUcN7xGS;rkDK3F6(L>B+(pu{IbZhPdKVDp%&AAPX z38`IGqPa2x~%EVytb-Hr}|w;jZ8*qP@Bvq%U+iitKh0y zut~#QBJY}uHt(b{$MQ|n@lh9YIYsI$=JMQh^$AyVS!Zas^aZ{%dv2o|BvpMcw8+&+ zjo!p$^ptg3ZG*&CM_d?Eh!a_ud=!hLHHlAKmKg?{f{aqYtw)?Cw+_ zwdP7+-yQaB!PNJ)eD|rBi-b+3#^FqohA*?+M$q#U zYnDVC-15ZW;C2H8H$)gvcEHn!nSC!#1|SRo86$9hb^z$J4me}kw!t*Ij-iV>V1N)H z$QcKo1ATybEpu=+^?gLV0Q9zdJN9uYrDh#&nmfDiX$g;uhgIwm$`__xt4UjI2jy_^av*5 zlTcKbO5}l9iaob^(WKyQJ%(7CjZyg3hb2L_nvp}YJ0=k46h_%T%o0hpdL*G#FxM+s 
zL+J&S4@F&hQSl;%DwahY>SYwaGspiJB<>REHAlG8Il|#Ib`b9TfQWop9<zR34N13hEjbxosvK+vj!}eei23}9!^3RS#43( zI|Iu!NJA4NW}CHnU{OK(XE6~s=l%|I>k zQV>PI4fRv~rK?Bi-~>9}%Y z)0rdED{$CNXL~n5l&$T$SM@#{J1J1k&EKuMy zf$T6fqm1^0>6JrS0P75tPGtdIRzKn@twfW9|Cv_J)g3Z1-4n9i696G zTSA7Mxac#9;Zbl~{N`;OPD~Xm!s{4ee2AdydjT3CCk$My((4Y8&q!cMo*VioE&?Y; zELq1{=z9)3V zvdf}Kk-EGwtB>%3>Staj;YKTM=XH--;Z^fHVCg!+WC8;>(G{&Lh{qPNY$qi=Ht;h4 zwCHTx=x^Zo?O^};o97@#&;@o34&I-h9vxf^DUQPrgQN4){=1{})3g3y@XP!2!}Qa4 zM+ZOlPmc%hz~8~&H?Lz9fsfWl3$!*zUf_bQNkF!y7{z$&1+W<~?e^a^xC(mPZ{3?; zys-7gG?~pTwfrlqGVv{U@KC|s`aa#P%qTT)aD`*waYJVSmv<3&~{de}@ z$G+X$d-c%*zx@XO@|PldU?+wX8;>DvJZt}Z-Cq6v_qsjazlj_f6p=FyGe9WP{14a) zBeKO-^p+4Pb_6m06vpmW?AT6>Toe!w`glt|mm?!b|N6=c_;2!zKa8hA2ak*V8cWn- zODsf7Ey;RaKz1LBA@-}aaN4#*o6fSCP7+p4gt?OKbO|Y4Jio2wHPtd)FbQLLjevC< z`qK$70#{%oEcmp;zij8f5T?XpyaNr3!dC6{7FV_lW}0#$>C%|ZL`Tt+Z-Z%Qs)dQ; zBN)65hZ0 zQFHHDwO%TJ<$uf5Y%d*IPi0l!?Yj$44~Pu92bkr~ccY`We%t_Dosdv}X&O zXia_Xx9&}kS74r9gaRqUrf6{RaI+C7JuM~bA z`nPD7JiI}7+3UWNW3f&Gdc6Oc*{*8keiL6`oD7nW=ExRR2!t}g%?^qBbbfeph5`ko zzFmlvbtRSowoCF&`yGtTRsk_yi5G@s?bO-G3 zbYjbiv6*7OrF0xThP}O4csij7{R>Wfp7pN&xV0u_M$-+Opn<$=s5Lvy&v#{yRfeTp zmoqT;Jp&gc0R{aEMoY(O!y+-e-A^^YO;hdX-GisVu-dny!-)e)VY62-IR+R92z zrx?1-y?-L_9-6vp&{6>l^L>-P88h4wl$>nl&i67)t)?WbwNApHq6`alJl-B*nzfi; zoN3Dgj8m`c&Q0sq!yZBI0g8z!Pm|^tNql@Dw$$2Li;FS@6*N-iJamcB-FZD64h5VG z27~F?3WRuOi_F0|E1zXpR~i;Q1Wbp|+&UfqRqaJSPu&4JK?Q6rA)LeGvXE*SgUVwH zKc&`eV4M5=>5!(ySUOVQ6rrE`v`nxqFS4qdgt<3a({ff_Z#NpcpFd%&%l^;r_)8Rk z-B}cXU4sI!Tc`lYvC9^LX!E5ylnn7=A zR%OZD(yfcS!sYFU^AlW>4uMWum86z>N~UMpt2HJhvSz!po4a~V$p%tT#zp`t;M7z} zL&}^Lm1@#vrA$aB%?#-p-fV5j`b=*&T$LMk%}X_zq7pMxs)r{oD@5**m^UdY+62$G z94)sIQ@Zk1;@33TR0dUKLK>EO*DuSB&lAulPNR#Kys)zQ)UyPrErzXWtd&k@lB6zn zMR~brL$g*^Zbo!Du$E;tz0Y$E9<_t&AZ>{iVjw>{0l^HFPrytHw*w=D#(M^Ue zug(VU;9E!P6m>k`OSFjszjqGqIbtceJM_qeBj_NWTARmZ0IQP-L&u+Df?~dg+n^N{ zTyZL}X4qI7T_2W!G?8AZBW!AEOk>~5PKl5!Md9mjJs(BVR?ULX(@$>DUHX9+VB}0= zG`R7i3m^ZCVsCUOI~4ILi7h+{uAqOB@CF6^+}&27Uw9J~PAPqpqjHR(YkvOw6k*dR 
zC0BX6%R}C6lm1)o?U4Q^aV)N54{%ZrmSv7KHIJ*Ah*2{>!k3haf-g5RV>Lgf_z(0M zP9h)K!Z8gm8U<1w|FON>-Pz8>f4uJQ>^{YRtm5bXe(S|E;WFp~60(vG{Rlc^1P0-V ze1b6oZ^LQeGRGva*&n=ZgK6NR7=!@=VGJf=jGj4RKw|G|O2QZj4?O^{V}vFsAh-i~ zF^Dk&r|&P0501dd^AT{Vo=ZPMF8Jh;@iQ{^F!&V4H((UTAW4J^ykHc@6AnU*u3_v_ zG2w*KUF= z153QJ+J6Ig;S@~Z9jk*e#YpQHeRfbpfENHKoJ76{0|!ZjRPP_gxqjDg5I?t-g303&vm zyz&w7;U_vxY&O^wdjX)r+6%5<0xahEnLZZ@fh15KPEA%A02lzPKLE!A3w+-n91mVT z`{nrJ$M+vDz%Tvt^Zx0@@zDUhKL-czPY;hTj^CdS!27qLfBG-*)A8xyOMpBwMlnF2 zqnN@T#=xVbLvH7pWED9$<~s)i_nGfa zJn2i9L#OlX#TFIw&lvajgF6sMH$b|plQAUEF}U__Q6N_Y-PI}GPTyY~4LamA0d(&J zS4bEwUHXzSgp{Lj5GK3EPN+`WxP&|Fzk1*QUpL8xu&TxN`?5K471v z45iVH4IQ7|>eAIohqq%12 zP<*&3I*+Z_JpI)BG3ozf28sd62AE*f@+;Y~#Zny~qiy9k;6gDiS_2(GP^c~u0GGh^O+F`CsbDD;qk zlQJM10L_$o=vB4v<|EAccg%rM8`qjE(tj~#)W)BarB(%KdQmKe{}aRbD%QX&ja7Ci ztL!du4U7b8_1D2px`Ig_*vvZEt!iJe4t6u^VCRw7!Oj=34)mLtrL6?E@2-&_x6j}) z`MTzOaHZXTG6@5YhT#%I^tW$pZ=Pb|@1s|!8Y6$w!Q(AfB7P zP#n-T-|@n&y1CPe-5SgL_X12Hi|EcVnyL8&2JjlW_SIeHgMp~WYxu?qCs7#i@W^KH zm_u4*Zh8bSs0nUzEeTTe9VeUyWMw*5J!iudYyf+{6aLAiNL(VAbRuo5Ed$_zm8{PsDZ66^{A2yUV8 zxd5ZdEsBfE+tpoKY-*d{HP&jo&=aI(l`SDy5|2002N>~Iq?@K z1LcanCX=oOv=ATXV^?ZYl*hHrvVfB~&m@tY@XY6K&sN?C+=?T|5^)H|h)dZi!#Not z+24Jv#cf^#OSQ4IkGXT9s9D2lTIPpKd>PnKuiuQjVoBGD+^3r{OG>W~*KX(DQ0&@s zNcP$14}BJO=__!S?P{VcP?2BNjlE2l!mVS=gBYWjC$!C76iD$ffzhuU_&1($P#F1m z;rS62SoaTBTL(3tSE#ajE~>{k2@zR8Gq6xymd}o`tR-L`XO1P2TNkKuQ4}tt6|9#g zW3rYRIVv2rn+x{zJrt1sl#I`XAKOZ{zDLSR8mL zgV$G<9c|Gd?Z$FdT|ta&>8zj6Rh5LBvGCD695oUyPbOhdGnHhsG35HdYobe6X1v>* zCE?AUA>qy5I%T}GWCpq%V{styd@1T`qW;-8Qq&4$3wu$L_ma7KHstldz4a#*u$ zX~IG`Q<^koM{6+A2vd?SP6oQfGDYX>gUD|>Io0NI<@B9y)lF93yhgXuB!(sV z3G3d*!)9vcP^Rr}aTL&#_mIbJ^El!fJcO|9~ zZO^Q7Cd`=14A{#%`YiN4=PuPke*v0KMoXX< zp!kV39-B4dY0$?XFpBxqt3SmX!8dhEopIID;Ml?GAv@>Hr?FWo?+)Gz~n*xzxaT*5aVMsKhi6_l2lymV*pPV3w$*|WO_J-SQWgx7a zmN<<=!AaBlpZ#91)9Y;8+u)Bsz~8q!+nuhxZ7szY)IipqubHenk3`m;VRzX5TFJW8 z=~7ZY5?Om+Gg*6&CIleylRvsUUn`NRNa*g^+b{p#>veWlM&F)J-`=qM6^qf?N_WD?5s*R$bnSTU=#+J#Lx>!p~+~$)1U}6lyNU-F=BBqw{_^u 
zVlnI5rdz|^?cOj(cLvdV~(U?Ua@)ipjCpjcdmgm#s;S@L`xaskhtsYiov%jZ-12$hJdFQ>L*)oL* z9e(l1n2)Vd1Q)M6%;8+ln)6X`O~x1D1tkC^+#0-zr&nNea}&DmoaJ&`*igWB&Yl?h zx$csGlUd7U9R`;&ItJrT6nRQl}ojS6=sbV!<1$hgNd#A<)%4R+-g@! zg%a#`0n7gFTKejzuW_4zs>LXoUF^K zkK!4y=YwlsN%mRPfr0nm;9i&J_KF>B+pt>{yD+e>f8vqHMmGlD;w@GBQcZRm+b9JV zKgj^?ObR)L#P@d+&P)qU%R+u?uhpQ~>+TM3&|S@9Sl6Z!v9xzZFw;%vO^S}GG1Dm- zi&|CH!m3?fI88GKSPS_L`YmeegSif>VNxW!YLn7?#ZVuva8A^a+d1iwZ__nPkQC3d zAu?r~hkLzmhsc*XJ%_J{;mz>dI#{~Jm9`C&npLm!`0GGqkTgMGG>|hN?I)_ zzV>!^hC|9z-z~aOa?7)3EqV=t%tH9Cs9m1>zpIJw>`Nn)8k2HlgChNL)tjT>_GcK+ zrQP5q9pUH9SgOEk(%hjRN*dJwAC*Mf5q>$eV)6e^1gk@^{ zYTc66H7uauHi3ctWws*-u~yFxB26GFT}ETz>iuePryiFXLijo|WARwq#uGD4tFr#rPH%Uwm#zP`v-ed0cO^eh z^?#r0|NdF)|1#b``W*41zX-5!X)znDSd40C&^psqsEW#Jn$r}RifJ0lfj;8}Qvn3h zBs7}({vG&z3Vm|gaD^O5*%gNq1b$L=UO2WR5BV+z zbdfWPNg3c_uz7XIC~)XPh%(BR=PDvhae(In#F0t4X~!i{ie~iyEzMqD zA67~kFh>3a2&ad?0$$8W{GA7ve$nwW6`l&~x9a7f>Ojdgkbl96UrJlH3^=RMRU#cv zA*K?L2^zInI3i`-Aqp^6QT#yEX_}GNSRo^aj0e!V^yFEZb^MJHzFS} z-Jw)j5pM*Nsu><;`w&K?1OuX%T`2n<;8g z1YouZ!u+rv$b? z<4FefnzFvgcf`l0wVXf4q%h*;qsuW$r7X^a!n!C&pB-3PF5^t5ZVh;qAwvz9&b6(7 z&r=0hT0Z2qF{gw9Rhc@Rq00M_U*!fUz*VJ{0qRZp$W&ijjK;KwFM!19WY~+LobKxj zK;Dcb@v)YkzfjPYBzP;6VJ2#5Lsm@}#C}Zy#)y+iurGK4cdG<6;G#4Pf zx?A^yqw}AS4~~YX{dY$XoegZ6?Af_ZqSFQs4{z@8i=<=}#>61>O>l{Qox-QUs{_Ge zip!{*(apoC<(p{%jF4Y4>*QuHDUdS^QH!o(#qn8*SG`DSaBoZjKh!~{y~5~p;&bhj#RfDO9Q#c@1&F? 
zrU9Ntlu?mu)1!zjM$tQN(HB2+dCe@#?1-=_jtZRv7{M#g_lSpZ=SSX@mpkv=YSr%) zUDH8g*57wJ-*&d`Z7UfkM_&~H!cI%F*A1*xUWtRE9X;Kq8sD;EKp1msc9P-R6*M%e ztZ8=Io>L7hN{dnJwARkbmMS=RnuK#_S#S#J&@^8zuTeP7GPAka&m|aW z7IuTYZf=F;g7=rhAH62|xVJn$Zcr}lEFu?5nBlYi$s^-%N^GtcDK$HZA1+lngz)R= zKqPvM*qFk&SpCU=Sae9F+87Fm=P*n2J4D7|G7Uh7IPF28&z4cWm*K^w`%@IUw#>U_ zJK1bxMe}G%ZddC#QerSnU{Wzbb3j&{VXZm%_%VRl1*WlYk9;VdMuh&8Oqpe+b(sX> zG80h&+esCt6+tovdUn}#2?18Pp~MsjY6d-GT+O`9k@nQpSv5#2ZVmfsCQ*Tr{ zmN``}SG{YD>_9p&uQe$lM6 zs$R>Oc||NX1U9MjH89$G@eI1RC?+08uFZ~}-0uL(D>Zty2m}8PB<%oeN5vj}9tP|} zPaRKQJ`)#gtW|Pq;rDJH22tpOFm{;-;HNPPXycgm0ojEVI}Cy-4sSgdxt(XvF4#S; z=lcRS00FOx2)uw$*&D&Yb0|Qnr%4ziK*lg&;4w&KhcBO9O$pQeQ4mhA$LuXu*Mh-x za)n}kRAQH&{3aA(dPaEmVk@^VX6Tn<1UB%SeSR$GZ`IQH8TyzX^gGhRNFSwnCH1P4 z40Xm}&MZFkJJ|G5Q2tRHbhGP@0kO|YXTSAgOlBBWg+JuG6OMAFU3CPFk6GJ#Yg7zS z&CTNwC)^Cdzv;dx_=c4Rr?buC6a$1@!Jxd3#gsLo?=_~E^H#wFbky__n1aE0AW3Vi zsKWD4L)VQF#@h3~?6A*YDehsor&&bg&y=5bL~kfPQ!Vj0wHK*Qu8Cls!p;nQBYRA| zB8x#u&2+nxhi2(|yGXhx5;y<3sP+7Zy6t7zuG2uUnX5N(>B`Plf+>oOZ$!aPw(%sdgtx8StKRH`X+S(5Y)UOhPg$#W3(cEQ&7T}& zAHXQ0AgU*+1SKxz9Wn2wQ;Fsg(Q2!962P(#bN1&}n|Dyf2NF&LeYajb6Z^4r(PBnU z3|th&$bkg8Kx8KIM!=cIF$#!!f&rV|{C%^DDYT=OsBbD>Fg}yhk$kBkl7HEe;3}Ma z;}@dYkZP9|*3ld(RMmuHnxKHhcLvH-lST5rZhTMCMJsqwM4)yp5+!J)XeCYDe0^r= z#laiKXk;A4&}?q%@|qM&Be9)!>RFV|>{C@+VKr3e7ef49Zs+BwH98Tj z$48lm?8x&>0}urb$ruvma3}n~NC=?s11*_Kj<~#~J;@faO{&Nin^elm?v~v;dn46< zqAD=+O7`(Q7*D9OQiifn^5(%gQ^tAKNXvXO1@jz*Zt)D?=8D>BrRU1$xUdpm6~1zW zEW+96#Tc_=nR3A-^dv4n9x?xLOc>fPrK2=+$0OXXP&o5*(IQ)va`nUz*OS0U*U-5G zn1nI&+4E40T<(CD$62(pc`H?$QDN?kuFJ3<@Xs%_F=j`dj*&%Me^$J|01!tvfK^69 z!L1jE!Gv!Z!pH8}Gr;XgMvIU-**jqzBZrv#5bm0cq1Xld6~x>Tos7{lpkJ7)yLcBS zA_iO`I@lB=*WfT2-Pqy|Kn-oHp$mK_3U7f5?11NIKMg+&j?Mx7<*Yv#uwN)H!*@pq zKlV?L2k+9#?fKE+S^xB~&l}NiPy6qVK>9K5>6iEChndHjE~~D(nK3+!MEWDyl$~^d z1#Emf*#WlA?&obgMpQNUXmxwrA1(Q}J%OKX;!RNQ1@wIz#c@c_Bq6YY{Rw=uK7I`7 zS!{~;H}1!TL_;TZ(F54HkCE$9HW*H0{{dj{KWKmBp8hj*!%u-9LiYjCVfHuf=|4jf z66im$iKeqg?jp4R@#9Bp<6b-((nk;U(Z`R$M+;cxc4B1~5{GhI21cdLge*qxLcB^0 
zhN;I~Wss--6Wxt4u>dlaB->y5#vuK!#!wlnWXcxz`!pmd*QrsIabF**0^(!-cBfjMtDY8ir^`W*w@*BFq}FnNO!0p~ zND%H^hfM_lmdF3~dV9Ou+4#TR-JPfSzg7HjBfRqBciEZ&mSh172-~^wzP|GdWYJfv zslxn83|5kCto3QwEzKE}#G*t~0etOh%OXiH8$*vBP5>)Q;UgQVBtF87c=_Um0OZAs zH(&!_vH=z@o|p{RT+U>TWGk5NS|!h%Fh=+|c<1@P#~Gt4CO$?uoW>3svTsc!P%YA?e_}#;U~7^PQ1XIOeY{l^!$hd z7rEfz>;pH|u&R9Toj+g^5g9}H{K~2_Y&LkIMb$+u~gR0;!`aS=Wo;!eb5<>TT z=)=H4>3lhJOyBW{1);+jfhm?3-tPkn7_@y2QDdx`iZjgTm z#_$$V1wWiX;yKXw@9b-(6R4Zp4mb|@Q64)efUy@A-MM4toB*y6m_{z^#0x+eyC`OI zNfHS_$3d8#?mva`O$VG$*@+&EC>wm@LH?5oC4Lw)hJ93h*MA1N#0TSvYPnLk1V$$0CX{I(?yZ+}6c#3WZ#{ertcU0A z%NlH7TrXcQrfXhQ=EsF9N)(49&lj@mhNWK26}0E>lah$}|2|{+$C1hbz%bSYD>rmOq_Mfv@ zI;NoUg!0@6)B=AngYBzb7dfGez{A6H@IQdRT)}3ZkTJWhhjA%c^OmW6>k@z2`2|qT zX%LpVs##Dzz{Y71Z&#sIEdeifH(Q9;4Z2&gvRD+Fw*UvwElBPs4$p33+Z1kFKK*-2 zYvK1t6MB4+1f^XVsLANq0L?%$zmdH>JUnl66U6ctWNM4kwp%w~d#oRZH}p>;4;uWY z$BXq8Hm9LWb<%%@Q{ccLNy_y56vcP67YeU5O@nX*@HmXQj|dy&_)J%A`>vbW+J(!Z zh}V=#7)vn36mch<`Ys@dD!O+pT@}~KF;Z#*^X{i#7N2`4kWuI+dZshQB%Ihz=uamB z-lx0v8>u1Eu8z-MQaIiu1wWWmjco^^Jx0)F-d{d|QPjCn#OiqA7HzgK=jvtty%SEN zFhBuOjco1wRm2tdX1((dRgj*^;S;e^$>-?~@II+G<2 z4|F-?1Cee!Ibn(VdNDVcWNVW;7>6@@o_K;>k&~+9|Z6cZjePdsln{+1T?V%?6hp)*aqQq{+c)ce5}}?JEeuF3lA=&aJf-*oJ4c(O*(M z3pzeu*+N&F+_ArGJ3yc82x9yxj9uW2DPU~hR(U^aP9Bwe?~+_0Rdd&1vBmVjYhs(v zRnN?(tXZI#W_BA_Q?;B6lyugY#ura^;jCnBs5POEF3|VGPc~gLju$~6Jm)Lqxq8K7 zS)RY355h>4WnRGX33P=h*nQ1hY!y(-ZqR`YO7n5wL6!9c)Zr2{an-Ci0|xtjB&s0oc&GynEd~u z&~-f=PnkRL)zrO4WFc?Ba{s^Wo!;x6wEtgkd$;@K|F@E#d$a$anFT7m0nbABP<`}0 z`)Gai42}dFz@!HV94GMehXCF}&u6LgGj&E<6E8TI3IlUCbG=)0e_6dkD<)&8?Zd7c zuZeXhQD ze-}2h4qRAdU$4Z^A28+E3xf-9f-r%T$Z#<)>gmfGRu(tmsV)-aai5;bkjtD1L_Fw^ z2>N7v#~!%|dognLN9c2e9D>}l(8crta|9@aUpYCz$op9)rL>~Z_nf<}+pYzy8!vDz zU>QYByKNvtF|F#5W>Zhx(BQQf>ycd%SVdO{NeTE`!xkm|&kWp7rn`C;aI&DP8*2;5 zN-rlmW?B|lIpH8`6|YMC8f(3?x1%{jjDwM#hFeI47F!~pq_|jD@ULQRW1-JDy4IWJ^LTe9_d+1Id z^J1PRp{q1OJ?gik-C_@BxCRzucYZ)54NO6VZ)S8|)yS(rtdxkJi12a)zhO7p25lC5 zE;@iQ?yxdnq3@#@cX%<97)2rWNEqME`Xzzajp{%uS%#&;HWK9~v!z>#P3=24VS&GR 
zdWDGvEC!q<31o@;XGvpAIS~uXG~FdF?ei@%iMFmFMk0!POO4c_BU!+*?Qlw>scJ0R zbutaxqE;>A*c3|Ddoru#l<=n$O-s~?Twu%;6IN3-&tX<~dwXK(`pg7P!uYPK-g|rR zJiUAR4^QRyRUpHZuv~7_8d@<`zt3Xt*7MOdI>HX*@fxy7gB2s_z7PDn^DrcDJs;sa zOwh#Qi^z(nK_8!n0evf;QAjd1hPl&Oo#n++VVprSws;PKIso`avtF0t|Ky!U2nR5(H+xfHnJg4s~dXh^Wz8Qlr{jja2*OR$Dg|KVV_A=8! zJY8}=af}iV3Ktpgpxx+6z6~rG1fi&Hxd3olFKP64}?|Mv?AbZc^W`Jr7#p5id{Ma>AcY2z-_8f-B z8C^=n`g(3^qR>^DIhHG&DsW%YN|%v^r@0l+n9Q&u+a;?}h%S?}bDgQG6&YvfpG{a` zlpm(%%C}laxU;t{a2C_w6u|8=QNWXpadA_3;gvFq6yTwY5?j0+O@9h3I2w6@N6M6J zg=mzhSpOSd^^-3v=8A;A@ENLQMNK!a=sTvo9g{OD=}yrtq9?$-T3TUSx(Q2B!Bh`+DYJ%1ARWZ>R$F4S4s2AZ4O3pA&9-@ZM z`soFhJ>auLcAeSE>ihF}%Gb0f;Jd)Fg(p~Y#IfxuMlrT|f-H7Y<<%oZVX-atnl)6N z3Y$ajM5ORiMv1gVq}n*46TafS9Fcf_Ip-I-_t$};ESYF74rNsah1J^=m^ne)w=#P0hVGC%Tz|Z#sQ*6A@Mx1QbL7;HnYq7 zzr(8r&16M7+?v_RL~7{b!?FN;9)ec(xr|7H%$`>XL=x(dVA>cHq%`a`nR%_`Q$d0y z3Bya!V$CFlG;DIcm4(mAnr>2jrzeOM1?G99EW*ukiGpc~X7R^zg>IqX7V;_~athQd znZLbevcMk@IpJTNcm&1JukUH5!hTVV0tXFyvyM1OcQA9d!UWY+&O$+)GJfSvW>hy) zPn28r$??I_>EOr$)-6xCr-7A@NEI`9ZwTwkk*(s;HM}qm79U!zx>oy+W>~+rq*$)&jwW`RlBf#_^Y}^TU1=nf5$$ncWjaWXU6Gop;X`%{-4`>uQL9h-Pf;ndr$tKtN1DN z|D4J1lPdln*SI6p6ykPt!+@y`rX?3@+DRw1zSiE+1OA@`=vb|&Ualdx&7@@-Eol3q&515=lAn`PCz~U>?o?rNly? 
z+OP{P^chbVlYRQJ{Z&?W`PGbP%#wXj5^YKNplIvh&4xCGIXCAT;YzTwl8wpxmzOy>ZqVIJ(XD<-%6%X@GMky|noOc0nMQuq-J4iLRA+#Wfjg@{ zgxCuRx;Ed{F&HbtBk^%SUhOiJG?+UVJ?+q(wAoBI>gH=hX${Kn02jra+(lI5GJGkE z9g6Z$lrhSQ5Z-WDb=Wf$_&yAMK9%W4T@&IvkA*ldHLFm!tV+DIGryC;dq852PP&Z| z?cGO0TWJ@+{zjDxi>`=xM9;$a50=z}a;B^b!o12Ly_+SB?>T6=mv7ZgndMkHCB|Qh ziP|{w`_>r1mffDh(&aL#lWqs*5{+ZAioutWsC8(wc0;TV0~GPwe>6g z?{C&6$9?nPp%(z_rKLkx>e-OJNL%_e-O6ba!&SQ%%=-IWu1blJ*juWcq|ME8vOs5% zmFR~oN#syu^pbHRvq{a@8F{#;OUKVm}+FP@=Qrv2Ogl9WJ-Ruuro%ynw&KzB(i3M|2W_U zV=hhxonu^FhfKiPA%0R5kNDV#5(h}YqdQCr1dyU#F(c8sn)OyWCB z(V{+PhpcW-CI4)0Dg;@blxzy<1=jARHv+!`+cgDfZCT*AzX38v!6mo^0I;eu)*DOJ zmH99@Iv=uhwJJfaN=Xa;4*tG*9ixb{Z)ZIKkV>on5YY#^p>6)m z{wFy5Z~^QoXx%Hs9^SO>C2kLmR%(OGk#||dYqRflbLC#-`rXICQr&$O zS?f&xKk*fG8Z7@`<^S_)r?;1_|KIDqe)9iW#ZQ6%k6?icpC3^w;XGWGOMktZ@NsF` zY$vYk_CN4kVR!2%b;^+wR>cmtD84Fj1AvkDLmW;c)s>YE zm*-D|&_$TOlKt_=ETyqUf4Af%)Dv&c;y9BQL4RKUQdM9v%TVb?p~r4kEp&_cFDy+Y z+mY#C5uH_fY9{<%)$yS>VJ}z?Z}!iYA6_$u2W1G-a;#~d5Wi1D0_1uGR}xq{6{aq*LWG}r#6CbgJUH6}XWvTz~` zREVV{8nN*7>fgwzl?%5FFYzwz!#D%X^Ef|Nd%rJDk^FNn^fgvC*KDz7DD@{h#bQfH;#&Gs3u9D4qJ|6rb*fCWPTaCRz8x}s=gr%qO1 zRo$tt+4^9f;&s{>*3HTVtWPWgtV%&?2%xN)!vLHs%Gai$jCh=yHH};r=ca+(uy=U9 zqxh5HeiGcP7TkYwZGZiR`?_iUW{Uk;wEtyp2~XPl(093Z66)0E&s4{;y*`zcYNTz$Lo8*Y&IJg*`cq8Q8In~bpsn{`y{SO$$ zxOUh9AFe+*`M~RW&FOQe4Q%kdn}brR9t)zexYOw`RLe(kZP!CK&Vl~v{GNts02;zP z+iOuQ+Va@%K-Izxt4r=_*pBee(Dz*WSw;Sp%z$qP>chDwBQYXSCk9ZgjC&7HyxqH;}+-U8cY6#Sn3*rp%OIL%g@g%=ZS z``T{ySe3P#Jm=AW$z4QGH}50(`;`8|6F(hl6PhlH#*zaZOk@A853g}OF~PpMI2owV z>L)7T?2QqT+}KF~^`HO>xZfHKO1aTtPg(1ecfK@*6$S ze?C4q;$h=XI6;_ea`c^KCtfQe9I=N{=)MF9V-ye%`u-hzc=rB~^`Hf0AAC4J8GblF z*|#>Zby=4@G7|s8`AId$a4bY>N(`nLxqyu0aC$usrz8u@>HEW@;ql?{;N9WA#lzZd z?D;4lGO~RGgVw!-`(f+0yA^~k8j7-fm)Tk80I>G&`p2giN2mSMgQMZ$(aF)p5glfD zc7F8s_@DdF`Dp(H{FOFt2)0~wyG2Djus;E7<9Qb&(e{Eg);nfz}>$-bauSY#Jdi~1X>%Q7{;CA=wTjw?W)){TT z-urIH?R|IkY758C)^)gb^DW+rZdkesZW$Mu7CP6VTz?THV{nE1@RP)GLKQ^;H5rR- z(gh*MM6=vpf=k{l*t&)BmJ-QZN*3@z6wQAO!yB;K2KOwl1Ix?!nKuD|gi~h>Sh3Pn 
zd-e-*WwU8OJRgW5xqGX-!TLP8RW&B{^{;N2=K{4J+2CY~S6q0WM1iRbYV2ok}KJj@+Fkme01v$(# z+W!iy);+&1dt*OXU>`iUdfVI9bMPDZ;}7HOUH&>vWY#2^K{MJ9?HaRE#5!-iz{6w4 zI}ZjD~QKpS-=7QPtQqRZUU#FHCCj~>S4dv+kRGH}JH z04SlIXh6yF_FJ25`dTr+!DtJWoC?PEFQMRbtV?FVitcR5FOq&W=y1#2uGsRy| zruY+SBWq-Yg&3olm)Xgx-y#k0rt4i(wcQDCQG7R~OJj&+>N0-5&ZNdOGKsyc#(F*q@XO*`L*|K|1P*Ym*{p$)r`O6OwAy zu5?DA%nY8hO!31p3|t?@p!E;XIypW)I(`2f9G#!@hN&j%-hdnAj_A8LV6)Y2gV1rN zag1C53Gk`7YxS(;GAgM{2QI$>dYz0hf<773GY3GQJpzI-u>XVNkP0G?JjY#%0_>3~TM6J(7-Q67 z-5dv)An3jX|DIw3K0%K#*vJ@3_X#>U%kMd5P8|$)ig!nuJAZ*5yBDD!N@|gi9?N0` z-8)KMeh*+Er_I+Eux;A0O;2z(e|4t}|9lj~$Mj@~+zyZc>;a6NFmN&8<>3K|@91-Q z4ZWb#=~(=Vn;G5rF2N-;xVQ6m^j7-JN_nL8oH{?-e;Rv~W#TEyV0-@I^z``jhd1C| z7LiAy^?&a4HFJ)WNgdV($ zTgz4>PXa4xk?Q6_zK!D0K^Sv%)Oyzm(Yo*2CSp9KTE0C#IocO>FL*%-_Vq(j@gh@9 zf;ZvtGY_U#X4hq{&X4+stkH1r;o#tCFxcM~!+rzK5p=oixw>Qjz64xu0SG1@#&mv< z-k(qjMHeDfC&CdJdA=kcXB$@CBjOimY-%D4{036@WwR9m`TO5ND^lNn0}exW#Vsf; zj4TvhtQzsEB>w?cOLd(sM#74PgaPq_DbjA|QeChcK-I(67T9{Qz<=*&x}B|G;TOWT z|KOUfl~lzLE)Y^v3leJVx9-*NZ|n{Ha4GJ$sK!J$Oo)ApsvyGfM-`NV^Zq+~@MGWJ z>-Ma?>e_D0QKU{Xj1ivtWWTjZr5kj74keGXOaTk*2CG)Nyn?|=T%ZG*r3 zB|8Q^T@&W#wcq*&<(bm=;2ZEh0FZ5Rc;i z&>pzQfQw>Qii$ulz`$aY0l0W8ef3$9aN@rQ*B z!b79e45B7J^KEY8%igDe5Y#GcUp&1Dk>tlzfaNG9Ht;u~b)Oj|LqwA}?PglABUtL0 zCJXpXoQ9w1Y={}4j7LFAHRA7`8ZadJH#*QAn}bnEqcy)xS>@ zTYe_wl=0YECSw)B%S5c;p5&DJjnLy*jYDx%lImRQj4I{P;qiI$EuLOs^!pSAM5wD6 zxQHN!GWQt8NHk+c5(+BU{Dv6$BLFdQLuWcc0d4IC%9|LDCx~>s$<~!0UT@t@uTUHy zg0SrcA@N3cTbjk7&hhtBo;c5s2K%i|(F-#c*}nrDrJ$0X(2gH;2ip>2DBs7dMJ9b$ zKfj$t`Q6b!SLc=XGi<3?z3ly{foY^>hb`Jt0W|ZP3N^wRx0+MG5g(rv%12qdpX#HGT}W_=lFC7Ziui5f1z9SOQsii z!L>y{pejQ5*~rU5L1Dvpn4k%uBxL|7WH;RrurEMM0s-hkWMzc|@Yf#r1Hex=;Q2jc zIMC`nJa0ea&|9s0(TTJf-e*Z^K#0Nu1TZ{QhhJGFopFm2`W*4y*wkw&w%!QH3n8J? 
zK|p7Sk%8gWME{+v05<_evPKNhM-XGGIIhnIolerR zCOh=gwwG*sdtK=zpfaiaS+_l%40?EFag);Wa;c_Dljo6w^sJyKDByROKYjTA==}8P z;%LAF1NocYCAd6$e>i-9et3M^KiO~H>tBBJ%?tbC5?J4#zyImze0Y3%c=XTxOY}L4 zK}-7z{1tRBEgskZ{`Bqf5Buz5QSHTw#&>YyOZR~RBGX73aoFZ}2`-(82M}FBj0EST zzouf1kMUq-Z>LLxwNx+X;+H--K@gK+uQ%KoZqHKtZ{cZT_)FoX8BXZ)Z@_6tcv6N@ z7y}6{xb5{iJDu&nUV_Uwx&gMJj!q9Canwy?3U3kfNk7o0jvd|Qevx_(QhUZFxcqB08-ufIJ9wmk~t2_!(U!^kTaU-*yYln?!B6|G&1|j|2RbMwU@M*m%H<-lK6SisD_y*I%YhvyR#{f;AHnm! zp2zeJ_#VL+#o&2slOj~VV-nt=pbac(5o_IRdxI4JKfWJaJiIZ!I(vV9F{F$)c-VrG zCo{g_bVq8FdH6>ZBSP+YsELgE-AJN?Z^84A)(yJ*XuWw3{s2_;J;z&}7uFkKecb%@ z|E%9W{`F(K^J42`ck6lk5^Un%ry*5P_&;V=pb+&{mRZU-NgRDfka0OyA;xI$ROr#! zeJBn%tx7qRuvpFpmf^p3P_rw9>AGm#o=AVxcW+TlJdFCT8zYP}p(>pX%d}^$cS+k-rCRP%xFVVyu zMwU$=h)R!gE~T^eawFd^;C?zeCp zau#d!nUkw5AXyJR;;j#;#22phvRQU%%C;1Zm&u<$Lm%tj@I?R>54sOFH=*n1Uu>OSG`voI#5k?g7A(eEo7zFR=4B=oJULlgL!OcpbA zmYVVEFy+=b#5I-nWTYQMO#XN9{?xpKq!*%qJ_A->nTOg|Cqv>WZ0T$vBk%Kt$T(gn zC^91P@DRm%H3jn=XS%kmf?TcW_Z%3ORSe>OvgoZOw}2cuGip(C;Kc+9&oDH+IC^(> z(!V&;_qYtS`UX@We*U_@xq*u$km^=UWxFU$ey-5?1RqFSz-0iLw-C1~aJtXxYew-|6y9DcsDDs^&W+b>Qlr?mOg zDdi05HPXpb@I0yHPb&G7O8%shKdIzTD*2O2z6zDxP^Dl^^ziyO<5Ho%I2m+~@sUhU zTCEE)K*a%BE=ysYo@88d{YcmCq}iad%zj&d4!E8ZI@}0E}@9 z88%JbS;kl674^KRip~$r&Fbe;FZuD};_NIAN$7RV099klZgN43SrxHA;FnlGv%&LVRLi+Z$_$)ym?u)5O{h0@9kIJ z?QW+2_v^h^-KYBBtN6Jus{hScV5qS`MIrDc^PSiPSm?@^C)h+FlES8=Fm%GnmMV~w z2tbku0_`j1_}y%RUp6bp>Y8+2h#Rr%5mN{ee^XlPhF|=MVh+V&UtF!*1{Q(wH6mx? 
z&rGbB#YC+ItVnGp*2TdYeGx^;22&)WwMHfP%Q=F;(SE0NK(XLIW@qFwpzk&$dsLM!nf0 zhp(n%mMt71CkctQc=1Hlg&#uqd+5W!Nvi)h5$epSvw~RXMh`+W1vF161_?!)jBl>) ztVsQ=4B6J$)JpSqJK>e;nHSO52mB~_%ml#n%J=a2G$iK;x_5nP2(&n-TaMQDGz^$j zK|V{_QEMKBbJ2jx3yv-xB;VJt7h_8b&i4G3C?5L&^YpXOPucmOioz=)3Ky{fl%M~* zyF1)+6x+=D+&7!bps70&tqPjywIqjZw$ij^ z@{T486y0)wrPF*KZ-fQXsi~Xr(?QdBR;ud&m#IgYdc|@#ZnsSr30zUB=P)vZZjw+u ziL@3&Suu)SWjhiog1)3uwSL6jT@S#8c7JV5zDUa=50v9F^G&Yd*_>U{FG0(rA2aXh z0YMSi+)Uie`9FW~E89B#i>BQ_(mvr)=mv&jfc35->iS55mRE2PG90V~{x>f{>sEJ> zPp*ayCnTMV^!KeB(7J8TNs)e|EnmZdnz^qsuq9>J!Kq*|*YgFv2Lw&#z3b1`G_Tv2 z&U1yg*swU1Nsh%Y;tRY3#I<}C8(Q)^+YN9B`q3D6(y2YhAtvIcUivB*neyC$F7m2Y zkCKlj81>E?UMfYySh|c#(;y06ThKr(o}4wWSl|l810H81Z9nE18*Wz41=&=3*w)yQ zCNL`PF1C_OKFRr#!RY}8?X7KSfK^zdh5coSo+1&gz}d1CQJ zS=<~q`NZLCz~OXio)~;l2G8E*J+b;4vO1rnCuTRY0KRpWkxlt4znPS*1Ntd$dBRS~o+P=~`+3lB6$8F|br1-2*C)QGdnOrCobyyjPxXw1xsPwQQsbFaY z`Ql8KioIE8>nHa9YS_Dmee?@r?>Wtsio1WjxHx-a?yrWqt4*U{5N|JRp-kL#QawHK z`&Yy7b?l>$%<)Z8@zC$ACOyRl8N$c;`0N zE;~r0%J{2{08arNPe1ehl-Peob*@FNzm@qPdfU4@S^Mu!Z}-XmyNaK3`)|Sm71m#| zq4atCwKD#uiqogS?C?U*tF@p$k{;BELZha4ZK7BOM9l}YE>Vv$^I}%Jfm0Gr=$kaA z7vT*(k`;AQ^3jum@br`aDcS!;Hk+mI|GPWgz1;r)>goP>B|qi+f5HOw_J0wDzqb3o zDM8aJH-8kkQRoE~wfNO$$Z~1iLf@ES3Og~3crK`0=mRTa`K+xic6@b)6GURq!O9G! 
z5+iZMep%#~&V%G|^X$YW-R zEXrD<&4YPV)(1%JR>jwwk~J|WOG~bHrp=Q93el(yUuIj2yD9*+{?Juomsa`Ta*!}a zCKj%lzl%weA}1oKcZ0)U5y69dWgcnjmvF1(inXx{S}|T}uBC44i4l@Wky$&=Y+|-X zGEP8HK*e3*0^vL1t&cB!*S;>hF8N~$_NN@SS<8~RND3+FQ9>L)G5efMO=HNMQ3eka z(-&H@^tlDYFmrdYE)CREx$^yEpEBqd5(H?f0M?DBva(;H{4ZR8^U3`BuUh`!+27sG zIt4A>EPa%q+HGt=D!MJo$h0N!tA&y344e}nEHYrl*j z{RQ1~=r|O!?v*&mBktvk+%&GdoR$WjFtQxGMpj7-87b8Y#b&U4>;VBDB8UrCbJDsP za6woT;X^fue4!W{7vZZW0d=&Rvr8aPB*0r3dbL}VwFtA}qQMe*IGRYcOCrJA9lL0- zP~@L|h>SGsupIT*%R@Z$-AvF{ihJYvb)hM&9_|F!UdpaOA2{L~*NfX1Lu9z1`A9Pz zuZt0D;!{+>A&$VAPg2wNFvAfy<#e@0QC$iRq=h zbex|nJGZcsaRkxGle8x1W=u(fu7TJvGee1UOqL6j9epWe63=_F)B&jA32f`;hs z4P?#;T>bBF9sBto|7ZL6miWg*=jp-c=D)UYK8-)U`SjDL%TMQ@e!-vK;7>o{PnY=9 zId1-|aW&gqj=+--c{CVw%-{8tuE&C&oN{(OBOgm~M9kwQmp`m3fE#&|P=~MtTA_2B zM%R=PZF_9L-Z693|;pF*ltiA{o88I(npy= zjzI%Yv2z|~&yFsvQhZ3eTa$kX(2u~ATPxk|b8(RLZr>AX>4&_c;AX-F1+{W$XAPXF z;xHnxa#h@Acki*eOAdl5xJ&Na67Eu$0))B;wjIRjZF?MfgWQRt@0Dd7FWB?&YAN9P zqfAWI0G`?pLGmr5H9k5ONU94{gQGcg29Bn>WLEA;0WX~7zu~p*N%_)a5 zx|NU`gHfTvrek#GaE6Lwcnadt>b_`8t?7#Sf7L)ug-OTHsJK`E`@8#puCkhJ+_S$d zj7yl0Q|)**?bXlg!FIQfW`Fg++oMn8PqbM&b@9=9&%RK1FG7IaYJ8_bH%{*iwgq#H z*(OKjwzzyi?h{!lW+Q5(PU@dC-!#*G+br0^D@%*I*w7=vyyJ!K_msUY0m_Y*cCgni zzph{d+uJU_l@L`k`OG>kNdEC%MC>v2@gNi276%1AGG01V^lZ-0pELIda^@bKBvhAadlUc{niCEPr2DGt80CmkRy1SD<{#~gsq zpSNt=-gEhryaG&+~}Gp)?G>T!IPt0jSo@4?J8 zq4Rey`l71z<4i@e?^YPN9EiDQ^7FgiRT%jB)z4c z1`~%}>WQFf9CIB7Vc=fIGw{j|f&5^_+&|x0@eB)?t8qy`3|tpe5`~=WTt}|B&9K0v z4D++ZJVutB2{pypBGW=Fk8hvo3Eyfl?}j7txx9hl=?FPDG#W4GR!Y77l>;W7kVdt# zm6>6}Q6E@EGn#pCR%fA}k&5e&S&5Kk<$s(A>~a9CP3FG_UNlB45l$Kd#oH>yjp;dI zx+&yb>UDn_jK_hWOuzORbv9lMNL5CA)ux$$HI)r)vK56QhlsPMZqv7!q~xvr4%cR= z?co7(?j4V-0P$Kjfu-Po6S(}dPH=d*pBC)Y@*F9!lU{7<5F9dUO<`A>JcncpO_=fI zo>cAsgle^%Sov99LyBxiW%F9(e8gR{7r0gyp(4PR0n-9Vs!J8NA_8T>%$X^wZntZN zff!EvBV^79EeHXXy*3T&09O?Yjw9@2b{hB$Vv)UXK!1fEb~!GSBFr0OA=AmV*x?(9IKI!u_Oy)sYJ)YDiGFYSbEi0 z`TXZOGAAM}R&g(b$|JvUPoO(S;IHxEn%*(jPM8QX%}Qx6AcOKGn4}P;fb|dR5mj!m zON?z?9RwC6YxrR=z 
zlD$r66uamY654VCpOL`x_#RI(+}8d==EJ}E@#M6benp^jbMg@qlj`~WBAU!8&fbT%#R(L|QQSjDHbd78nVjDURqWp<%O@bw( zWG(upfVgHBbZ~_IA=sfa#|b#3)VbDJVElRXHu^LRU|i{M15sA(l~nJ>&$w zOI5)2VGLv%Wj#UGUYf2Z_X!CCW;?Lu5TnKgW@uakfz}PW7kDVZhao*qlQzS8vQ>R6vtxIwIIxPdg?)38SG;@yv5sG=#c(c z!C__QgcQ;r@@3ZJIgSF#IAxmQ@-xgU?r0_!S_)NWKFdq5uAOF?*_#bCOfPdY=5>oT z*_Bh2gjH+#iW-xdSQtUkKv7xPRg|t^0@%y@u%;0{o~E4S8zD-Fs)e=ZXW*7AM(Be9 zhUEu7QYr3?=UG;=VpPSqZFGg8zh=LD)a1!`5E;B6GAvr>z>> zvoM>LqkNiU*P{3@^cs(GEpNYpVp$8Mb?OCC@(4O3)Wd%jY`AR~q3|>a@8?+5r20s0 zX0`m)ozinDSkh|Tm%;)xm3J`)ZlTUa1xA$-LN=MpwP=Yx^5TESt7J55Bj&VY6x8-O zO&G~=teL~HaoC>4?>1q?0tclz?kyy3%@?|uQ4`UtXsqi5t!-H;Cg;nUJqT?!heHun z*Yh>hD=$9{l`o2@8J`_hv&&Pq`I;c;zVp4bVA8zV>Er1vgIB&Xyn1URZa16+CNYR< z7E4?852tow7&E?%d~ri|Mh}M5KP>QIXs}mNY1%CDWAOe;h{fqYn{TQ;#FVMy-A6v? z2p7cc)}HsX1<(6g`MjUcH}99dUsI3k%=3M|;Q2l;pKrG__d=Vp92XTAwCvr^g7MJp zlp0fFQQ6%D!RqVtY|?QzF2-!D`Md>9GY=a zM^Chx-QsnNpfI4A1*DD!eF-Ou4^6HWjmOY;Gus}+Uij{5(TJJx-{>54E-TRBvvnyFYF(mjF zduWJUCDU3Y@=xe{DmYPLDkRzBClZL8L4{3t&$ouEUdo-yUo2GLUP$~<)lhYKpW2>U zXwe%b|La%z7N*)%Xwg}vT@0UYw)%5PK3bahV6vpUrp&kkc{D$b$Ej-F-`n5qN7(HT zv0GC#HJR3X?EZv{TpxTbEQ*+|Y#erwELf2hEK=hqxAAnqIt5vr8pEnDxINMYCJhK~T(YYO(xOHF%qgI$Q0fJjLA#qdCn9wi5BnI9Ftx>%?1k zJ+m{dme|zarhpVx9^(@#y-Hi!Qz%>Fi zL=GNcXZo*wHH2I4u(M}}ttHrqKS0GXAi?(``$|RrCnw?@_ZJ=gvBwc(_1Vj(7=kNE;AlwO$4mQZQ#9Ge!z1w$b>u9Z`Oy0==o*pvWw~Gxe3&sM%B#b z{aK!>X&I`fK4zk77Klx2lbfPC9Yp3>k6k7CbPZWP^i&XUU1>d^d~S+JMLoGh;LVm^ zBAwl_)=L#ff0(sE(4*~qZIano^}Og$B0r&NGmW#NHYlmenm^8cK_bzdo4-~r?TO;l z;{}qHntL0k@7}(A_0#){lgoD({od)ttMf}>H6HZx7@sZvyFBal-@bd1 zyh&}pO<*DawvN%3gg0mY?XR#j7<8)SU&fPy>BMy;YB6Kuw5FqJ^57Xy*0j7xvQu8B zLzuTH(j*(dp!>oG5`QIcXRrEEL|>0r0whFE%MV=icK*UFs+>vx_oV zjx$%zetV_6=-VsZifcU8MRX=jI8NF&&vbVdJ>8vouQD#>9>zxk!`Jbx+nKU>{h(664KaQj{6txG>1|8b=FI zQ1b-#EqLOBClu`b^Y2~o2~gyM-!0ny-}Kh9Eim?kg2uKB8EPJZ_U{&7D}+EhB!ScJ zwg+yz`wszzmBV2&BZ2y5naK*6(Ylz&M3qh-dMEBJA`DY>;<^M;nyCWR68dOkTNfXj zbJ1EvAakqp4Fh)tKZK-UMZ48fI^lQp|Q&cq!h} zQVZ0{xD`;=W02IlGsJbodY6k54Rqpc3m9{Dq5?{rDlkP&;O!!@k0CO~zDP3o6M+so 
zM+A%5M8R|tKk@cXLEYdiXS~a$YG^08;+kMSmx&b;)MLSds{@^$YtBHl|64kt^0HT#SY zjh`xzpWqW15)=Y~tSfMJmCFdp6+aBU z7s!M6X`a!-0BnuMS_Pjaxl==(`0I2Q=66dISeynTf-Xk{(NW;Jb$ZHvqot6yJbWvx z@9VWmlFL7{?tpK81I$d&20_eC(PjXwKvTbObCI;!RTWKViHn3cSKunf;}y6PyF(*0 z+lH|KZIjTkq3e=kE*8316*BgAF4a(rgib3A2urKt)eZ=r-ea}SA;8rh>D8M5bj@Po zFtMb35r5SBiHpzjj|+KMWQ>ZD5qmY`PfekucF?GD!m|4iK}tEz1qG^?bsZ?KGUT-F z1h&X94_wqN4k#7M8ka{j{Y|*-@cJDQ#d6f$l_o!t@CGVGrgrLVp&8u31!S_Fl*7rxP9~gZ?XZPtjfuonIDh6^TN(dBH^%f;`nka#&p zHndxpc5mR|2G$~8(Q?7mEBl;{e1GBJeueZaaIzubx&%x@rxy8URL=}@)@VZ18KE&G zXox8z_qFCGKeMYspVZQDE6&E}00p zHCeK%j4^rv(iHS>B3n$h()M~?7AVOVQ!`JDIkzO3o7yC%dz|=;W zdo`EhUvlawtjr{l{}|usc+ZvA3$Y@Y1pXNLMd53?>0ImIFH|kjb8jxe$dO`gVf388 z9kZe8b)f1WwRPFh_H49Wrn%Rn@c8Q`kvKt=(+B^Sg`PH?#QW4V$rt%QaO|BB0`KGQ z7kTn!vAIFy+=!eyBf$oj<>?*P%8E5PHCQe}{)D|okh1>HPJgH0sbL(}O<{w8IC?3C z2EDDDUwC{wMP7!Y`VZC_Apto8mm>t?$$(p#&jf5gp-q4(@B`ol{tyvBqc98zLoWE; zzYG9$927FZMwkME>CIC>A|J330#P_5&_w_aA@%{+o%|u!qQqQ}Imuo9?pu7SWi|nI zal2e8ic{|-^B0ye9Qc=bj3|TSFrPX{rkzQ?pvV&r=6nX8c=K2b9L>=SbY`21iy*>Y z@-{JLM4<~A>M;Tt8s6*n43$?V>6)O>!w#et=l~1eLhNzz=t6tital^9$Yuk>khVoi zn;Y!A7O;#Rn@0a@xT%P)se!L4uejHhe`Jrs+)`3$ zEc(c71FSG`-v|RBS0c^>4?Fi3u+AZYo`*ckpphEb6y0J+tkF4NimK2Wqa0CO19{0T zc>;MZiR0AY{6z#gnNpzd2TTAn!yqTd$Av!nsgfOykaI($aoTNt{jnZHt6al)s0tsG zr6f12GHF7|uB(}7VU}x`=eeR>lULq!txd^>%&#VlB%BE6k>~ZKH^$No8RjAw@h{pJ zO?i>eC?q}&t-i{BJON^7)`6xO=ahg%zYM<6&V}k)Fkoze|IY~d8FhEFfAhwqWDV1bjcpPP$@pbSJsn1~z z%n=aCX9h+xXVA`r{(_;jWRUnL2D?GGLyz7#J-3r9iH8B!4TofYT zMZSYkWrA3vT~!>9-mrd>*w|nvgVbMQuS80$h}pt}ggqzslj4JC$wK{!;4nU!&|2N@JJSHBgIFOJP^(-GX+KcLY#W#tAiOWM+gq_r-4 zxh~G)<%?HH6F3WHRPFte(3uh5zjTD^$kSDtq=Ei$NhnPz)ekVODg+}A|bSp!>P;MRssYg?khYMsr5s=1*l z>}gSW@)@2AI<0*jFGB9r|4;`KkwpwxBS_p5ZNycg_($!9Q6#hSp0>mvq&wFnQnaP2i&Ba+P&~p!;v$!8_kU*~Gb% zPdP3wBC0v>)Ksj=bEEh#1hmZk6D9AmepD@G4^mnsF4y>6+=MJVFTz_#+4uGKaqLi; zg{)==(@k-4$4_|cEcfKe`(M`R2#W7;uh8MR%EVCx9>>i&x}5mUn7bFIkoTclYb2ZKzt&o_2mu18`QBkpL}BNGX!G#1JJ)bEOO;KU`Pg zq+S5pnn)-54W|-^yJ3&2=Q3HfMJkK0r=W4GCu22zh$U;1!%3B&S>4>4Y|0$NyWS1@ 
zC~TQogQ4|tg#7nDg$&aH<`SN1M@+umZrrxiA892A)5vJr5DPkP+_rL0bH>KZVwYwY znJwpW&FvWDc7d1T1Pf7FFcmLfmkn4~K3?77H5=ytw)|f_)pmS8gSPu>62qXyLT>?M zbUK~R!QP(uZ>Q5S|GU%K;s5UL9q#Szc6RsoI)CeQ_YXSVzk$vI#-8|#D1+p0ow>)# zPVNi&ae8b20DeL~B9I{$@a>>-vTzcxzz^*THgFQTn7s~$L+lS*mjwD$-tkG}0?O|h z=a_`f2QclO^j<3+9W1A|vUX0Zqc&&6n*L_(ZhyDV&DvFP@CMS*Cvw2SH1nH*;9`MM z;m3k}k>d(gR?=-AUHLc5oL(H|yWM~-$HT~HZ{XdJ(O`f`5C4VYQ(gUMyL)hWc(~I& zh%@rmn6m7(KZbYxYtgSzH@NIjHDc-UoXM-lvobD+IqqrJzZ~l~NgK`TmuNBBEvPoi=qB|G$!y60jgiSCQnY8FnI} zPpc0lWEnuK>^7oBaxowh9+5||al{ttC`3enWW~TQG6=g$*YTEQ^C;I-8md(4s~7!l zrKP*ZB^JK&aEN*gGTMs!b&X3bSy9Fq-YPL`$A^e&+s9mm&^}zZ!(xhR!s!Z;A}kdH7@b?^aq`XbkT_K7z%>XZ|DXS6?U<6Uh6|riTvuVBQiz9G2y8 z5cyCQFXbkv3DNnR)n;?qFEwW>Lris(tH&%rlT`@7$<(s(2EYBn)D^nlrHJdtv zrsJ@`Q_l&RAD)Wng~~z8h*peSO`;NmmTk*nQfzSzQo@}~se}S0s{1uBzvm}7u7%jL zImV;coMs7Kq?4F1+k_eGVto-a&b+T=#szSCfpb#;Y}GyJ8pnIeT%?@eSJURB@f}uv z_co`L&Qy<|^Y3#K++vCY|5usvyWX-FA}P2YCW`3pZO62O87WlW@UJdh795B>>gFO$IZCp8S!C?rtyPepQZL-$7 z82;vFx`TwF5k*X$Du&swu^69&g#<_8U882+U^#yHvZ;Ve>a~@ zN5|oG2oucsl`jy0XkX^8S`E9;A}I&TyywBTj#hn@7Joq0N7<~{nhE}CPl{Lx`!WxU z{oOsTWU=h1nPPcd;54-@1e|B2WJH~??YplZt1E zS(ARMD0A)`?TZ=AD4Blh8YDIT6}~~^zPJ>j8HC~yC$J;=Z5cC?Z&jB?{77MIdTFHe zh{z0CAdu8w`E-R1E3*c)+6=kHG${C4H34ULIQo!MY4Onxl2RB}BSnD#BPTt!H%lub8sS09!}eUgDJD-72SC>oQzv zhKba?wWMGOC-4W;-E^*fqm34NWDoZD`qy(S+!Aifyw{!FGs$YPc`&XG%RvHDg>@lm zQ;ywoa!&ka6DG{=Lj);Bq_}8}bsYqr1sd1O$xS|Kg_li?^Tn;x7Spbj){I!MYYooy zy^L7ucnr>}rX6Iqb^SS@>>RSu3fRm@coUL2W&kiXTbYkw6gG{|wXa*F>~}fsxS)>$ zee5dE&7%4p#|d}1%4$8K7PyWW$TUg@#}tTht~AJ!9_H15M$@?;>Jfmta}AvldVz_! 
zReoP<@hfj!uHstu!L!}Ii%I{mAKdhx)j2yjD=j`dEXoM>he;-qH02B5cOtEF_GFP6 zL)-*s&EnwZh5*q#HcY_H14hlHq^)Vemd&T8BhlY<3`=KqOA-wxCO&EO51#J`WIX4{ z=yn#oWPHN7W zD)KQovGs!y+F^BS^f$4ZU1k|9SUWe_YcvTdr#*&h9Y`e|tjzctWjI|FT4inE`YV zc=*hvWC7D;d+pfJoDx7Q?6pao$$?*Bqmf4_{D< zzt@5TAVOQG1VM&+2)R8(Zjn*Nt^Cq^L*<~Mr8cL=Ao4sPju9wJ@YN8M=0op=EU9R; z+g-vwEKb;|!Y9^%x2{yX}}sg+3{!70+J%-If2%jyXj_Ou5utJ4?5#th%UQ z6QuSNx5amBirfay;!#xPA)=m-*CL_Q;(x`{Xo9aJMP*9AC+-;g{Lin9ZWov5QfzC9 zp}hMwMu%k*l{rIBNs!}Nr=_Lb=t7kzO6GUJ$B-Q=SYMuswJp8gTQt}r=PFv$hjmDWn8~S%DP*NF)^>4 zC(RilGVaOPs$y*eIRvqa78|?1QV?1aN7cC|Og!el7P+y?cUP?T)as_$EZCm;rkJ5IEh;UT13o1Yy&LII zeFMXqu-EBj66k5`JoF`n31;FGR3rF_Og1?&Xh7JB7mgsR>O-x zK^}@KwyWAqPL7|XMM`iuA(hkQo@AamIsazzRIE%L(ZfY<6#jzlFN1T)MnxQeqpGU< z>YU45YYmMpSGA6ry}6RLlw*GL3t2b)LP=y8jgM`*)*&P!m#*bpEj{Jq1X>(MV3hkVbmt?7>2>FGQlK@90DxEB+ zGbBu)3el0GXlZ<+jL6DEc&y&gz z>S~wqb+?Sm1&VmQ(5tV8f3B1D7tHD{+m5mF799%f$?b}WSeU)B=9^$78wIyO`l)T z7M){ivVvaxbwvTxLT(V-HfEfv$paQx78Djys>*fpV&M52TQti zp#ixx^cU>1$LDGJ6G&$zbDczHN2@jc-l%fNQ`r6W5V52j{$KP zY{u1mwdp@!Vh?4mGA}Fiw(b(7NNbA_*fwHL+pum=<(Ixd9%T4d%`)$kUQSAYQUI2X z=IricscU!M4VbKq>~Rc3zCyN$e9R3aeb)ugZ_xdc+%_?Il1u2Y>3kyr%y>98RJE5s z9~bc@lfWZ*!AnRh?@pa0BgY)v3dK&;B{cD>m{{ZHOJX|WAIfC2(gSTtuI{4Ewv?sH zZr}A>r)oA48w@XB_gb%LK6z0&gIJ=cX`0+T^VB6^X=QBY(ezq(f^kvrjtN^J7xR~e z_!)(v<*h)Tf3pO{Iav2J`=SUZ1q-OdHB&Hht>Q*SPKVs(DHoyeGzg_1OWKc{G4-Ut zwGzwyoN{T~fh~uyL_GCqTa0NXV=gI`1Rsr3Pmb1hpzWmQbt*tw(l(Ki;io5SvOzXf zGcyoks*8i7nuN~oQWE+JF}@`As0WwdCdd)i&f4Ann4S72_g#R}x5Y+F1{zrB%uBd1 zQVPs`Yy7y&SW9{la!CVcc*T-XJFAfL7`tdAzf9b(C3`g!gtLNkXNlbAYY>3+$xo@E zJ=V_COQ9Ctomp0?zUdT4&LEaXd%`QU7~OO-kR?iduFvf5UXI~86Ipp0_%!g)g!Ok()i9tOb6r_UPZg^$M05ZVeJOvF8%S^#u z3#lVDN31o2_TwYDnjd0X1W@(u6p5{>2zk*Wlbl7l9d5MrDwrC{Rnn9#R;MNYXFX23 z6$Sp%DSHhL`wZn5OhK_5nyF4Y>EltN%$2+G}))NZiGGni^2YuS7%sqL#g7S`|% zW9Cdq(t|EnA2V!{QZg^FOHO@ZPa9G1uac4XpNgCN#d#4@&aMNa`2MzdL++CcI@&qF zyDZRhGuMZpdy5Fe6uIYtGy!HBNI9wlEI)A3xfH50O_*1BU3~=UFX%oGQ!{r&eSOE2 zVRws}UL}21A81n%Uw*hp;A4xu{#m;2OV`>~760NTHb!}KK4nzHoO-7TnTs?Qn)jQh 
zQ;i!GQZKgBEa$vfgsw21@@(uBeS$^SkOVx7i%H05*b$dI`(wmLfolP4#8}wBh7>y` z^?@63-0$wxxwTqNNhSbq#Q4S4SCn&34Q!QU)tWdp`F+Wxw5!uu<*7)cncp(O>A2n* zF}+#BQ-qY>1TV5VOtv^oMOw+AbCTBXW0BTwDQQidn*6?+wCd+eOvd{vvK^K%>@~3X zgyA=A?g_(6iVVZYH1yPGjvG5qg`KDN8gDE-8w-zl41|lUNm-GTXg#bu#W~qFMxHOt z$WtWv6?7z=yq9Pk$_g%zXe#WoZc4}3{hrqxmB zWOLOd>fC=U>fE2xP_FUcm^ES4t#oDeiEOB#N?_0gCC(c?f8hoSI^)mBc z*nPcENaUypEQFV7Wyk==GN1_Y6L^=(x#+Eueo%S^>55^i%2DgWf4 zCY`8Uc!EM^_)IMKv|oK|yg18as;jrv#bUm_o*r09KDJ!fghWlv@9{R{#=o{)|5{lM zr%g!qx z%x}a8mg1m_Qj=DX=?j~Mi*B4^6;81k*M8$1+c?L}(?cVXr5_+0Pua#(_Nbn+6?($H zxD#*V5?icGtc(e6d}H6LZ_F%I{*5}wijc4{FWIEdzi?OCgy~K1FPqrmBiQLDADkP5 z{Q?WTMFN6TQ7^1@NuW<<5K*e*E(gik6yMGq8TAc;Zn{mV*^@pBQL%V=4@uZrf| zEcg!`dnVq?cEQ)NJ5IfbGDN^@gw$rJz57>Q(7@`FdWkN_fD_b%k zA1XuNCIB6CHz<(GTIV;!PG=Gk^UrH4vm1sFRgLZoG-#dBUJwySr)EkXSrn^V9#q!Z zTy%l#1|``Fp-R9eqNL}d>usiM@rwQmJ?yU2QV6Lysf`lLca)?8p0SrCiki**V^LLn zvC=L^1i3vH5I97q1i8p(7<#mILeKo$U!f77!e}{51bY zDy)+=I5J;@VvZccYdKyJxqT`z(1)V;zKo{JNYQ0-Ow59dVAL^`1HS4*13NpNodemR z7w_4n%wBSYnP;DaF*AD;_^J=Hvp-Y~Mvx$PX>0#iL{OiKF=oa=4$>?Rj44!osN(?n zx3`ega?l79j!sH-3J(^r&%BqPIxU!Xnh)qnpsX@-t2T-IwfxkP2Zb&iW^(r)Rxh|Ch7>Siri4UW8tfU|h$9T6B=tojzz*I4Kv0 z_~fiEiLfx1zLz$x=`t~o0V$*Z4Cx8q5vS0H1S48$CzU&@Sr{?!$aK*=JH0r&Tq<1@ zt&T|-8U4~+u6WDW*{MrdsdZVXlmF-a#aX}i^U1~8i$`9r8tQj#y(2-`l7zN08d$nw z-QVdP?DqS8t|&t6BXV|!DWmhA&Be!ZGRQ2aav_)*;Wamf37=;~l!Lu~pG%KHZTE9hIb}WEiGI333-fTDo zxyuS^(A4rVKczF~nx^nGWrunipIY_8IO`Y@^0X@^%||ataH7;BFZhTE*rw4nWn{(> z;#AtO@JGj5oodx}s?5#>JEX#yv*sLU6 zMV`qVx~wwRWKCX4f~XMS`oHqsT0lJsAm)l5?3JuSZT6tVwI-SnJ-k$hxr_;&)x4Ylj`CE7IaBpw7v%A07`CF%Z&^%MBTU<6G_&Q<%0iNs*z#&0sjC@900Q3+NeZPHo`Reox46uiQ zi>dqwx!@yaqb)YV6nqTG4HyIjK-a~5Q0M{d4+1ilAP_W!#O0g93Br4Vha(1pk3J%F zgu~X>C7(d=Wef!cqEj&*3&4MZNI|bnRL%b>_!SY#huCR#wzhc#OTDt1{{Z(v1jg_l zaA6^$Nb48fIVfZR`@jjtp@*UGpm;(_?=2t(=RE}1T#f`#OaKG}pfv-KZEXPnMvR3= z?e@oyA6rmB*$T+89Z#zL`qk;#+uoVYA>DfKdx%n?0-#)QeGgz5df0*29s(Zx$d^g1 zhFD_k1FrUBfA|zowZ>ceTBHbyfx^^StiT7*2i8dsyy{ut$CKWx-qWprzq2+%fn;L1ijGwbXr?K 
zwBz$4$H#eNdklR%kRq%+lasScHn2cTvhBy-!SnqJ_&*oi<^S6-#5QG+MRcB%U;_W& z>vVTb{=d`db`LlFe-*!nhYk1NaQ|IAQQ!3F6G0or}gt;4QjEWD5XsdjYfi z)4*rwjtMLzQwjsujvLsHY+;p6M_?nS6+DJRbRK!0G~!d)Ec^6Ge5iuwCSfVDFDfM2 zYULjuKzu%HE1#~qXspJTi>$-gA}9Q5WABTCxW z*l#mDMnS}q7gl$tVLC<@ovrkdkJKNxfftR@ zn;`P#GN&-a33SHdok>p5(jh7dGoghEO)XXuk-B0D$>b0st1K6r|KMk6HjgJ;k8?0}v#{*A+n)5i#E(WD=Ppc*}c- zF>yT=N(5$L98t#KBEZFepv3>D;3EQ%(r7GZKoQ?6lBy}-+iQ&YLPH8dNEjyqiWn0k zXbc!!BmV!Y&$>EH{M2COiGq`pnrz6pcEIeNU3=H=6zVvM$A?ex=vW(qjauU2()1cW z3EPviSiWkrQEaLe8}IVny(9%9YcOh~Za{HWdNQQE(;mFwZX%mhLt&{I0 zvyyJah)812%;f*vX%Ak#>>XQ279a?^z$T`W7T(y(^l^(x;PbQJzJ&yHj-$2~_;2vv z+e3mvU|FECJ;1&T#C3TY80}K%pki=y0c!)j$LDB`|==3YLbz>Vjqae9z_6fj`H{kmR zLG7T?{rtWDg|@Y;zuPgt!il3k=+TyL z=TjS&GRV*%@+e|Sdh5feL7U%W{;KUiPMqxCzQvILMFS5_Z3wEi|Lk=3_p|=r zot?eijs0g8zm5NQZ5;j=)O7O(^c`e&W8p%$zHb9Gi=6(K}G|}q?l0elH`UZwpX7nbolugA-tSi7e<)c|e1B*At zunKX-BbUufeUup?UW2JYi$Bz%YySXZA7ercvh>W4>haOBlYF?&Ad+mj1g=3_0r*U=LppKU8DDRxzU0xak;g8gB$nGxT_m}-8q z37^iN0rr9Q)H27N&R93mR`&@o68R3;-%HGP=@RI2#F|7V0AZoC7kL5WTB8vE_p zt&Q408G#{4X|u<*QgC*0q1$M(ueY1vA+LQqBjns@ZTb1l&rca_WVCl8;+YG{pV&bt z_Kz|IDk&$U>c;$(Er1WDzT(b$sZQSG^zgthOk_la&T>Nx)$tT1h z86x&YPDn~QS(b&0X(RKr!6oiX;m9~T2C=Fo#CE}7ZLV@{6X?5dWoA&Y+cZfm_4mkP zL!8*OUQ60?)h)+TFA-&6j3|Xe^j{YEq_q!8;6_eC=UOMdv(xt%uP*=7Kfic)`R?@H z>*Mp+C$HXKp8d~dv9~V2*(~t)zk`M*;DY00Q9lKx?mXkT%#SG!hJLU2+VDtw6Na6t z^JH2@L(B`k3ApL9G*95;@p#8>T%5dp@$QW-GeZXc`@g~WXYXEq5B>?-Y#g?EOTLj> ze^Nu5GKJ|>h!C>F5wOewt*5!>13a{jGTrDMwHyyp%DXDqyP{2Nj0p)y>y7x2OgEF1 zv(1bMfF-34OUCCIq?m6@kT5rL$*DDfqQ4_xbqhL$^oF*^@UG;2hTC2T0i#@fX-P{9 z2Zuvrnl@5xs$e{W*)6(1=wT>OB=|_+d-rxMN=%$v@~wQHZ-0aC`O@7Y!Vsxk*rXM0 z{dmvN2_cYc|LV(J$3lT!PSm}~=Vx!qrZ&^3)uVcW+-dytb`Y|* zSg}}v5LJ6=+ktVphA9D?v-i9ZRnb5SC6i_!iyR>dSl|R6hb+g>Cr@+6Zi?i;L~<5= zmpOe*a?6l|Twr5h(RN04%&L+@tNNHqJ2Iha7o6qObe6?)yODo1 zxw}jpTH1e}>e`KhXY~QjQ>odZdR7Ny+fb?BU%Wm}jS3>C$hK};5N?#0i9Nk252*6w z$fUZ7aw>9xNTWkprjo=<6PsOC8Lo;k;$$V@^XE1Uv1A6Zox81Qn(D@j^q+T-#V=ME0$)UbD`t`v 
zsJOJ;%^O}`Aj(K^zkqrD4|s9*`t0&7hQ8f+Fd4&Vs~GT%_M*qtd8j}IDxD!mQZN`$ z#B6>LOINEYF(o(l78RVe38|X+n;8EyQ^b$?n{fYY_weu_lmF*%zq85zvy$H?{$~^a zvx)zi9RFhk`7AAOgBoa)v|$s(ux3dcW_6a9k$b$QifQ}v=N7$n_@qm-F4oj#wyR>@ zGW)x!QfhN`rx`0eO2zqFMbc{dFNtS~ODc=N7Uf{AEfrSFf8Fk3H+%no_i(qnk^ffl z+sJ<#`EMitmF54cpY{u&4@oC6vlKRdV7*Q1-Rl9th2h_ejKhs(${Y`;!iFDn@r|gt z5j7WdiGI3RRm0wh7`e|yoO*!+J@F1BdTceiR>5lp$FbGeF-({MdUVuGhpi>+`p%w`=wzt#fpv%SO7*$s01LRSZdGsB)5DCpQND}db8ua;*`8O%( z#(U$Eu?myXDg*Fc@DwyS&l3ex)s2dzN`6Yxaq4^iSQXs4Km(9>H*j7g<$)a%j?sKvqy*K0XGLM7_UVZbdLABQ#s>=8J*UB?uFmC9Mu`e=VMuZB@ zf^5v(yd=3AqFg#z#`sL}Cz4XC^R}T(t3pC{7`u!vtY8J&n z@9fw+_MNSAYlsk9zJ00#p=;2e1dZ!&0=Ai`aMJWP((%sjAoHXE8- zA6~B%BcVqwE z*ncP5f2X|OEel7~F9jhY3X~M0?v(1uLo!O3-a0mG3=vBwk(f5(&QgJE%Fu<{R_4-^ zVq;(4*q7HUlwqOuCuS%=k!(sO@n%NWc#C*bOZFFErI$EBMoQO5O;~}h1QcB~mZbq@ z5^PKXOwX4AMxG0306roR2X4nj*Rizi#%KU8y2j8?DJvVlT?{&NBHUG+?{n!? zhu72ss%v$mc^U;V&z`37E7Ke5$p3yIx!|l}z!Ty>I-P@Vw*JGx;imrEN`4#peK$TIgPM~~c#BfW`xFk2$ z3u$Ej1Q@~NUNjisJ7Be}dZpm3+$7H5y~t*q62QMC!T2Z>mVi9>0u7Eb!3^U0Ib@?F z5bsa180B#_%PLNRRFY1u?*2;;4h5I8ETGlXPc0d;naxD~ep{ub0Ig4{LBlMeZ)Bb- z8SWTZwgU)a$QKDDuJ0M5$Im*zb^t{~EgP$i?-t%~k2Wwf-!#Q45X;W+e^m@uJ!gapTG$WCP;h)fS9 zNpn(5iIMgwJN&~#(XKX70*V!MU@GY#mxf1+wGcd=aXU`tEF&1os?d5NII`19Y+Gu_o&2POlze3dy zI-X2DpZL`IUsEe{vcazDf;T6qEM+#Aa%7^CipJ3KYz~Ozh^SWklBO|e1mHe+RqS`yV@eKR+A^xq@YM zP4FAAk`njUQ()PS1^!TtAQ{r55;aoAf2!J_T8n70);*ZLN4qJu`NCc z@`YrPE|ibqT^}P)K!0a7g_7u+1@ld!Xl!qT%s8M64DJ6b$9G1z zjf1#rqPRGo`^&>rYl_J7oNY?7uUJOrY)sU)LvG7@ggEO-`riOK_l}2buG5E8)O^r? 
z6Z3x^?q&Uddk35P4=ed?^uKk~|2F==b%_66lCGp!>e?3h(iI_1K`PgeHjcW-jqB~5 zUHtm$^sF!}wqD?Qr@{|d;sbnm0OP3GUe5Sl^aT<8M4*Gt5y64mlf~J=PA053>pi?f zW&T4Q6ky--nYs9OMi5k?hda=|g`}PA%63Rlj|E{%0}23-0^5_7p4IywbPbEkaQ47> z|8o%B^f=igw?@mC*vE8)+^v<*HlR#^Sw7#mMfr^57Io&Vw@qfP=yhI?PP!vEcT@j)B|oA60k8lK zP|8X3>wo|(LJI_7QFF1Uzr8#b@;-_D zB#cw*2M29MB~VgHzBjI4_s&mF&yE}04rHM5VD|sHoouIO{_D$kznr}-{gMSY$S?Tn z^yKvH;_^8EL9Tv_?v@Gr9;WQrvWnjmB+deQtl1>YfH(O*A6p5m#zXw}vjuFA0jq0) z;(~$F(~)%Mh^-E;5fFzH8$lm*b2S4iohkYppg%;%jctBbfJQQi4Z1oO11=&!Pokr- zP0wg(t|Raxf&>xJco3BH*)sBk^Pl}c;HR@o(0E8Th;&-rc2hzWxxWjY zUNO1Tws&n8vxLkc(!k9O1UTd?z?ZoZ&ouQVsvBdTcJj5bKjbI-Z=F9{I0X6b6x}v( z2pZ}ytK9vV^{NR|!$<6SoXAMz%OaSRC4Cirz{LdpbOx$q5x&Ljers!nT9VauBv)5u za7`)rvmd7_z?Iu>C5ia$%mv?>>Tnef#t-sb@6(s#N{etcaHyBs zD&APxu=w)(3{#hAt0Kth>K0B-nH9AMS5tX#8akbqQft%dqNuf;ULS*Es|l@6MZ&4c ztEj5rGHVKMsA(0{R770H>+(OqS5hj(w(VkDM9)yE3(OJ|_3KKv-b9Eh5)i!y#f@TRNwGY+uCYxB6eT|IZIx#1G5aeSd$eg|7DZ^86JzIS$UY)MS< ze;?Ud;Q7bUB1r9XV?+U^$lX9AhVQq1kx4we3WAJa}J~&8Pu_u zCJx|?HS^)2;OH$jm==y52SpSft?}8}azz1NNqxm7cLkc1k+gkHf*VBWX0gA8#TGSK z=%OswUt{&muiOe&+y1k>`kx1T-CX@o{-2HgX9d5F{bytU+1P)|>_2>|XEXveS7ZfR zdA-rxnXtBrj5j8kjY(#9lg!b^AhR*Zd|?I|W8aBO8bK%+q9V*MQRl9z^P=?WluONF z-`L=8)#idV((=D<^b-HYm@DHw9L|HKjYg)YKYc=E3Wh6O7yPpSFYT zh+&Vmms4^zE|;1<(f;}K*~#n6pZ{~**sdo?D|V()bPyr}8FE|cvlhK|TB`bD%L^Rn z9X;DecJg9nSQHTCaVTJz1%sl$W#CVB%#X9U;;-O;x-gK% zWJa~?r#)^r!NZmT+;`w2^2IrzcF9x0_$j=VCyoH#30#!2^6(jK}C zk;9Pt4=@ZEXgo-?eNI|@ABEpP1=kS+A0Y*@HRm>yky;LX%^S>SLZS?<@{5JmojsO1}_x~@V{%>tP-sGrLs_^yHcBSSQtM6Zx^1c++ zecip~$z9zoeU!W$4n1jH~vbt@tw zfNhTg%8I$_tP@BfmL%5a5cd;SY#H0Mcx!zA{Jl8`r2@sk4-o@}oqv@c)5jKFH@^k^ zCg^`5KkTogp?w|su7{RU|F?6vznAm>b~pLISM%HGe;fVpTh;%zRPX};TbFz-MXFIJ zA_V!&y9Wb^JqoUo1NmwP0|3EwGz1?y|J{U(H!=Z;XH36VIOqn1;7-Aq(u5pln zxB=G!|3-k0g2;14KGW2z;RQn~S97Q{Gbj|E7pTk$aGG+Uz_=`r4gOH2d z)i}=KV1Rwh?&WO4z&$Y@fP^2thzRzFJ!gd6$ix2d)zA-;$7grQiA3&W&G#&j+Y?@) zfE*e2^)Y15=yejwp#OCHyqVvdBBbhLh15C&c_y#EE=9|5yduA=a-Run_PQG2>< zb3|=x#N4V(3OpS_f?S*La}Dw0^K-~XN1z>1(iW}Snz*W^z>It1UAUN(^l}SH+r!ss 
zAKHj>8do+~5;j*7mUAUx=Boj52PC`!;v59>90Ybyx}n)_6eTUsfTDX(OqxIukpAb*k1aafF47qrA~3)L|2JVdG|dh?8m0tKx)18{kP8k-fqtSzqhmT|F7h?vHxuBKi{zZr*;C!%)$9fR%#}PlNfBOwI9*SFk2DXntM`+fWU~&C}0BroLAP9V?A_m;Rj4;Nl`xoL?yKk(Pxgsi5!RC^b1sV&q z{68*2m&t5Dn^NSv1g8tVz=w$r=-QDi~#{a*P-*?~~GKPpx zg=QeuUphChBkTz+D}>Gs93tA<`VI&`DUHHV6se*kxb4b*y8dom+#wK4sJg(n@RRRmkoY8d;RXG*4SO} z7}fiKw|j8V$?X4~gT4LD{$IuKJ8(LJ{t$V=aO=eLxGW)z299`2r9}u+ph!EZ#Oel4 z#05JfZrUZLkk*#4zer;ZmrbrAmG*+)e&MnWOo#hpJE`f6Pzas)xwzJh{C2n1X?5Do zEv}to3Wms+*U-TAJ@`%Zf>GMX5VKJvuSAcrkEuhV!JzHPX3f^t*4B65f!qDo^H%pc zu)$7eXW#C0?e5;zci(*nPFxqcTR+JEf~!PMX$dm|y%Ht@?Xim6;4egM2lPZts$hF# znZqX-fHCypP~2D@p)}kzkz>B6sp!<=Lf*dx+YQ)gItWN&8A0w-K9*323r0&nze?7T z3*XA>7n0x>^ZBcy^n66u4Eq+xvi}qz>m>51Q#(S z%WJ3s0TjCkIFO`W0S1SBnXhhlTDz?SduOk;+uFSnvwey0_$dzfT6204m7l4H9V8>N zBoxUgPDEKSP8J@FAQgM$Dx&D67u{U}#&yFhal=6E%9qLxcLfHK?+EGUqloa5(O-Zv zBDnx$qCZbYgo{Gxd(SzmCD37rP(i*<92_R%&Xjl*Q8*MaXbHML63iD0`=PMLh-GeV zi7Edk*xa*1=9pMEgaE>2emkKUVHKop28U@g*;P}r%ssoiWAAkMATiJUPN%5vVuW+z z6947Q5mOpTbGX>+d`vNCCQ;uz>AeO`gpwjF3YF{JizZFN2 z6A*$N=H0g>6c=b5+#**;$l>A;a;PJudsvE)AHWN#aY`FDMx5(W77)Igj_^Hjvh@R> zll}-hBgrORG(aWog;dRglwv~?IEd1gj{Pze94rn62RaHm&nr;yURZ0ywl#Nc(qXc- zjU8QQLi>xG(0)3huDw$}A%n=_HTE#O=L-_Vn^H4)3%ZsDb1o+RU#=)Av!ifGpo{E3gX{P-QLZARZNjRyiR_Gz#AkHS)G@WUI85ysn0i*R^nSpQ z^fe6GRcYMag6Ab6J*_vyI)wA#T?|oWVAJ5cET^(72(056%OZOBi5)k>{$& z;Hz`(jLzbE>eEsjmR)&RcI#}moyB2d$H2r+1qq#slR_;z2U{9{%?aAM3D%iUcX9LS z8uRIzD|?bMiCBwC7fPIq$S$dgj1DnSg` zeTZD}I)Ltv(1X5%h|Z@IH8m;o4qcZZN)ZLy=oa~aGb#^(z(-BVZ-A;ZE<`)2K~ZOf z#xTj#B|szL4e!?vT)w6OiAh;7bN*7A@})@)K+(|l&@J-BTgssS*Z;@fyKc8}V~v9S zn@@p{{`y4BB1@Ef4Ns@fD6;IRW6K&z?tFbb84;`kNwkWE>H!C^U%Fk{BI4p`{YYz!~oXYQpV2L1jeu&q2vpm(n9Y= z(6z-13MWv*zt+1FS1dzLG~`gwVNHT`Z5Yuiik?y_(FY}y0(?MJ;kZ*hW%H|9Vf`?6 zz6O5>bdMop#TP6(rG;cK%K}gmZl;+~0{G<}AQOR8gGNH6gc49s6*QAMPpP~3-j-6; zdQ?Jli#aROB`MfIvVzl;|IDi5e`4CN!nyksEM8P_?(v#ipnAE{Ja1ab_PkeY5&bKN(SS_61!5VvAXkG>wV7g$I8FqV$_E_)? 
z(PFcgEh{OuHL)=VI)bfza@SqR%QW59-}UOSz0gR!ym%7K|6eSvu|ewHToz(sy=; z5U#$GHKOa9BB|uyO-guXE=`;O&!nPhswXh+qbS@VgvP1_HBwP#a3(=J3X?J)z)Ztg z8oeQ_j;5!ci5u)ERL6SR6Z~b&(BP#vaXF3kU4ZbA8u4!El2Gg>a8V3yjZueGb!)-9 z=$|-H5OXsQ^)~k>(RzV)_|0Jd*~T=X!bk5KM?z$^3?jp^xvN}ckImy=4cR^any@?- zOMNBY&k#)tc7IavlMuRVRX~T8BoXFvMb5&jS*?o#&&b$0X6Z|6OwjwWL;MZ}+|XCD z+OIxsbFVu`s|s1rD@{ODMJa9ssknW5Mn7%>&p0yElxQs0zZri!ON2FjEnHtP{(*#( zPtzN^Gz0*$Y*NYk#-Yaq!s?T%Il^&EN)0SAH0}^Rx!+#3+8^P_uTl?>JhNF`hXJ11UEc~CJ9q^qx%I0j~EfvKr>A( zAlWJ)I_T9^8|KTD|LoYi+HRG=i=Hv5F2o^14lY2T;Z#awto3-2d2LQP5!oQ&@(P7R zw0Sq~2rZ8N%nH#*9e!V$r#_el%QstE}>q?rOA~EpN_40u3!=qavFbr@L)Fw0dY|?>}@GG z$E$U9_oudSd-7tix1larGaUhJ<=7g{nG*&*l#>!+!ZbIk3eKcIuo8ocp)1h-ga5tT zK|ve`N8XSCsr>j~QK^5EJJ1b2b{m@)s0!W6O8CZiu zW$CqX!J&Xp4u`-XBy*AJMw;%#qF~p1QK&+V$O*VREc@1jfu)Jz{lE%oY{yoGk5vQ$ ze|F81>cLJ$qBlD!WAsnZ&;BAN)}%wxM^j6fdaC+XGWT$_)(VT9bH=7zh1PO95!ase z)GH@9EKQ?2*BSH`Y2ZXP|H`ph(E5+O!S=(~KQ+6kLJM5()ow*t%S8e^?)ggF2{8_w z(ozF{&C(^ngy#8aA(V(kIz|MrO15z=zt^~m`)x9rA2}2po3ag3CJhZ91M`615gJ5c zV^9}NX{=>aux!<|W4ZBpi*6s@N--M^ZyMia_{!GS_paaA`SW@UJ9g!uHv91hIz03B zb{&Gpnu4{5Wt!hFSPWMUGG}DYHN7*-cUE1CK2uyYc$LG)|&yf@C0J4Ys3%F-H91p3zcX}aAK{Nnx$r!PXoslEx; znFFhGrj;hm)?;>^KvCLcgMEYodcpHdvq7u?h6p0@TwKtqb>Ei&_#!le>UGzwd1VG( zBSw6|17at4!55nGU*uyG(_~aVMkE0HPeX_l*)=PaH9BZ%SqU-|7OHk?{h&qP8_CQ8 z0!?+`fYBn{H=*t}EE5T<2~F0$M`V2>1==z|ilZ6HX(1Wm%5)Rz!$Fy~(0q$zs?1@1 zc%CLg=o3a_K~pAUecV@V<$ZDBFG9oY@cCf>>8;KT30zPndT(r8kDf$((ca#;)eA;5 zxdnsxM3X?OK~~4cX$Z3L^C@t3hP{A$4kQ!2`GBKv7L!S-$ee2YVuc!8k3O0ao?X+F zCj@ewqH1v5?T&kHT8k#k$(W*nV;qt1gz+ablo%MZ1o~wOUbNP&z>6Br3CWS~oS`VL=oMZq z`bJ_2%VGxV;U{-SGpqT3vR79_eNFyKK_O{PG|;p-W7Ba%p9;5`mVT8tNghLUxM%dt z9^Z8%+{_;D_rim8Uv~W$p^*gyxU$oss#8<3{ zoU$yOGfX+~RaC+vfxC6!29c&SoQa|{&7qV`KbubYgW!I|& zAp8DRAr_$vCXFGy+_({f#~-Sx2sw2k1$h20OdO)BEBioK`npjCzTlu*0T;T1IYRn8(BEW2@z^>C>S=vAJbP&);9*tLadL=Ae)+z? 
z4feQUDA=8(VzT?qls>1=Up#q1_xD-M_V=Dn*yCqOviE#CWKZJ#2^|iH`_t#UvWRzQ z0#cUHoCkindo<1Gbl*L>G|Cf=rkA+dnRxW(={L^@Z=MZ@7_VAT!v|99Rw^TMAq1M8 ztSL9)*IE+DV&>^N?DLJ#`}Nf|f>h*2$&(Z!_d6hpDyk8(QIbACCSOL{-AT z`g~S%&*2^VmgYaOi3;TnNc}MoB`5VrdG!PeiHo>I#sUkq+GCq$G|b0g46Bh zpBwLx0UjK&&?}>oWY~jIIeQ-BzTCeL>8xoPB+u!SztF6t#ggm~hfh|1bW4sKpcEHJXK&BR!O6=olgz7kXXO3)QJ(Y^6w3iXys4@da5E})m z)UwEhwEpqjK%a+u)HS_yVJVXA@Sf4a-ms!i5)R^^D8N-+|K0~}AH_sZ7Vq&DK%l_z zK5*dE zwhZ8HN2QXAf`J3`8%o~_2lMn>{x?x}$&M)Cx1!q%cO4W73BTq^srxEO zh#!vOU`5PjJrNV&nYD;;*+jK-&~q5dzdvKcv6;+FsD!>|`|j+a#t^%~27RY-_Np#p8n;t_H~Bk@RdebzTjDcJ_ThpU zjP5d~_JF{B@3Wd|RMt?2TMqeN9bm z{0OEtb9BK{HxvdPc{9E=AhBw)qLjW{oB>JC)^xE$Gr~U7MV^9*)w#eLQTHIvS(fmR zWWrK$)ALYx$qIgr;l3ImvRlUhJw`hW%<4@~2m?ED=Y_rl4i*KseiKNm^iZ%}QwUqs z(z7Q9EP+zwG$jSQ=CGCh&{WwcETt1s*uO+!w>dmbE~N{IdYJ;~Q*tvGDI5wS3O?f* zO!6W>u10n*{~)HQAhGc;7p+ET#nV$`>NzabNGkgr$%J6Z>d^P+hCV$5>=C=W&Vt5DQvdvBVK2%^g{mi%CAqjLWdiTe$)gHL>cR2t_Cf z&#EsD?vHSdzjn*EC-7F5Cj_9TkBi!%p+-MuK*=Y|$~gWIO7@QuYmR`)I~RCeYlb&C zen^P+Bl23aReIP%w|tjl^t{B&)!=HYFcTcJkSasnkpMuT_nRz{i<35aD%Bib&QwWL zi+(qvNRu0`c@2zA1=?{9e}Z0RrUfUlq^VjCrUhet!i$1k3&>B}xXo?)SWo~OubRGQ z2Xl?b4NB+9d0tLZ9;Zul|ncZqVak zgH9=g=>F^P&W=fOOC?s>@L69Z3Pe4U<648=ThJ@kN0$%H<=F{=94)30;Vy_|Y1%jc z=Zjnv3OB~l0mCR8t`NwKT^T5*VUJwO;XF^ZxGA!9iBQ(G%S$tB23(AJ_$1^CTdk5{AjE zPRiu`JkW^f0oOYX{xXHUkXH>riB4-5m9e-gt-ntM{4gg>T;_^$) zKjGhyxj3aavgArHHDxoG-oj4a^8_`jxQ@V~$p|Jcji~MW2@*^%?Xv8CEPzvmatL}^ zRZO%jlNCm5Nud21GgqGFs_=F|4`iQhk~#-NOlpA0=b&rSASFl&o; zNKui0xnPR&tZ(_| zK!gYBAX_#T7YytM^az2Ol-%vuH`v|RWHDiyZ|Vok1fZz$$IYzG`;OM;Qzxla&JC%j z?E@xf%(XcyAbJ2CP4tO_D2B>PnpbrdXh}~KEw}$h@Y7q}#T@ZnqS!};eqB`BF*M5^ zCP)oVS3m+|Yf9CX}h=^{V;dRzPW5J1M|GTthGg=u&u*4D=$GZf`PCEYL=s=ZqSEQ}DCQ zDrjh+5*9bm%ma$jPRU2pKzP+0N_9HsYyrhuR&?|3+Mr3Ie=oGW6Jli0i=DcG&?YCL zkIj4c zLKxX{g(wng=iE{Hn=wuI18tt4K*L&9xrH6qjg>469#zybPEx5!0+kJU3c`-D1fZs(}*W6rCwR;sQ%r>{q>D{_$4n}piuyNG5s zm7tzxfH2qvvaX4>KH~Q$Lg|m3^~ObYXrW9W+Zl*=`Wk_$ftRyniK(}uk3p~{W+3D) zP(i9#vkHqVU;+{uCQxxl3<$3Sh%d3ykUfko;8{d2ECV7j1EAxh6TvXx1z7IDA_P&V 
zXi!7;#hNkbg2{lRky;?cv@PaOQJDA|g^jC4Q~cH7#Z*@eWeV$|QlJk%Y$+u9qs0`On@9X(e@<9S^~4O??1tDDUkQ9`iYR*Kl3{)-FlBFQ()T<0KHcL4;8}|Cn+TE|H za-HVqR(#(^vh?I;g^<$OE$onr&{)adn(9V#OcAlHp#Q{fS;}o#kKS?E zTDqXKst#X&ZCwJqbAWMd3#`vP(Tpvc5;OyYI$cgv+o`3{F5f4i1=`H@E$;4W2!*c+ zx&Y16(U=mS@GQuWQgu{760p`LZfB*JoeD(QnGnehPea||6_HBhIpoIBJVB{^P7?Hj zNNu_gbmGX`JwalzSZL%8;ei7)+3N!yY6iWoh%h>`bz|XLbDQNt(RmPz>6&M(7~4VTN+_8!peKFf zv`tN_GvkQcx72S5c*hnQSMEGI>uqZ1PQ)ZNS}5RKb~V}2oG+SMOtMHLUvXJ6_ppe3 zFK)CXgrcMa7{D{=*sl*fTCy~-hB%(vm_SO6um%(a7}Kh9-Qcx#!_98)P-p^uMI zqV}75@zo=;WooSKHj+;Qhhr>Cwr{@{CRnyw@RSu;RtlxLzL(^U6F$r0R7fQHlY+)q zOi9xH@Ke_dDJhNZZMU?@1XR^XeSst$k)4+!`^xzX1ZUKC{vSQe0|a8KFS+mLVWflL z+74{9`mD%hrszj!2nC@YC*Z>n3WlwXp43utXp49wB?cpb*j3F(%_ z^@m-kSH%*dX>ivj9%?wh=xH)4xi74Xkh6AIr=Iaj4qC)>er+kGHzs~qE|<%n$Ojv( zT(h$N1kGK|$c?Hgl6o~o-Nh#qRIEz=$LdL9ln@Fa*jcZTC?y|1YVQDf@PsQZo}bbDBLthV0BkU_ammp>APiHLFU(2 zKab0l7AEOUODERA;d1Hdum8XQ=l_-DLp6PuzO3&UU;Ntfe2Cl0bN`AZgU;yaL%7<3Vi}pE)wmVOB}2sf2lk8UfSRCFk%eMH_(W z0fvM2Nx_W23&g4hi4H3!F%L^fH&%&l)=zfv!(IRVK)_Mkl`NeO=0d|}_sWIZ2EPu> zr@g47kJ}x7ItQf^-n<4DAB+#SwG51+>jUhwo+r89i}s#G?SbW)C~kyE{=Vy)`-pP$ z9fYS_Gvc90Sf}$f`O_!F>Z*dVR&4t-jBtj09VB7ybbN^Nh>ZXIEy3KZgWMvp<(f8LBK*08 z$L@+_U2`A>yHrX(%Lchf1`xaX$S!R_vt&Rs#RqP&QK$3u z*QUP9=RsvNEYGiN=#pe_HGyFfmWGn zCLl@v{4KfOe;hrIhBe@JI^*%U^Up4(BYaCgepgPXtT^XCv+ii`+4JYm_xGOlyS704 z2+A|LzmKk2ru1blyQ8d3(|#9yF<5e1@GRyzO&f16M9yRP)Iy~@>Ov$zM$>M;3wJ48 zA>Gm5e!u&Vl9lYGM*3sj=$fW)Wq0&+I5e*+^FC$8`J5I>ceFQr^5W_9XZ>!FDDf55 z)BuP76&Bybtf&PV+r+lE@p_#OL{}QlAuAUXv~o?B`dIGp41WVhK@o=z8WxZSjZCIV zk5>yOrBUQo&zartR+yMA-zpr;7`;yC2#tzp)JOYbcqaO=9B+NM2U3z7Mr1jgF^Ohb z?6I#|3sl3x@qq+3aBx5o&oO2m6i@hpKgGep1;z(n*gWTT0Alg7HPG`1<{{wdN7E1m zgA_!a8P}1yFNl_7`jW}ggIV?+gU2<0ia7!MWE{{drvLWgn&Y1u5XpGj4vz+%*e*aC z!}U6yH(Y|{CwC7usWnZJ9fM8)-vU@@(sAd7BH4S8MdDDw0wG)MHWp`(##WbQ2kCV> zKU8nhj4sfz!-goT;65H#@71?ZJ=A6K8tZdBM*hd;fpQ5j`%Xq_yfcGZbL!ZDZrp&G zzt37h=dZY}0?!ZA>vZ(xIkSaBO>~#Bn*003e}VZDHBBHHyGfU>1O(Cuz^djQvfsMg zwi|q_3vU|`KtL9ey@S%zSMoPobmkpv_V6EIO_qg;cl6f4p}O&rs@0g9)? 
z;c8g4vMk$&Nb9gQUSmN&LZuCgC3eKr7JLDG2sjVJZy*FF(5;3im<0ipP3%C9tQ9N` zCT*+GXpB|^LhznUp@ESB+KxghX687U>Hw7h_h#%2tA7WqhRIUuogtkMs7<==tkd{W zEjP6p+j)CJ@nqwu1yv2fN?ILQMpl+Z&In0^7Ata8l0gIv_0KWivdvE(R9k}_K1ejj zmh?6AlwTTHnibg`!=}uttLn)m8S9&9y!Iwi^ZQ2;H3!+RB9d7(*(z}vs^Q#C--Jw4 zs8O;x8h7>0GzebQ2}@GKf5k}{d=k9sDE}{HrMW`dwzI!@OE(i{lQ@W>9g*y zO-Zi3@zcHiZoey8TrhRUrrnV%P&|MN6Wx9n{~dk!>DQ_lrRI^ISyY+UHukAy7&yaN z%^8zP8I2;IRDDG6OrgxGlQ8-2P5&lcr&l#X2&NK+x7M4cU86A6 zOip*;t9t3-0@s5pwj^D_Ht!f9)Qcx?bLg|}4uifp1ewz5ed{SY)m?!5lVIpP`5kUz%( z9i3@Hqb5(GLpuVfmq;$5r3rfu?D}XtG4M($2+lsV4WjKK*DL^VecT z-e=YgOkqWqJY{AYCUYg1P={R=81w;Za%csrH-v^}gq?{4&!6>dYi#(3pX?T!31X$& z``+M6=O|17D;wBSEPxVd)5J{6grp)4)CQQd?G02)x%Wv2ed_}rcuQhs7A@c=Ap6oZ z4cCI1u%y+Xzz+4vc(IJGUdYHqnT(t%qDkDmQ3pkU`(K*w)mrpTHU&?#Y;_xF0ykzE z)Oa|#1}L5NrMtmcddP4NSqlhl+1?0Kar=b5ZirYcOxzcdV!QgERO_i^i;pbucHo-u zjA~+{u>5_Q+iR)nP=h^V+E~R|cwbe)a<_}iV8sCR=NxLvaFOj+x?CyanUA}pfBxF< zW+Gu)zKaVg=a;Dv`6c)Xc1KTt?RR0=ybvFkm#C(~kBa;Xf595sm$rs>rIErqEYP_C zgkZ^KDrT3G&GbqyCD;R>J>MI?c=7B>zY8YKOIxU0WS3g5u(R144u}12{qxHO{n#Dt zKYQ`y@zWS$tG)w?$|)#_DxChx!rGkI;vg9GHI%f%STJ2xW>(h;>mMs=X7N(VAui z`nJyHB4cE(`5VJpaV4?Az~v=N#f-G5%kYWye zFc^uKaf&oq55r`nZz-IaHOOK;gZg^0fRND)`|JobMh{2wHF;+j!%~_{CW+)(jD$9& zQkgEX!dFXW9L)JpDdh@j?@Loa=9=3JG78kD!L|i|8oKAMG91+05}M?o*Sz6x^~d0Q zrg7vFuNzS;_28~5YQj>cXW=xNN|2}I?C8~q+=UJ_&%~oTvNfy?wbNkMwk7;Gy=(T$ zz|aEQ&p9G5T^+I!@Q?1=h6Gba-|g!!>aD9)ysYz$?qd8Gyr!DBl!0Qj`upu}-j0WwDyHip|46b-iz`9Gb~fA$O|s-eRF)zU`w-qkR5AK?yazo_=G=q zf%%N70mv>a@qxGhD^IDKiemAtw~#z?EATTMFjW1n+8@(lchv3n?H}jfKj5D$KpL5* z+XJl~q1Wly%uF7>O&xo8^&HQ)WldW%6kIQ0aB;!xS8QoA@PbHe)})_uX{`2Zl9`qh|heIjWbGbwL%k2zuLMif^zy}2Ro{FPNsi2TsVEGcnhX#OrWjt z2rV9_b~I*4@$m6D=2E7imZ+(ktfI=Q#cmxrYU4O0Ng(|Xx;?|~hqh!e7J0uYw{W{! 
zjqnb8q~fT)K{Kn>^?)g>j#4%yQqXxA@?^T-u_tNwjiAYQG^JU>iXONlqH57i*BFLP ziB7Y3E|G~{_C|=O7qztw(4DuCNBuY=@3M4B#&*%h|HCakX2lpYqgg8?*yzj5nDT7~ z-sD;f3z8+?SKWIC7?uu=f0loP(h;x;L3#2z0?;bGz)a7zS5C(nksm1}t{7P#pi(jt zE=Bf@B|lA}!eqK6>|@Rf4&3LQ&mh4PRp5Y)>9X}`5^}M`S4=_rs)$%s~eBbkgPD2UeB~*YW@Z8_-?Kfy%rs=6jdA#h7y2sNKp-!=AOBcfKOlWU+bceFi z{jQ=j&1i;qELM{CqiqEULI1|<3m%`kr*JBRs@59kzS4Up)mQyW<_0dw_#nNZOWESr zRe@7=g&t_TdhcE!u4A*GXSLAS z2r~BIs=hBLnjadG4+r|PQ@~-_5L!PmJt4D5SX=w*b`_mTsBud^&@?4w_L&_HY!BFT z1F0|*1$8+u#!(1cjlw8s+`De5-hZ#t(SI42Vrk7h5ImxB%J_l?Zi0{?0*H;nM9!qk zrSxgx=!(iK>D(+Bgr3{9^2M&k>;a59$RXt*8(7bX7W1=rAv5CG#pC@@cj_m$dV>&h= zotQYdG{?#+YnzNJL(TB%-&z?N_so&LHba(X4vnNmcU6o2u0W$r_clGP9zXt7|)Z5u% zG#>-mOb)?g>Y!9}r$+2|H6&mrEzzbf^+8q3u=!es!x#HM_1E@|^M5gX@p$Dr*Dc^z zVN#3YGr%|fv9 zy8JAN+yNkwy8mE=O~y20oL)|-4Fi{No5U_-#aGh93>}?iL@*sjX1=!JCKM~z*w|%A z4GayOYTP(Y?%ddXDWEr|l40Z~=4f-eDyw^r$U9$;9s*pHop^oR`bbb-J3%+mAa9qA zNtboq;J6OC98`=PGdQ$4)7H0s)wb)7w!O`IjBr~uG$umLgFHrA5^Se)Zj#p1-x2A? zQZ=nywYCSqU_@9)>Mq`#yFip3m-?7bE#t1=b4k1cztvE_F~whVoK-3#-O&R80LH1& zvqODuAq}e03+O%9tKR|D^Ma~)PH3eW$ZEF6F^cLo&czPW7VKxivegG`UR&Qy(K9JT=NH27I%hmn%I-Tz?E>0^vlq5U! 
zijq^^!D%5rHgf*C3+;EQY7;IF2HV~?LiaBHQe`7QW#9hw1isZkZ!#&hb!>T8ZXF-V zN;|W#qKEa|gV~mi;jvv7V$Gl-PvI_^8dn%{6HVq}_)QD*fFnM{s@fPM#}jQf|HsYw z7kRwBi5Gd?>vYae4+C)-E-fxe1{Fc=2Bb?P@bO8yQj-2m{YvYxt*TtM2a4)Ay-w#G z9uRA0_&gf=-%=A4?&o%L0H-ef?;9~2r0kldw<#o2F?*xiK?d8YfXqmA#usv-!fJ3IC!T7k#RwD+<^tYzRii#IOAjL z3LEvVJFzJsyQA*op{)3oY|{bgcITgs9e*;BuydBOZRAA^`__WGNEngux5=3Cx%uX| zlV-k}L7|agUjJX(Rjo1G=0d7VQ=a1T?_v^dE1Cbwf!2ieH@?}D6X~jP8dD3sDjOf= zBDt`r3|T1YRubH9I&QDiIq-k^5`H@-dyq-t>YcWFR-vd7+m#CaioU7w#SD~Z1_D#A zMJv-DUBf=S)osW*TTsm}%b#{0>92S;8%X=CXR8-$`nEd030;pg8?NuH>+a~oPyH@r zS{!xt`UYlwn0XU&n;nWwv5%0Y<=3Cu9|w0?LF21~8(Kh}CkXr}obvi%J zSw@O7%dl=IS(K^bdCG|X0P>=lQXp8nR!`n!Gq0qof;--mN|WB#l)!X6vF_7m=7m@S zmnPWAXwppui$Xc?ej3M+I~pE$XH0c*$e`3=L@oqoq0(deqGjG|$!28o-}E5_VQfY@ zz(FG9L%)Tq3FVPuLSqXwe7;^EUWIlQGq$_4)v=7W2eYz~8pnGc5h)|zK}5g-x&<6!8r)U7 z5`WJl-(NlLzt(2GP41-Le+w6qB=*V$OdXSgNhrzH)ZzInH^k|!%()RBnkEFR2i*et-XUl^?sYn+B5^xPe07wlnu$Z z<}%lUszuB=FM+srf@fG3V2m}09XE-^x?8${nhR3NMn90B1mYwD-hqg$ZG6%k-*Fkd zfLiDf^~pLF7K2P!DsCckfi}mkcOA^NfEbv5Wj8u*H@=bqs4ZVc)0lR1^-diwJIwWD&EEPFqKW5oAFGPkH!>KD|W^4{Y-CxY&8jDQw zgxQp@K+_Fh4ERU-Oy^XXUEc+Vu`cveVHN&p%rs@@^THk9;6SoR|JZ zYxYbF*j8vo@OrB-!y&>T(*?a^;9>xg_xh|cnm`pM-IOdu!qQgAa!Ec+QW01@D&W(v zc2yn^upp5%(NRWhrBY-;*&36Z7{sLs1MV^-(=ttA5;7uCb93b4;BBBXzQ)+p?OatMe8R?pK=nh~Z!$W5g& zP4~jH;#n9yX){xVfayEYmA^Z z%&}r%Y<0W(KzYu60CR&JT?h$$(2OzPYaTD8W7|7hh9Bv4-Xini3C@=$N;tFCbg7{k zZPNEv@{avR?z3&f){o>wV`(d*r2?|=HqV(YGlJ@{df8$W@=b?UUDia?vNJeewhElefH2Uh_V=;C*t+HB|tSKyJS_7WVP$ zk`^>mj3r}D7Rmo9&H<2hs@QkY)!;zyA-td;vBVtDEEHVjE5G3lit)+e)&D4I%GGjU zG`0He?ju~yfI?d}r)n@`N)FI+%aQ>d{6ok=oKh(VVmg?)MU$_|(KRcU!Ga8kH86b1 zPwI{(NJCh@x4K6W`5G%$tn9BJ?ksi$BQU+DmR)b*wkkyIb^;b{A-U@M(e!m;iaa`5 zxXgl(ml|S4`a>SkIh z0o5|kD}7&xE0#HnQzZqVv;0+TOEt^J7S+_NM_Q|}t{HgN=&S1ktbx$B*S2P8z57N1 z3h9K5a;0v^GIE0Ji5#3B4-UgZR~K-t>RZ-0PHU2)MfR8$GV(?IYQ4U_Hk3yBEw4roVa#Y*5OGvr2U^jAeIgUk3L9{SM^>&+s4KJO>nUOg zAR2Tm*Lg*=fGz!vF$ZU6n%NmJU#u`XxZscf~$n5!yYO_(Nm z$nypLU<+cM%I>4|Rb`f2B=+sYRFk5dLgi1mu*3E%oU0-dUJ{^jl}_Cu3Nk(q`j9z` 
zBX{Y;>l*x=K&HKF1jEBViCu6>K zz=k{BUfW#3!1`B_mJ9Y)Q=zS*Lu0VU9NVc>@ZCerZ_}yqjH^S-?jCPBtJ=l`Hzz+S z<#HlEZn}moWJkMw#OACq+uiMx2Byb2=!)WDk@`*(`4p_G^|>{-f;&$@vpy^J267Xn zL5qggsc}Jtfb!(OfwDlaDAW|7qWVs10^dbVM-cY4*$q|OUO?01%CiSVu9ne1?U+m@ zD8BIIZO3`(ZlgDrQI%IV?CWFBV#ShI=U-|uZUW71`8bt#-kC2*oY&6d^O5dLkmlC$ zf2YjZldFssf@$aNY)=_!85K=(4~*BL~z}rNV+2=z92!{ zXg;4t*xI`O5(IATJbov1|2~B7g0q4p=SmcG#tvybXTPOmcGuZ`@}awBpf7X;H=Wh* z2lC(KK&mq1+3bs+x>Zy7w4-Hu`x57;KJ@R0ql-JiO09kULz@|=}VT<rW_%_pO ztQzOeDK=b8e#M~-UE0D=gCrcT7Qi?hd2EAuf5YiGYNp47EhXbvF${>#iWLJ*^6W!W zlqtKz&U^vrLRvWZ+a?u(8i+Jg+&#Gq)HB5&3i82F;CU3x_}>QbSXGU>_)3K#%FWY9qkQ=6;HO++Z^GT4~ST1#9pU!h$^mey@6g6#;svf^a-~7 zohvq2`^*4-&WfgU&qjwU3PApl@Cb%A&Qie>;{pTOKgnT`$4dz!a|qL+aUrA(;>&=% z_sPNkmVL-@C^AWyikmJ^E3j%KSZ$$r<89;hIvw=ft{yo33cX&&QcTsjPsaKqlGV zXt$*$ZX*HJy0QMHa!=i!Myj$@Q%?0TrBa@3!+m$%V7*S~wEoP;D}6~uP;-2Cx`Vu6 zYym|cb|2Y?pkP^71utBM?3v z$P%JszXSr+hu#$QSlMQ~6U8xloz6+Qm|%IGMqKeuB_ptpIP@Xfwm3ON8M}^dL~+Fm z72$N#8y8-K0 zo5Ysmsn(C&+{x?x=yCLHu>T}_96jEAM@?yrFNLGk;al+Yo8gQ7%~zA>g_wS+wS6n}d&`ki1dj6PUpT5*S%`| zO?hrb3svU8TWxj9!8l+9`+I2%frFM84hWclbKL~+dBK>%XBlJ3mWn6ch~g?0G?BZx z!2bw?DY^r2MoYX{c%seeyqx`EwCo)L+yAl)8c1nKF4MzOe5jN}D7S0X2KA+E^HoX2yL zmr9acFC{Kh8eGZxKG-p-@pgR?(SwRy9j78d`;+7L9)Q01NV*VX-=~wWw<%hGEJA{{P^|7(b-#~ znFX2>@}1^v+?>FP!)#ANq`saYrBk{zL35Sy=2Vh7EfSJ2nxs5q_R3xGL=P*bWGxCs zgq$6{8m+sALW84GqWfR{Asy)X$lXW!p8+nq7~ncIa(+Gy0A9m2;F4!w8q zhv84rf_^-|VmI5}ncK(T%p|zBrw4MI+jI`?T8s_L=xjXT&75WLGf5SfQ@-u|MR%J? 
zlZiY>hh27%EpO9yx`tL+hEoZV|V|vgKm4B&M7M- zl!K1ht(DZwSD&4`*^A(&$CcUn=R&Ges^;BMw+mbx&Q+n=4=PQstiOZ>s>713wkj$V zBE&8w|5^XGKYY#gUnZha%kz*Rv)@$^>S(F~O!*9cOGTMnn#PwgjpytVJ9_%~*^B4H zZ-5uAwlaB`3$_qS|3lpj*R?YtnSvyrHYwyeiwmaC*c2cH@+x>%+eH|HkKWeR zZn5>{6@`($s{qjNF@c{5QbT_w38bDQ$5T>fuJ%zM>(J1QjM*Yr%a^rzt@?|-co`F>w{TcsBEO8wO)@ zMVQKYL=*&W2C`!d-I+Th6C@l2T$J@SVZhgS#R6=sS7TsS0HK@<$uhDt%lGvacJSkQ zpGc+GTO|6y>mQE#`YHJzi^cYVLR7~5l~FbLkPETr-qWQbdC&I+zXt0w&* zn7VTGpg@BD)5TJ9c}1WV@-mYpsUluP%(mzgy+0(c`F9w~0Z3~0a7o;T-w{zgqO8V_ zM=RIVAQm1i?y^Tsl=%{S)tp7I(=ml$2^P__1Q**72wbd4PjEG6?1m_j^H_f2ooZQ8 zW5=ovSa*feR(X~?PUE)Sf=2&3+l6bor~UeZ2TGr!*Qor)lFM_dO!X>Rqjj2R)Hfnr z(Bz6O!}6oQiOp#_Ks6`83Rt$Sv8WAmXT?Pg{6N_^X8^y1z`DWE4=A^;n$32_*Y%@5 zj1;?S4i6!cZ8G*9B(v_I`>!sUDX87KB~oAMe60hwx__KkfY29j&Tlnh=r*4#q*>RW z;MqW>YvdzVDA^tTvupMnwCVIHR22T&@3N1I6&X$2-q!Vsp?ITG8Nmo!04jFe>vY~| z`IDw8In?*wlw&={IV+gKd6UgIxNE6ZTF2o>UrAHOD8qtpDV$9x<2bgz%ji$`S7`j_ z$WCQ!_jd)PKOMkr0F6v{TLY{e08*iFX?YoNl=L727)0d45$D=#O|?C&E#&&aR@A-- z_Mi>sgBr}+$~xD;w-R)bYq@nG`k^41R$_3}mK4)0yg(N?RO*nqND~)V8wUX8S)7&$ zlZ29SOru!i-4$C#lOIoTq<_O9JVIT99$6Udjqyolm+%hNyoZ>~;?sCdg zhV!Y+K}^kB!f8soc4T8$EIt?+cITnjTdxaycu-x#Etir(Crc)_hp={pUZ-<}RlJCO zL{utk!e^ObBsjWb12-~fq<|zgSIqHh9*!V788GTs3qn&Vj4*{|cvBx$j^$W|40`ya z18-OG5GTGl*6&CD_apx)M}Aw(a2m40re1+&J<-3@)a{P{97%8ZoxG8LpwmIY5 z&Lx>JeTpg2H40weCg{P$FTp97-Xk4+*sqwr0Twh{63G{3s%XZ{kUkPhl3Ym1Cn@V| zN~70+mt!Hy**q^*MDPv(6c=dv=hBdpq;HD!gOW(!oO!{odCK5=@WtJarx;XXrDl>B zLSIC_&L+|+J&3Cc<8(53Q@cR3$s15LNLwSDOK_Orw>;zWb}6_vPJ$A zT)rQ|baKXfmB;u^C-_D#@}CSUa!u7Tlt_6(7`k2+5~Eab+eBeWCvcyfrHSkS%c}1d zjSg7rCtd2hUr3gaYfkZK==DdP&VamxCJ?b_zmjF1ivkKm4+y9$uy5k}Hi_>hOF~JR z@qd)Yc#u^R=bgVjB|9vdMIA!MJ``fyCu5dfk9*BLdRqGC3!c(~(3_%Ialt)C6404y(<)Fi`%gouLAAg3Ra5a{yc-G!?z z9CbQw`c`MKOZg!8kci}W+c7!HTSXHTBMzr*3M z{_oz?;qyQ2J$e4*$>ZVUr%#4|816lLviJNCWOz?&T>Dc>MT5e=z1?2MvwO@{TBJv9XqstjIi2o za{5Jl~+zA)yzuSHOcshCZVxK+Rd-^=t+l%*x$`WikYl&Hp*5v*BKy{y%%V z|2zGEh@VH~4U)*jYKDpxWy^LitS#KdABY%q-8e?1IxM*o+n+55yv0 
zqH5a}0*yM4h!%qm&R^M?NTYPoV=4hfE^rOOat##v#E>VVZ;D4`M>px3m)+j~1c7rw zm%vD)M$z`nKE^But~wTrJmnA)?v~|7h={AQAtoT9Q&@)e-F#!Ar#g>1kMxzHN!4g~ z_vYp%qA=M=6f=9X$=x@{hes#pM{u?2FWzSC#gkOt_6@s4t?wd& zJ0{I$C7m%c)8ZmX>^UnITuRWE&@AaZ!bC1cf6`b~)B((~+i9dHX%$YO2B!r_7c*xp zO~|wm3!;gnsXuGPDjVD&T`}5a1pD(!6l7W!u-Fi*MTQCz^C7ClaMcyv1EFf95u=rf z04jcI$G)7EJYj~AgF0XCc3={J{_~%4t*9g@tiLt8#_eRl|f)~1oqg@+iASwSEtMvBRrTDy%pB>41BGJ>7J zMcB8&%?Ms&&&b_ZR0^7xFq8Pu*yL9x$9;`j;AL=ouY!sV2d7wV6d))Ybz+TW3#XY(Zq1407AKK=S&(B z{>k~)^c)A!?I17swU#XkHq%$oa<}7vfo5BS>U!ZCA5h^uf)LP7ClEnHc;=!|ngScF zo-^_TonBEZM3J+j^9yotdTgv;kPM8$0~7CQ_!UgbrH|Y-Bd{bq08*WbLXF6a;fu$1 z+yl)hEa*V8oFdh*VLP=fVw#8*m<7gME_iF`rpKqFQZ^H9*K=PEvY%bEoq=KW_lKh2U)0%5V zrTSSF#uWu?pu@G!pWIkQzIT#%v~~pDRjy@n$Cg*eGYPv0Dgg8nJ+FKic4-!h=l3n< z#2bMw!kA@71Z*Ji2rFWlPY8fer0ld{Q~oi0YEDq)g*!^#k~LYvT|0&91Vw^2AKW8U zGgGDSbwI`mRdAim&=+H3vqYgCObKu8Bj4$!`YB&%`UBYDOi-GhnK7WCJC;?*=fKnjjXLmv1c?Vpsb_DrS16AlbcJ^ z_CDw1Cjw6PR9;n)P1fXGi{>U-$KBS6;Y)wf89Szy+>P0naA4e~++3>F zIaz*y9ILO)MO(SbjXPM&0`=NupRi1peyl~ADxRk+Mv-92uQ4b<867`lT7p_dlnMu( zG8h4z!;rvfI;-I`D@2(ezYKN2He0IZaDchGcyqq;K8)#F>M8S^oXFHvI-72MChuB zS#!;BCt=zKaEuW4FTxdJ(Jaz(d65rH57nhqKKFbAE7V%>$#6}^qYyJCSA8uV05^c2 zdlx`&^Kl&5T(8DU5j|(;EVFqjHSk&%-wrx}oat!;z+JKBo#AGLA{!EL{{X8E&<-j6 z@_rz7#g?}~%IJJbJ(jX}z1Lx^*1Mb^oWHrhm>x-G8u%0J_N@MS$_uFoSCK0*mNt6HF`cP>6t?(S_RvJ#dDf*xv{7}X6Auz;>n_wIm_OQSGcMGGMn zxn{*gNY>LZ7?Ck63Q>&vWPC%5O#jQXsW8Au*rc2R5TO4N(QVAk-ii#gBH2vi3V6)f zbS}nmT!Y?Aih;}AsYuM%23|qcBp;_Ilha1+#!YTyxm0`=#wX*wd0hnmAky<(Jv@v-I!@B=xGU6Fr8QkpFT%?v7g zV0-Kqom)4+*wk^esOgSCVCVL3gibvOu?%DHnNv^1jsEASB55ECA+@Gv#+s!+wXTat zGN!2!v@Lv4YbFw(P2Oi^H`*X;herM%94tM_KPeZi;IYL-pu#9jNJv`Da?l|<&NMGa zq`PMcJJvcFk^RR{hi^GN#QgQ6joZTlKs#Z*Q|FB4m|+C`%r*6&FlQD}bD9OtZ@#ia zWHRUD7=|YNonF(o^yBx8<|v%+zwY4E*N1P!?8u^97vS0Lbo}Pw!9BAQZCtDQ9n+MN zm);3WH@4z$r>+UqFAt$UwO$rVnTrK5+eia3B!aL^6-&4qEgknGAex!)K z4tnwhB2dw&|K?fAjA=#hGW3U^2VY84Yemlxb{3^ysyP6d(@T^0{pe%NSOOX-D#4HK 
zk#icBWih3(7wLnEq23@OCqfy;yIU-LjTZp)#-!p4Faso3(nsxT6=+%_)2>SvX<`ZgIYTj}U>M+FBbPKJCp5nD-sKd98jw;R>4piH`gSk5oRbMtH;iRI zWb9{F2op!9d7Dvc#J_ZkJ zH3MmdZZTC_%$(CA8TTOtWeg1L*v|Mpg!JMw!Xc1~+)%u-WC5N1hT3Na5L)KKG4bODy^|otYI+s>k^^@ody-YYZmaAu*4Sl5=CLX6 z@g)fXV7r-*BXmxt55ROd@otyADK2t(5yq&yX;H|^_I&8RqU08E0ZgZj0I`(>MouG?@NzLCZ$WEg)$sghX87KxMonac zb_T|}Hc*S)b&W;#4aD{Dr&P^HWEb14__$+Ke&FzP5XbtvitX|mKsfkLRFxohjp`XJG2Z?seb7Dof?~=i< zzjivhA$l{CZg3n5mL;s{LL1%WKNF$I=v%VGvxI#l5hcT(dszUh{-2l70K7)`{LBBm zJAx(YHt>{rd&Y_!Lr6xX*WHOrfdnFH&TBP)vXm&d~E-U9yw#SdlL6n(y^& zd!*Ovk#5oLZPcAN!QD%DhLqiBUxt$3*5yjbe+vc@_tx}Mbb}q}kza@sFcaHsQZRbu z{$g3u`29{{G&RC%@DGhxl1R|0^4Q>m?A9 z*ax@>jA4BAEesO<72}i- zG9=wV#O{)AmvkFqG(7IvZ^4zs>Xf=`M(O#{R6NJfyzZvAxNE-t;?@7U#q5}!uq9&2 zFN9~RS6iZO6g+HQvu)RSrAP0zA`+k0(RBml1BoPHnpW?cGpnD9Lg~Hht$4Fz@vy=Q zVw95uiWYvlq^q9~XwJK&n-@ZfSfpLjy*NDWl5m*;xyF6TY%QEkEJF6<|)f5DXAR{}5PPNdET3>q8$~5g(yI}v=;8Rez zlkS`rN$`1NvfplUoNes-ORy-PJB|ABEEDeWku4(Ly?uY{6sXtwVv|LNN80(c$&hwL zXAC@FqZ9kO_uC_BJ^0V#m$_d*WyhtMs?Xl>90Ka^bIZ|K1ouy1xV~V;qPrR^diAe2 zfC4sc8|8O=yaPVoCrYBxZaq?N&>42KR;FF|`^J3b8ZL?{h#+?$1m2a4?1C?tRCJNo z*;3LYU754keIflOR~vS%eAm6l(R|LqmZrL~@s8{|^n!;}l`?#^0Y3WtSY7=`E_bi@ zx}v!qM9p+wT_wJdNAFR;O)E6l+rhvAjc8sB;rYz1Jl16c9~(EZQ489wq^SE zWo6U1O3`jXge{%*uyXe;$0s<%_rDjn9m=)Pu>-8JO?Hj8rMuS9+zNuVUy!bK>DdUS zL;tzf!NLX==4&P2RB0UC^W7$U0FbW0=44}1f8O@pEkwVvX}58&& zT&lF`_I@fKxNho^6`S-_|HgGz59-*Yv-&r-GeEUUP|24?9)C!-hep-)el{M}y8CoQ zs&(`^m{jZPGf}D5+d5nVy=d2JP%HPyX4*L>m29KPKJ?GD(ll?uZ)=QgU}^yq@s>%c zuM2~83A^46-VRbR>$bKxS4;O52g^d}khU4&55H(*%Nkbz{E}qS4Q*;hzv6|oXTv$< zt&jqO7I=bOgkU@09kxJz$?J1g@JqHqa1WaxtlC8!yjgP*ua2rE-M~q-omUKeTe~X_ zP2F{-E3>h8+S3hpGf+u=ilf5{Gb!*BEmq7em`GW6y^+Dk@sf4E@$lWr$9-N zSI4j4pB-ErzdO-~NzZySh`V1a3CT9xfX|up!Andqd+=t}^joY~EApp(?p(fm_wM5S z;_Tq`^8D!RuSaL+YbQ}px>qrfS(Ek-mJx3GypiTEbn?+CvCdY;vg-{jWh)nae)#>- z+k?xqqu0mh7iWLFe1G<4?NS?aU2P@X_SEfOy*|8r^X~QK(aFJgZ;oEJ&feTy^=S3a z#ggxj4o)xMon8dk;e@lne=X$x(`RqV;J+3h|9HzqS_`iK?4zXN@#g5SM=g74l4(Sk 
zH=$R@)C~y4L8<1^`N8=cTP$)FX^3d4<^g?pXvENSynKItbary^_NWO7sCp-*7TPW1L6G8g*QR4xW7&SF zt+{w}-aN2gv2oo_W^Lv#S9P(8zw0Tj?;)mD8 zzc_n;esT2j^6==al_te>7bsCoduyE=HisfB)CxE<^ab&dG?}z+1EufrO9S)G`Q^d; zi|+xNZNOxOGT>x|x+j2Mv1L0vuh_B)&a2Sed`o}76=?o&^tTpZUa=*@@`^3jfbtGL ze`}Z1c)VHzc+bMbD(?DWo$K zTYGa!+C3pRur{e03i<7nr>t)(P?!|51hM;VgnO|NSycNbdc{+Qcj&2k zRCRxCgL9Zo-^vj6%W)kq1T8E#)Lcb%t!6#3SVX2;-QVLt;CEW?VkJwu0cK$ASM!Nr3*0qzoSFY1((I1A*G{fEI;{KVUx*cWR zhMP8blwfW*rs0G(vb&i%y%mWTc!uK1lPBKZ=tQ$kH4JBLS~bj?d8?w73Ubh|k6XA0 z(f+>`+$&IMg}iQZPcUC8{r`6Yc?Afq5C^r#T7W-@7W?0HQ@oOT{Vr6M%j_yzL5o5Ii?CS%>D>y-S^wLk%htin@@ph%O_-p zq)5rP@Ep&4iYz;tSeH+flatTRNMJWeB5F1|K(}PZ_Wt%Y_VxBj_J;z{jlS_FQc_OL znOI~uE`>s&s!%9YEkor_5?v^3HnbmavoP8Q^~-oJwagL5cAol{rpk3_Aa{zH5T*S^Hy@Hu#0fi~zap0C{NwR1AQp6e+%=DV!1DTHsftXL?y^5jh7Bf%< z#cGpsTbh$NN)jKb#tQeg?-oDB-d97+=0UZtFtxz)n+IJlw+*g0b9wI$R@}lD%ClF8 z^@R`OPugOv1pQ)22NGWJa-xI7Fc&sg1^4t?gK2JJO!Uu%BknB*!+Ph|>h^&!)7#B| zaefxRzP{Kk#$pdN5D^YsQnoNlio0wQvOq;@To+UgYZo?|ut3e}dPya-PVRtMR9ZM$ zwT%7Qf+zj0gC*RlAgOZ#snwD5cLzBaj)r_w+_+CB*LM_)bWz+zoKEy9sI%a$(?u@Q zt{H8`3(F6L<5|b=rD3X94e*-uN zp72m`9pO>cZf7qHwVcUa?2qusws3;ek4i$`dx@NXU)MXI-*;Qz{rcg9_if|DhxW|h z^?&wS_4+@1*0ay@pZB=+$6o9Iw0?cxX?f0ksNDw$P$B@9WS7Bh^enHW=eFaOq*~i)FgNN=K325**_o%qiaYO zB$UXzoh=sNStq$_bs&LbQ%76NNa21w1S#Bt-*Mog`m%VTO z)bEG|1Tl^#j1$P-%;_MG7)QQp4&f0eklRDF5hP=lZ6BYUAMPKhEa)B;suJ;l$JHQN z(hcKRDmh%5wv+}##wQ8{PDWT|0(4n8;Go)fVPqNXg%sejgaWIPUh@cU>CW`rogiojtDn)(Z)gYpTjxSIc zPP_K)HZbz-Z)*o1LrD6ZOBkaPV3=~HQZ8#~2ZeG8GeuiT9HWAQDv65nb^F`ezS`>G zB!l8G_WddPJ;pv{D3x;!u(xYJ69lpi%17wgE{sE<0dcV;S-~a*SsA%t#6wDaPvsZ{ ztQkH)1*#9GD&_TYUzU}KmXpw!jhJDgIM2mRwT?XxKM8tdZ)i;XiB3U}{*IKTNB=H@ zDr>a;oVlhx8^|gPWEq%BllTQs{PGD6nP*@HOPykV^PsjOc|kJl#o?b}KwSlVO^?b5 z1r#I~(6wfrSg4GdnsQVr0CqOfXtVVE<+QKu*Q?UY8=~@&8i3gl86^k}h$L}?{nn#(JJlRU9^k`@>N@G4OZAZ980+LcSBnXW085`#5mPEfp(Ug-Vv? 
zL(rdQZolt01BzKbOQ%0cBU*>A@r3#`O}peAo?btZL(#9MNnGGQ4MslcN7%h`3SpQn zWo50(ha(7B#?yoc&M^z%4%jp#X|&=)6RZ2dX(?YnoBAxJ|7j!RvTEQw`%mX-H*f!W z{_Jc1-#hut*8kE8UsMfDl8-+SZ7^>KDs?0LOPGSzqD~~!yE(0*)I5@#ww04DEukPR zuih+`@+UEwl=#NOb5KHNXKJd#&WuW5rTf>9{aH}{kLhGp@2`3Cf9L6wohLc@-+A)< ztNrIrJ{9smNkmX7`VCD?LlO~T3;bvrRtkK@v9hmik^cwbEc=ejD4G7SEGKgImF|@%dP;N;y&|ykUU?0Qb43`WL1#gCE~UQ>suE-V^?u# z&r4!+nxO>Iz^m4R5?e~8DwM`(N#5?ROImXxVqXbtHMY!<6zCR+I{r_FL8{<5s-czD ztgJn41^s79HA|0sd3A0Ubzl+16T+#R50AMy@uasM&d_H#diKP*udSgC3k@C+B=-i# zk_*7-2kX}Tv7kXjMm!@;HcXU^R}w?%)Z7b=fNZN=J|NwOK4Uz2bYH+e5JCzu7vxMQ zYjkW05^iwAQk)>!-^yY}H)C4qwmZucj&1I71l)=@V9l}k&_G>$|KBkVA{tFmVggdl zAjXk_P+Njf{qc1}H(%(a6f&M(+`s(y`%de-U;kcL7yp0#)M-BZ()efn>ht9D(dRdx z&p)4j{*it@qMzT;&*${>DQ*07>vFZR^w8tqi)hHuv3%Fpn}~>+cmlckj039F5g5m7 zsed@L0NyH+gciaIXpPRghzBC#*7B&!N2p$TL}qU^3+G{aDAt)+(&|d>$x#;?OBzkO zvj!PW!iy*leR9!-fzIhRF##3A9L=ei+WQJM)o(|xBIHaQ)Mf!U<=TEvXtitE&`FGzv z?RKB-Jb!LgIfYlS=(eVjOXH1=cTX`r79^>1*L) zUrFX{kuLgdSVJ*?$QHYrvs&ZeDquGOlHlr<3M6;SILJCCs9tXh`1MH~lNtEpC>GJF z6hC(&b}Yp2Y;nN3Wk)UqQ9s)SlHd@)c7Phx*qkVy7g+JtzbzEAIkLZ18?DdfqL6!K&P6p|+tDLvX9n@~1OI}x3b z3s7lZ6_X!tkaVQdcZ9?AfYuQuintuUl=byzd3g$N#ty3QJ}byt`Oa2!IUUge`ylyX zNG0Z{x>Yy%l9xbG*{L|BENn;(LbaM}z?iXZPW$NG;$#m5^%CS^-HNg%)7qaFzb$~8 zS&`mz+v>}IfAIc(ncqE|mV-@UT*3S@-I1@hV-AXY?^bsaYr^Hf>*LRp&!SN|bg1;O zM_+0$C_{i+YA>}5h5lIw_GcKQM5R%p41X}Y!-TR+mgk*$TddcC30SY0w2QvB-z7kK z@uqn1!eL%DY^YxM=(U2Vj78^WXH7ay;1S-M;D8Quj*+2n<0X6epS>lK!HQ{0q^e3n zo>fGiIMQ@|XF zqc2}-tyZh{>5~pjRgVK9@u2>st(&`*jj}5TjX7JqRb%M;Eo3YW;tW0Q@xq@Lw|ma0}&kiv|5%pWS3ax5y$6YB&D$`r<P;WPR@W)VSO zzSNM8jNSu)A!2&cStg=;Ta}ij+UPS1H!07-^M@5wU-Nmqs~S5SH;D!DA*lVtr< zb?m<{Uo4I5p9;2@C9usLixiFzb0h`G%ElqT4e3am>>t)Zwzu|Aj*k!a&ri-Sj`xlZ z<_{)fA$1=ZVdY1$T>$b+W@X(syf!fXz5d&aql5h)_KpwxM=zbzw|j@jj#VHhzHl6k zmBmfR`BuCz!)!?I!QVgHJs!U9zw9ASu!mY4Y0O;!9Pj!EXA*(v$Gz7-?x|;|d;R{; zCugs+B@>9zf1$1VkOm&wo&?c$EC?6d-=Y?%77eT0^6D?QK9#@dwJeOLgH8;V=rfAL zkZ|-RGk!Wm@86?VfSj$;kvZr;{zJVk8Djdf93}_-`s;s6MJv0Cd3c3F&OlX`=$1Hm 
zS>8Pgu@EoI`bOE|y{rHs({Ub^3sm{n-d_J=|K#}f;hT&8$-A@tgO|<+NBQrxT@@!$ zVfr_Wfs}`I^ug(&4-VraqpDxw;T6^ihueaC355tDtK?Pe+OFb_utw}g!l`9uv7=h zFw44G*GRI1$gXoq&YdSNZ&7Cc#`I%s{)IS~<>5Fzl0{LMk1t@0sfUhHO? zEmD%!#9qqH@YdPh@v9SC4!Jl&|Mg$!n}d_r-=Ke>?PwBi%aW1@w|^5EEjhdCQBezf z$jSEOG_$1?Gk1Eq+Q?Gk+OCgvWXOVF4bS8X-!6$VkgO=>+=} zr)Xq>Kb<@Hq>6S#E|k9_QwiNQ;Su38=R7GT+TTwjvd1}|?k6=14Z~@{W|~%GY5hZ^ zM>BjtjN~E}Xl(sMq^>8zR}sX75iHLCmQQKtQ(}Sa`p{-PPcCS8DOHt8rq6e@r+J?C^n>MWwxOkm9!QxBe&jEFD zZ!x2Q(#Yq{meIG9ya_$z6a?jbdReiVvTaeaLxVQ58pK>UmTrIz0I@($zlVZEExF!= zUaF-6q?@VurB?p^;N*37r{JL$MUL3cnNRZOl#w%AM5hg9$Fsea`@KX%`PtdtDn6Ru z9N0d}+Aq@T_EyQW#Q`qTcD6zNY!Q%KAD6aPwSGX~?CTSf^Jz$W=73BV+LnEMvr&r{ zYI*2?l?==p$0Kw;Cbn|Q0ufILa#`$q2u_~NLD-OT5uqWufrB7{ut31qj2RLIgm@y; zcEpef@l62rrRoGpTh;kvK#V4iA9-&hlNmeMpGYDoI-Hb_q1~K))%PPd~6&?}M zu1OVz3MArCWvmio;`?aivjKwKncz{xiH{?CO;CuVvGp7WUhNSI$VfYqg`6ls3~msA zYqZfx;45t;R3M>{aOBf~v}^5G{foZb+ttnv_Ff$wv?pGB#G*;)*B+sLl{o*W{XX(2 z7q#|?M%(bO8c(e~_=9i5zvjVsv@QQJKgD&hoi;SU?o}LuYnP~f+ZH!r?c4SMU)8>C zM-%y-aXPAf`+wISp`S3PEEeeS)q$wV?bC0>jcRS`5xlL6bM{-UeJxz(k?mUT+xCdn zq!a>wikeHeYvd!A3X<5qm-(Nu{mpg3 zQPOgrY@&bRAjW)(b~>FWm6hiBID+DLesFfwM|;PwY)``1Cuitg|DcJ^4o=TbUcK9w zkDE~H)nWhq?C|?{@(DE1ZKGEN65mOEwQaP?#IqBLG4_2lAy{vY2%iYOJJMSm0sEC$ z5Xs$?d0##@)(BZP@s5-jz(V^Kf-7d9xT=vZipHG9qcQqUIek)rJm$u7Zf;XT)(3N!Fh6iA(?>BkZFCXu1GI9LND`msRXS zD+Y?dL)bSOwc5zRD+*4yI0A<>&ip3AoR}Xz0Nn%+RZg_8raDee{L7%Ak`vI5>adMo z>-}&T^Njbg^>uHFU3D0R}jl z-~f+cV=Ma=u{+j)HKhQB;SZ(?dJJvbn7N^nnixlQN*k&BvTSKchtX8ZK36tff7*H6 zFmBcw@us0T5)lqSNQ*J%M3@$70}V((hSa6l&$e#CnNImHEOsE~sQkvAhCS;z0GwP? 
zFP3d_WYdRkfP5s}r6TW$3v{Ly0ZdDQ)cQIu%8<$3e3sHe2%67{r``?$<5#ka3G?Vs z+irxJV72d*uLp4iKHA^{tUR8Lmvd?{@JKURd$!-1D$q3RKlMvf>Oczm$v}$wBIr1n zs%I)ZvIGc>D%zysCR@&k<3OZd?UIz`6JP%vB8(Jzpt)vtfVz#`FkLnYsa#MDfYZYq zC3ibB1Gc%BI(bo(7O}(#<53KmRjgtE%=lG-DS*emgc$gcq_lJi(7+5MSpW)kdRPtkqwFK)v9MEKT5$jb-KpSyy2UN?}wuQneVb1ioo4ib!&O7GU2uY+J;G35_)K zFnR}27eEf+>7@W20Us}@6=s$}+|860wxS}rGITHLeL%+8A0jraR$dm9_Q*-bWIRKZ zyieFN8zM-v%vnI)rksTV_JNLWxU2_vcqVb6v5({`u#rwuL`ghFB3&$if6<&NiW1&s z_rU@SCN#m+mz8}gBGI%(R-y`tsffr#*esk10im(63o=rdP}46ZpVC$mUCTy#(_$kT zDzLCE@#azC#sZ`~^f&>2sny7zf#ap3iF`Cj$d1*}qssyjQa5I?@TX{k`ITgSJk^ej z%0&bn1y~;*=zB{Qlqi{%bIc-yk-b*iPH_q6^y_5UW(Cewd29qq{y52XipE%=0U-h6 z#3jJV2h&VH=^_;5_m~8cFS~Ua51A6zQsK3hpJGHiZS+Q}RkGXtWcbM)vwp0EtESb` z&5X6oY_3eOJ4P0QkYpi)snX(vxjcuZh8L13#=arH8^(R_hDu!{U_lFJUeIg!*>cC2 zkL1RQO|c(MTSHDr6H(5|HG}(U1!-=s4@NB6ZIPx_2SZ861x}Z;^DrLx)b*#5P(vS2 zo9UB~a3yL5Jkg4Uy>GMC{Dc>SvRvq~M4SU}Q4_RlP0%TpO!t4l?9}xYM+`@7kx`MT zKtgSZ8Yom_wPtUEuSgS(@ihT0&j1AbXf_;5J&z$le7~vxrIV2HNKH(_2ehKBwL)Ms zW@HitYL1dCr(x*J?IsKSslu}4T^cmk$8;ieS!-~EscOW=Zo)SM;u0Y+r?5JQoCYJa zqaoDDK6~NUMFU}9-;IS0;AB99M5~8t`3h!0YKN<(ZN#*amjzCDaU-X~$htN<9Lo7m z_Cg|}k)-KlQX;DDu6TsyYhZGE<6ch%R-#*TCPWJmhTw)yEcGY#8*Z-p_(sGul0)^$ zNC^QPCBUaTL5?fVVsIc66yQQ{wbOR23&vA3EHfVy&{U%_QL0#$5{=4aHlw*q!08&( zBF|`5N;=3TDre8o3Km9T^Kg_9UxHnIBiK`{;7J>u5!*7L%qw%Dv=tycbG#ax+B4@YFN`zN%vSzv!0)(WbH6cXJ@{svHyHWDp@UC7h z*;h5xNMjM9k%U)*r}i71xHP0hGAO?HR!Qy8dyRXUxq{{%5=`W#q&D#J~xO3Qte z+`lWM4wodv*@Om?PSozvKAM#*E+J{zrrf%Z02xHJlkM5Hdgdg;G-w*V+1kRx?jV>J z24{7gbeIxEQ?9U7IyNh= zf`!~p*;aa8C0(tdFE_zG112^wrnt5)`rA|`X2S5FHZ#u_DW8!dbCgQJ zV*89Yi&(}+*R!l#dT&sIrD1NRfC6z%xSFhJOu5&RgPbOF6EHrJ8)m6k5X{@)qowcF ziz1rs;1*JOP+RH5$cKGv^C~rzEI4{?0mqtVZ1aiOz@8_+bGhHKDbn^U(V%M#EwU1t z3j2b38Pb9M6b`^KD)8coQCl+y zi&7M&y9!WS!C0>pfSlpWnhM#79)}GwZ0lUIl%PG?wPnpq0VteSWu$PTb*o4wnvODNnPjJu+X-YQ@jc1QL5g+wmvVj zHPdPqfN2qoYC@^5o;iI~^^aL3DACX-r4!#{=2t(XXy0Z+389DKuKG5TIdsB?$t!d0zu)_ z0ZwMrt}sh3I1D)pIhE=;40woQp)=BPYZqwQOO>@zfEzIm%#!9*0B0A>rO7r~F?D^; 
z3f5TrptZP}RkZh_jov0Gm6hI7JfJ=to*zodi^#R4T?vP3BVfn}V`nrbj8837i#f@P z7>{g|K|n@69g)B#jb?J%-OQMB6U)zBdao-*K_HL#bN~t+05{@Hh~(VDbQvM+Mxrqz zx)pHGjQC(24a}7J6gt)x0hn4m!K17VU)DA*0jYBU#G*=#Y&3AGCly0)&*_Ur~`c?jddT1G|wsA+?oE5C-_P8cxRt z9xZ`yorWYjw>}mDBd&fd8EMK!0bbB_(o>X_qo!`5`5~ClCo-p9#hE2OPUsB!a{PPP$3)v1_E= z)DRPJRlV!8cG7KBf5n1t5`O_}jhe>))0jZ6`Hc9Lg%X5dt(;we12mGc>~39IXyW>aqeSqy`cpD>`t0 zm3T<>=|gW z4V~5g_CAR|+i7>(-6y}+B@Y+9?QJ?4wZ$0Ji#BE31MH2+wl3XLg#TV&gFAS|9y6sMTw>zhov_?x;nA=aS24*;^Cm4&C zwg|DIb_Jh3*V?$R+KW6A&Y4VZ#2u|L6Y|=>4S?AN~@gc{* zZfw)x{ZS8GA{9$X%Bzm^5;sN0SiHO*~ zYN?_v3)PKwO)kJCKDE6#Vxw##As8hxk)pLh>^)4k1YfR&?rytVN+JQ{H;j3|Z70RI zxe5?1wspNmt@h}VId0r%9;wy7MgO%7x%~rLI8*u^#Hz2=eoQdaLzn;Vws*SiPOEdN z`qFeJe>_6(aU6|P;N{90Vi$U)Y};I%g#L0MSg~>^%)|amMFsy6;%NL*w%Vvke2%3K zpLn9Gu9YXOM4fIu&}?RY z^ZBJ}khlP6r`(Ezp)7ofo^DXuMkiXpVouOyI_#aN&n|)OTxL*lnZqf%%%Q4?hy-<; zL`0e%t5(}XD%yE^X$;dqD4PHfIna^`30fRbG6r>x>@CEFUqA46>k?|qgaglj$~{Hw zzK>F_qOa%Zg{<$NG|}Z`+P->`M9WBnFBIqO)0cFJNi>DjhO}>AT-wCI=k*Db2=<&Y z^X0bC7~1}YuW{~PRU)}%nI9pHjaE)9CrlRE$HeAxr8#-Fl*XAo$fhLOq<4X`{Xz7Y zI7CWqok>`gf&4a#?tEu}XNbSwGUvV?s6Uc9C)`wp*^sozi4Y{wzm+yAiyof#Anpp| z=+$u_zPEF@iIY?+aM4UpP?m3Rt19K(y9$4E0;+8mpYx)*)oO=BbeS-xO9V;q)Y3Lw zO1U9}PDi-5xDj*JC7Po8{$4{$J}`47Mv_YvWbP7Ok!cfn`(+6Lmqv?(Ux-GCv`1}p z=`tR+bPFrvc_S=+ZkJlp8RH`Oixm(FBU3tsIbWBGJ%dYtOAnav=sroSqI*SLY1o^T zw1kZh*Qa2OrX$JnY!b`TlrI2hS7fT(AVW}74OjQp$O8%b?@Tza$n+jpKt=D%Er1Y?TnP|(f%4_U^-%s5nJ!5K>FDl` z@H2fbNcTAeE<^Am&f@U!)kX)W`v8?D4(RVOK>{+%>nnr$I7?fgvdW3kIM8AAjoxBr zbR5gg(FA_eVdS*y83{z3_BDz9h=zVeFT%tiv{fKDs>|P`ITy&j~1-amZG?ge#YuLEcShNBXrmd-B85P z2@O%o5PR{d#( zeOor~^gbm?I<$FPMY2tPsw{!}=a;4fuq<26Hhq^4KRM-m4WZQU2VTEsJo{ztIlVSS(RDOU=?lL(_mHSvj?lntTI?T^~s$K(C)BgQ=8kmRjh5W zA4H5>ap8eiL(uySwU@I2=fd=Jk%D-kv$#03*S{LT9n!zu;TkZO52&wK$}))3H5NkD z9j+a_!_APEUT1OWNi|^!jA`kTMVLz5-2M$;<2U+2`#FzI8I2*)yi zxU?Z~lLkNk%hZ=D-~1&scFMe#Pp*ldy6Kb?BkTcAIlZPn8Ic3wVqfQ~QX08MM^>L! 
zAjkD%uDqYDOM~^ox@4kkpQp@AgYmse8>{wOuzDQC-iSo)3I6ylNWy?_bd04v7MNYP z1Xh(Va-+bhE(*{@JSHUok&h9_2f_75K{B0W34#RIl(PUF6t6Ldo0RGPSCT|w{@?#P zV+gM~+kmH4MMsTV&G@Sj1TU(_!`Vb1Pb;5hRqY6e3l7hx*Ki&9l(WHRDJRnt%++s_ ztAkCLaLSb36P&0*Sp?QGgmZ#tkTR;uwb1fis&Ft&Jq6`>z`4+6flI@9rPS3}jh%xg$r?=a5AnqsjUlAWq`z9r0x6^dg zkTZ`&?7Bn1A6?oVUn$KxO<{aS;V@p&oZhD|O~>%@ABo(hX0bA6B7!vGO-H2$cE*@{PSd#| zbTp2nwCq%f!Q3RbRhM^3SGr57!9h?)beS(8#{_~1qqBeRbNJ>%^;yR!ktOCl3 z7&gQSah0uU?Rin4SJR}r6;MPnEY1Z`s#fovB2{(SsMUUkFTnB?4$CmmMz2g{Fl9d& zCSgoUCZy=7)sMSvM&miJ01UtJ&@h0V%fwmQLLMG}8 z;3M-8VpA0L2&a_PI2&;y#4Cb5p9Vy4mo|**(mpkhGd4`Qf0HXq`%@{Qi>%9&Iu1E9 z%^9~Unq(oM9^r}~4hTdxlAQ7!#BI__lB`NQXvyC+h+!`ka^^xX8K`R2QWgW8#x2tq zPSI&@Xa^r%LOgH`zygY?aD*a;lqHEXqXm#UG-#t^7U{${$pE3YHs;E$-$dp9G5(Fp z6D^A*xEBi|B2Ny_N*A3J8#FOCwDVi@jnc)Oz6++ao%!&WSP|}W2qoPYM)7QcX~@_- z?s5Q`j*FJm1whZ+X6_RDeBXru?9PWjYeu?D=(9Z+V1HT)J6v=-Wj=K`tE*;uDxN3q z`8Rkf$^?$dVf6zQ5#v(`Vz^;Qiyao+j+pNu?P<{`>ZXDU_pa}FvKu6Y!~nZjIwUFu zKWGM9O9;A0h1?v*RE*JpL^p&4$;C$W2jL7vhGgD45>E+BE?rN0Ppxh>ZxmCRo@O}i zRiBu(hvE%qakyD9%lj%2-Im zeB;NuSy0n{B!|W3(ifae_-PRTImU9UnNnl9{r=7@%E;C<)U_5^?IUy+*)Pt1G(7CI-N+0b3t$rc5oQR=B>3beCx{|5_*Q*Iia+275W z1n&ZYBPxb;;~oynfl}mieJ$emg6R#OCX8+v`+lIWQp(k~{xRfxXw+)vE4U&VuRc@m z5=CSJaYtv^G3W%3HUKL$3$C}?h3FM?uLwu*e4ZCj82i2w<4(^x93HdiROOI#nhqx+ z6Esr(Wgaw|4c%jYYyw;@DWJ!rKV9-k&pAw}7xDjVU^rBsc- zkuxWvZp=}w<1XAylZjUkDUtdE&ZAm#p{ z%glCRjw8GQFYTmhJ*&xJboyH5Bd138Lp(r3#(U`fp6??OL5x(BS2_hvf}{ruXijb{5=qRUSX6mWXZ4d#LKB?ny_-fj#=)x3ffDM;11lMaqq z2Tq~VbwvzKn1~<|F%zVLFeg29NjPWxvWYGw{PHgihD-vhmunfywp1g5fEZG@w{<* zvW2PBlOz1nbX2$CYI2Pw&FywXMh0(IX<9^KT3A`q!N=AQrEVCUu}x~9Iez?Rwb#hvhS%7pDM!DiVC~#a?gddvl|<+Za<|+{a^*c z#BszXvTnAeb9P07gr_LZm;5xuTtc9_`kl~eNneYQtEo1ZYLoV7plI`ho6)(Pe{E|Q zNuDE|&^^{fp)*J%Eup>B!`6PPfz7;cp95!8_XtY6sTg05=FBtleoi zWlc!d+!kZS{%875i1;2^6cimrpxOw{SkMV!+4}Of#cAmU>_4>`p_VeB0 z;Mt2E@~r#xx!3Kw-H!Kkurqk-;jZ@-4?El93P+>`xu{zTLE?H;lT1Gu#W(+WiMs8b zr|nLw^G$6cxjfj2MX#183Xod09P+G89E^`dPQ-`xW{w=(VAx{ulXzx!Oi%kuwc-KV=>`Tt#f9;JyKwSh-xaqR2# 
zh3GYl15ZVks_*q*H+0lx7U*R3oYWpE|9G7OwUBsTw9|xxR(kYI(!(1XjcbpTuMcD$ z9%i$mTDh;R?DV9Yj^4Hu zMMADCstUX!t}oY28bCsA#&psV8km&2#%?6qwVDp=w$I`q>Y=U#qtz4g0jVLBx{36V?aN_TD-7NE8bG0&{*Y(MiB+jdL9jV zB)}5R8RcCAb`pQv#Dvjt{Ucxwi=a;ru=;>1H%w^P+T@~7Uu<4ecGQWpM+s1T>Ei^& zM&=$VR8V#enY}5H^FE{+E6*#Y30BnXd}J`p+8j(-9;3B9ifVAxxA@F%J_HAI+qEC$ zkn!&Cq3^z{A*8P^z^|I9D1Xf0?t(?cE)G>5d`g5`BM5n%h30z;?Y(^q-#NkFN#IXq z1Fxx1#8gCNVl`FKg9T`})9EA&Q}&>Ck^3tB!r`eDT#QFO^rG{k1C;~jkyCiIEB7#l zq)u!{bWkFsf|X3PVy=+kjqtV#P%m47`{a_oE(7W-0l-HDqTcsP=(k1#xauk2Y0s5( zdAQ~pa#>BOPd-9f=C2!TL&Y8nMl|?XS}^iO3%fv-5{XU?p)nH?fFUPD{^%*gMoVY4 zYx~T_zP6`?I2!B1s)BsbL)*y{RYc|EJ(SfGqmIc!EK%bt@d9MfvNF8nx^6|j(6o|* z`N(u#24yV?ahPz4pC!wRvF}fvZ%?U%%&k~xBg2@wZrAbE=1ytrezl@JPKA<0%M+*Z6Yq4=;*qe$yt2`Eh@Vs|XN zpU{BH>4cNfOy~kV469BYsG&wWg^KU98ybwDX`cqN2u`AlO=RlegR>jmgUv9+a{>{_4T^mPRC{#Kkp~LF6qL9#cH%^ru>(FqC)yN=~j=_VZ}y9w3nHh`tRCv1f?-$*t2 z^?M2_UPRA`>_x*Y7B`8ONH+lw6K-itwLk8?{&DZ(Y;XU^!&iF2fT-#rr|T>OLZSN! z4nvdrSts>lJdK%{!t|Q63BdIzVc}yWc zQ78|I>Y<=V=t%PBiORAh6%o~gED6vhejq)xO(J(2DsQKFFdCIsmP(;cc7{2S8IGgz zPAlZ><5YvapA@y2)m|_~lE0-dleDhsF6V~RC?WwwWvXRMC+xwZRH>b_Av9~jCpo?Z z<1kwveQv3#N{)ddBBGY8oNjv^J)7o`%bCz1BL248_qVVg(txxESd3dz(6xU1y{GQ9 zBo!e$YvA?Jd*o~nXs|5{J5A)YTnGJXN?|Tn|D#kj`kekiFs{}|Vm~78n8Cr7&(P0| z``+Ko%2n%55eXQp0)z)rTDUsHgNlceq%TcE;F>5S$>6_HmQAHkx52b%Y-VG|JVb48 zZcSq<;)zYt)yyglv|JMw(3-LTj zgKM<|*EFnja=BH;(O4mw31Z&ybV7+|lAu+fMlhx5jd7GxvRq`DnGLCXrL^NXY#Uak zG72PEL5g~E`-);8ox!qOqmDO?Kr3FUFS;PkM@C}W=$AY?haWppl0*(%Xi13h8k=R>}-BT+t z{r*W}39T1PgRbSX5e-b2Nm_Ebw*K|=xuP?8`P)sTPzq|Nd@^EeU)&K?qRwYQoAI)9d)@pcM1 zx*3z8_6XsmvPd{>!b)q_NF`aQlKoWKOw}|!|5s#c8IW^8s_5E!d#gk6=t$aY-&xHz z#i!2=RILOe9Yh<#YMaU?tac_sxYD0WLQnOO+{tD_I>|k-+yZAp4XK@SK6sLPnh(m= zL%X$FHgHj*zrEqW=IKPqJ|ZHMU4>plFhGXlP(+;IiLub8GDmS#IVXMKJIF8|$p}gZ z*WJ+Q6uu`oEJ(T3%vuzHCg6zP_!YQYp%I1irgwl zBpX_kFj5wK?~vy#9%b-g&hgYK);b8Tmn<$fbjwt+4M@w^TeM34P`<31+FNGpDUPwg z1QwW$ewxHh(GP!}JLPs9mhx%00Y$mRXdEC`tD8o7nOVDOznjqDEeS@^*iouTv0VrO zvmiL71f2KfSa8zyDdKI`U*=kE`4H^IpC5U0@L5s$eS%Ts1hMZszm_(08|eV&j8!!i 
z(lXOYBQnXCuSVQ#^jRR3JfA@Zg<+U}a5OIKV&;%$4s4O(Eiy<8z{Q?>oK%Mt(+6lt>{lV8?7`?i9gUSrzmUZ__~^sLJw~> z*{;`R6P0Nut)#tI7A0|Io4m`NNk*M9M$lDsDmb86r6L&N=Tyw7LNf%ulUVA@6rNd9 zI49j5Wu2eZN`6eGt-vwCZChc~b8p?oRg|Bd`EAVACX7vRUDIcd5Y_}~=}NW_C>PwZ zi1mpb+r#vh_5*F=zQ=u(ik`IsYc@Wyw=is#RmZ{fWSH6N%TFaG6?#F%g;QA>_Jx&1 zSiWJ5ira)Gx7@SCM->SnLrOWq(RJ^0AHKSV*rafZq zC|oTT$UOf4wDT;>|93jOPr6_E|6P0}{cV4X-Xzyk!Ex6ybMByTw}GgEP?dvzx->YE zE6Yi!e#>JKEF~IvO5aa#K!;KrO{=Q~ zYZf3XuH5Vj`&Wi7aMLx=kK_SOxhH;``M)(?!+ zKjhZOKV{yYcK(qBH@o3VvU&;rbje%Y3U@5>k~}?P0FNm)-~?YKza+EHfBzG2P!{3; z#w%!588Cz7BQYD7h1=;^bhy@~*+boB*eAjzD4>30DHgHi;RwT6Rcmf~b=5)jkkcRCmvG@=;s2+trsz>Y>Jn`+pSw$O)6E;vIgN>0?Y^#{IO)k`Lmv<}O1pVEqh>kRRzmx2 z7E+In)M1|7=s0Qn1r}GO0wm2xlkg&nL!Vr9Qv+AEbadGy#BRy9ZC*tz;LMd{zl7Q4 z$7pZU5+0a<%&snWU}7!U+vhuJ0W1!KNRKC5s9Q3vs=cM9WYUWf^~)%Hi*7l63ni=Y z`?9rYZ@wSMLdr z!&HY<9SLaJ`t6eQVp~tm_4ZP&X{nIzagL`-MP0n>92Y>)-Ya4;D~sjp3W0hVZ<+95l)6B zl1eqGn?jD0(b21So;j|y01sLfqs8}X-U?T{R&z?S}CLqDJLAh_4tMQ6&~{#e2!kwTw{2mK_2&5g2+IT+s1 zg38cheIlF7W8WPU_e#VQt!g-^F2;E0=`#^eQXAjejsd}*Yi1#P%f?==IY`$`6ITDK zMq{xxIdcwmnZlLRR13|$$-B88FUI`(WtHY|t(m^4nax2}siKRyjm6xpr`$EIq@?}S zikOfBpr0V8GDK)vxUvXx3c)xnU<+|YGhVS)>&Zjp=%|bfOpgA0%DkVFI&A26vHTT^bl^XybmyzyAqVr(d31e(iy2RY~ar;aLM>-kP@e~`PIJ6kuHuQ$li zz5yqeYLta}Ooe*u2^V>`#{~QETb0uY1an@(&`a(drsk2%h}tD(Q*34K99FfEDV5aC zT@?Qeq=Gt^Y)J1q?TXAHAFN;Mgtjdu5M~=?;mpm4|$9b)~Z6$${ z?awzh>sl)2%_=sg6rAlca8$z@{tcbFsJ7QhfW?LNK&UW(j*&5QH|)05(L;Wj&!dO* zW_ddwTT|uf&i66X)S2yj8Ra~$(CMoY4sxJT#lsd5j>5#(Jp=P_bo$zRFqdz!1Ut#=&NB4<= zH7#?AfFBQjS$_Q161aPfrkI~$Ei7;Uhl8WNvx7H>{qwV5R$3VfGP9k#?}bvDtYTA` zT6z_g;p#pYRay3q4Iyjk6<30*hqD0Jy1B?A>o2KpD(ogHrtd+|ggx-BX7laIo5SOa zfBk%}6vw~F{6XZu)^9hFRuu0|Nd!RJDp+6JPJ^?KS$%VI^5*Tq#s1sFgX6#A{3^7z zAlqL{A@@PecUgv}HO~91!?T0^^OLh*F8T*&KOOEL?CtNLygOc4`e%@+U~Os7mX=9e z{+nRIJxDi=Mu?QT{$+D`{=>WP|H8`#(E1RUjhgS0tYmAP_H@;p9-Q@0j`!Z~?e8D- z`{yS=9vuG_>A;{{u6ZIvD^kv7_eu%uD#B}D_a{G|@BMXGy+rAQTJ12$g$#mgo9J|% z@0}k0^%gfwcY@s(4(Y>K*wk~^zpxKq?f-=rHuc;GvapM1z_*;<2Y8CUx#=uBUB9P^ 
zG!YrvCTw~;T#Ie#?BLbu-tnuwi@jGzhsS%ThkrH0l0j?>5DRSi-cK)!lf8yRt>R2C zXT~o<)V&$;OA&NyqjWijmas@ypy+<=(d9&R>tl`zGFsw{ql%Ey6OLuv(5$P=#;XX* zXIzY`eAY}MIgck6agiu&}$b>%?l1=o3 zNlJpsh=LOU2*=nGYRT&mcXY792wC+%fJeKv{7*ZcA_yLHY`t(2W%W zq}(}*iU6#Jn>&Hlx>DAHD`k1;^>W+9dV^_(SQvM*;y^&>ZuO;OwrMW?t*;#3H4W7{ z34Ms`^LGb17mfygBeP(_mpl-jx23|dSP{R+#GkaqSSeTwVAdw9Ir|w0hhh6F9uOXo zh=?|2+Y=n%5%F4sX>KuSR~S?Xds==;HOrgR0M~kWB|Tr8Kv<;>-ZpM^Cbo@%VpB10 zTsE1oK!>?mAF1Y{xdW126u%lTg-Kn|q_JQ`okH_85D^Ya1B0P;UK6*ORe~FF&p3}b zo%G}3kbXo?3x3Cei|WsI&F%lKJJ^OUvHx2&{nOn1PrJ{b6!JfHzUF_rlMm$oJNPJR z05YV35~?%OsU%RfcS5CEaUr;u0yLd@HE^oMf!Z$yX)M%aig+4hkXp zT3P7td+j}h&m#Ok#J9=*H<$lEc~;2()ai7;^8Y*eRN4Pv&S%^HDzmdakgeEqaoq19 z_WXoIoVwN-=G+t%HpnWO#Qy2KcM5rniUq^2<4%{qnBWfnMvf|T7E zHv#?ROb4T~q9iWnZ=h5DJ0(374m-oxF24el7SbH#;A_J1h-4lvkMnt9RTiGqBQjxp z`WKwn2@L!mr*;PB*A+Bp!;#e`&pn5+oLN!rbp&!Jb9(Gd@W-%2)^O=e&x(n^35OYH zLW6X4^|F<3l}JK0W^htoD=m@MGHW8?$+w7act85z0{TBysew0k{{Q6pvx5ES`Oeq; zuXpmP(ErmppS=f2(ndc}o!^Y(UiAIQpOwG4`jJ>(6jUI>I3Xv5h>HnWaI)yLl-(fQ`$=U zRQ|SGS!9|`vin7LA)ytPeUl2G?q>n_;CM2C}{rtXF2MeE>+ z(9Y`W0f}xHzmm%C)eCi`-~CH(y~?vv8P>gQb}B18J~U90XvH+`T8UO9oFFb8SfP$t z%WK+cETI1fEF!ni{^$GuK6~0Noc}(5`c?nGi%*6AZ{~cC_pdDVV08a2omIy&uwQoD z=naYBj24HmdzT9qy*qo022;f20Q!r@L=a@E_by8>)a14jmLG{bCdv&|3qE@@GKyxT zlF>;ieG*i=s#@EDVmg_6CrMG92S-C=O;5$0mc>-lMK#Z44rb{Zrck5k#o625ek{PN zQIErx@`>)aPC{^Osxot9U@%$Oi|2Rx7RDRZ|?$mIYt}jXMMg8r(IwySoH;cb7nLCs=T6+@Wct z@dgrtI|K`E2@u>Jdbm?Fx2A5*t(u4V2j^)&?6dZ_6jIs62&)FB-NF&SYK`8{Wm01_ zYrZB7S*$72HbXqVM(Y+0m3SCr^n19Zc4_h!_06uj)5cm(7TL?tb5fKmwlwZ3KG2`3 z!0xtnuxi7|B4dSZ71%4+Z*DS?%G)w1ml{XTUq-g@s3McpC$R(eIi>JLWN~|_QA(*g zB=Jf5adGX31sVq0GNt0M)HVC3Ln#9jt2yqCAAc5LT;4|w3=h2N>`f7lwtee~OS&9* zokv{805+NHluRDrzm?Vyay3e+fNNj{rB)fr(MU~Js^^lENLDh9ElgmNW>9P3NgKVC zlB?ImxoAtbj_{LzI&Jh5^x|LEj|Ja8>&ryGFIYz?6c+XO@#ymN{+ieK)nB%CQ%|tH zCy+IFzNea_oTp}+$yObZ&6genRq^B1v#=Ys-+8qf19$-Kl@*IWu`q&wW3AJ`MjU9+Vb%jk$UBY}PjGZ`uyK z_uji-eBLk#WWEU*0Zy&M-CWyTA~zuz^X$x%1D~IKt-?VBC5Zd(&JL)gffrB{elK)} 
zpeMX}L98xOak8DAPvHkp;i#ZZ=>{A2Q({Xf+SP2RW5`GJvZvZ^pqkW^u*@=Uk$HF1 zUI`EPtVpf&yYqOxNTU;K#Ff5;w}wfgM~K{jI?|G*zlBPaz?@Orwdss)C+zsWIPa1cJ2>x<>5qPmgajf5{evQ(cX7vit5I!thu%O$SVQR}7 zpI}OUB=PPBv^R17JVdIdeeffoEyqpbhgVlDJNQtf6n+jS2U=qM!JxJAuwF!#Hb~e| zx#gAyg0Yhfs2ultA;JE7#L_-g8Vjt4w*A}203h#J$H9IzA7=<(;h*}#>mb4=7!&?W z#nU&x0&%9h5RucsM3^r_q0(bv&ZR$+#Bu7q1Z${~J3Mt>;Z`7uT?4t--y z57}V1SH)~a2R1wsYSulL=j5$=uP5&wySb-GW~i3u))d+|gl=27!g;Ovav8EuEEFnJ zBoXIC3UZuID3U+ze7Lbk(mNE}#)%0vx;tNF=%;_%gJ~<0g_@u=;;Pc>ERPP%eNIbK zU!OFiJPplpln0C8qiKLV>jM0yTcnyZgjuk`PYqopoboTHCvPWVzP<%P-7ufmq}7FZ z{$abMVJ=6wk)3J=D%ue|Y&T%g&6qP@g5-0GrcEs0b@|AGzHbT9VUUjU$3z>#jgWvX zNfxl6yMLtNW)5l*Ut6)mea22ms*Qo=mcoujR{VSNUb`Ho3dJ7}{_!rfXSeVAwA4v` zO7l}+2Y6_4aa&~)D=f-oK8{m8E@xJU;7m5T`7O{Um6v6Fr$9q24!1^}aa>w@B_I21 z|BHNNw^k)440k6Wb0EL;Jpx}JTM`fa6Pj55sR_s2Pw0+uAldQd#H zrzR`RQn3VYXfO*H_VseI)k?f)`OsZ|{bA5uznS+9qpk@HNo!e#_@5Gw*F6$g)FwNb zk3ceaK$AqGXPVKage~J9OM(&7IEs`i>-qA_OQZXhU7d$2Iy)>Y7|XQ{ubJg#QG(qh ztNW&}a45I)a)^(M^Yp*>#p*2|hG`4_xA(Zcnu;qKKp^m^R?L#12d*|#J zm~@LA@ZE?spicWC>fdsY$8)UhB-arWR1}lTM+BkTt9Aw0N>dYredMuoi6FEKsLbku zdC;L{dN(KaXG6tXgXBpE9kNh_tF(-HAgI?K@!4wRMNaEyrF(sm-b6Z9g2_N}cOV|= zO2U0fm|h*IqV1-JXMv|!_rllDM2Ucb`i7vcy3r=OOrlL<&SCk3r%E}VF6OhraDT$* z?zu2o9CegRuq-8=QNNEPZh+rDMo@IAojUMwxp$>udh?B>r<*%#2V4S4+X)*9Ay4dZ ztX! 
z1H54=gnc_Kw!KB<;9{o6qUuUR$x^*;p@7V%xUp=eOxWq`3~g8J_A~>L$-8}^E55Qx z&!InoHpIEO;^BDsV5N{~#RxDgfp5jhE=C8cxzZrYa z)V1cHdQ)8>;(va14{6rEKD$48{qiEx-SWDAf}R%mLSM5<;%zm+AGIfwvqT#~w4Gq~b}ghJvYq=73(UkHxf_;xUb;?X z#)wDs5_rblT4BFk|Ekq!^B-PUgqjuhbD{FFCt2d=E1i2WSPn@&P0D5Is+DAZ$XV*w zQDPHLEmEqY>m!2vQLc7UmRbEmvMV|c;pv+-V%svxwz^jf4f*sm>wXR5(806x zEW`;m56(Fm)?4919_aR~g~sx3U2I&R?~T}@EE$RY3kO*l|G#sPf&-w%DU5&RAhRTS z{v8MTQu_}M@~||en=SQ!a*)tqgCCCnCk|2`Py72P_M(4skZSEF|KuPKA&E`3M6VpA z$mMg7NhM4^aQ6|G1}9a?MI!UHJLq0)cNKOdcKmxs+#70k30s@k!@q+quGhFrQG9t9 z>9v90C`?~96+MHw3+T4>*mN-MUJO~2X#8F9Ulw{=?pS#2tRxv%l8QIA$abWP0!|#C zRFG8B@lM)h-!lSFnV95%a_G~TiGwZnDu|sHPiXLSR#T--+D9}b7{rB)I0D2LCyGlK zFo@svSmKJpONfYUOiiZ@dt8%fj&ro%lF5)So}RA=`$}3Jo0}s>3Qklu;2m5#NF~sx z-lN`6-7|_KI5t&8t!!j1(?FXY6V)4bHgC^El9)||E;(BbFJ>n*%)}<;U5D;|ohVP$ zi^Kc$mcQ|k?Lkh`g%UKx=21AI$?2knQ_{{F(Z*#oW>qsAlS%4R^=dIB zOaWsbsOeBHyc7`?&AZMlnumzPFs6LCa~3#NRfxwCKc<%>d<7?JLf8(_E{dw0c?s=8 zi2?F@?!E-y7v=Tr^boFYA%~~yUER^&-kX?G^`Bb2O`Mt z!9q``Ce@K7s&et({O;ilyXb(csZFA#x-c2wzRe;S4)6DtvKr=8RtDlJ+$ZSsmQqqz zYUOG>X45g23SL((2o0dltPf8)C_CEAbGge|gxpOAV^bc%SjMH2$3n_^;V%8&c?~Ln zYOfTzd#x^Dn}1$XpF%v`-OpHI;)6TQLLov+Jia~yGkpj(Ccmk($%}+XQ&HGIg+FyH zqrBk+rVX#g&j{8CRjcL2oSktRAIOD`IUAo)e}Yly0yUorg4sK$Niai2X=-!eo8{{5 z_OWN8&saF?D!35~SGp3tK$#MpbOscof9*%_O>n~GVww};60D~$pf$v~JL$&h2DUpd ziprk%F4hu)$889`PWALoL5<;v+}`s7>TyyxxdhUp;T}vxR>7yHolXGi_In+M=PUVJ zig=xatmHPSvcvlrf~^D!3Jl(20*~U?vW^{Dz@D`n0G<)>C%i`1$0Of`Q@-l5#bi^w zvrt^Tw$SH7d`>!|A_4sZ>i^n!eEaQ}xUmrIaiI5QZ|VYOB_i7XT?x0hYzAF5qAyVC zU4n8hF*)@6Ik{RKh9)++Wsqg;2Y?A)kj?f8YbWX0J@FXo7zYj^cE{^%ln$uJ@gQ`QZb|JlXa<@4S-jH`gcxRU~IsP*rb zaOxj-5EQ|<<2sYLX|Op9hZx=PmkS(ZtVr*pSWPmze}n;iV&tx&fMU9-n^O19oPjQc zx0{m(IL*MHvD@+fg(=YEY{za_Zp@yi#Gho8iO#?hd_b~8OGlFxV2_VYii7}smaUPM z>&dm&$NV!zM_7hkxN6LShR1uF7Z4etChklN!=aFu)nu8D*~;2_p;0-&kj{J2WJe)x zG~T~%sJm(83c%S+Lrr9w9{xG5uIFx#rJ`{QXQ8GF4YL;YhIxgR1aHy0_yOlMDB=V6;XyAMfQZJki=$2wo zEZs<~iz{Isg>xS?aNHvqCsY>YlNq#cE>?GBSF2NlQ~pjl*7(>oS4^5ii_AMP`Yy?G 
zoRUg*kO;|cd?~V`+}?VwUKr=CdR#6ZZi!nv-0Nwe&5;~I1XH2W=Oi70F$_efY|n|( z${kePb&#Lco8JMlsb}qT;+aChKdcOf5*O+!HWHi%HSI9dH(=K?TTT}~?M^Ceg*8Ul3)H2v`l2K~< z+x)%*PY=QOhQeMCSMrkzp0*!L=uH@1R5X z9u?}HNt0EdtWl4wH&~6Bev?upkoW}q z){TvypZPi@z&(Nif3(VQPIfxnHr%Q&?;=Hy9dnV65)6i=UIOgQmIh(`UV_C8EAsYk zr~O!e?A@?kH^f&1Ca*0+R>qx1gCdhidK=#&19kYW0zi?Z=B_C5EiS91`hUakrrfQ9L?Em6I?SHhd$K+L>+PLiY!Zew@3W&8@9!jHe(-7P5Fl1fy2B4pxH zc^ckHmrOJV(PC}~MLyALDHa$BF9|y7W*--Eb(%QoPiFd{kQx5fD zUte82irF?J)ltw9)6T_;k3J&5**4~7a2Ldpy7VC-_so;~fo)5;>D@cT+&7bNamPvG z-^NVR@h@OS)q?oK7W!)sM^>U__HS+oyRnUtoYKD0rcnmGUrmw4LG1mGbe0glxz$_d zOW;`#5CgMbtbjB4d_*()7S$C?zlqL?luAsixLGoNO+u<7QTr6$_G5IcL z!yUh9MdvJsXlIMb)fawXTP5#k=bR5(4DUp|lRFEPkD4wMZ>G$b`rXdh_4DK;Xd51+ z5s(-^q;!KYH45xnP?}Zi)J+R+^O_jfU=_>RB_4K$K-u)o1Qz>=rfz_surtnJ`3W|NEmFm^<5 zj)Q2I<^^U4q(oMm+eg*^k#E?lt81L&V|2Z8M*d5dmw)&c_b1HDFrCNM-U`0_@__|V=s>(+ ze8+MEke%OROsV)N@^d+|B8=o(-@<>9r;0#?SodK<;dZ*1N{AJZZy{TA=r4b0BVi-uMT8pQ zt-h0`eg+Z|qjFR1ul@FMG#E~|4quLrL624$7A!@3ul&nrxHg=j*I`U{0=1Bx35r( z{uZpzGb;tQ{AH@E*e#Ho?Pw2jTCDv>oR2G4)`b(;b&R!Eveu&TD_IU72f#4*R6p%d z-oi>JW0A}2B9BRWLsC1FR@wj1Ezbj*#$e0c)lCnAfNVeI2ZcN6qIrrE$f)^e0%qbR zHE<;TJ!LH?@rY%RA0s3(Z<_uJt@ToB@Gx}g`247_?djv4FFmZrHdW>-zzNw}Zk6Oy zaMQpGPY6hh*5d74wsI)GqY-hN|`(igl zTeK?-^PBoO9!T5yY@ue$G{=|}v!pxLq=T_;MaSv+@5zUH;{okdt9EavPBka;qx$OT z1+tbEH2X%w#>P&ht&8*yqpxGD3#Slv8)x-xDB{v?3u?&{tJv;q*`H^FVgNoI>59$c z_13;?Hg;XF%~%54jF{BW4WTkd!gwA9p=;g`UZ*0CF1aM@!hbC@z28%@?C9xfv_Vg;A+?Ijpj{GGmE+6{ede%4 zzhVdPz{;5D!$}`IANIU?k|XWU33}{h)cz=LwL2x+llar<2D2A<4I8SnCKzq43kz;x zy3Tw@h9e)pYzx|D0Z%2oK{hQjPUZuN%SJH^TMe2G3wDdXfPUj|Yd&~2YmuFcC#NWi zJEpKfG=p1y(!bG70Uge=U4kp}GWNjIoJs#fnlA#E=Z0yXmra)@8FuBo=K?I{)Z0hY z`r%F6>_6AwjC$=$vnt1sUTTiyp@%WXv7I|5F1`RCK4WSNF<$UqXqNKdx}5gE+(IJY zwxr+)VMgOc_KNjBo*O=Gh;ljN5ilN_umh;FDDPxRScvW)eN6W=f@VC<;~%_sn`5MT ze}PEB@z)QpyBK7*VC`pe@k4avIhM;CgbHRJy_JNQN%+-qn%I zyz8C4q`dCk;sXIJp}KHy72CQ=Pe)v{lMQ3`+QxfiKku;CeUj@}qqUB>h$bf*KrcA= z_V~CzP(p~HWZoHMsMoxGrDrbBJU)Z$nb;SQ*5O9 
zh`OkVgI+#(sq4*@uNuRHMv`!7mAJq4Ib@^F)V8y`K1FHR9L_RfFcEdov5%r)jZXo8 z8?#aiJZ0ueFpFmeth>^$Y)lz3nNg7SRGmK;f|JJ*{!); zQvclJUf7qtH&gqp7b9k>B8RGNrwAB}d1nG2XQTUyvddYA`|7%R;i+?#en{RtxVzZD zK0APxZf%Wm)Bwt9e+30~^x` z_CC9c=|0H33viMKD(FC2bBxH42_kxckdcl}Ri#U^RD#EA;Vo)GN8@f)Ky5phRB#rBzheO}Mh z1uv1h+U$x`D!6RFd(}w5oQMlqYFfPtz7mh{sQwiW5qyd3SK?dx{6)8&HQ`z0b*Luj z{1hE9h{qS=k`GI71EM>01puYNK+AZ4Q04Tfc@dFFiJ(-pd7mROMWWn|49(rb)yyD+ z5y=m&Q54+ta+cg4MZ<_-G@EV!B*GGL%ho72xUH3mt+7-t*EI;H8ygLARqRnL}}D{&&4(gUi5ZC7=m=`~d0%kWifoQD1?ma}Qg(Mc%5b)&aEnm;Aj z(C}n%1d7im>)InExl_=EFO%pc(>An7cAOtil32xf^3|-9z#%~o$4i37#s$yr-a%*^ zg)e|G0}SlZVt66bzNG=v^Jm1q~F=LsyHD&HbsgG9uyVeuJtP0q_?0V zNHuM{&a7W~k&tZ5S@TubG{4$fptZU|;?)Kp>cA=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.3.0 +dependencies: +- condition: global.config.enabled + name: config + repository: "" + version: 1.3.0 +- condition: global.config-api.enabled + name: config-api + repository: "" + version: 1.3.0 +- condition: global.auth-server.enabled + name: auth-server + repository: "" + version: 1.3.0 +- condition: global.admin-ui.enabled + name: admin-ui + repository: "" + version: 5.3.0 +- condition: global.fido2.enabled + name: fido2 + repository: "" + version: 1.3.0 +- condition: global.scim.enabled + name: scim + repository: "" + version: 1.3.0 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: "" + version: 1.3.0 +- condition: global.casa.enabled + name: casa + repository: "" + version: 1.3.0 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: "" + version: 1.3.0 +- condition: global.persistence.enabled + name: persistence + repository: "" + version: 1.3.0 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: "" + version: 1.3.0 +- condition: global.link.enabled + name: link + repository: "" + version: 1.3.0 +- condition: global.saml.enabled + name: saml + repository: "" + version: 1.3.0 +- condition: 
global.kc-scheduler.enabled
+ name: kc-scheduler
+ repository: ""
+ version: 1.3.0
+description: Gluu Access and Identity Management
+home: https://www.gluu.org
+icon: file://assets/icons/gluu.ico
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: team@gluu.org
+ name: moabu
+name: gluu
+sources:
+- https://docs.gluu.org
+version: 5.3.0
diff --git a/charts/gluu/gluu/5.3.0/README.md b/charts/gluu/gluu/5.3.0/README.md
new file mode 100644
index 0000000000..b481f87839
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/README.md
@@ -0,0 +1,659 @@ +# gluu + +![Version: 5.3.0](https://img.shields.io/badge/Version-5.3.0-informational?style=flat-square) ![AppVersion: 5.3.0](https://img.shields.io/badge/AppVersion-5.3.0-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.3.0 | +| | auth-server | 1.3.0 | +| | auth-server-key-rotation | 1.3.0 | +| | casa | 1.3.0 | +| | cn-istio-ingress | 1.3.0 | +| | config | 1.3.0 | +| | config-api | 1.3.0 | +| | fido2 | 1.3.0 | +| | kc-scheduler | 1.3.0 | +| | link | 1.3.0 | +| | nginx-ingress | 1.3.0 | +| | persistence | 1.3.0 | +| | saml | 1.3.0 | +| | scim | 1.3.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"5.3.0-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations 
that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| admin-ui.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"5.3.0-1"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. 
| +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | 
`{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
| +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.3.0-1"},"keysLife":48,"keysPushDelay":0,"keysPushStrategy":"NEWER","keysStrategy":"NEWER","lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. | +| auth-server-key-rotation.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. 
| +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server | +| auth-server-key-rotation.keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) | +| auth-server-key-rotation.keysStrategy | string | `"NEWER"` | Set key selection strategy used by Auth server | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. 
| +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| auth-server.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. 
Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/casa","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. 
| +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| casa.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/janssenproject/jans/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. 
| +| casa.livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. 
Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnJettyRequestHeaderSize":8192,"cnMaxRamPercent":"75.0","cnMessageType":"DISABLED","cnOpaUrl":"http://opa.opa.svc.cluster.cluster.local:8181/v1","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","cnVaultAddr":"http://localhost:8200","cnVaultAppRolePath":"approle","cnVaultKvPath":"secret
","cnVaultNamespace":"","cnVaultPrefix":"jans","cnVaultRoleId":"","cnVaultRoleIdFile":"/etc/certs/vault_role_id","cnVaultSecretId":"","cnVaultSecretIdFile":"/etc/certs/vault_secret_id","cnVaultVerify":false,"kcAdminPassword":"Test1234#","kcAdminUsername":"admin","kcDbPassword":"Test1234#","kcDbSchema":"keycloak","kcDbUrlDatabase":"keycloak","kcDbUrlHost":"mysql.kc.svc.cluster.local","kcDbUrlPort":3306,"kcDbUrlProperties":"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4","kcDbUsername":"keycloak","kcDbVendor":"mysql","kcLogLevel":"INFO","lbAddr":"","quarkusTransactionEnableRecovery":true},"countryCode":"US","customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","email":"team@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.3.0-1"},"lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"salt":"","state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. 
| +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1200Mi"},"requests":{"cpu":"1000m","memory":"1200Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| config-api.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1200Mi"},"requests":{"cpu":"1000m","memory":"1200Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1200Mi"` | Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. 
Please refrain from using other units. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1200Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnMessageType | string | `"DISABLED"` | Message type (one of POSTGRES, REDIS, or DISABLED) | +| config.configmap.cnOpaUrl | string | `"http://opa.opa.svc.cluster.cluster.local:8181/v1"` | URL of OPA API | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. 
Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . 
| +| config.configmap.cnVaultAddr | string | `"http://localhost:8200"` | Base URL of Vault. | +| config.configmap.cnVaultAppRolePath | string | `"approle"` | Path to Vault AppRole. | +| config.configmap.cnVaultKvPath | string | `"secret"` | Path to Vault KV secrets engine. | +| config.configmap.cnVaultNamespace | string | `""` | Vault namespace used to access the secrets. | +| config.configmap.cnVaultPrefix | string | `"jans"` | Base prefix name used to access secrets. | +| config.configmap.cnVaultRoleId | string | `""` | Vault AppRole RoleID. | +| config.configmap.cnVaultRoleIdFile | string | `"/etc/certs/vault_role_id"` | Path to file contains Vault AppRole role ID. | +| config.configmap.cnVaultSecretId | string | `""` | Vault AppRole SecretID. | +| config.configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. | +| config.configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. | +| config.configmap.kcAdminPassword | string | `"Test1234#"` | Keycloak admin UI password | +| config.configmap.kcAdminUsername | string | `"admin"` | Keycloak admin UI username | +| config.configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | +| config.configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may be using "public" schema). | +| config.configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name. | +| config.configmap.kcDbUrlHost | string | `"mysql.kc.svc.cluster.local"` | Keycloak database host uri | +| config.configmap.kcDbUrlPort | int | `3306` | Keycloak database port (default to port 3306 for mysql). | +| config.configmap.kcDbUrlProperties | string | `"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"` | Keycloak database connection properties. If using postgresql, the value can be set to empty string. 
| +| config.configmap.kcDbUsername | string | `"keycloak"` | Keycloak database username | +| config.configmap.kcDbVendor | string | `"mysql"` | Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. | +| config.configmap.kcLogLevel | string | `"INFO"` | Keycloak logging level | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.configmap.quarkusTransactionEnableRecovery | bool | `true` | Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. | +| config.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"team@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. 
Supported data formats are ldif, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.salt | string | `""` | Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. 
variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| fido2.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. 
Please refrain from using other units. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"adminUiAdditionalAnnotations":{},"adminUiEnabled":false,"adminUiLabels":{}}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 
RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"authServerAdditionalAnnotations":{},"authServerEnabled":true,"authServerLabels":{},"authServerProtectedRegister":false,"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedToken":false,"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"authzenAdditionalAnnotations":{},"authzenConfigEnabled":true,"authzenConfigLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeEnabled":true,"deviceCodeLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingEnabled":true,"firebaseMessagingLabels":{},"lockAdditionalAnnotations":{},"lockConfigAdditionalAnnotations":{},"lockConfigEnabled":false,"lockConfigLabels":{},"lockEnabled":false,"lockLabels":{},"openidAdditionalAnnotations":{},"openidConfigEnabled":true,"openidConfigLabels":{},"u2fAdditionalAnnotations":{},"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerEnabled":true,"webfingerLabels":{}},"lockEnabled":false},"auth-server-key-rotation":{"customAnnotations":{"cronjob":{},"secret":{},"service":{}},"enabled":true,"initKeysLife":48},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"h
orizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"casaAdditionalAnnotations":{},"casaEnabled":false,"casaLabels":{}}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnConfiguratorConfigurationFile":"/etc/jans/conf/configuration.json","cnConfiguratorCustomSchema":{"secretName":""},"cnConfiguratorDumpFile":"/etc/jans/conf/configuration.out.json","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"customAnnotations":{"clusterRoleBinding":{},"configMap":{},"job":{},"role":{},"roleBinding":{},"secret":{},"service":{},"serviceAccount":{}},"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","configApiServerServiceName":"config-api","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{
"configApiAdditionalAnnotations":{},"configApiEnabled":true,"configApiLabels":{}},"plugins":"admin-ui,fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"fido2WebauthnAdditionalAnnotations":{},"fido2WebauthnEnabled":false,"fido2WebauthnLabels":{}}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kc-scheduler":{"enabled":false},"lbIp":"22.22.22.22","link":{"appLoggers":{"enableStdoutLogPrefix":"true","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"service":{},"virtualService":{}},"enabled":false,"ingress":{"linkAdditionalAnnotations":{},"linkEnabled":true,"linkLabels":{}},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"persistence":{"customAnnotations":{"job":{},"secret":{},"service":{}},"e
nabled":true},"saml":{"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":false,"ingress":{"samlAdditionalAnnotations":{},"samlEnabled":false,"samlLabels":{}},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","customAnnotations":{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"secret":{},"service":{},"virtualService":{}},"enabled":true,"ingress":{"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{}},"scimServiceName":"scim"},"serviceAccountName":"default","storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiAdditionalAnnotations | object | `{}` | Admin UI ingress resource additional annotations. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.admin-ui.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. 
| +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `true` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server-key-rotation.initKeysLife | int | `48` | The initial auth server key rotation keys life in hours | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.cnCustomJavaOptions | string | `""` | passing custom java options to auth-server. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. 
| +| global.auth-server.ingress | object | `{"authServerAdditionalAnnotations":{},"authServerEnabled":true,"authServerLabels":{},"authServerProtectedRegister":false,"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedToken":false,"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"authzenAdditionalAnnotations":{},"authzenConfigEnabled":true,"authzenConfigLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeEnabled":true,"deviceCodeLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingEnabled":true,"firebaseMessagingLabels":{},"lockAdditionalAnnotations":{},"lockConfigAdditionalAnnotations":{},"lockConfigEnabled":false,"lockConfigLabels":{},"lockEnabled":false,"lockLabels":{},"openidAdditionalAnnotations":{},"openidConfigEnabled":true,"openidConfigLabels":{},"u2fAdditionalAnnotations":{},"u2fConfigEnabled":true,"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigEnabled":true,"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryEnabled":true,"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerEnabled":true,"webfingerLabels":{}}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. 
| +| global.auth-server.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| global.auth-server.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| global.auth-server.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| global.auth-server.ingress.authzenAdditionalAnnotations | object | `{}` | authzen config ingress resource additional annotations. | +| global.auth-server.ingress.authzenConfigEnabled | bool | `true` | Enable endpoint /.well-known/authzen-configuration | +| global.auth-server.ingress.authzenConfigLabels | object | `{}` | authzen config ingress resource labels. key app is taken | +| global.auth-server.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| global.auth-server.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. 
key app is taken | +| global.auth-server.ingress.lockAdditionalAnnotations | object | `{}` | Lock ingress resource additional annotations. | +| global.auth-server.ingress.lockConfigAdditionalAnnotations | object | `{}` | Lock config ingress resource additional annotations. | +| global.auth-server.ingress.lockConfigEnabled | bool | `false` | Enable endpoint /.well-known/lock-server-configuration | +| global.auth-server.ingress.lockConfigLabels | object | `{}` | Lock config ingress resource labels. key app is taken | +| global.auth-server.ingress.lockEnabled | bool | `false` | Enable endpoint /jans-lock | +| global.auth-server.ingress.lockLabels | object | `{}` | Lock ingress resource labels. key app is taken | +| global.auth-server.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| global.auth-server.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| global.auth-server.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| global.auth-server.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. 
| +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| global.auth-server.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.auth-server.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| global.auth-server.lockEnabled | bool | `false` | Enable jans-lock as service running inside auth-server | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. 
| +| global.casa.cnCustomJavaOptions | string | `""` | passing custom java options to casa. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaAdditionalAnnotations":{},"casaEnabled":false,"casaLabels":{}}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.casa.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnConfiguratorConfigurationFile | string | `"/etc/jans/conf/configuration.json"` | Path to configuration schema file | +| global.cnConfiguratorCustomSchema | object | `{"secretName":""}` | Use custom configuration schema in existing secrets. Note, the secrets has to contain the key configuration.json or any basename as specified in cnConfiguratorConfigurationFile. | +| global.cnConfiguratorCustomSchema.secretName | string | `""` | The name of the secrets used for storing custom configuration schema. | +| global.cnConfiguratorDumpFile | string | `"/etc/jans/conf/configuration.out.json"` | Path to dumped configuration schema file | +| global.cnDocumentStoreType | string | `"DB"` | Document store type to use for shibboleth files DB. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets. Leave as this is a sensible default. 
| +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. 
| +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with hybrid|sql. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.cnSqlPasswordFile | string | `"/etc/jans/conf/sql_password"` | Path to SQL password file | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.cnCustomJavaOptions | string | `""` | passing custom java options to config-api. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiAdditionalAnnotations":{},"configApiEnabled":true,"configApiLabels":{}}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config-api.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| global.config-api.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| global.config-api.plugins | string | `"admin-ui,fido2,scim,user-mgt"` | Comma-separated values of enabled plugins (supported plugins are "admin-ui","fido2","scim","user-mgt","jans-link","kc-saml") | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. 
This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. vault|aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.cnCustomJavaOptions | string | `""` | passing custom java options to fido2. 
Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigEnabled":false,"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"fido2WebauthnAdditionalAnnotations":{},"fido2WebauthnEnabled":false,"fido2WebauthnLabels":{}}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2AdditionalAnnotations | object | `{}` | fido2 ingress resource additional annotations. | +| global.fido2.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fido2.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| global.fido2.ingress.fido2Enabled | bool | `false` | Enable endpoint /jans-fido2 | +| global.fido2.ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| global.fido2.ingress.fido2WebauthnAdditionalAnnotations | object | `{}` | fido2 webauthn ingress resource additional annotations. | +| global.fido2.ingress.fido2WebauthnEnabled | bool | `false` | Enable endpoint /.well-known/webauthn | +| global.fido2.ingress.fido2WebauthnLabels | object | `{}` | fido2 webauthn ingress resource labels. key app is taken | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. 
| +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.kc-scheduler.enabled | bool | `false` | Boolean flag to enable/disable the kc-scheduler cronjob chart. | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. 
| +| global.link.appLoggers | object | `{"enableStdoutLogPrefix":"true","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.link.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.link.appLoggers.linkLogLevel | string | `"INFO"` | cacherefresh.log level | +| global.link.appLoggers.linkLogTarget | string | `"STDOUT"` | cacherefresh.log target | +| global.link.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | cacherefresh_persistence_duration.log level | +| global.link.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | cacherefresh_persistence_duration.log target | +| global.link.appLoggers.persistenceLogLevel | string | `"INFO"` | cacherefresh_persistence.log level | +| global.link.appLoggers.persistenceLogTarget | string | `"FILE"` | cacherefresh_persistence.log target | +| global.link.appLoggers.scriptLogLevel | string | `"INFO"` | cacherefresh_script.log level | +| global.link.appLoggers.scriptLogTarget | string | `"FILE"` | cacherefresh_script.log target | +| global.link.cnCustomJavaOptions | string | `""` | passing custom java options to link. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. 
| +| global.link.customAnnotations | object | `{"deployment":{},"destinationRule":{},"horizontalPodAutoscaler":{},"pod":{},"podDisruptionBudget":{},"service":{},"virtualService":{}}` | Add custom annotations for kubernetes resources for the service | +| global.link.enabled | bool | `false` | Boolean flag to enable/disable the link chart. | +| global.link.ingress | object | `{"linkAdditionalAnnotations":{},"linkEnabled":true,"linkLabels":{}}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.link.ingress.linkAdditionalAnnotations | object | `{}` | link ingress resource additional annotations. | +| global.link.ingress.linkLabels | object | `{}` | link ingress resource labels. key app is taken | +| global.link.linkServiceName | string | `"link"` | Name of the link service. Please keep it as default. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.saml.cnCustomJavaOptions | string | `""` | passing custom java options to saml. DO NOT PASS JAVA_OPTIONS in envs. | +| global.saml.enabled | bool | `false` | Boolean flag to enable/disable the saml chart. | +| global.saml.ingress | object | `{"samlAdditionalAnnotations":{},"samlEnabled":false,"samlLabels":{}}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.saml.ingress.samlAdditionalAnnotations | object | `{}` | SAML ingress resource additional annotations. | +| global.saml.ingress.samlLabels | object | `{}` | SAML ingress resource labels. key app is taken | +| global.saml.samlServiceName | string | `"saml"` | Name of the saml service. Please keep it as default. 
| +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.cnCustomJavaOptions | string | `""` | passing custom java options to scim. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. 
| +| global.scim.ingress | object | `{"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigEnabled":false,"scimConfigLabels":{},"scimEnabled":false,"scimLabels":{}}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| global.scim.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.ingress.scimLabels | object | `{}` | SCIM ingress resource labels. key app is taken | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.serviceAccountName | string | `"default"` | service account used by Kubernetes resources | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. 
variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| kc-scheduler | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/kc-scheduler","tag":"1.3.0-1"},"interval":10,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for synchronizing Keycloak SAML clients | +| kc-scheduler.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| kc-scheduler.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| kc-scheduler.customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. | +| kc-scheduler.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh | +| kc-scheduler.dnsConfig | object | `{}` | Add custom dns config | +| kc-scheduler.dnsPolicy | string | `""` | Add custom dns policy | +| kc-scheduler.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| kc-scheduler.image.pullSecrets | list | `[]` | Image Pull Secrets | +| kc-scheduler.image.repository | string | `"ghcr.io/janssenproject/jans/kc-scheduler"` | Image to use for deploying. | +| kc-scheduler.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| kc-scheduler.interval | int | `10` | Interval of running the scheduler (in minutes) | +| kc-scheduler.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| kc-scheduler.resources.limits.cpu | string | `"300m"` | CPU limit. | +| kc-scheduler.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| kc-scheduler.resources.requests.cpu | string | `"300m"` | CPU request. | +| kc-scheduler.resources.requests.memory | string | `"300Mi"` | Memory request. 
| +| kc-scheduler.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| kc-scheduler.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| kc-scheduler.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| kc-scheduler.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| kc-scheduler.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| link | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/link","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1200Mi"},"requests":{"cpu":"500m","memory":"1200Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Link. | +| link.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| link.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| link.customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. 
| +| link.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| link.dnsConfig | object | `{}` | Add custom dns config | +| link.dnsPolicy | string | `""` | Add custom dns policy | +| link.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| link.hpa.behavior | object | `{}` | Scaling Policies | +| link.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| link.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| link.image.pullSecrets | list | `[]` | Image Pull Secrets | +| link.image.repository | string | `"ghcr.io/janssenproject/jans/link"` | Image to use for deploying. | +| link.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| link.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| link.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http liveness probe endpoint | +| link.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| link.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http readiness probe endpoint | +| link.replicas | int | `1` | Service replica number. | +| link.resources | object | `{"limits":{"cpu":"500m","memory":"1200Mi"},"requests":{"cpu":"500m","memory":"1200Mi"}}` | Resource specs. | +| link.resources.limits.cpu | string | `"500m"` | CPU limit. | +| link.resources.limits.memory | string | `"1200Mi"` | Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units. 
| +| link.resources.requests.cpu | string | `"500m"` | CPU request. | +| link.resources.requests.memory | string | `"1200Mi"` | Memory request. | +| link.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| link.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| link.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| link.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| link.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| link.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","path":"/","tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| 
nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.3.0-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. | +| persistence.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. 
| +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| saml | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/saml","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1200Mi"},"requests":{"cpu":"500m","memory":"1200Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | 
SAML. | +| saml.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| saml.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| saml.customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| saml.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| saml.dnsConfig | object | `{}` | Add custom dns config | +| saml.dnsPolicy | string | `""` | Add custom dns policy | +| saml.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| saml.hpa.behavior | object | `{}` | Scaling Policies | +| saml.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| saml.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| saml.image.pullSecrets | list | `[]` | Image Pull Secrets | +| saml.image.repository | string | `"ghcr.io/janssenproject/jans/saml"` | Image to use for deploying. | +| saml.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| saml.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. 
| +| saml.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http liveness probe endpoint | +| saml.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| saml.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http readiness probe endpoint | +| saml.replicas | int | `1` | Service replica number. | +| saml.resources | object | `{"limits":{"cpu":"500m","memory":"1200Mi"},"requests":{"cpu":"500m","memory":"1200Mi"}}` | Resource specs. | +| saml.resources.limits.cpu | string | `"500m"` | CPU limit. | +| saml.resources.limits.memory | string | `"1200Mi"` | Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units. | +| saml.resources.requests.cpu | string | `"500m"` | CPU request. | +| saml.resources.requests.memory | string | `"1200Mi"` | Memory request. | +| saml.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. 
Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| saml.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| saml.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| saml.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| saml.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| saml.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1200Mi"},"requests":{"cpu":"1000m","memory":"1200Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the 
format of {mylabel: "myapp"} | +| scim.customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| scim.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. 
| +| scim.resources.limits.memory | string | `"1200Mi"` | Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1200Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | diff --git a/charts/gluu/gluu/5.3.0/app-readme.md b/charts/gluu/gluu/5.3.0/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.3.0/app-readme.md 
@@ -0,0 +1,38 @@
+## Tutorial
+
+For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/).
+
+## Introduction
+The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions.
+
+Common use cases include:
+
+- Single sign-on (SSO)
+- Mobile authentication
+- API access management
+- Two-factor authentication (2FA)
+- Customer identity and access management (CIAM)
+- Identity federation
+
+### Free Open Source Software
+The Gluu Server is a FOSS platform for IAM.
+
+### Open Web Standards
+The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management:
+
+- OAuth 2.0
+- OpenID Connect
+- User Managed Access 2.0 (UMA)
+- System for Cross-domain Identity Management (SCIM)
+- FIDO Universal 2nd Factor (U2F)
+- FIDO 2.0 / WebAuthn
+- Lightweight Directory Access Protocol (LDAP)
+- Remote Authentication Dial-In User Service (RADIUS)
+
+### Important notes for installation:
+- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image.
+
+### Quick install on Rancher UI with Docker single node
+- Install the nginx-ingress-controller chart.
+- Install the OpenEBS chart.
+- Install Gluu chart and specify your persistence as ldap.
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.3.0/charts/admin-ui/.helmignore
new file mode 100644
index 0000000000..f0c1319444
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/admin-ui/Chart.yaml
new file mode 100644
index 0000000000..d408620d1b
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: 5.3.0
+description: Admin GUI. Requires license.
+home: https://docs.gluu.org
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- Authorization
+- OpenID
+- GUI
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: team@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: admin-ui
+sources:
+- https://github.com/GluuFederation/docker-gluu-admin-ui
+- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/admin-ui
+type: application
+version: 5.3.0
diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/README.md b/charts/gluu/gluu/5.3.0/charts/admin-ui/README.md
new file mode 100644
index 0000000000..6a087b933b
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/README.md
@@ -0,0 +1,58 @@ +# admin-ui + +![Version: 5.3.0](https://img.shields.io/badge/Version-5.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.3.0](https://img.shields.io/badge/AppVersion-5.3.0-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"5.3.0-1"` | Image tag to use for deploying. 
| +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | 
diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/_helpers.tpl
new file mode 100644
index 0000000000..3fa0c5985e
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/_helpers.tpl
@@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ca2a6e5fcb --- /dev/null 
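Review bot: In `admin-ui.topology-spread-constraints`, `matchLabelKeys: {{ $val.matchLabelKeys }}` prints a list value in Go's default format (`[a b]`), which YAML reads as a one-element flow sequence containing the string `a b` rather than two keys. Rendering it as `matchLabelKeys: {{ $val.matchLabelKeys | toJson }}` keeps each key a separate, quoted element. The same helper also emits `topologyKey` and `whenUnsatisfiable` unquoted; piping them through `quote` would protect against values that YAML would retype.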
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-destination-rules.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.global.istio.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-admin-ui-mtls
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: admin-ui
+{{ include "admin-ui.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "destinationRule") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "admin-ui" "customAnnotations" "destinationRule" }}
+{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "destinationRule") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-pdb.yaml
new file mode 100644
index 0000000000..3cf941b56f
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-pdb.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.pdb.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "admin-ui.fullname" . }}
+ labels:
+ APP_NAME: admin-ui
+{{ include "admin-ui.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "podDisruptionBudget") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "admin-ui" "customAnnotations" "podDisruptionBudget" }}
+{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "podDisruptionBudget") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-{{ include "admin-ui.name" . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-virtual-services.yaml
new file mode 100644
index 0000000000..caa29f02dc
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/admin-ui-virtual-services.yaml
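Review bot: The guard `{{ if .Values.pdb.enabled -}}` and `maxUnavailable: {{ .Values.pdb.maxUnavailable }}` read a `pdb` map that the admin-ui values.yaml added in this same commit does not define, so rendering presumably depends on the parent chart supplying `admin-ui.pdb`. If it is ever absent, the template fails on a nil map instead of skipping the resource. Adding a documented `pdb:` block (with `enabled` and `maxUnavailable`) to the subchart's values.yaml would make the subchart self-contained. This PodDisruptionBudget also sets no `namespace`, unlike the Deployment and Service in the same chart, which set `namespace: {{ .Release.Namespace }}`.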
@@ -0,0 +1,42 @@
+{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-admin-ui
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: admin-ui
+{{ include "admin-ui.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "virtualService") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "admin-ui" "customAnnotations" "virtualService" }}
+{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "virtualService") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ hosts:
+ - {{ .Values.global.fqdn }}
+{{- if .Values.global.istio.gateways }}
+ gateways:
+{{ toYaml .Values.global.istio.gateways | indent 2 }}
+{{- else }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+{{- end }}
+ http:
+ - name: "{{ .Release.Name }}-istio-cn"
+ match:
+ - uri:
+ prefix: "/admin"
+ route:
+ - destination:
+ host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
+ port:
+ number: 8080
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/deployment.yml
new file mode 100644
index 0000000000..d848ebba40
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/deployment.yml
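Review bot: The route destination hard-codes `number: 8080`, while service.yml in this chart publishes the port from `.Values.service.port`, so overriding that value would leave the VirtualService pointing at a port the Service no longer exposes. Using `number: {{ .Values.service.port }}` keeps the two in step. Separately, this route publishes the admin UI under the `/admin` prefix on `global.fqdn` through the shared gateway; no Istio AuthorizationPolicy or source restriction for that path is visible in this chart section, so it is worth confirming where access to the admin console is limited.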
@@ -0,0 +1,135 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "deployment") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "admin-ui" "customAnnotations" "deployment" }} +{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "deployment") | indent 4 }} +{{- end }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if or (.Values.global.istio.ingress) (index .Values.global "admin-ui" "customAnnotations" "pod") }} + annotations: + {{- if .Values.global.istio.ingress }} + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + {{- if index .Values.global "admin-ui" "customAnnotations" "pod" }} + {{ toYaml (index .Values.global "admin-ui" "customAnnotations" "pod") | indent 4 }} + {{- end }} + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: {{ include "admin-ui.name" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) (.Values.customCommand) }} + command: + {{- if .Values.customCommand }} + {{- toYaml .Values.customCommand | nindent 12 }} + {{- else }} + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + {{- end}} + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . 
| nindent 10 }} + {{- end }} + - mountPath: {{ .Values.global.cnConfiguratorConfigurationFile }} + name: {{ .Release.Name }}-configuration-file + subPath: {{ .Values.global.cnConfiguratorConfigurationFile | base }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + - name: {{ .Release.Name }}-configuration-file + secret: + secretName: {{ .Release.Name }}-configuration-file diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..ddab887099 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/hpa.yaml 
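Review bot: The container `securityContext` sets only `runAsUser: 1000` and `runAsNonRoot: true`, so privilege escalation, Linux capabilities and the seccomp profile are left at runtime defaults for a pod that serves the admin console. Adding `allowPrivilegeEscalation: false`, dropping all capabilities and selecting the `RuntimeDefault` seccomp profile would match the restricted Pod Security Standard; this should be tested against the optional `/scripts/updatelbip.py` command path, whose needs are not visible here. The CronJob in charts/auth-server-key-rotation/templates/cronjobs.yaml has the same gap more severely: its container declares no `securityContext` at all.

```yaml
          securityContext:
            runAsUser: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: command, ports, envFrom, lifecycle, volumeMounts, probes, resources …
```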
@@ -0,0 +1,42 @@
+{{ if .Values.hpa.enabled -}}
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "admin-ui.fullname" . }}
+ labels:
+ APP_NAME: admin-ui
+{{ include "admin-ui.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "horizontalPodAutoscaler") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "admin-ui" "customAnnotations" "horizontalPodAutoscaler" }}
+{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "horizontalPodAutoscaler") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "admin-ui.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/service.yml
new file mode 100644
index 0000000000..303eeff701
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/service.yml
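Review bot: The `metrics:` and `behavior:` branches render fields that `autoscaling/v1` does not define; that API version's spec only carries `scaleTargetRef`, `minReplicas`, `maxReplicas` and `targetCPUUtilizationPercentage`. A user who follows the values.yaml hint ("metrics if targetCPUUtilizationPercentage is not set") or sets `hpa.behavior` therefore gets a manifest that is rejected or silently loses those settings. Moving to `autoscaling/v2` and expressing the CPU target as a `Resource` metric fixes this, with the caveat that v2 is not served on the oldest clusters the chart's `kubeVersion: '>=v1.21.0-0'` allows.

```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
  {{- if .Values.hpa.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  {{- else }}
{{- toYaml .Values.hpa.metrics | nindent 4 }}
  {{- end }}
# … unchanged: behavior block …
```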
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: admin-ui
+{{ include "admin-ui.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "service") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "admin-ui" "customAnnotations" "service" }}
+{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "service") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ {{- if .Values.global.alb.ingress }}
+ type: NodePort
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/user-custom-secret-envs.yaml
new file mode 100644
index 0000000000..294eb3b4de
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.usrEnvs.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: admin-ui
+{{ include "admin-ui.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "admin-ui" "customAnnotations" "secret") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "admin-ui" "customAnnotations" "secret" }}
+{{ toYaml (index .Values.global "admin-ui" "customAnnotations" "secret") | indent 4 }}
+{{- end }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.3.0/charts/admin-ui/values.yaml
new file mode 100644
index 0000000000..6e4fef7cf3
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/admin-ui/values.yaml
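Review bot: In the `data:` loop, `{{ $key }}: {{ $val | b64enc }}` only works when every entry of `usrEnvs.secret` is a string; a numeric or boolean value (for example an unquoted port or `true`) makes `b64enc` fail at render time. Writing `{{ $key }}: {{ $val | toString | b64enc | quote }}` accepts any scalar and keeps the encoded value from being retyped by YAML. Note also that anything passed through `usrEnvs.secret` is stored in plain form in the Helm release record as well as in this Secret, so operators with stricter requirements should reference a pre-created Secret instead. The Secret sets no `namespace`, unlike the Deployment that consumes it.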
@@ -0,0 +1,94 @@
+# -- Admin GUI. Requires license.
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: gluufederation/admin-ui
+ # -- Image tag to use for deploying.
+ tag: 5.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 2500m
+ # -- Memory limit.
+ memory: 2500Mi
+ requests:
+ # -- CPU request.
+ cpu: 2500m
+ # -- Memory request.
+ memory: 2500Mi
+service:
+ # -- The name of the admin ui port within the admin service. Please keep it as default.
+ name: http-admin-ui
+ # -- Port of the admin ui service. Please keep it as default.
+ port: 8080
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+# -- Configure the liveness healthcheck for the admin ui if needed.
+livenessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ periodSeconds: 25
+ failureThreshold: 20
+# -- Configure the readiness healthcheck for the admin ui if needed.
+readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ periodSeconds: 25
+ failureThreshold: 20
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+# Actions on lifecycle events such as postStart and preStop
+# Example
+# lifecycle:
+# postStart:
+# exec:
+# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+lifecycle: {}
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
+# -- Add custom scripts that have been mounted to run before the entrypoint.
+# - /tmp/custom.sh
+# - /tmp/custom2.sh
+customScripts: [ ]
+# -- Add custom pod's command. If passed, it will override the default conditional command.
+customCommand: []
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/.helmignore
new file mode 100644
index 0000000000..f0c1319444
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/Chart.yaml
new file mode 100644
index 0000000000..7723b3cffb
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/Chart.yaml
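Review bot: The admin-ui image can only be selected by a mutable tag (`tag: 5.3.0-1` with `pullPolicy: IfNotPresent`), and deployment.yml renders `{{ .Values.image.repository }}:{{ .Values.image.tag }}` with no digest form, so a re-pushed tag would be pulled on new nodes without any change to the chart. Consider an optional value documented as `# -- Optional image digest (sha256:<digest>); when set it takes precedence over tag` and rendering `repository@digest` when it is present. As a documentation point in the same file, `volumes` has no `# --` description and the `lifecycle` example uses a `jans-auth` path that looks copied from the auth-server chart.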
@@ -0,0 +1,18 @@
+apiVersion: v2
+appVersion: 1.3.0
+description: Responsible for regenerating auth-keys per x hours
+home: https://docs.gluu.org
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- Auth keys Rotation
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: team@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: auth-server-key-rotation
+sources:
+- https://github.com/JanssenProject/docker-jans-certmanager
+- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server-key-rotation
+type: application
+version: 1.3.0
diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/README.md
new file mode 100644
index 0000000000..5acbabc8ba
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/README.md
@@ -0,0 +1,51 @@ +# auth-server-key-rotation + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. 
| +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server | +| keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) | +| keysStrategy | string | `"NEWER"` | Set key selection strategy used by Auth server | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..ad66e8a3c8 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/cronjobs.yaml 
@@ -0,0 +1,97 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server-key-rotation" "customAnnotations" "cronjob") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server-key-rotation" "customAnnotations" "cronjob" }} +{{ toYaml (index .Values.global "auth-server-key-rotation" "customAnnotations" "cronjob") | indent 4 }} +{{- end }} +{{- end }} +spec: + schedule: "@every {{ .Values.keysLife }}h" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + {{- if or (.Values.customScripts) (.Values.customCommand) }} + command: + {{- if .Values.customCommand }} + {{- toYaml .Values.customCommand | nindent 18 }} + {{- else }} + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 20}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} + {{- end}} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . 
| indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}", "--opts", "key-strategy:{{ .Values.keysStrategy }}", "--opts", "privkey-push-delay:{{ .Values.keysPushDelay }}", "--opts", "privkey-push-strategy:{{ .Values.keysPushStrategy }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..f632dec806 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/service.yaml 
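Review bot: The `auth-server-key-rotation` container in cronjobs.yaml is declared without a `securityContext`, whereas the auth-server Deployment later in this patch sets `runAsUser: 1000` and `runAsNonRoot: true`. That leaves the job that regenerates the auth server's keys as the workload running on image defaults. I would mirror the Deployment under the container with `securityContext:`, `runAsUser: 1000` and `runAsNonRoot: true`, after confirming the certmanager image runs under that uid. Separately, `toYaml . | replace "- " ""` on `customScripts` removes every `- ` in the rendered list rather than only the leading list markers, so a script path containing that sequence would be altered.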
@@ -0,0 +1,30 @@
+{{- if .Values.global.istio.enabled }}
+# License terms and conditions:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "auth-server-key-rotation.fullname" . }}
+ labels:
+{{ include "auth-server-key-rotation.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server-key-rotation" "customAnnotations" "service") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "auth-server-key-rotation" "customAnnotations" "service" }}
+{{ toYaml (index .Values.global "auth-server-key-rotation" "customAnnotations" "service") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ selector:
+ app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }}
+ type: ClusterIP
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml
new file mode 100644
index 0000000000..1848dafc44
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml
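Review bot: The `selector` in the key-rotation service.yaml (`app: {{ .Release.Name }}-…name`) does not match any pod this subchart creates, as far as the visible templates show. The CronJob's pod template in cronjobs.yaml sets only the `sidecar.istio.io/inject: "false"` annotation and no labels, so the Service would come up with no endpoints. Either add the `app` label under `jobTemplate.spec.template.metadata.labels` or drop the Service. The manifest also omits `namespace: {{ .Release.Namespace }}`, which the CronJob sets, and nothing visible shows the job listening on `targetPort: 8080`.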
@@ -0,0 +1,25 @@
+{{ if .Values.usrEnvs.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+{{ include "auth-server-key-rotation.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server-key-rotation" "customAnnotations" "secret") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "auth-server-key-rotation" "customAnnotations" "secret" }}
+{{ toYaml (index .Values.global "auth-server-key-rotation" "customAnnotations" "secret") | indent 4 }}
+{{- end }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/values.yaml
new file mode 100644
index 0000000000..d8f13105e9
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/auth-server-key-rotation/values.yaml
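Review bot: `{{ $val | b64enc }}` in the `data:` loop of user-custom-secret-envs.yaml stops rendering when a value under `usrEnvs.secret` is not a string, because `b64enc` expects a string and a bare number or boolean in values arrives as a different type. Converting first and quoting the result keeps the manifest valid for any scalar: `{{ $key }}: {{ $val | toString | b64enc | quote }}`. The comment on `usrEnvs.secret` in values.yaml should also say that anything placed there is kept in the stored release values as well as in this Secret. That way operators know a `secretKeyRef` to an externally managed Secret is the safer route for real credentials.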
@@ -0,0 +1,64 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.3.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Set key selection strategy used by Auth server +keysStrategy: NEWER +# -- Delay (in seconds) before pushing private keys to Auth server +keysPushDelay: 0 +# -- Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) +keysPushStrategy: NEWER +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. 
+customScripts: [] +# -- Add custom job's command. If passed, it will override the default conditional command. +customCommand: [] \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/.helmignore b/charts/gluu/gluu/5.3.0/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..9fccce758d --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 1.3.0 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server +type: application +version: 1.3.0 
diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/README.md b/charts/gluu/gluu/5.3.0/charts/auth-server/README.md
new file mode 100644
index 0000000000..c46f9efa79
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/auth-server/README.md
@@ -0,0 +1,60 @@ +# auth-server + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..5e2ef08c41 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/_helpers.tpl 
@@ -0,0 +1,112 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "auth-server.customJavaOptions"}} +{{ $custom := "" }} +{{- $cnCustomJavaOptions := index .Values.global "auth-server" "cnCustomJavaOptions" }} +{{- $custom := printf "%s" $cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" ( mul (mulf $memory 0.41) 1 ) -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory (mulf $memory 0.49)) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if 
$val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..6f854ba895 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server" "customAnnotations" "destinationRule") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "customAnnotations" "destinationRule" }} +{{ toYaml (index .Values.global "auth-server" "customAnnotations" "destinationRule") | indent 4 }} +{{- end }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file 
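Review bot: In `auth-server.customJavaOptions` (auth-server/templates/_helpers.tpl), `.Values.resources.limits.memory | replace "Mi" "" | int` only understands the `Mi` suffix. A limit written as `2Gi` or `2500M` is not numeric after the replace, and as far as I know Sprig's `int` then yields 0, so the helper would emit `-Xmx0m` and `-XX:MaxDirectMemorySize=0m` with no template error. Failing the render is safer than guessing: `{{- if not (hasSuffix "Mi" (toString .Values.resources.limits.memory)) }}{{ fail "resources.limits.memory must be expressed in Mi" }}{{- end }}`. The same define passes a possibly unset `cnCustomJavaOptions` straight to `printf "%s"`, so `default ""` on it would keep a nil formatting artifact out of the JVM options.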
diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-pdb.yaml
new file mode 100644
index 0000000000..fddf0fb1c8
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-pdb.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.pdb.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "auth-server.fullname" . }}
+ labels:
+ APP_NAME: auth-server
+{{ include "auth-server.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server" "customAnnotations" "podDisruptionBudget") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "auth-server" "customAnnotations" "podDisruptionBudget" }}
+{{ toYaml (index .Values.global "auth-server" "customAnnotations" "podDisruptionBudget") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-{{ include "auth-server.name" . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-protected-virtual-services.yaml
new file mode 100644
index 0000000000..b2e6271b0e
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-protected-virtual-services.yaml
@@ -0,0 +1,58 @@
+{{- if .Values.global.istio.ingress }}
+# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-auth-server-protected-endpoints
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: auth-server
+{{ include "auth-server.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server" "customAnnotations" "virtualService") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "auth-server" "customAnnotations" "virtualService" }}
+{{ toYaml (index .Values.global "auth-server" "customAnnotations" "virtualService") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ hosts:
+ - {{ .Values.global.fqdn }}
+{{- if .Values.global.istio.gateways }}
+ gateways:
+{{ toYaml .Values.global.istio.gateways | indent 2 }}
+{{- else }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+{{- end }}
+ http:
+ {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}}
+ - name: "{{ .Release.Name }}-istio-auth-server-protected-token"
+ match:
+ - uri:
+ prefix: "/jans-auth/restv1/token"
+ route:
+ - destination:
+ host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+ {{- end }}
+ {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}}
+ - name: "{{ .Release.Name }}-istio-auth-server-protected-register"
+ match:
+ - uri:
+ prefix: "/jans-auth/restv1/register"
+ route:
+ - destination:
+ host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-virtual-services.yaml
new file mode 100644
index 0000000000..0a225feefc
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/auth-server-virtual-services.yaml
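Review bot: Nothing in auth-server-protected-virtual-services.yaml protects the two routes it calls protected. `/jans-auth/restv1/token` and `/jans-auth/restv1/register` are forwarded to the auth-server service on port 8080 like any ordinary route, and the file's own header comment says client-side authentication is still a placeholder. An operator who sets `authServerProtectedToken` or `authServerProtectedRegister` may reasonably assume a client-certificate check is being enforced. Until that exists I would say so next to each flag, for example `# NOTE: no client authentication is enforced here; this route only forwards to auth-server`, and repeat it in the values description. The `/jans-auth` prefix route in auth-server-virtual-services.yaml also appears to cover both paths when `authServerEnabled` is set, so these entries add no restriction of their own.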
@@ -0,0 +1,184 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server" "customAnnotations" "virtualService") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "customAnnotations" "virtualService" }} +{{ toYaml (index .Values.global "auth-server" "customAnnotations" "virtualService") | indent 4 }} +{{- end }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" 
"auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" 
}}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "lockConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-lock-config" + match: + - uri: + prefix: "/.well-known/lock-server-configuration" + rewrite: + uri: "/jans-auth/v1/configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "lockEnabled" -}} + - name: "{{ .Release.Name }}-istio-lock" + match: + - uri: + prefix: "/jans-lock" + rewrite: + uri: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authzenConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-authzen-config" + match: + - uri: + prefix: "/.well-known/authzen-configuration" + rewrite: + uri: "/jans-auth/restv1/authzen-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file 
diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/deployment.yml
new file mode 100644
index 0000000000..75c34a47f7
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/deployment.yml
@@ -0,0 +1,230 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server" "customAnnotations" "deployment") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "customAnnotations" "deployment" }} +{{ toYaml (index .Values.global "auth-server" "customAnnotations" "deployment") | indent 4 }} +{{- end }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if or (.Values.global.istio.ingress) (index .Values.global "auth-server" "customAnnotations" "pod") }} + annotations: + {{- if .Values.global.istio.ingress }} + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + {{- if index .Values.global "auth-server" "customAnnotations" "pod" }} + {{ toYaml (index .Values.global "auth-server" "customAnnotations" "pod") | indent 4 }} + {{- end }} + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: {{ include "auth-server.name" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + - name: CN_AUTH_JAVA_OPTIONS + value: {{ include "auth-server.customJavaOptions" . | trim }} + {{- include "auth-server.usr-envs" . | indent 10 }} + {{- include "auth-server.usr-secret-envs" . | indent 10 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) (.Values.customCommand) }} + command: + {{- if .Values.customCommand }} + {{- toYaml .Values.customCommand | nindent 12 }} + {{- else }} + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . 
| nindent 10 }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }} +{{- toYaml . 
| nindent 10 }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore 
}} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..0f518036c5 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/hpa.yaml 
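Review bot: The container `securityContext` in auth-server/templates/deployment.yml sets only `runAsUser: 1000` and `runAsNonRoot: true`, and unlike the casa deployment in this patch it is hard-coded rather than read from values, so an operator cannot tighten it without patching the template. For the Internet-facing token service I would add `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}` next to the two existing keys, assuming the image needs no extra capabilities to listen on 8080. Separately, the `customScripts` branch renders with `toYaml . | replace "- " ""`, which also strips any `- ` sequence inside a script path or argument before the text is handed to `/bin/sh -c`; a `range` over the list would avoid that.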
@@ -0,0 +1,42 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server" "customAnnotations" "horizontalPodAutoscaler") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "customAnnotations" "horizontalPodAutoscaler" }} +{{ toYaml (index .Values.global "auth-server" "customAnnotations" "horizontalPodAutoscaler") | indent 4 }} +{{- end }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..c2cd7c48a0 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/service.yml 
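Review bot: In auth-server/templates/hpa.yaml the object is declared as `apiVersion: autoscaling/v1`, but the `metrics:` and `behavior:` branches emit fields that exist only in `autoscaling/v2`; the v1 spec accepts just `scaleTargetRef`, `minReplicas`, `maxReplicas` and `targetCPUUtilizationPercentage`. With the shipped defaults the CPU branch is taken and the manifest is valid, but an operator who clears `targetCPUUtilizationPercentage` to use `hpa.metrics`, or who sets `hpa.behavior`, gets an object the API server rejects or prunes, leaving the auth server without the scaling policy they configured. Moving to `apiVersion: autoscaling/v2` and expressing the CPU target as a `metrics` entry of `type: Resource` would make all three branches valid. The metadata also omits `namespace: {{ .Release.Namespace }}`, which the Deployment and Service in this patch do set.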
@@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server" "customAnnotations" "service") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "customAnnotations" "service" }} +{{ toYaml (index .Values.global "auth-server" "customAnnotations" "service") | indent 4 }} +{{- end }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..47e456c964 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server/templates/user-custom-secret-envs.yaml 
@@ -0,0 +1,26 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "auth-server" "customAnnotations" "secret") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "customAnnotations" "secret" }} +{{ toYaml (index .Values.global "auth-server" "customAnnotations" "secret") | indent 4 }} +{{- end }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/auth-server/values.yaml b/charts/gluu/gluu/5.3.0/charts/auth-server/values.yaml new file mode 100644 index 0000000000..427cc71e9e --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/auth-server/values.yaml 
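Review bot: In auth-server/templates/user-custom-secret-envs.yaml the line `{{ $key }}: {{ $val | b64enc }}` fails to render when a value is not a string, because `b64enc` accepts only strings and YAML types an unquoted `8080` or `true` under `usrEnvs.secret` as an int or bool. `{{ $key | quote }}: {{ $val | toString | b64enc | quote }}` keeps the rendering deterministic for any scalar. It is also worth documenting beside `usrEnvs.secret` that anything passed this way is kept in the Helm release record and in whatever values file supplied it, so real credentials are better held in a Secret created outside the chart.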
@@ -0,0 +1,98 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.3.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. 
+livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [] +# -- Add custom pod's command. If passed, it will override the default conditional command. +customCommand: [] \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/casa/.helmignore b/charts/gluu/gluu/5.3.0/charts/casa/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/casa/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
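Review bot: `tag: 1.3.0-1` under `image` in auth-server/values.yaml pins a mutable tag, and with `pullPolicy: IfNotPresent` a node keeps whatever content it first pulled under that name, so replicas can run different builds and a re-pushed tag goes unnoticed. The deployment template in this patch renders `repository:tag` only; an optional digest value rendered as `repository@sha256:<digest>` (placeholder) would let operators pin the image content for this component. Smaller documentation points: `volumes: []` has no `# --` description while `volumeMounts` does, and the `service.name` and `service.port` comments still say "oxauth".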
diff --git a/charts/gluu/gluu/5.3.0/charts/casa/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/casa/Chart.yaml new file mode 100644 index 0000000000..60e3bc6483 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/casa/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 1.3.0 +description: Jans Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Jans Server. +home: https://gluu.org/docs/casa/ +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/casa/ +- https://github.com/JanssenProject/jans/docker-jans-casa +type: application +version: 1.3.0 diff --git a/charts/gluu/gluu/5.3.0/charts/casa/README.md b/charts/gluu/gluu/5.3.0/charts/casa/README.md new file mode 100644 index 0000000000..a3b98184b5 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/casa/README.md 
@@ -0,0 +1,64 @@ +# casa + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/casa"` | Image to use for deploying. | +| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | diff --git a/charts/gluu/gluu/5.3.0/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..62ff8b809c --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/casa/templates/_helpers.tpl 
@@ -0,0 +1,122 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) 
.Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "casa.customJavaOptions"}} +{{ $custom := "" }} +{{ $custom = printf "%s" .Values.global.casa.cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" ( mul (mulf $memory 0.41) 1 ) -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory (mulf $memory 0.49)) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; 
alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.3.0/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..2af899c7f7 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.casa.customAnnotations.destinationRule) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.casa.customAnnotations.destinationRule }} +{{ toYaml .Values.global.casa.customAnnotations.destinationRule | indent 4 }} +{{- end }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.3.0/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..f0c65ee819 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/casa/templates/casa-pdb.yaml 
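Review bot: In casa/templates/_helpers.tpl, `casa.customJavaOptions` derives the JVM sizes with `.Values.resources.limits.memory | replace "Mi" "" | int`, which only works for limits written in `Mi`; a limit such as `1Gi` or `2G` is not numeric after the replace, so `int` should yield 0 and the helper would emit `-Xmx0m` and `-XX:MaxDirectMemorySize=0m`. Failing the render is safer than shipping those flags, e.g. `{{- if not (hasSuffix "Mi" (toString .Values.resources.limits.memory)) }}{{ fail "resources.limits.memory must be expressed in Mi" }}{{- end }}` at the top of the define. In `casa.topology-spread-constraints`, `matchLabelKeys: {{ $val.matchLabelKeys }}` prints a list in Go's `[a b]` form rather than as a YAML list; `{{ $val.matchLabelKeys | toJson }}` would render it correctly.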
@@ -0,0 +1,26 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.casa.customAnnotations.podDisruptionBudget) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.casa.customAnnotations.podDisruptionBudget }} +{{ toYaml .Values.global.casa.customAnnotations.podDisruptionBudget | indent 4 }} +{{- end }} +{{- end }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.3.0/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..587d54986b --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/casa/templates/casa-virtual-services.yaml 
@@ -0,0 +1,43 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.casa.customAnnotations.virtualService) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.casa.customAnnotations.virtualService }} +{{ toYaml .Values.global.casa.customAnnotations.virtualService | indent 4 }} +{{- end }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /jans-casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.3.0/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..c890312be9 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/casa/templates/deployment.yaml 
@@ -0,0 +1,147 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.casa.customAnnotations.deployment) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.casa.customAnnotations.deployment }} +{{ toYaml .Values.global.casa.customAnnotations.deployment | indent 4 }} +{{- end }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if or (.Values.global.istio.ingress) (.Values.global.casa.customAnnotations.pod) }} + annotations: + {{- if .Values.global.istio.ingress }} + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + {{- if .Values.global.casa.customAnnotations.pod }} + {{ toYaml .Values.global.casa.customAnnotations.pod | indent 8 }} + {{- end }} + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: {{ include "casa.name" . 
}} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: CN_CASA_JAVA_OPTIONS + value: {{ include "casa.customJavaOptions" . | trim }} + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) (.Values.customCommand)}} + command: + {{- if .Values.customCommand }} + {{- toYaml .Values.customCommand | nindent 14 }} + {{- else }} + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + {{- end}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }} +{{- toYaml . 
| nindent 12 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.3.0/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..2eb7e05fd2 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/casa/templates/hpa.yaml 
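Review bot: The default `command:` block in casa/templates/deployment.yaml builds shell text with `toYaml . | replace "- " "" | nindent 16`, which removes the list markers by string substitution rather than by iterating the list. That also deletes any `- ` occurring inside an entry and keeps whatever quoting `toYaml` adds around entries containing special characters, so the line handed to `/bin/sh -c` can differ from what the operator wrote in `customScripts`. Iterating is safer and easier to audit: `{{- range .Values.customScripts }}` / `{{ . | nindent 16 }}` / `{{- end }}`. Since these lines run before the entrypoint with the container's full environment, a short comment stating that `customScripts` must only reference trusted, mounted scripts would help too.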
@@ -0,0 +1,42 @@
+{{ if .Values.hpa.enabled -}}
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "casa.fullname" . }}
+ labels:
+ APP_NAME: casa
+{{ include "casa.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.casa.customAnnotations.horizontalPodAutoscaler) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.casa.customAnnotations.horizontalPodAutoscaler }}
+{{ toYaml .Values.global.casa.customAnnotations.horizontalPodAutoscaler | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "casa.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.3.0/charts/casa/templates/service.yaml
new file mode 100644
index 0000000000..55c4af94e7
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/casa/templates/service.yaml
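Review bot: The `metrics:` and `behavior:` branches in casa/templates/hpa.yaml are rendered under `apiVersion: autoscaling/v1`, and that API version has neither field — only `targetCPUUtilizationPercentage`. An operator who sets `hpa.metrics` or `hpa.behavior` gets a manifest that is either rejected or silently loses those fields, leaving autoscaling unbounded by the intended policy. Moving to `autoscaling/v2` and expressing the CPU target as a Resource metric makes all three values effective; note that v2 needs Kubernetes 1.23 or later, so the chart's `kubeVersion` constraint should be checked against that.

```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  metrics:
  {{- if .Values.hpa.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  {{- else }}
  {{- toYaml .Values.hpa.metrics | nindent 4 }}
  {{- end }}
# … unchanged: behavior block …
```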
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.global.casa.casaServiceName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: casa
+{{ include "casa.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.casa.customAnnotations.service) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.casa.customAnnotations.service }}
+{{ toYaml .Values.global.casa.customAnnotations.service | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ {{- if .Values.global.alb.ingress }}
+ type: NodePort
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Release.Name }}-{{ include "casa.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.3.0/charts/casa/templates/user-custom-secret-envs.yaml
new file mode 100644
index 0000000000..29ace0189f
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/casa/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.usrEnvs.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: casa
+{{ include "casa.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.casa.customAnnotations.secret) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.casa.customAnnotations.secret }}
+{{ toYaml .Values.global.casa.customAnnotations.secret | indent 4 }}
+{{- end }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/casa/values.yaml b/charts/gluu/gluu/5.3.0/charts/casa/values.yaml
new file mode 100644
index 0000000000..6e5685d30a
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/casa/values.yaml
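Review bot: In the `data:` loop of casa/templates/user-custom-secret-envs.yaml, `{{ $key }}: {{ $val | b64enc }}` only works when every value is a string; a numeric or boolean entry under `usrEnvs.secret` (for example an unquoted port or `true`) will fail to render because `b64enc` expects a string. Rendering `{{ $key | quote }}: {{ $val | toString | b64enc | quote }}` handles those values and protects keys that YAML would otherwise retype. It is also worth a template comment that anything placed under `usrEnvs.secret` is kept in clear text in the values file and in the Helm release record, so access to either has to be treated as access to the credential itself.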
@@ -0,0 +1,109 @@ +# -- Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/casa + # -- Image tag to use for deploying. + tag: 1.3.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. 
+livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] +# -- Add custom pod's command. If passed, it will override the default conditional command. +customCommand: [] \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/.helmignore 
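Review bot: `podSecurityContext: {}` and `securityContext: {}` ship empty in casa/values.yaml with the hardened settings left as comments, and deployment.yaml renders both values verbatim, so a default install applies no container restrictions from the chart itself. Whether the casa image tolerates `runAsNonRoot: true` or `readOnlyRootFilesystem: true` cannot be told from this diff, but settings that rarely break an application can be made the default: `allowPrivilegeEscalation: false` plus `capabilities:` with `drop: ["ALL"]`. If the defaults must stay empty, say so in the `# --` description of each key so operators know hardening is their responsibility.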
@@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..d0f0a793da --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 1.3.0 +description: Istio Gateway +home: https://docs.gluu.org/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/cn-istio-ingress +type: application +version: 1.3.0 diff --git a/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..1e5d831782 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/README.md @@ -0,0 +1,23 @@ +# cn-istio-ingress + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + 
diff --git a/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/templates/_helpers.tpl 
@@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} 
diff --git a/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..13434720ad --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,37 @@ +{{- if not .Values.global.istio.gateways }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/.helmignore b/charts/gluu/gluu/5.3.0/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config-api/.helmignore 
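Review bot: The HTTPS server in cn-istio-ingress/templates/gateway.yaml hard-codes `credentialName: tls-certificate` and nothing says where that secret has to live. Istio resolves `credentialName` in the namespace of the ingress gateway workload selected by `istio: ingressgateway`, which is not necessarily `{{ .Release.Namespace }}`, so a certificate created next to the release can be silently ignored. Extend the inline comment to something like `# secret must exist in the ingress gateway's namespace`, and consider making the name configurable through a new chart value. Pinning `minProtocolVersion: TLSV1_2` under `tls:` would make the accepted TLS floor explicit instead of depending on the mesh default; the `# admin-ui` comment above the port 80 server also looks like a leftover, since the server covers the whole FQDN.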
@@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..2766dfa6a1 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 1.3.0 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config-api +type: application +version: 1.3.0 diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/README.md b/charts/gluu/gluu/5.3.0/charts/config-api/README.md new file mode 100644 index 0000000000..d4edaa74d6 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config-api/README.md 
@@ -0,0 +1,63 @@ +# config-api + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. 
| +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..9359661af8 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config-api/templates/_helpers.tpl 
@@ -0,0 +1,112 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "config-api.customJavaOptions"}} +{{ $custom := "" }} +{{- $cnCustomJavaOptions := index .Values.global "config-api" "cnCustomJavaOptions" }} +{{- $custom := printf "%s" $cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" ( mul (mulf $memory 0.41) 1 ) -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory (mulf $memory 0.49)) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if 
$val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..b4fe0dae99 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "config-api" "customAnnotations" "destinationRule") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "config-api" "customAnnotations" "destinationRule" }} +{{ toYaml (index .Values.global "config-api" "customAnnotations" "destinationRule") | indent 4 }} +{{- end }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file 
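Review bot: The `config-api.customJavaOptions` helper in config-api/templates/_helpers.tpl derives heap sizes with `.Values.resources.limits.memory | replace "Mi" "" | int`, which only parses limits written in `Mi`. A limit such as `2Gi` or `2500M` leaves a non-numeric string that `int` most likely turns into 0, so the container would start with `-Xmx0m` and `-XX:MaxDirectMemorySize=0m` and either fail or run with JVM sizing unrelated to the pod limit. Failing the render is clearer: `{{- if not (hasSuffix "Mi" (toString .Values.resources.limits.memory)) }}{{ fail "resources.limits.memory must be expressed in Mi" }}{{- end }}`. In the topology-spread helper of the same hunk, `matchLabelKeys: {{ $val.matchLabelKeys }}` prints a list in Go formatting; `{{ $val.matchLabelKeys | toJson }}` would emit a valid YAML sequence.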
diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..116dcf6e9b --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,26 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "config-api" "customAnnotations" "podDisruptionBudget") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "config-api" "customAnnotations" "podDisruptionBudget" }} +{{ toYaml (index .Values.global "config-api" "customAnnotations" "podDisruptionBudget") | indent 4 }} +{{- end }} +{{- end }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..3f5841c5b3 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config-api/templates/config-api-virtual-services.yaml 
@@ -0,0 +1,43 @@
+{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-config-api
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: config-api
+{{ include "config-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "config-api" "customAnnotations" "virtualService") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "config-api" "customAnnotations" "virtualService" }}
+{{ toYaml (index .Values.global "config-api" "customAnnotations" "virtualService") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+{{- if .Values.global.istio.gateways }}
+ gateways:
+{{ toYaml .Values.global.istio.gateways | indent 2 }}
+{{- else }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+{{- end }}
+ hosts:
+ - {{ .Values.global.fqdn }}
+ http:
+ - name: {{ .Release.Name }}-istio-config-api
+ match:
+ - uri:
+ prefix: /jans-config-api
+ route:
+ - destination:
+ host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8074
+ weight: 100
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.3.0/charts/config-api/templates/deployment.yaml
new file mode 100644
index 0000000000..53315cc354
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/config-api/templates/deployment.yaml
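Review bot: The `prefix: /jans-config-api` match publishes every path of the configuration API on the `global.fqdn` gateway whenever `configApiEnabled` is set, and nothing in this template restricts who may reach it at the mesh layer. Whether the application enforces its own authorization on all of those paths is not visible from this hunk, so the template deserves a comment stating the assumption, for example `# Publishes the config-api on the ingress gateway; access control is left to the application`. If the health paths used by the probes in values.yaml are meant to stay internal, a narrower match or an accompanying AuthorizationPolicy is the place to enforce that.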
@@ -0,0 +1,134 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (index .Values.global "config-api" "customAnnotations" "deployment") }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if index .Values.global "config-api" "customAnnotations" "deployment" }} +{{ toYaml (index .Values.global "config-api" "customAnnotations" "deployment") | indent 4 }} +{{- end }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if or (.Values.global.istio.ingress) (index .Values.global "config-api" "customAnnotations" "pod") }} + annotations: + {{- if .Values.global.istio.ingress }} + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + {{- if index .Values.global "config-api" "customAnnotations" "pod" }} + {{ toYaml (index .Values.global "config-api" "customAnnotations" "pod") | indent 4 }} + {{- end }} + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: {{ include "config-api.name" . 
}} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: CN_CONFIG_API_JAVA_OPTIONS + value: {{ include "config-api.customJavaOptions" . | trim }} + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) (.Values.customCommand) }} + command: + {{- if .Values.customCommand }} + {{- toYaml .Values.customCommand | nindent 14 }} + {{- else }} + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + {{- end}} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . 
}}-updatelbip + mountPath: /scripts + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.3.0/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..902fffe0c7 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config-api/templates/hpa.yaml 
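Review bot: The container `securityContext` in deployment.yaml sets only `runAsUser: 1000` and `runAsNonRoot: true`, so privilege escalation and the default capability set stay enabled for a container that can also run operator-supplied `customScripts` through `/bin/sh -c`. Adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under the same key tightens this without changing the user; whether the image tolerates a read-only root filesystem cannot be judged from this hunk. Separately, `value: {{ include "config-api.customJavaOptions" . | trim }}` is emitted unquoted, so unless the helper quotes its own output (it is not visible here) an empty option string renders as null; `| trim | quote` avoids that.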
@@ -0,0 +1,42 @@
+{{ if .Values.hpa.enabled -}}
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "config-api.fullname" . }}
+ labels:
+ APP_NAME: config-api
+{{ include "config-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "config-api" "customAnnotations" "horizontalPodAutoscaler") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "config-api" "customAnnotations" "horizontalPodAutoscaler" }}
+{{ toYaml (index .Values.global "config-api" "customAnnotations" "horizontalPodAutoscaler") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "config-api.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.3.0/charts/config-api/templates/service.yaml
new file mode 100644
index 0000000000..d550d0413f
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/config-api/templates/service.yaml
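Review bot: `apiVersion: autoscaling/v1` in hpa.yaml does not define `spec.metrics` or `spec.behavior`, yet the template renders both when `hpa.metrics` or `hpa.behavior` is set. Those fields belong to `autoscaling/v2`, so under v1 they are either rejected by strict validation or dropped, and once `targetCPUUtilizationPercentage` is cleared in favour of `metrics` the autoscaler is left with no target of its own. Either switch the manifest to `apiVersion: autoscaling/v2` and express the CPU target as a `metrics` entry, or remove the two branches. The object also carries no `namespace:`, unlike the Deployment and Service templates in this chart.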
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+ # the name must match the application
+ name: {{ index .Values "global" "config-api" "configApiServerServiceName" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: config-api
+{{ include "config-api.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (index .Values.global "config-api" "customAnnotations" "service") }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if index .Values.global "config-api" "customAnnotations" "service" }}
+{{ toYaml (index .Values.global "config-api" "customAnnotations" "service") | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ ports:
+ - port: 9444
+ name: tcp-{{ include "config-api.name" . }}-ssl
+ - port: 8074
+ name: tcp-{{ include "config-api.name" . }}-http
+ selector:
+ app: {{ .Release.Name }}-{{ include "config-api.name" . }}
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/config-api/values.yaml b/charts/gluu/gluu/5.3.0/charts/config-api/values.yaml
new file mode 100644
index 0000000000..b82c7f503e
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/config-api/values.yaml
@@ -0,0 +1,103 @@ +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.3.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. 
+readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] +# -- Add custom pod's command. If passed, it will override the default conditional command. +customCommand: [] diff --git a/charts/gluu/gluu/5.3.0/charts/config/.helmignore b/charts/gluu/gluu/5.3.0/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/5.3.0/charts/config/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/config/Chart.yaml new file mode 100644 index 0000000000..0a2801395a --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config/Chart.yaml 
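Review bot: In config-api/values.yaml the comment `# -- Additional annotations that will be added across all resources ...` has no key under it, so `additionalAnnotations` is never declared and the comment runs into the one for `customScripts`; add `additionalAnnotations: {}` directly below it. The probe comments are also inaccurate: both say "for the auth server", and the liveness one says "Executes the python3 healthcheck" above an `httpGet` probe. `nodeSelector`, `tolerations` and `affinity` are declared here, but the deployment template added in this commit does not appear to read them, so as far as the visible templates show, setting them has no effect.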
@@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 1.3.0 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config +type: application +version: 1.3.0 diff --git a/charts/gluu/gluu/5.3.0/charts/config/README.md b/charts/gluu/gluu/5.3.0/charts/config/README.md new file mode 100644 index 0000000000..3948407834 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config/README.md 
@@ -0,0 +1,115 @@ +# config + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . 
| +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnMessageType | string | `"DISABLED"` | Message type (one of POSTGRES, REDIS, or DISABLED) | +| configmap.cnOpaUrl | string | `"http://opa.opa.svc.cluster.cluster.local:8181/v1"` | URL of OPA API | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. 
{ "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.cnVaultAddr | string | `"http://localhost:8200"` | Base URL of Vault. | +| configmap.cnVaultAppRolePath | string | `"approle"` | Path to Vault AppRole. | +| configmap.cnVaultKvPath | string | `"secret"` | Path to Vault KV secrets engine. 
| +| configmap.cnVaultNamespace | string | `""` | Vault namespace used to access the secrets. | +| configmap.cnVaultPrefix | string | `"jans"` | Base prefix name used to access secrets. | +| configmap.cnVaultRoleId | string | `""` | Vault AppRole RoleID. | +| configmap.cnVaultRoleIdFile | string | `"/etc/certs/vault_role_id"` | Path to file contains Vault AppRole role ID. | +| configmap.cnVaultSecretId | string | `""` | Vault AppRole SecretID. | +| configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. | +| configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | +| configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may using "public" schema). | +| configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name | +| configmap.kcDbUrlHost | string | `"mysql.kc.svc.cluster.local"` | Keycloak database host | +| configmap.kcDbUrlPort | int | `3306` | Keycloak database port (default to port 3306 for mysql). | +| configmap.kcDbUrlProperties | string | `"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"` | Keycloak database connection properties. If using postgresql, the value can be set to empty string. | +| configmap.kcDbUsername | string | `"keycloak"` | Keycloak database username | +| configmap.kcDbVendor | string | `"mysql"` | Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. | +| configmap.kcLogLevel | string | `"INFO"` | Keycloak logging level | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| configmap.quarkusTransactionEnableRecovery | bool | `true` | Quarkus transaction recovery. 
When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"team@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. 
| +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| salt | string | `""` | Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..c10074117b --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config/templates/_helpers.tpl 
@@ -0,0 +1,107 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{ toJson $newList }} +{{- end }} + +{{/* +Create AWS shared credentials. +*/}} +{{- define "config.aws-shared-credentials" }} +{{- $profile := .Values.configmap.cnAwsProfile }} +{{- if not $profile }} +{{- $profile = "default" }} +{{- end }} +{{- printf "[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n" $profile .Values.configmap.cnAwsAccessKeyId .Values.configmap.cnAwsSecretAccessKey }} +{{- end }} + +{{/* +Create AWS config. +*/}} +{{- define "config.aws-config" }} +{{- $profile := .Values.configmap.cnAwsProfile }} +{{- if not $profile }} +{{- $profile = "default" }} +{{- end }} +{{- if ne $profile "default" }} +{{- $profile = printf "profile %s" .Values.configmap.cnAwsProfile }} +{{- end }} +{{- printf "[%s]\nregion = %s\n" $profile .Values.configmap.cnAwsDefaultRegion }} +{{- end }} 
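Review bot: `config.fullname` reads `.Values.fullnameOverride`, while the chart README added in this same commit documents the key as `fullNameOverride`; Helm value keys are case-sensitive, so one of the two spellings is never honoured (the chart's values.yaml is not visible here to say which). `config.aws-shared-credentials` formats `cnAwsSecretAccessKey` straight out of `.Values.configmap`, so its output must only ever be rendered into a Secret; a comment on the define such as `{{/* Output contains the AWS secret access key: render into a Secret only */}}` would make that explicit. In `config.optionalScopes` the `{{ $newList ... }}` actions lack the `-` trim markers, so the helper emits blank lines around the JSON list.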
diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.3.0/charts/config/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..e7f90c8d58
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/config/templates/clusterrolebinding.yaml
@@ -0,0 +1,50 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.clusterRoleBinding) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.config.customAnnotations.clusterRoleBinding }}
+{{ toYaml .Values.global.config.customAnnotations.clusterRoleBinding | indent 4 }}
+{{- end }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: User
+ # change it to your actual account; the email can be fetched using
+ # the following command: `gcloud info | grep Account`
+ name: "ACCOUNT"
+ apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: {{ include "config.name" . }}-load
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: edit
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.global.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
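Review bot: Both bindings in clusterrolebinding.yaml are cluster-scoped and rendered unconditionally: the first grants `cluster-admin` to a `User` literally named `"ACCOUNT"`, and the second grants the `edit` ClusterRole to `global.serviceAccountName` across every namespace, which includes read and write on Secrets cluster-wide. If the service account only needs the release's own ConfigMap and Secret (the consuming code is not visible here), a namespaced binding is enough: make the second object `kind: RoleBinding` with `namespace: {{ .Release.Namespace }}` in its metadata, ideally against a Role limited to the resources the configurator touches. The `cluster-admin` binding should be removed or wrapped in an explicit opt-in value, since the placeholder subject is emitted as-is on every install.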
diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.3.0/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..e29454216c --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config/templates/configmaps.yaml 
@@ -0,0 +1,457 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.configMap) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.config.customAnnotations.configMap }} +{{ toYaml .Values.global.config.customAnnotations.configMap | indent 4 }} +{{- end }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ 
.Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl | quote }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix | quote }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile | quote }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion | quote }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile | quote }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile | quote }} + {{- if or (ne .Values.configmap.cnAwsProfile "") (ne .Values.configmap.cnAwsProfile "default") }} + AWS_PROFILE: {{ .Values.configmap.cnAwsProfile | quote }} + {{- end }} + # [aws_envs] END + {{- end }} + # [vault_envs] Envs related to Hashicorp vault + {{ if eq .Values.global.configSecretAdapter "vault" }} + CN_SECRET_VAULT_ADDR: {{ .Values.configmap.cnVaultAddr | quote }} + CN_SECRET_VAULT_VERIFY: {{ .Values.configmap.cnVaultVerify | quote }} + CN_SECRET_VAULT_ROLE_ID_FILE: {{ .Values.configmap.cnVaultRoleIdFile | quote }} + CN_SECRET_VAULT_SECRET_ID_FILE: {{ .Values.configmap.cnVaultSecretIdFile | quote }} + CN_SECRET_VAULT_NAMESPACE: {{ .Values.configmap.cnVaultNamespace | quote }} + CN_SECRET_VAULT_KV_PATH: {{ .Values.configmap.cnVaultKvPath | quote }} + CN_SECRET_VAULT_PREFIX: {{ .Values.configmap.cnVaultPrefix | quote }} + CN_SECRET_VAULT_APPROLE_PATH: {{ .Values.configmap.cnVaultAppRolePath | quote }} + # [vault_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} 
+ CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" 
"appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if (eq .Values.global.cnPersistenceType "hybrid") }} + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + {{ if or (eq .Values.configmap.cnCacheType "REDIS") (eq .Values.configmap.cnMessageType "REDIS") }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + {{- end }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ 
.Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" 
"admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled}} # CASA + CN_CASA_APP_LOGGERS: {{ .Values.global.casa.appLoggers + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature + CN_DUO_ENABLED: "false" + CN_SQL_PASSWORD_FILE: {{ .Values.global.cnSqlPasswordFile }} + CN_CONFIG_API_PLUGINS: {{ index .Values "global" "config-api" "plugins" | quote }} + {{- if .Values.global.saml.enabled }} + QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY: {{ .Values.configmap.quarkusTransactionEnableRecovery | quote }} + KC_LOG_LEVEL: {{ .Values.configmap.kcLogLevel | quote }} + KC_DB: {{ .Values.configmap.kcDbVendor | quote }} + KC_DB_USERNAME: {{ .Values.configmap.kcDbUsername | quote }} + KC_DB_SCHEMA: {{ .Values.configmap.kcDbSchema | quote }} + KC_DB_URL_HOST: {{ .Values.configmap.kcDbUrlHost | quote }} + KC_DB_URL_PORT: {{ .Values.configmap.kcDbUrlPort | quote }} + KC_DB_URL_DATABASE: {{ .Values.configmap.kcDbUrlDatabase | quote }} + KC_DB_URL_PROPERTIES: {{ .Values.configmap.kcDbUrlProperties | quote }} + {{- end }} + CN_LOCK_ENABLED: {{ index .Values "global" "auth-server" "lockEnabled" | quote }} + CN_OPA_URL: {{ .Values.configmap.cnOpaUrl | quote }} + CN_MESSAGE_TYPE: {{ .Values.configmap.cnMessageType | quote }} + CN_CONFIGURATOR_CONFIGURATION_FILE: {{ .Values.global.cnConfiguratorConfigurationFile | quote }} + CN_CONFIGURATOR_DUMP_FILE: {{ .Values.global.cnConfiguratorDumpFile | quote }} + +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import 
logging + import base64 + + from jans.pycloudlib import get_manager + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + def b64encode(value): + return base64.b64encode(value.encode()).decode() + + manager = get_manager() + + # returns empty string if not found + ssl_cert = manager.secret.get("ssl_cert") 
+ if ssl_cert: + ssl_cert = b64encode(ssl_cert) + + # returns empty string if not found + ssl_key = manager.secret.get("ssl_key") + if ssl_key: + ssl_key = b64encode(ssl_key) + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert or key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error( + "No certificate or key was found in secrets." + "This can happen when the ssl certificate for the domain is able to be pulled." + "In that scenario the ssl_cert will be pulled from the domain provided" + ) + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . 
| indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.configMap) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.config.customAnnotations.configMap }} +{{ toYaml .Values.global.config.customAnnotations.configMap | indent 4 }} +{{- end }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if 
len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.configMap) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.config.customAnnotations.configMap }} +{{ toYaml .Values.global.config.customAnnotations.configMap | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.3.0/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..88d235df22 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config/templates/load-init-config.yml 
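Review bot: In the embedded `tls_generator.py`, `main()` continues on `if cert or key:`, so when only one of `ssl_cert` / `ssl_key` is present it still patches or creates the `kubernetes.io/tls` Secret with an empty `tls.crt` or `tls.key`, which can replace a working `tls-certificate` with an unusable pair. `get_certs` returns empty strings for missing entries, so the guard should be `if cert and key:`. Separately, in the first ConfigMap the `AWS_PROFILE` guard `or (ne .Values.configmap.cnAwsProfile "") (ne .Values.configmap.cnAwsProfile "default")` is true for every value; `and` looks like what was intended.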
@@ -0,0 +1,106 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.job) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.config.customAnnotations.job }} +{{ toYaml .Values.global.config.customAnnotations.job | indent 4 }} +{{- end }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . 
| nindent 10 }} + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + {{- if .Values.customCommand }} + {{- toYaml .Values.customCommand | nindent 12 }} + {{- else }} + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} && /usr/bin/python3 /scripts/tls_generator.py + {{- else }} + /app/scripts/entrypoint.sh load && /usr/bin/python3 /scripts/tls_generator.py + {{- end }} + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + {{- end}} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.3.0/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config/templates/ob-secrets.yaml 
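Review bot: When `global.istio.enabled` is set, the generated `/bin/sh -c` script ends with `curl -X POST http://localhost:15020/quitquitquit`, so the container exits with curl's status and a failed `entrypoint.sh load` / `migrate` or `tls_generator.py` run can still leave the Job marked as succeeded. Inside the `{{- if .Values.global.istio.enabled }}` block, capture the status before stopping the sidecar and return it afterwards: `rc=$?` on the line before the curl call and `exit $rc` on the line after it. `set -e` would not cover this, because a failure on the left side of `&&` does not trigger it.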
@@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . 
| indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.3.0/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..76d639ae1e --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config/templates/rolebinding.yaml @@ -0,0 +1,28 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.roleBinding) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.config.customAnnotations.roleBinding }} +{{ toYaml .Values.global.config.customAnnotations.roleBinding | indent 4 }} +{{- end }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.global.serviceAccountName }} # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file 
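Review bot: All three Secrets in ob-secrets.yaml place the values directly under `data:` (for example `ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }}`) with neither `b64enc` nor `quote`, whereas user-custom-envs.yaml in this commit encodes with `b64enc`. This only renders a valid Secret if the caller passes values that are already base64-encoded, and nothing in the template says so; a raw PEM block or passphrase would produce invalid Secret data or break the YAML. I would state the contract at the top of the file, `# all cnOb* values must be base64-encoded by the caller; they are written to data: verbatim`, and add `| quote` to each value so an unusual string cannot be re-typed by the YAML parser.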
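Review bot: In rolebinding.yaml the subject is written as `kind: User` with the assembled name `system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.global.serviceAccountName }}`, while clusterrolebinding.yaml in this commit binds the same account as `kind: ServiceAccount`. The two forms authorize the same identity, but the string form is easy to get subtly wrong and is missed by audits that search bindings by ServiceAccount subject. For consistency I would use `- kind: ServiceAccount`, `name: {{ .Values.global.serviceAccountName }}`, `namespace: {{ .Release.Namespace }}` and drop the subject's `apiGroup` line.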
diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.3.0/charts/config/templates/roles.yaml
new file mode 100644
index 0000000000..795fa35936
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/config/templates/roles.yaml
@@ -0,0 +1,24 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.role) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.config.customAnnotations.role }}
+{{ toYaml .Values.global.config.customAnnotations.role | indent 4 }}
+{{- end }}
+{{- end }}
+rules:
+- apiGroups: [""] # "" refers to the core API group
+ resources: ["configmaps", "secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.3.0/charts/config/templates/secrets.yaml
new file mode 100644
index 0000000000..4e5e6921a0
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/config/templates/secrets.yaml
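Review bot: The single rule in roles.yaml grants `get, list, watch, create, update, patch, delete` on every ConfigMap and Secret in the release namespace, so any pod running under `global.serviceAccountName` can read or delete unrelated secrets there, including the `-configuration-file` Secret from secrets.yaml that carries the admin and database passwords. From what this commit shows, the workload appears to need only the objects named by `configmap.cnConfigKubernetesConfigMap` and `configmap.cnSecretKubernetesSecret` plus `tls-certificate`. Consider splitting the rule so that `get`/`update`/`patch`/`delete` carry `resourceNames` for those objects and only `create` stays unrestricted, and drop `list`/`watch` if the application does not use them.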
@@ -0,0 +1,66 @@ +{{- if not .Values.global.cnConfiguratorCustomSchema.secretName -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-configuration-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.secret) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.config.customAnnotations.secret }} +{{ toYaml .Values.global.config.customAnnotations.secret | indent 4 }} +{{- end }} +{{- end }} +type: Opaque +stringData: + {{ .Values.global.cnConfiguratorConfigurationFile | base }}: |- + { + "_configmap": { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_email": {{ .Values.email | quote }}, + "orgName": {{ .Values.orgName | quote }}, + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . 
| fromJsonArray | join ",") | quote }}, + {{- if .Values.global.saml.enabled }} + "kc_admin_username": {{ .Values.configmap.kcAdminUsername | quote }}, + {{- end }} + "init_keys_exp": {{ index .Values "global" "auth-server-key-rotation" "initKeysLife" }} + }, + "_secret": { + "admin_password": {{ .Values.adminPassword | quote }}, + "redis_password": {{ .Values.redisPassword | quote }}, + {{ if or ( eq .Values.global.cnPersistenceType "sql" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "sql_password": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + "vault_role_id": {{ .Values.configmap.cnVaultRoleId | quote }}, + "vault_secret_id": {{ .Values.configmap.cnVaultSecretId | quote }}, + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + "google_credentials": {{ .Values.configmap.cnGoogleSecretManagerServiceAccount | quote }}, + {{- end }} + {{ if or (eq .Values.global.configAdapterName "aws") (eq .Values.global.configSecretAdapter "aws") }} + "aws_credentials": {{ include "config.aws-shared-credentials" . | b64enc | quote }}, + "aws_config": {{ include "config.aws-config" . | b64enc | quote }}, + "aws_replica_regions": {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson | b64enc | quote }}, + {{- end }} + {{- if .Values.global.saml.enabled }} + "kc_db_password": {{ .Values.configmap.kcDbPassword | quote }}, + "kc_admin_password": {{ .Values.configmap.kcAdminPassword | quote }}, + {{- end }} + "encoded_salt": {{ .Values.salt | quote }} + } + } +{{- end -}} diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/service.yaml b/charts/gluu/gluu/5.3.0/charts/config/templates/service.yaml new file mode 100644 index 0000000000..880ccc649c --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/config/templates/service.yaml 
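Review bot: The Secret body in secrets.yaml is a JSON document, but its string fields are rendered with `quote` (for example `"admin_password": {{ .Values.adminPassword | quote }}`), which applies Go string quoting, not JSON encoding. The two agree for ordinary printable input, but control and non-printable characters come out as escapes such as `\x..` or `\a` that JSON does not allow, so a password containing them would make the configuration file unparseable. `toJson` is the encoder for this context: `"admin_password": {{ .Values.adminPassword | toJson }},`, and the same for the other `_secret` and `_configmap` string entries.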
@@ -0,0 +1,32 @@
+{{- if ( .Values.global.istio.enabled) }}
+# License terms and conditions:
+# https://www.apache.org/licenses/LICENSE-2.0
+# Used with Istio
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "config.fullname" . }}
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.service) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.config.customAnnotations.service }}
+{{ toYaml .Values.global.config.customAnnotations.service | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ selector:
+ app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load
+ type: ClusterIP
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/serviceaccount.yaml b/charts/gluu/gluu/5.3.0/charts/config/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..265c99f2ea
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/config/templates/serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{- if not (eq .Values.global.serviceAccountName "default") -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.global.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.serviceAccount) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.config.customAnnotations.serviceAccount }}
+{{ toYaml .Values.global.config.customAnnotations.serviceAccount | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.3.0/charts/config/templates/user-custom-envs.yaml
new file mode 100644
index 0000000000..4e62b454df
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/config/templates/user-custom-envs.yaml
@@ -0,0 +1,79 @@
+{{ if .Values.global.usrEnvs.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.secret) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.config.customAnnotations.secret }}
+{{ toYaml .Values.global.config.customAnnotations.secret | indent 4 }}
+{{- end }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.global.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
+{{ if .Values.global.usrEnvs.normal }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.configMap) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.config.customAnnotations.configMap }}
+{{ toYaml .Values.global.config.customAnnotations.configMap | indent 4 }}
+{{- end }}
+{{- end }}
+data:
+ {{- range $key, $val := .Values.global.usrEnvs.normal }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end}}
+{{- end}}
+{{ if .Values.usrEnvs.secret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: configurator
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.config.customAnnotations.secret) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.config.customAnnotations.secret }}
+{{ toYaml .Values.global.config.customAnnotations.secret | indent 4 }}
+{{- end }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
diff --git a/charts/gluu/gluu/5.3.0/charts/config/values.yaml b/charts/gluu/gluu/5.3.0/charts/config/values.yaml
new file mode 100644
index 0000000000..9b6a69fdd2
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/config/values.yaml
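Review bot: In both Secret documents of this template, `{{ $key }}: {{ $val | b64enc }}` only renders cleanly when every entry under `usrEnvs.secret` is a string; `b64enc` takes a string argument, so an unquoted number or boolean in the values file (a port, `true`) will typically fail the render. Coercing first, `{{ $key | quote }}: {{ $val | toString | b64enc | quote }}`, keeps the template working for those values and stops YAML from retyping an unusual key. Separately, anything passed through `usrEnvs.secret` is also kept unencrypted in the Helm release record and in whatever values file carries it, so the chart documentation should point operators to a pre-created Secret or an external secret store for sensitive material.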
@@ -0,0 +1,207 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +# -- Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. +salt: "" +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. 
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # [vault_envs] Envs related to Hashicorp vault + # -- Vault AppRole RoleID. + cnVaultRoleId: "" + # -- Vault AppRole SecretID. + cnVaultSecretId: "" + # -- Base URL of Vault. + cnVaultAddr: http://localhost:8200 + # -- Verify connection to Vault. + cnVaultVerify: false + # -- Path to file contains Vault AppRole role ID. + cnVaultRoleIdFile: /etc/certs/vault_role_id + # -- Path to file contains Vault AppRole secret ID. + cnVaultSecretIdFile: /etc/certs/vault_secret_id + # -- Vault namespace used to access the secrets. + cnVaultNamespace: "" + # -- Path to Vault KV secrets engine. + cnVaultKvPath: secret + # -- Base prefix name used to access secrets. + cnVaultPrefix: jans + # -- Path to Vault AppRole. + cnVaultAppRolePath: approle + # [vault_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. 
Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. + quarkusTransactionEnableRecovery: true + # -- Keycloak logging level + kcLogLevel: INFO + # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. + kcDbVendor: mysql + # -- Keycloak database username + kcDbUsername: keycloak + # -- Password for Keycloak database access + kcDbPassword: Test1234# + # -- Keycloak database schema name (note that PostgreSQL may using "public" schema). + kcDbSchema: keycloak + # -- Keycloak database host + kcDbUrlHost: mysql.kc.svc.cluster.local + # -- Keycloak database port (default to port 3306 for mysql). + kcDbUrlPort: 3306 + # -- Keycloak database name + kcDbUrlDatabase: keycloak + # -- Keycloak database connection properties. If using postgresql, the value can be set to empty string. + kcDbUrlProperties: "?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4" + # -- URL of OPA API + cnOpaUrl: http://opa.opa.svc.cluster.cluster.local:8181/v1 + # -- Message type (one of POSTGRES, REDIS, or DISABLED) + cnMessageType: DISABLED +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: team@gluu.org +image: + # -- Image to use for deploying. 
+ repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.3.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] +# -- Add custom job's command. If passed, it will override the default conditional command. 
+customCommand: [] diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/.helmignore b/charts/gluu/gluu/5.3.0/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..90421bcf48 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 1.3.0 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://docs.gluu.org/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/fido2 +type: application +version: 1.3.0 diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/README.md b/charts/gluu/gluu/5.3.0/charts/fido2/README.md new file mode 100644 index 0000000000..b3b84e68e1 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/fido2/README.md 
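Review bot: The defaults in the config chart's `values.yaml` ship usable-looking credentials (`adminPassword: Test1234#`, `configmap.cnSqldbUserPassword: Test1234#`, `configmap.kcDbPassword: Test1234#` and `redisPassword: P@assw0rd`), so an install that overrides nothing comes up with publicly known passwords. I would default these to `""` and make the consuming templates (outside this hunk) refuse to render when they are unset, e.g. `{{ required "config.adminPassword must be set" .Values.adminPassword }}`. `cnVaultVerify: false` next to `cnVaultAddr: http://localhost:8200` likewise turns off verification of the Vault connection by default according to its own comment; `true` with an `https://` address is the safer default. Finally, `cnOpaUrl: http://opa.opa.svc.cluster.cluster.local:8181/v1` has a doubled `cluster.` label that looks like a typo for `svc.cluster.local`.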
@@ -0,0 +1,61 @@ +# fido2 + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..650a4e31e7 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/fido2/templates/_helpers.tpl 
@@ -0,0 +1,111 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "fido2.customJavaOptions"}} +{{ $custom := "" }} +{{ $custom = printf "%s" .Values.global.fido2.cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" ( mul (mulf $memory 0.41) 1 ) -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory (mulf $memory 0.49)) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + 
{{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.3.0/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..a997669234 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/fido2/templates/deployment.yml 
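Review bot: `fido2.customJavaOptions` computes the JVM sizes from `.Values.resources.limits.memory | replace "Mi" "" | int`, which is only correct when the limit is written in `Mi`; a value such as `1Gi` or a plain byte count would, as far as I can tell, be cast to 0 or to a very different number and yield flags like `-Xmx0m`, so the pod fails to start or runs with a heap unrelated to its limit. Either document beside the helper that the limit must use `Mi`, or fail early with `{{- if not (hasSuffix "Mi" .Values.resources.limits.memory) }}{{ fail "resources.limits.memory must be expressed in Mi" }}{{- end }}`. In `fido2.topology-spread-constraints`, `matchLabelKeys: {{ $val.matchLabelKeys }}` prints the list in Go's format rather than as a YAML sequence; `matchLabelKeys: {{ toJson $val.matchLabelKeys }}` would render it correctly.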
@@ -0,0 +1,142 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.fido2.customAnnotations.deployment) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.fido2.customAnnotations.deployment }} +{{ toYaml .Values.global.fido2.customAnnotations.deployment | indent 4 }} +{{- end }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if or (.Values.global.istio.ingress) (.Values.global.fido2.customAnnotations.pod) }} + annotations: + {{- if .Values.global.istio.ingress }} + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + {{- if .Values.global.fido2.customAnnotations.pod }} + {{ toYaml .Values.global.fido2.customAnnotations.pod | indent 4 }} + {{- end }} + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: {{ include "fido2.name" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + - name: CN_FIDO2_JAVA_OPTIONS + value: {{ include "fido2.customJavaOptions" . | trim }} + {{- include "fido2.usr-envs" . | indent 10 }} + {{- include "fido2.usr-secret-envs" . | indent 10 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) (.Values.customCommand) }} + command: + {{- if .Values.customCommand }} + {{- toYaml .Values.customCommand | nindent 12 }} + {{- else }} + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . 
| nindent 10 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..d3d7fe5303 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-destination-rules.yaml 
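Review bot: The container `securityContext` in the fido2 Deployment sets only `runAsUser: 1000` and `runAsNonRoot: true`, which leaves the runtime's default capability set in place, allows privilege gain through setuid binaries and pins no seccomp profile. Adding `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}` under the same key would match the Kubernetes restricted Pod Security Standard; the image should be checked once to confirm it needs no capability. The `command` block also splices `.Values.customScripts` into an `sh -c` script, so anyone who can set chart values decides what runs in the container, and the comment on `customScripts` in the values file should say so.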
@@ -0,0 +1,27 @@
+{{- if .Values.global.istio.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-fido2-mtls
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.fido2.customAnnotations.destinationRule) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.fido2.customAnnotations.destinationRule }}
+{{ toYaml .Values.global.fido2.customAnnotations.destinationRule | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-pdb.yaml
new file mode 100644
index 0000000000..71d15312d9
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-pdb.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.pdb.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "fido2.fullname" . }}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.fido2.customAnnotations.podDisruptionBudget) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.fido2.customAnnotations.podDisruptionBudget }}
+{{ toYaml .Values.global.fido2.customAnnotations.podDisruptionBudget | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-{{ include "fido2.name" . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-virtual-services.yaml
new file mode 100644
index 0000000000..4f6cfb8991
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/fido2/templates/fido2-virtual-services.yaml
@@ -0,0 +1,73 @@
+{{- if .Values.global.istio.ingress }}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-fido2-configuration
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.fido2.customAnnotations.virtualService) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.fido2.customAnnotations.virtualService }}
+{{ toYaml .Values.global.fido2.customAnnotations.virtualService | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ hosts:
+ - {{ .Values.global.fqdn }}
+{{- if .Values.global.istio.gateways }}
+ gateways:
+{{ toYaml .Values.global.istio.gateways | indent 2 }}
+{{- else }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+{{- end }}
+ http:
+ {{- if .Values.global.fido2.ingress.fido2ConfigEnabled }}
+ - name: {{ .Release.Name }}-istio-fido2-configuration
+ match:
+ - uri:
+ prefix: /.well-known/fido2-configuration
+ rewrite:
+ uri: /jans-fido2/restv1/fido2/configuration
+ route:
+ - destination:
+ host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+ {{- end }}
+ {{- if .Values.global.fido2.ingress.fido2Enabled }}
+ - name: {{ .Release.Name }}-istio-fido2
+ match:
+ - uri:
+ prefix: "/jans-fido2"
+ route:
+ - destination:
+ host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+ {{- end }}
+ {{- if .Values.global.fido2.ingress.fido2WebauthnEnabled }}
+ - name: {{ .Release.Name }}-istio-webauthn
+ match:
+ - uri:
+ prefix: "/.well-known/webauthn"
+ rewrite:
+ uri: /jans-fido2/restv1/webauthn/configuration
+ route:
+ - destination:
+ host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+ {{- end }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.3.0/charts/fido2/templates/hpa.yaml
new file mode 100644
index 0000000000..b222609a16
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/fido2/templates/hpa.yaml
@@ -0,0 +1,42 @@
+{{ if .Values.hpa.enabled -}}
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "fido2.fullname" . }}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.fido2.customAnnotations.horizontalPodAutoscaler) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.fido2.customAnnotations.horizontalPodAutoscaler }}
+{{ toYaml .Values.global.fido2.customAnnotations.horizontalPodAutoscaler | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "fido2.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.3.0/charts/fido2/templates/service.yml
new file mode 100644
index 0000000000..092ca69103
--- /dev/null
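Review bot: The `{{ .Release.Name }}-istio-fido2` route in fido2-virtual-services.yaml matches `prefix: "/jans-fido2"`, so every path under the application context is reachable through the gateway, including `/jans-fido2/sys/health-check`, which this chart's values.yaml uses for its probes. If only the REST API is meant to be exposed, narrow the match to `prefix: "/jans-fido2/restv1"`, the base path the other two routes rewrite to. Whether clients depend on other paths under the context cannot be told from the hunk, so confirm that before narrowing. The `hosts` entry is also emitted unquoted; `- {{ .Values.global.fqdn | quote }}` keeps an empty or unusual value from changing the shape of the document.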
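Review bot: `apiVersion: autoscaling/v1` in hpa.yaml has no `spec.metrics` or `spec.behavior`, yet the `else if .Values.hpa.metrics` branch and the `if .Values.hpa.behavior` block render both fields. Under v1 they are rejected by strict field validation or dropped, so an operator who configures custom metrics or scaling policies gets an autoscaler that does not apply them. Either move the template to `apiVersion: autoscaling/v2` and express the CPU target as a `metrics` entry, or add a comment above the two blocks such as `# metrics and behavior require autoscaling/v2; they have no effect with the v1 API used here`.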
+++ b/charts/gluu/gluu/5.3.0/charts/fido2/templates/service.yml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.global.fido2.fido2ServiceName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.fido2.customAnnotations.service) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.fido2.customAnnotations.service }}
+{{ toYaml .Values.global.fido2.customAnnotations.service | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ {{- if .Values.global.alb.ingress }}
+ type: NodePort
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.3.0/charts/fido2/templates/user-custom-secret-envs.yaml
new file mode 100644
index 0000000000..0568add708
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/fido2/templates/user-custom-secret-envs.yaml
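Review bot: `sessionAffinityConfig` in service.yml is rendered whenever `.Values.service.sessionAffinityConfig` is set, regardless of `sessionAffinity`, and this chart's own values.yaml ships `sessionAffinity: None` together with a `clientIP.timeoutSeconds` block. As far as I know, Kubernetes validation refuses a Service that carries `sessionAffinityConfig` while the affinity is `None`, so unless the parent chart overrides these values the defaults may not apply cleanly; check this against a rendered manifest. Wrapping the `with` block in `{{- if eq .Values.service.sessionAffinity "ClientIP" }}` removes the dependency on the values being consistent. The `type: NodePort` branch for `.Values.global.alb.ingress` opens the service port on every node and deserves a comment naming the ALB target type that needs it.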
@@ -0,0 +1,26 @@
+{{ if .Values.usrEnvs.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: fido2
+{{ include "fido2.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.fido2.customAnnotations.secret) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.fido2.customAnnotations.secret }}
+{{ toYaml .Values.global.fido2.customAnnotations.secret | indent 4 }}
+{{- end }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/fido2/values.yaml b/charts/gluu/gluu/5.3.0/charts/fido2/values.yaml
new file mode 100644
index 0000000000..c21e232d1f
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/fido2/values.yaml
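Review bot: `{{ $key }}: {{ $val | b64enc }}` hands each value straight to `b64enc`, which accepts only strings, so a numeric or boolean entry in `usrEnvs.secret` (an unquoted port number, `true`) aborts the render with a type error. Use `{{ $key }}: {{ $val | toString | b64enc | quote }}`; the same line appears in the kc-scheduler `user-custom-secret-envs.yaml` later in this patch. A comment above `data:` should also say that these values are taken in clear text from the values file and are therefore kept in the Helm release record, for example `# values come from usrEnvs.secret in the supplied values and are stored with the release; provide them from a protected values source`.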
@@ -0,0 +1,97 @@
+
+# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.
+
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/fido2
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 500m
+ # -- Memory limit.
+ memory: 500Mi
+ requests:
+ # -- CPU request.
+ cpu: 500m
+ # -- Memory request.
+ memory: 500Mi
+service:
+ # -- The name of the fido2 port within the fido2 service. Please keep it as default.
+ name: http-fido2
+ # -- Port of the fido2 service. Please keep it as default.
+ port: 8080
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+# -- Configure the liveness healthcheck for the fido2 if needed.
+livenessProbe:
+ # -- http liveness probe endpoint
+ httpGet:
+ path: /jans-fido2/sys/health-check
+ port: http-fido2
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+# -- Configure the readiness healthcheck for the fido2 if needed.
+readinessProbe:
+ httpGet:
+ path: /jans-fido2/sys/health-check
+ port: http-fido2
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+# Actions on lifecycle events such as postStart and preStop
+# Example
+# lifecycle:
+# postStart:
+# exec:
+# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+lifecycle: {}
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
+# -- Add custom scripts that have been mounted to run before the entrypoint.
+# - /tmp/custom.sh
+# - /tmp/custom2.sh
+customScripts: [ ]
+# -- Add custom pod's command. If passed, it will override the default conditional command.
+customCommand: []
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/kc-scheduler/.helmignore b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/.helmignore
new file mode 100644
index 0000000000..f0c1319444
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/.helmignore
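Review bot: `repository: janssenproject/fido2` in the fido2 values.yaml names no registry host, so the container runtime resolves it against its default registry, while the kc-scheduler values file in this same patch uses `ghcr.io/janssenproject/jans/kc-scheduler`. Two sources for images of one release make it harder to restrict pulls to an approved registry, so use one fully qualified location for every subchart once the published path for this image is confirmed (the hunk does not show it). `tag: 1.3.0-1` with `pullPolicy: IfNotPresent` relies on a mutable tag; a comment next to `tag`, for instance `# a digest (name@sha256:...) can be used instead of the tag to pin the exact image`, would help operators who need reproducible deployments.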
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/gluu/gluu/5.3.0/charts/kc-scheduler/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/Chart.yaml
new file mode 100644
index 0000000000..c9002e7823
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+appVersion: 1.3.0
+description: Responsible for synchronizing Keycloak SAML clients
+home: https://jans.io
+icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png
+keywords:
+- Keycloak
+- SAML
+kubeVersion: '>=v1.22.0-0'
+maintainers:
+- email: support@jans.io
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: kc-scheduler
+sources:
+- https://github.com/JanssenProject/jans/docker-jans-kc-scheduler
+type: application
+version: 1.3.0
diff --git a/charts/gluu/gluu/5.3.0/charts/kc-scheduler/README.md b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/README.md
new file mode 100644
index 0000000000..b7d87ac9a1
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/README.md
@@ -0,0 +1,48 @@
+# kc-scheduler
+
+![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square)
+
+Responsible for synchronizing Keycloak SAML clients
+
+**Homepage:**
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Mohammad Abudayyeh | | |
+
+## Source Code
+
+*
+
+## Requirements
+
+Kubernetes: `>=v1.22.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} |
+| additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} |
+| customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. |
+| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh |
+| dnsConfig | object | `{}` | Add custom dns config |
+| dnsPolicy | string | `""` | Add custom dns policy |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
+| image.pullSecrets | list | `[]` | Image Pull Secrets |
+| image.repository | string | `"ghcr.io/janssenproject/jans/kc-scheduler"` | Image to use for deploying. |
+| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. |
+| interval | int | `10` | Interval of running the scheduler (in minutes) |
+| lifecycle | object | `{}` | |
+| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
+| resources.limits.cpu | string | `"300m"` | CPU limit. |
+| resources.limits.memory | string | `"300Mi"` | Memory limit. |
+| resources.requests.cpu | string | `"300m"` | CPU request. |
+| resources.requests.memory | string | `"300Mi"` | Memory request. |
+| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
+| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
+| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
+| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
+| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
diff --git a/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/_helpers.tpl
new file mode 100644
index 0000000000..5cf07a22fe
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/_helpers.tpl
@@ -0,0 +1,68 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kc-scheduler.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kc-scheduler.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kc-scheduler.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+ Common labels
+*/}}
+{{- define "kc-scheduler.labels" -}}
+app: {{ .Release.Name }}-{{ include "kc-scheduler.name" . }}
+helm.sh/chart: {{ include "kc-scheduler.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "kc-scheduler.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val | quote }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "kc-scheduler.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/cronjobs.yaml b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/cronjobs.yaml
new file mode 100644
index 0000000000..a879b86520
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/cronjobs.yaml
@@ -0,0 +1,98 @@
+{{ if and (index .Values "global" "kc-scheduler" "enabled") (.Values.global.saml.enabled) -}}
+kind: CronJob
+apiVersion: batch/v1
+metadata:
+ name: {{ include "kc-scheduler.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: kc-scheduler
+ release: {{ .Release.Name }}
+{{ include "kc-scheduler.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ schedule: "@every {{ .Values.interval }}m"
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ {{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- with .Values.dnsConfig }}
+ dnsConfig:
+{{ toYaml . | indent 12 }}
+ {{- end }}
+ containers:
+ - name: {{ include "kc-scheduler.name" . }}
+ {{- if or (.Values.customScripts) (.Values.customCommand) }}
+ command:
+ {{- if .Values.customCommand }}
+ {{- toYaml .Values.customCommand | nindent 18 }}
+ {{- else }}
+ - /bin/sh
+ - -c
+ - |
+ {{- with .Values.customScripts }}
+ {{- toYaml . | replace "- " "" | nindent 20}}
+ {{- end }}
+ /app/scripts/entrypoint.sh
+ {{- end}}
+ {{- end}}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ env:
+ {{- include "kc-scheduler.usr-envs" . | indent 16 }}
+ {{- include "kc-scheduler.usr-secret-envs" . | indent 16 }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ lifecycle:
+{{- toYaml .Values.lifecycle | nindent 16 }}
+ volumeMounts:
+ {{- with .Values.volumeMounts }}
+{{- toYaml . | nindent 16 }}
+ {{- end }}
+ {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }}
+{{- toYaml . | nindent 16 }}
+ {{- end }}
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-config-cm
+ {{ if .Values.global.usrEnvs.secret }}
+ - secretRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ {{ if .Values.global.usrEnvs.normal }}
+ - configMapRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ {{- if .Values.global.cloud.testEnviroment }}
+ resources: {}
+ {{- else }}
+ resources:
+{{- toYaml .Values.resources | nindent 16 }}
+ {{- end }}
+ volumes:
+ {{- with .Values.volumes }}
+{{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with (include "cn.config.schema" . | fromYaml).volumes }}
+{{- toYaml . | nindent 12 }}
+ {{- end }}
+ restartPolicy: Never
+ {{- if not .Values.global.isFqdnRegistered }}
+ hostAliases:
+ - ip: {{ .Values.global.lbIp }}
+ hostnames:
+ - {{ .Values.global.fqdn }}
+ {{- end }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/service.yaml b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/service.yaml
new file mode 100644
index 0000000000..e32662e04a
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/service.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.global.istio.enabled }}
+# License terms and conditions:
+# https://www.apache.org/licenses/LICENSE-2.0
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "kc-scheduler.fullname" . }}
+ labels:
+{{ include "kc-scheduler.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ selector:
+ app: {{ .Release.Name }}-{{ include "kc-scheduler.name" . }}
+ type: ClusterIP
+{{- end }}
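Review bot: The CronJob container in cronjobs.yaml has no `securityContext`, whereas the link Deployment in this same patch sets `runAsUser: 1000` and `runAsNonRoot: true`; the job therefore runs as whatever user the image defines. Add under the container `securityContext:` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, plus the `runAsUser` used by the other workloads if the image supports it, which the hunk does not show. The pod spec also sets no `serviceAccountName`, so the job uses the namespace's default account, although it loads `{{ .Release.Name }}-config-cm` and the global custom-envs secret through `envFrom`. Naming the account explicitly, as the link Deployment does with `.Values.global.serviceAccountName`, would make the intended API access reviewable.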
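Review bot: The kc-scheduler Service is gated only on `.Values.global.istio.enabled`, while the CronJob it selects is gated on `global.kc-scheduler.enabled` and `global.saml.enabled`, and that CronJob's container declares no `ports`. Unless the parent chart's dependency condition already covers this, the Service can be rendered with no pods behind it, and `targetPort: 8080` refers to a port nothing in this chart declares. If the object exists only to satisfy the mesh, state that in a comment beside the licence lines, e.g. `# placeholder Service required by the Istio mesh; the CronJob exposes no port`, and reuse the CronJob's condition together with the Istio flag. `metadata` here also omits the `namespace: {{ .Release.Namespace }}` line that the CronJob carries.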
diff --git a/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/user-custom-secret-envs.yaml
new file mode 100644
index 0000000000..8c6cb6075a
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,20 @@
+{{ if .Values.usrEnvs.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+{{ include "kc-scheduler.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+ annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
diff --git a/charts/gluu/gluu/5.3.0/charts/kc-scheduler/values.yaml b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/values.yaml
new file mode 100644
index 0000000000..401de0aed6
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/kc-scheduler/values.yaml
@@ -0,0 +1,56 @@
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/kc-scheduler
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+# -- Interval of running the scheduler (in minutes)
+interval: 10
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+# Actions on lifecycle events such as postStart and preStop
+# Example
+# lifecycle:
+# postStart:
+# exec:
+# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+lifecycle: {}
+# -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+additionalAnnotations: {}
+# -- Add custom scripts that have been mounted to run before the entrypoint.
+# - /tmp/custom.sh
+# - /tmp/custom2.sh
+customScripts: []
+# -- Add custom job's command. If passed, it will override the default conditional command.
+customCommand: []
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/link/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/link/Chart.yaml
new file mode 100644
index 0000000000..54f2db21ec
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/link/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+appVersion: 1.3.0
+description: Jans Link
+home: https://jans.io
+icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png
+keywords:
+- link
+kubeVersion: '>=v1.22.0-0'
+maintainers:
+- email: support@jans.io
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: link
+sources:
+- https://github.com/JanssenProject/jans/jans-link
+- https://github.com/JanssenProject/jans/docker-jans-link
+type: application
+version: 1.3.0
diff --git a/charts/gluu/gluu/5.3.0/charts/link/README.md b/charts/gluu/gluu/5.3.0/charts/link/README.md
new file mode 100644
index 0000000000..b33d8580f6
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/link/README.md
@@ -0,0 +1,63 @@
+# link
+
+![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square)
+
+Jans Link
+
+**Homepage:**
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Mohammad Abudayyeh | | |
+
+## Source Code
+
+*
+*
+
+## Requirements
+
+Kubernetes: `>=v1.22.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken |
+| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} |
+| affinity | object | `{}` | |
+| customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. |
+| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh |
+| dnsConfig | object | `{}` | Add custom dns config |
+| dnsPolicy | string | `""` | Add custom dns policy |
+| fullnameOverride | string | `""` | |
+| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler |
+| hpa.behavior | object | `{}` | Scaling Policies |
+| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
+| image.pullSecrets | list | `[]` | Image Pull Secrets |
+| image.repository | string | `"ghcr.io/janssenproject/jans/link"` | Image to use for deploying. |
+| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. |
+| lifecycle | object | `{}` | |
+| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the link if needed. |
+| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. |
+| nameOverride | string | `""` | |
+| nodeSelector | object | `{}` | |
+| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the link if needed. |
+| replicas | int | `1` | Service replica number. |
+| resources | object | `{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}}` | Resource specs. |
+| resources.limits.cpu | string | `"500m"` | CPU limit. |
+| resources.limits.memory | string | `"1000Mi"` | Memory limit. |
+| resources.requests.cpu | string | `"500m"` | CPU request. |
+| resources.requests.memory | string | `"1000Mi"` | Memory request. |
+| service.name | string | `"http-link"` | The name of the link port within the link service. Please keep it as default. |
+| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP |
+| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP |
+| tolerations | list | `[]` | |
+| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
+| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
+| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
+| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
+| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
diff --git a/charts/gluu/gluu/5.3.0/charts/link/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/link/templates/_helpers.tpl
new file mode 100644
index 0000000000..f4d7564d49
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/link/templates/_helpers.tpl
@@ -0,0 +1,111 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "link.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "link.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "link.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+ Common labels
+*/}}
+{{- define "link.labels" -}}
+app: {{ .Release.Name }}-{{ include "link.name" . }}
+helm.sh/chart: {{ include "link.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "link.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val | quote }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "link.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key | quote }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create JAVA_OPTIONS ENV for passing custom work and detailed logs
+*/}}
+{{- define "link.customJavaOptions"}}
+{{ $custom := "" }}
+{{ $custom = printf "%s" .Values.global.link.cnCustomJavaOptions }}
+{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}}
+{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" ( mul (mulf $memory 0.41) 1 ) -}}
+{{- $xmx := printf "-Xmx%dm" (sub $memory (mulf $memory 0.49)) -}}
+{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}}
+{{ $customJavaOptions | trim | quote }}
+{{- end }}
+
+{{/*
+Create topologySpreadConstraints lists
+*/}}
+{{- define "link.topology-spread-constraints"}}
+{{- range $key, $val := .Values.topologySpreadConstraints }}
+- maxSkew: {{ $val.maxSkew }}
+ {{- if $val.minDomains }}
+ minDomains: {{ $val.minDomains }} # optional; beta since v1.25
+ {{- end}}
+ {{- if $val.topologyKey }}
+ topologyKey: {{ $val.topologyKey }}
+ {{- end}}
+ {{- if $val.whenUnsatisfiable }}
+ whenUnsatisfiable: {{ $val.whenUnsatisfiable }}
+ {{- end}}
+ labelSelector:
+ matchLabels:
+ app: {{ $.Release.Name }}-{{ include "link.name" $ }}
+ {{- if $val.matchLabelKeys }}
+ matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25
+ {{- end}}
+ {{- if $val.nodeAffinityPolicy }}
+ nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25
+ {{- end}}
+ {{- if $val.nodeTaintsPolicy }}
+ nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25
+ {{- end}}
+{{- end }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/link/templates/deployment.yaml b/charts/gluu/gluu/5.3.0/charts/link/templates/deployment.yaml
new file mode 100644
index 0000000000..f2d01e6b1c
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/link/templates/deployment.yaml
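Review bot: In `link.customJavaOptions`, `.Values.resources.limits.memory | replace "Mi" "" | int` understands only the `Mi` suffix, so a limit written as `1Gi` or `1000M` is turned into 0 by `int` and the template emits `-Xmx0m` and `-XX:MaxDirectMemorySize=0m`. Either document above the define that the limit must be given in `Mi`, or stop the render when it is not, e.g. `{{- if not (hasSuffix "Mi" (toString .Values.resources.limits.memory)) }}{{ fail "resources.limits.memory must be given in Mi" }}{{- end }}`. The line `{{ $custom = printf "%s" .Values.global.link.cnCustomJavaOptions }}` also prints a Go placeholder when the value is unset; `default ""` before the `printf` avoids that. In `link.topology-spread-constraints`, `matchLabelKeys: {{ $val.matchLabelKeys }}` prints the list in Go syntax and needs `toJson` or `toYaml` to produce a YAML sequence.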
@@ -0,0 +1,133 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "link.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.link.customAnnotations.deployment) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.link.customAnnotations.deployment }} +{{ toYaml .Values.global.link.customAnnotations.deployment | indent 4 }} +{{- end }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "link.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "link.name" . }} + release: {{ .Release.Name }} + {{- if or (.Values.global.istio.ingress) (.Values.global.link.customAnnotations.pod) }} + annotations: + {{- if .Values.global.istio.ingress }} + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + {{- if .Values.global.link.customAnnotations.pod }} + {{ toYaml .Values.global.link.customAnnotations.pod | indent 4 }} + {{- end }} + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "link.topology-spread-constraints" . | indent 8 }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: {{ include "link.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: CN_LINK_JAVA_OPTIONS + value: {{ include "link.customJavaOptions" . | trim }} + {{- include "link.usr-envs" . 
| indent 12 }} + {{- include "link.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) (.Values.customCommand) }} + command: + {{- if .Values.customCommand }} + {{- toYaml .Values.customCommand | nindent 14 }} + {{- else }} + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + {{- end}} + ports: + - containerPort: 9091 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "link.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }} +{{- toYaml . 
| nindent 12 }} + {{- end }} + {{- if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "link.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/link/templates/hpa.yaml b/charts/gluu/gluu/5.3.0/charts/link/templates/hpa.yaml new file mode 100644 index 0000000000..6de2a8ad3d --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/link/templates/hpa.yaml 
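Review bot: The container `securityContext` in the link Deployment sets only `runAsUser: 1000` and `runAsNonRoot: true`, so privilege escalation, Linux capabilities and the seccomp profile are left at the runtime defaults. Adding `allowPrivilegeEscalation: false`, dropping all capabilities and selecting the `RuntimeDefault` seccomp profile would bring the pod in line with the restricted Pod Security Standard. The container only listens on 9091, so it presumably needs no capabilities, but that should be confirmed against the image's entrypoint. `readOnlyRootFilesystem` is left out of the proposal because the entrypoint and the `customScripts` hook may write to the root filesystem.

```yaml
securityContext:
  # … unchanged: runAsUser, runAsNonRoot …
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
```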
@@ -0,0 +1,42 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "link.fullname" . }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.link.customAnnotations.horizontalPodAutoscaler) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.link.customAnnotations.horizontalPodAutoscaler }} +{{ toYaml .Values.global.link.customAnnotations.horizontalPodAutoscaler | indent 4 }} +{{- end }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "link.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/link/templates/link-destination-rules.yaml b/charts/gluu/gluu/5.3.0/charts/link/templates/link-destination-rules.yaml new file mode 100644 index 0000000000..3326931482 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/link/templates/link-destination-rules.yaml 
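Review bot: The HorizontalPodAutoscaler is declared as `apiVersion: autoscaling/v1`, but the `else if .Values.hpa.metrics` branch and the `behavior` block render `spec.metrics` and `spec.behavior`, which belong to the `autoscaling/v2` schema. Under v1 those fields are either rejected by validation or dropped, so an operator who unsets `targetCPUUtilizationPercentage` to use custom metrics ends up with an autoscaler that has no effective target. Moving the template to `autoscaling/v2` and expressing the CPU target as a `Resource` metric would make both branches valid. The object also sets no `metadata.namespace`, unlike the Deployment it targets; adding `namespace: {{ .Release.Namespace }}` keeps the two consistent.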
@@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-link-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.link.customAnnotations.destinationRule) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.link.customAnnotations.destinationRule }} +{{ toYaml .Values.global.link.customAnnotations.destinationRule | indent 4 }} +{{- end }} +{{- end }} +spec: + host: {{ index .Values "global" "link" "linkServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/link/templates/link-pdb.yaml b/charts/gluu/gluu/5.3.0/charts/link/templates/link-pdb.yaml new file mode 100644 index 0000000000..59e5285c3a --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/link/templates/link-pdb.yaml 
@@ -0,0 +1,26 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "link.fullname" . }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.link.customAnnotations.podDisruptionBudget) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.link.customAnnotations.podDisruptionBudget }} +{{ toYaml .Values.global.link.customAnnotations.podDisruptionBudget | indent 4 }} +{{- end }} +{{- end }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "link.name" . }} +{{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/link/templates/link-virtual-services.yaml b/charts/gluu/gluu/5.3.0/charts/link/templates/link-virtual-services.yaml new file mode 100644 index 0000000000..913625c88e --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/link/templates/link-virtual-services.yaml 
@@ -0,0 +1,43 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "link" "ingress" "linkEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-link + namespace: {{.Release.Namespace}} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.link.customAnnotations.virtualService) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.link.customAnnotations.virtualService }} +{{ toYaml .Values.global.link.customAnnotations.virtualService | indent 4 }} +{{- end }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-link + match: + - uri: + prefix: /jans-link + route: + - destination: + host: {{ index .Values "global" "link" "linkServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 9091 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/link/templates/service.yaml b/charts/gluu/gluu/5.3.0/charts/link/templates/service.yaml new file mode 100644 index 0000000000..cb3ff5e4bf --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/link/templates/service.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "link" "linkServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.link.customAnnotations.service) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.link.customAnnotations.service }} +{{ toYaml .Values.global.link.customAnnotations.service | indent 4 }} +{{- end }} +{{- end }} +spec: + ports: + - port: 9091 + name: tcp-{{ include "link.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "link.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/link/values.yaml b/charts/gluu/gluu/5.3.0/charts/link/values.yaml new file mode 100644 index 0000000000..07eb249bbf --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/link/values.yaml 
@@ -0,0 +1,106 @@ +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/link + # -- Image tag to use for deploying. + tag: 1.3.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the link port within the link service. Please keep it as default. + name: http-link + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the link if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the link if needed. 
+readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] +# -- Add custom pod's command. If passed, it will override the default conditional command. +customCommand: [] \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.3.0/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..60d48e9644 
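Review bot: The link image is selected by the tag `tag: 1.3.0-1` together with `pullPolicy: IfNotPresent`, and the Deployment template joins repository and tag with `:`, so the chart offers no way to pin the image by digest. A tag can be re-pointed in the registry, and nodes that already cached it will keep running whatever they pulled first, which makes the deployed content hard to attest. Consider an optional value (proposed name `image.digest`) that, when set, renders `image: "{{ .Values.image.repository }}@{{ .Values.image.digest }}"`. Separately, `nodeSelector`, `tolerations` and `affinity` are declared here but the link Deployment template in this patch never reads them, so setting them has no effect.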
--- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 1.3.0 +description: Nginx ingress definitions chart +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/nginx-ingress +type: application +version: 1.3.0 diff --git a/charts/gluu/gluu/5.3.0/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..ec33adb2ee --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/README.md 
@@ -0,0 +1,34 @@ +# nginx-ingress + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"enabled":true,"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"path":"/","tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. 
This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| nameOverride | string | `""` | | diff --git a/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..f26d29ee9b --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/admin-ui-ingress.yaml 
@@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "admin-ui" "ingress" "adminUiLabels" }} +{{ toYaml (index .Values.global "admin-ui" "ingress" "adminUiLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if index .Values.global "admin-ui" "ingress" "adminUiAdditionalAnnotations" }} +{{ toYaml (index .Values.global "admin-ui" "ingress" "adminUiAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..736d96483c --- /dev/null 
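Review bot: The admin UI Ingress hard-codes `nginx.ingress.kubernetes.io/ssl-redirect: "false"`, so requests to `/admin` over plain HTTP are served rather than redirected, even when `ingress.tls` is configured. For an administrative console this means session cookies and credentials may travel in cleartext wherever port 80 is reachable. Consider defaulting the annotation to `"true"`, or dropping it so the controller default applies, and letting operators who terminate TLS upstream opt out through `adminUiAdditionalAnnotations`. `$ingressPath` is assigned at the top of the template but never used.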
+++ b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml 
@@ -0,0 +1,127 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "authServerLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authServerLabels") | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "authServerProtectedTokenLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authServerProtectedTokenLabels") | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if index .Values.global "auth-server" "ingress" "authServerAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authServerAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "authServerProtectedTokenAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authServerProtectedTokenAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . 
| quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "authServerLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authServerLabels") | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "authServerProtectedRegisterLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authServerProtectedRegisterLabels") | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if index .Values.global "auth-server" "ingress" "authServerAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authServerAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "authServerProtectedRegisterAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authServerProtectedRegisterAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml 
.Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/certificate.yaml 
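Review bot: Both protected Ingresses enforce the client-certificate check through `nginx.ingress.kubernetes.io/configuration-snippet`, which only takes effect when the ingress-nginx controller permits snippet annotations; recent controller releases disable them by default (`allow-snippet-annotations`) because they let any Ingress author inject nginx configuration. The chart should state that requirement next to `authServerProtectedToken` and `authServerProtectedRegister`. It should also say that `$ssl_client_verify` can only be `SUCCESS` when the `auth-tls-secret` and `auth-tls-verify-client` annotations are supplied through `additionalAnnotations`; the README mentions them only as examples, and without them every request to these two paths gets 403. The backend receives the certificate in `X-ClientCert`, and the other auth-server Ingresses are not fully visible here, so it is worth confirming that the header is trusted only on these two exact paths or is cleared on routes that do not perform the mTLS check.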
@@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..4ff76d9a30 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/templates/ingress.yaml 
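Review bot: `spec.secretName` is emitted inside `range .Values.ingress.tls`, so two or more TLS entries render duplicate `secretName` keys (most YAML parsers silently keep the last one), and an empty list renders a Certificate without the field at all. Reading a single value guarded by `required`, for example `secretName: {{ required "a TLS secret name is required" (first .Values.ingress.tls).secretName }}`, would make the rendered output deterministic. `dnsNames` is taken only from `global.fqdn`, while the Ingress rules and TLS blocks use `ingress.hosts` and `ingress.tls[].hosts`; if those differ, the issued certificate will not cover the hosts actually served, so either iterate the same list or document that they must match.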
@@ -0,0 +1,1127 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "openidConfigLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "openidConfigLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if index .Values.global "auth-server" "ingress" "openidAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "openidAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "deviceCodeLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "deviceCodeLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if index .Values.global "auth-server" "ingress" "deviceCodeAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "deviceCodeAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "firebaseMessagingLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "firebaseMessagingLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if index .Values.global "auth-server" "ingress" "firebaseMessagingAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "firebaseMessagingAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "uma2ConfigLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "uma2ConfigLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if index .Values.global "auth-server" "ingress" "uma2AdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "uma2AdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "webfingerLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "webfingerLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if index .Values.global "auth-server" "ingress" "webfingerAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "webfingerAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "webdiscoveryLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "webdiscoveryLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if index .Values.global "auth-server" "ingress" "webdiscoveryAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "webdiscoveryAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.scim.ingress.scimConfigLabels }} +{{ toYaml .Values.global.scim.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.global.scim.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.global.scim.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.scim.ingress.scimLabels }} +{{ toYaml .Values.global.scim.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.global.scim.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.global.scim.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "config-api" "ingress" "configApiLabels" }} +{{ toYaml (index .Values.global "config-api" "ingress" "configApiLabels") | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if index .Values.global "config-api" "ingress" "configApiAdditionalAnnotations" }} +{{ toYaml (index .Values.global "config-api" "ingress" "configApiAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "u2fConfigLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "u2fConfigLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if index .Values.global "auth-server" "ingress" "u2fAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "u2fAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.fido2.ingress.fido2ConfigLabels }} +{{ toYaml .Values.global.fido2.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.global.fido2.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.global.fido2.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2Enabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2 + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.fido2.ingress.fido2Labels }} +{{ toYaml .Values.global.fido2.ingress.fido2Labels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "fido2" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.global.fido2.ingress.fido2AdditionalAnnotations }} +{{ toYaml .Values.global.fido2.ingress.fido2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-fido2 + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2WebauthnEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webauthn + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.fido2.ingress.fido2WebauthnLabels }} +{{ toYaml .Values.global.fido2.ingress.fido2WebauthnLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/webauthn/configuration +{{- if .Values.global.fido2.ingress.fido2WebauthnAdditionalAnnotations }} +{{ toYaml .Values.global.fido2.ingress.fido2WebauthnAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webauthn + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.link.ingress.linkEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-link + labels: + app: {{ $fullName }}-link +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.link.ingress.linkLabels }} +{{ toYaml .Values.global.link.ingress.linkLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.global.link.ingress.linkAdditionalAnnotations }} +{{ toYaml .Values.global.link.ingress.linkAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-link + pathType: Prefix + backend: + service: + name: {{ .Values.global.link.linkServiceName }} + port: + number: 9091 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "authServerLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authServerLabels") | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if index .Values.global "auth-server" "ingress" "authServerAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authServerAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.casa.ingress.casaLabels }} +{{ toYaml .Values.global.casa.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.global.casa.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.global.casa.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.saml.ingress.samlEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-saml + labels: + app: {{ $fullName }}-saml +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.saml.ingress.samlLabels }} +{{ toYaml .Values.global.saml.ingress.samlLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "saml-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.global.saml.ingress.samlAdditionalAnnotations }} +{{ toYaml .Values.global.saml.ingress.samlAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /kc + pathType: Prefix + backend: + service: + name: {{ .Values.global.saml.samlServiceName }} + port: + number: 8083 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if and (index .Values "global" "auth-server" "lockEnabled") (index .Values "global" "auth-server" "ingress" "lockConfigEnabled") -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-lock-config + labels: + app: {{ $fullName }}-lock-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "lockConfigLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "lockConfigLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/v1/configuration +{{- if index .Values.global "auth-server" "ingress" "lockConfigAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "lockConfigAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/lock-server-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if and (index .Values "global" "auth-server" "lockEnabled") (index .Values "global" "auth-server" "ingress" "lockEnabled") -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-lock + labels: + app: {{ $fullName }}-lock +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "lockLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "lockLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/ +{{- if index .Values.global "auth-server" "ingress" "lockAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "lockAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-lock + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authzenConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . 
-}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-authzen-config + labels: + app: {{ $fullName }}-authzen-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if index .Values.global "auth-server" "ingress" "authzenConfigLabels" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authzenConfigLabels") | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/authzen-configuration +{{- if index .Values.global "auth-server" "ingress" "authzenAdditionalAnnotations" }} +{{ toYaml (index .Values.global "auth-server" "ingress" "authzenAdditionalAnnotations") | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/authzen-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..73fa19e61b --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/nginx-ingress/values.yaml 
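Review bot: Every rewrite-based ingress in ingress.yaml (`-openid-config`, `-device-code`, `-uma2-config`, `-webfinger`, `-lock`, `-authzen-config` and the others carrying `rewrite-target`), plus `-link`, hard-codes `nginx.ingress.kubernetes.io/ssl-redirect: "false"`. Even with `ingress.tls` set, the controller will therefore answer these paths over plain HTTP instead of redirecting. The discovery documents tell clients which issuer, endpoint URLs and `jwks_uri` to trust, and `/device-code` is an interactive page, so cleartext delivery lets anyone on the network path alter what the client receives. I would drop the hard-coded line so the controller-wide default applies, and leave opting out of the redirect to the existing per-ingress `...AdditionalAnnotations` values.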
@@ -0,0 +1,29 @@
+
+# -- Nginx ingress definitions chart
+ingress:
+ enabled: true
+ # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml.
+ legacy: false
+ path: /
+ # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+ # Enable client certificate authentication
+ # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
+ # Create the secret containing the trusted ca certificates
+ # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate"
+ # Specify the verification depth in the client certificates chain
+ # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
+ # Specify if certificates are passed to upstream server
+ # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
+ additionalAnnotations: { }
+ # Change ingressClassName to "public" if using microk8s
+ ingressClassName: nginx
+ hosts:
+ - demoexample.gluu.org
+ tls:
+ - secretName: tls-certificate # DON'T change
+ hosts:
+ - demoexample.gluu.org
+nameOverride: ""
+fullnameOverride: ""
diff --git a/charts/gluu/gluu/5.3.0/charts/persistence/.helmignore b/charts/gluu/gluu/5.3.0/charts/persistence/.helmignore
new file mode 100644
index 0000000000..50af031725
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/persistence/.helmignore
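Review bot: The commented client-certificate example under `additionalAnnotations` uses `auth-tls-verify-client: "optional"`, which lets a request through when no certificate is presented and only forwards the verification result upstream, so copying it as written does not enforce mutual TLS at the ingress. I would add a line above that annotation such as `# "optional" only requests a certificate; use "on" to reject clients without a valid one`. The same block enables `auth-tls-pass-certificate-to-upstream`, so it is also worth stating in the comment that the upstream must make the access decision when `optional` is kept.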
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/gluu/gluu/5.3.0/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/persistence/Chart.yaml
new file mode 100644
index 0000000000..355aeec84f
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/persistence/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+appVersion: 1.3.0
+description: Job to generate data and initial config for Gluu Server persistence layer.
+home: https://docs.gluu.org
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- persistence prep
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: team@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: persistence
+sources:
+- https://github.com/JanssenProject/jans/docker-jans-persistence-loader
+- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/persistence
+type: application
+version: 1.3.0
diff --git a/charts/gluu/gluu/5.3.0/charts/persistence/README.md b/charts/gluu/gluu/5.3.0/charts/persistence/README.md
new file mode 100644
index 0000000000..bb9f4194f1
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/persistence/README.md
@@ -0,0 +1,51 @@ +# persistence + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customCommand | list | `[]` | Add custom job's command. If passed, it will override the default conditional command. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. 
| +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | diff --git a/charts/gluu/gluu/5.3.0/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/persistence/templates/_helpers.tpl 
@@ -0,0 +1,79 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "persistence.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "persistence.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "persistence.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "persistence.labels" -}}
+app: {{ .Release.Name }}-{{ include "persistence.name" . }}
+helm.sh/chart: {{ include "persistence.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "persistence.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "persistence.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val | quote }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "persistence.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.3.0/charts/persistence/templates/jobs.yml
new file mode 100644
index 0000000000..a76cdf50ef
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/persistence/templates/jobs.yml
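Review bot: `persistence.serviceAccountName` reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the persistence values.yaml added in this patch defines no `serviceAccount` key and templates/jobs.yml takes the account from `.Values.global.serviceAccountName` instead. Unless a parent chart supplies that map, including the helper would fail on the nil lookup, and its `"default"` fallback would bind the Job to the namespace's default service account rather than the one the chart provisions. I would delete the helper or reduce its body to `{{ .Values.global.serviceAccountName }}`; the same definition is repeated as `saml.serviceAccountName` in charts/saml/templates/_helpers.tpl.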
@@ -0,0 +1,98 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "persistence.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: persistence-loader
+{{ include "persistence.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.persistence.customAnnotations.job) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.persistence.customAnnotations.job }}
+{{ toYaml .Values.global.persistence.customAnnotations.job | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }}
+ template:
+ metadata:
+ name: {{ include "persistence.name" . }}
+ labels:
+ APP_NAME: persistence-loader
+ app: {{ .Release.Name }}-{{ include "persistence.name" . }}
+ spec:
+ {{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- with .Values.dnsConfig }}
+ dnsConfig:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ restartPolicy: Never
+ serviceAccountName: {{ .Values.global.serviceAccountName }}
+ containers:
+ - name: {{ include "persistence.name" . }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ env:
+ {{- include "persistence.usr-envs" . | indent 12 }}
+ {{- include "persistence.usr-secret-envs" . | indent 12 }}
+ {{- if or ( .Values.global.istio.enabled ) ( .Values.customScripts ) (.Values.customCommand) }}
+ command:
+ {{- if .Values.customCommand }}
+ {{- toYaml .Values.customCommand | nindent 10 }}
+ {{- else }}
+ - tini
+ - -g
+ - --
+ - /bin/sh
+ - -c
+ - |
+ {{- with .Values.customScripts }}
+ {{- toYaml . | replace "- " "" | nindent 12}}
+ {{- end }}
+ /app/scripts/entrypoint.sh
+ {{- if .Values.global.istio.enabled }}
+ curl -X POST http://localhost:15020/quitquitquit
+ {{- end }}
+ {{- end }}
+ {{- end}}
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-config-cm
+ {{ if .Values.global.usrEnvs.secret }}
+ - secretRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ {{ if .Values.global.usrEnvs.normal }}
+ - configMapRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ lifecycle:
+{{- toYaml .Values.lifecycle | nindent 10 }}
+ volumeMounts:
+ {{- with .Values.volumeMounts }}
+{{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ resources:
+{{- toYaml .Values.resources | nindent 10 }}
+ volumes:
+ {{- with .Values.volumes }}
+{{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with (include "cn.config.schema" . | fromYaml).volumes }}
+{{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.3.0/charts/persistence/templates/service.yaml
new file mode 100644
index 0000000000..3ffcaa3323
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/persistence/templates/service.yaml
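Review bot: With `global.istio.enabled` set, the inline shell script ends with `curl -X POST http://localhost:15020/quitquitquit`, so the container exits with curl's status rather than that of `/app/scripts/entrypoint.sh`, and a failed persistence load can be recorded as a succeeded Job. Keep the loader's status: `/app/scripts/entrypoint.sh; rc=$?` before the curl line and `exit $rc` after it. Separately, the container `securityContext` sets only `runAsUser` and `runAsNonRoot`; adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` would tighten a container that receives the chart's config map and secret envs.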
@@ -0,0 +1,32 @@
+{{- if .Values.global.istio.enabled }}
+# License terms and conditions:
+# https://www.apache.org/licenses/LICENSE-2.0
+# Used with Istio
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "persistence.fullname" . }}
+ labels:
+ APP_NAME: persistence-loader
+{{ include "persistence.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.persistence.customAnnotations.service) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.persistence.customAnnotations.service }}
+{{ toYaml .Values.global.persistence.customAnnotations.service | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ selector:
+ app: {{ .Release.Name }}-{{ include "persistence.name" . }}
+ type: ClusterIP
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.3.0/charts/persistence/templates/user-custom-secret-envs.yaml
new file mode 100644
index 0000000000..fd85d968fa
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/persistence/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,25 @@
+{{ if .Values.usrEnvs.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+{{ include "persistence.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.persistence.customAnnotations.secret) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.persistence.customAnnotations.secret }}
+{{ toYaml .Values.global.persistence.customAnnotations.secret | indent 4 }}
+{{- end }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/persistence/values.yaml b/charts/gluu/gluu/5.3.0/charts/persistence/values.yaml
new file mode 100644
index 0000000000..8d9d5f5073
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/persistence/values.yaml
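Review bot: `{{ $key }}: {{ $val | b64enc }}` in the `data:` loop assumes every `usrEnvs.secret` value is a string; a number or boolean supplied in values (a port, a flag) would, as far as I can tell, fail `b64enc` at render time, and the unquoted output leaves the encoded text to YAML scalar typing. `{{ $key | quote }}: {{ $val | toString | b64enc | quote }}` covers both cases. Because these secrets arrive through Helm values they are also kept in the release record and in whatever values file carries them, which the `usrEnvs.secret` comment in values.yaml should state.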
@@ -0,0 +1,60 @@
+
+# -- Job to generate data and initial config for Gluu Server persistence layer.
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/persistence
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+# Actions on lifecycle events such as postStart and preStop
+# Example
+# lifecycle:
+# postStart:
+# exec:
+# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+lifecycle: {}
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
+# -- Add custom scripts that have been mounted to run before the entrypoint.
+# - /tmp/custom.sh
+# - /tmp/custom2.sh
+customScripts: [ ]
+# -- Add custom job's command. If passed, it will override the default conditional command.
+customCommand: []
\ No newline at end of file
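Review bot: Two keys in this file have no effect on the rendered Job: `image.pullPolicy` and the top-level `imagePullSecrets` are never read by templates/jobs.yml, which uses only `image.pullSecrets` and sets no `imagePullPolicy`. An operator who places a private-registry credential under `imagePullSecrets`, or who sets `pullPolicy: Always` to force a fresh pull of the `1.3.0-1` tag, gets neither. Either wire the policy into the Job with `imagePullPolicy: {{ .Values.image.pullPolicy }}` or drop the unused keys. Writing the tag as `tag: "1.3.0-1"` would also keep it a string whatever value an override supplies.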
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/.helmignore b/charts/gluu/gluu/5.3.0/charts/saml/.helmignore
new file mode 100644
index 0000000000..50af031725
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/saml/Chart.yaml
new file mode 100644
index 0000000000..4a6b24e9f6
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+appVersion: 1.3.0
+description: Jans SAML
+home: https://jans.io
+icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png
+keywords:
+- SAML
+- Keycloak
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: support@jans.io
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: saml
+sources:
+- https://github.com/JanssenProject/jans/docker-jans-saml
+type: application
+version: 1.3.0
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/README.md b/charts/gluu/gluu/5.3.0/charts/saml/README.md
new file mode 100644
index 0000000000..070e11f525
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/README.md
@@ -0,0 +1,62 @@ +# saml + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +Jans SAML + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/saml"` | Image to use for deploying. | +| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. 
| +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for saml if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the saml if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-saml"` | The name of the saml port within the saml service. Please keep it as default. | +| service.port | int | `8083` | Port of the saml service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | diff --git a/charts/gluu/gluu/5.3.0/charts/saml/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/saml/templates/_helpers.tpl new file mode 100644 index 0000000000..93ef5f1e13 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/saml/templates/_helpers.tpl 
@@ -0,0 +1,122 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "saml.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "saml.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "saml.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "saml.labels" -}}
+app: {{ .Release.Name }}-{{ include "saml.name" . }}
+helm.sh/chart: {{ include "saml.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "saml.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "saml.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create user custom defined envs
+*/}}
+{{- define "saml.usr-envs"}}
+{{- range $key, $val := .Values.usrEnvs.normal }}
+- name: {{ $key }}
+ value: {{ $val | quote }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create user custom defined secret envs
+*/}}
+{{- define "saml.usr-secret-envs"}}
+{{- range $key, $val := .Values.usrEnvs.secret }}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs
+ key: {{ $key | quote }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create JAVA_OPTIONS ENV for passing custom work and detailed logs
+*/}}
+{{- define "saml.customJavaOptions"}}
+{{ $custom := "" }}
+{{ $custom = printf "%s" .Values.global.saml.cnCustomJavaOptions }}
+{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}}
+{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" ( mul (mulf $memory 0.41) 1 ) -}}
+{{- $xmx := printf "-Xmx%dm" (sub $memory (mulf $memory 0.49)) -}}
+{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}}
+{{ $customJavaOptions | trim | quote }}
+{{- end }}
+
+{{/*
+Create topologySpreadConstraints lists
+*/}}
+{{- define "saml.topology-spread-constraints"}}
+{{- range $key, $val := .Values.topologySpreadConstraints }}
+- maxSkew: {{ $val.maxSkew }}
+ {{- if $val.minDomains }}
+ minDomains: {{ $val.minDomains }} # optional; beta since v1.25
+ {{- end}}
+ {{- if $val.topologyKey }}
+ topologyKey: {{ $val.topologyKey }}
+ {{- end}}
+ {{- if $val.whenUnsatisfiable }}
+ whenUnsatisfiable: {{ $val.whenUnsatisfiable }}
+ {{- end}}
+ labelSelector:
+ matchLabels:
+ app: {{ $.Release.Name }}-{{ include "saml.name" $ }}
+ {{- if $val.matchLabelKeys }}
+ matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25
+ {{- end}}
+ {{- if $val.nodeAffinityPolicy }}
+ nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25
+ {{- end}}
+ {{- if $val.nodeTaintsPolicy }}
+ nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25
+ {{- end}}
+{{- end }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/templates/deployment.yaml b/charts/gluu/gluu/5.3.0/charts/saml/templates/deployment.yaml
new file mode 100644
index 0000000000..834d523a6e
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/templates/deployment.yaml
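Review bot: `saml.customJavaOptions` sizes the JVM from `.Values.resources.limits.memory | replace "Mi" "" | int`, which only works when the limit is written in `Mi`; a limit such as `1Gi` or `512M` would most likely convert to 0 and render `-Xmx0m` and `-XX:MaxDirectMemorySize=0m`, so the problem surfaces as a pod that cannot start rather than as an install-time error. Fail early instead, e.g. `{{- if not (hasSuffix "Mi" (toString .Values.resources.limits.memory)) }}{{ fail "resources.limits.memory must be given in Mi" }}{{- end }}`, or document the unit restriction next to `resources.limits.memory`. In `saml.topology-spread-constraints`, `matchLabelKeys: {{ $val.matchLabelKeys }}` prints a list in Go's `[a b]` form; piping it through `toJson` would keep it a valid sequence.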
@@ -0,0 +1,147 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "saml.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: saml
+{{ include "saml.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.saml.customAnnotations.deployment) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.saml.customAnnotations.deployment }}
+{{ toYaml .Values.global.saml.customAnnotations.deployment | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-{{ include "saml.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ APP_NAME: saml
+ app: {{ .Release.Name }}-{{ include "saml.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if or (.Values.global.istio.ingress) (.Values.global.link.customAnnotations.pod) }}
+ annotations:
+ {{- if .Values.global.istio.ingress }}
+ sidecar.istio.io/rewriteAppHTTPProbers: "true"
+ {{- end }}
+ {{- if .Values.global.link.customAnnotations.pod }}
+ {{ toYaml .Values.global.link.customAnnotations.pod | indent 4 }}
+ {{- end }}
+ {{- end }}
+ spec:
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- with .Values.dnsConfig }}
+ dnsConfig:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+
+ {{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- if .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- include "saml.topology-spread-constraints" . | indent 8 }}
+ {{- end }}
+ serviceAccountName: {{ .Values.global.serviceAccountName }}
+ containers:
+ - name: {{ include "saml.name" . }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ env:
+ - name: CN_SAML_JAVA_OPTIONS
+ value: {{ include "saml.customJavaOptions" . | trim }}
+ {{- include "saml.usr-envs" . | indent 12 }}
+ {{- include "saml.usr-secret-envs" . | indent 12 }}
+ {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) (.Values.customCommand) }}
+ command:
+ {{- if .Values.customCommand }}
+ {{- toYaml .Values.customCommand | nindent 14 }}
+ {{- else }}
+ - /bin/sh
+ - -c
+ - |
+ {{- with .Values.customScripts }}
+ {{- toYaml . | replace "- " "" | nindent 16}}
+ {{- end }}
+ {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
+ /usr/bin/python3 /scripts/updatelbip.py &
+ {{- end}}
+ /app/scripts/entrypoint.sh
+ {{- end}}
+ {{- end}}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: {{ .Values.service.name }}
+ containerPort: {{ .Values.service.port}}
+ protocol: TCP
+ {{ if .Values.global.cnPrometheusPort }}
+ - name: prometheus-port
+ containerPort: {{ .Values.global.cnPrometheusPort }}
+ {{- end }}
+ envFrom:
+ - configMapRef:
+ name: {{ .Release.Name }}-config-cm
+ {{ if .Values.global.usrEnvs.secret }}
+ - secretRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ {{ if .Values.global.usrEnvs.normal }}
+ - configMapRef:
+ name: {{ .Release.Name }}-global-user-custom-envs
+ {{- end }}
+ lifecycle:
+{{- toYaml .Values.lifecycle | nindent 12 }}
+ volumeMounts:
+ {{- with .Values.volumeMounts }}
+{{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
+ - name: {{ include "saml.fullname" .}}-updatelbip
+ mountPath: "/scripts"
+ {{- end }}
+ {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }}
+{{- toYaml . | nindent 12 }}
+ {{- end }}
+ livenessProbe:
+{{- toYaml .Values.livenessProbe | nindent 12 }}
+ readinessProbe:
+{{- toYaml .Values.readinessProbe | nindent 12 }}
+ {{- if .Values.global.cloud.testEnviroment }}
+ resources: {}
+ {{- else }}
+ resources:
+{{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ volumes:
+ {{- with .Values.volumes }}
+{{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
+ - name: {{ include "saml.fullname" . }}-updatelbip
+ configMap:
+ name: {{ .Release.Name }}-updatelbip
+ {{- end }}
+ {{- with (include "cn.config.schema" . | fromYaml).volumes }}
+{{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if not .Values.global.isFqdnRegistered }}
+ hostAliases:
+ - ip: {{ .Values.global.lbIp }}
+ hostnames:
+ - {{ .Values.global.fqdn }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/templates/hpa.yaml b/charts/gluu/gluu/5.3.0/charts/saml/templates/hpa.yaml
new file mode 100644
index 0000000000..be7a14c4ac
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/templates/hpa.yaml
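Review bot: The pod-annotation block under `template.metadata` tests and renders `.Values.global.link.customAnnotations.pod`, while every other annotation in this chart reads `.Values.global.saml.customAnnotations.*`; it looks copied from the link chart, so saml pods take their annotations from another component's settings and rendering depends on `global.link` being defined. Use `.Values.global.saml.customAnnotations.pod` in both the `if or` condition and the `toYaml` line. Also note that both `securityContext` blocks are filled from values whose defaults the README in this patch lists as `{}`, so out of the box the container runs with the image's user and capabilities, unlike the persistence Job, which pins `runAsNonRoot: true`.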
@@ -0,0 +1,42 @@
+{{ if .Values.hpa.enabled -}}
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "saml.fullname" . }}
+ labels:
+ APP_NAME: saml
+{{ include "saml.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.saml.customAnnotations.horizontalPodAutoscaler) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.saml.customAnnotations.horizontalPodAutoscaler }}
+{{ toYaml .Values.global.saml.customAnnotations.horizontalPodAutoscaler | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "saml.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/templates/saml-destination-rules.yaml b/charts/gluu/gluu/5.3.0/charts/saml/templates/saml-destination-rules.yaml
new file mode 100644
index 0000000000..d80b7e53ab
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/templates/saml-destination-rules.yaml
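Review bot: The manifest declares `apiVersion: autoscaling/v1` yet renders `metrics:` and `behavior:` when `hpa.metrics` or `hpa.behavior` are set; those fields belong to `autoscaling/v2`, so under v1 they are rejected or dropped depending on the server's field validation and the custom scaling rules never apply. Move the object to `autoscaling/v2` and express the CPU target as a `metrics` entry, as sketched below. Since Chart.yaml allows Kubernetes 1.21, where `autoscaling/v2` is not served, the version should be chosen with `.Capabilities.APIVersions.Has "autoscaling/v2"`.

```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
  {{- if .Values.hpa.targetCPUUtilizationPercentage }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
  {{- else if .Values.hpa.metrics }}
# … unchanged: user-supplied metrics and behavior blocks …
```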
@@ -0,0 +1,27 @@
+{{- if .Values.global.istio.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-saml-mtls
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: saml
+{{ include "saml.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.saml.customAnnotations.destinationRule) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.saml.customAnnotations.destinationRule }}
+{{ toYaml .Values.global.saml.customAnnotations.destinationRule | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ host: {{ .Values.global.saml.samlServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/templates/saml-pdb.yaml b/charts/gluu/gluu/5.3.0/charts/saml/templates/saml-pdb.yaml
new file mode 100644
index 0000000000..dba09a186a
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/templates/saml-pdb.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.pdb.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "saml.fullname" . }}
+ labels:
+ APP_NAME: saml
+{{ include "saml.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.saml.customAnnotations.podDisruptionBudget) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.saml.customAnnotations.podDisruptionBudget }}
+{{ toYaml .Values.global.saml.customAnnotations.podDisruptionBudget | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-{{ include "saml.name" . }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/templates/saml-virtual-services.yaml b/charts/gluu/gluu/5.3.0/charts/saml/templates/saml-virtual-services.yaml
new file mode 100644
index 0000000000..ada5dca5d2
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/templates/saml-virtual-services.yaml
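Review bot: The guard `{{ if .Values.pdb.enabled -}}` dereferences `.Values.pdb`, but the saml `values.yaml` added later in this patch defines no `pdb` key, so rendering depends on the parent chart supplying `saml.pdb`. Without it Helm stops with a nil-pointer error rather than skipping the PodDisruptionBudget. A nil-safe guard such as `{{ if (.Values.pdb | default dict).enabled -}}` keeps the subchart renderable on its own, and `pdb.enabled` / `pdb.maxUnavailable` should then be documented in the subchart values. The scim `scim-pdb.yaml` uses the same guard; its `values.yaml` is cut off in this view, so check it as well.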
@@ -0,0 +1,43 @@
+{{- if and (.Values.global.istio.ingress) (.Values.global.saml.ingress.samlEnabled) }}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-saml
+ namespace: {{.Release.Namespace}}
+ labels:
+ APP_NAME: saml
+{{ include "saml.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.saml.customAnnotations.virtualService) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.saml.customAnnotations.virtualService }}
+{{ toYaml .Values.global.saml.customAnnotations.virtualService | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+{{- if .Values.global.istio.gateways }}
+ gateways:
+{{ toYaml .Values.global.istio.gateways | indent 2 }}
+{{- else }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+{{- end }}
+ hosts:
+ - {{ .Values.global.fqdn }}
+ http:
+ - name: {{ .Release.Name }}-istio-saml
+ match:
+ - uri:
+ prefix: /kc
+ route:
+ - destination:
+ host: {{ .Values.global.saml.samlServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8083
+ weight: 100
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/templates/service.yaml b/charts/gluu/gluu/5.3.0/charts/saml/templates/service.yaml
new file mode 100644
index 0000000000..37120619c9
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/templates/service.yaml
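Review bot: The route destination hard-codes `number: 8083` while the Service in this subchart takes its port from `.Values.service.port`, so overriding that value leaves the VirtualService pointing at a port the Service no longer exposes. Reading the same value keeps the two in step: `number: {{ .Values.service.port }}`. The scim `scim-virtual-services.yaml` later in this patch repeats the pattern with `number: 8080` in both of its routes.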
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.global.saml.samlServiceName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: saml
+{{ include "saml.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.saml.customAnnotations.service) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.saml.customAnnotations.service }}
+{{ toYaml .Values.global.saml.customAnnotations.service | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ {{- if .Values.global.alb.ingress }}
+ type: NodePort
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Release.Name }}-{{ include "saml.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.3.0/charts/saml/templates/user-custom-secret-envs.yaml
new file mode 100644
index 0000000000..fd55d1450c
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.usrEnvs.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: saml
+{{ include "saml.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.saml.customAnnotations.secret) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.saml.customAnnotations.secret }}
+{{ toYaml .Values.global.saml.customAnnotations.secret | indent 4 }}
+{{- end }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
diff --git a/charts/gluu/gluu/5.3.0/charts/saml/values.yaml b/charts/gluu/gluu/5.3.0/charts/saml/values.yaml
new file mode 100644
index 0000000000..1849f7a949
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/saml/values.yaml
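Review bot: `{{ $val | b64enc }}` fails to render when a value under `usrEnvs.secret` is not a string (a number or `true` written without quotes), because `b64enc` accepts only strings. Converting first and quoting the result avoids that: `{{ $key }}: {{ $val | toString | b64enc | quote }}`. A comment above `data:` should also say that anything placed in `usrEnvs.secret` is kept in the Helm release record and in whichever values file supplied it, so both need the same access restrictions as the Secret itself. The scim `user-custom-secret-envs.yaml` later in this patch is the same template and needs the same change.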
@@ -0,0 +1,112 @@
+# -- Jans SAML
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/saml
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+# -- Resource specs.
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 500m
+ # -- Memory limit.
+ memory: 500Mi
+ requests:
+ # -- CPU request.
+ cpu: 500m
+ # -- Memory request.
+ memory: 500Mi
+service:
+ # -- Port of the saml service. Please keep it as default.
+ port: 8083
+ # -- The name of the saml port within the saml service. Please keep it as default.
+ name: http-saml
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+# -- Configure the liveness healthcheck for saml if needed.
+livenessProbe:
+ # -- Executes the python3 healthcheck.
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ failureThreshold: 10
+# -- Configure the readiness healthcheck for the saml if needed.
+readinessProbe:
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ failureThreshold: 10
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+# Actions on lifecycle events such as postStart and preStop
+# Example
+# lifecycle:
+# postStart:
+# exec:
+# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+lifecycle: {}
+
+nameOverride: ""
+fullnameOverride: ""
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
+# -- Add custom scripts that have been mounted to run before the entrypoint.
+customScripts: []
+# -- Add custom pod's command. If passed, it will override the default conditional command.
+customCommand: []
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/scim/.helmignore b/charts/gluu/gluu/5.3.0/charts/scim/.helmignore
new file mode 100644
index 0000000000..f0c1319444
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/scim/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
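Review bot: In the saml `values.yaml`, `securityContext: {}` and `podSecurityContext: {}` ship with the hardening settings only as comments, so unless the deployment template (its start is outside this view) sets them itself, the saml container runs with the runtime's default capabilities and a writable root filesystem. Consider making part of the commented block the default, at least `runAsNonRoot: true` and `capabilities: {drop: ["ALL"]}`. `readOnlyRootFilesystem: true` can stay a documented opt-in if the image writes to its own filesystem at start-up. Whatever default is chosen, a `# --` description on both keys would get them into the generated README, where they are currently missing.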
diff --git a/charts/gluu/gluu/5.3.0/charts/scim/Chart.yaml b/charts/gluu/gluu/5.3.0/charts/scim/Chart.yaml
new file mode 100644
index 0000000000..db287fecbc
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/scim/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: 1.3.0
+description: System for Cross-domain Identity Management (SCIM) version 2.0
+home: https://docs.gluu.org
+icon: https://gluu.org/docs/gluu-server/favicon.ico
+keywords:
+- SCIM
+- API
+kubeVersion: '>=v1.21.0-0'
+maintainers:
+- email: team@gluu.org
+ name: Mohammad Abudayyeh
+ url: https://github.com/moabu
+name: scim
+sources:
+- https://github.com/JanssenProject/jans/jans-scim
+- https://github.com/JanssenProject/jans/docker-jans-scim
+- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/scim
+type: application
+version: 1.3.0
diff --git a/charts/gluu/gluu/5.3.0/charts/scim/README.md b/charts/gluu/gluu/5.3.0/charts/scim/README.md
new file mode 100644
index 0000000000..21b27320b7
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/scim/README.md
@@ -0,0 +1,60 @@ +# scim + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customCommand | list | `[]` | Add custom pod's command. If passed, it will override the default conditional command. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. 
| +| image.tag | string | `"1.3.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. 
| +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | diff --git a/charts/gluu/gluu/5.3.0/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..8aab5551ea --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/scim/templates/_helpers.tpl 
@@ -0,0 +1,111 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "scim.customJavaOptions"}} +{{ $custom := "" }} +{{ $custom = printf "%s" .Values.global.scim.cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" ( mul (mulf $memory 0.41) 1 ) -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory (mulf $memory 0.49)) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if 
$val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.3.0/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.3.0/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..a6a33631d9 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/scim/templates/deployment.yml 
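Review bot: In `scim.customJavaOptions`, `replace "Mi" "" | int` only understands limits written in `Mi`. A limit such as `1Gi` is not numeric after the replace, `int` yields 0, and the helper emits `-XX:MaxDirectMemorySize=0m -Xmx0m`, so the pod fails at start-up or runs with nonsensical heap settings instead of failing at render time. Either document next to `resources.limits.memory` that the value must be in `Mi`, or stop rendering early with `{{- if not (hasSuffix "Mi" (toString .Values.resources.limits.memory)) }}{{ fail "resources.limits.memory must be given in Mi" }}{{- end }}`. The helper also reads the limit when `global.cloud.testEnviroment` makes the deployment render `resources: {}`, so the JVM flags and the real container limit can disagree in that mode.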
@@ -0,0 +1,142 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if or (.Values.additionalAnnotations) (.Values.global.scim.customAnnotations.deployment) }} + annotations: +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.global.scim.customAnnotations.deployment }} +{{ toYaml .Values.global.scim.customAnnotations.deployment | indent 4 }} +{{- end }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if or (.Values.global.istio.ingress) (.Values.global.scim.customAnnotations.pod) }} + annotations: + {{- if .Values.global.istio.ingress }} + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + {{- if .Values.global.scim.customAnnotations.pod }} + {{ toYaml .Values.global.scim.customAnnotations.pod | indent 4 }} + {{- end }} + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + serviceAccountName: {{ .Values.global.serviceAccountName }} + containers: + - name: {{ include "scim.name" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + - name: CN_SCIM_JAVA_OPTIONS + value: {{ include "scim.customJavaOptions" . | trim }} + {{- include "scim.usr-envs" . | indent 10 }} + {{- include "scim.usr-secret-envs" . | indent 10 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) (.Values.customCommand) }} + command: + {{- if .Values.customCommand }} + {{- toYaml .Values.customCommand | nindent 12 }} + {{- else }} + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + {{- end}} + {{- if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . 
| nindent 10 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- with (include "cn.config.schema" . | fromYaml).volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/gluu/gluu/5.3.0/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.3.0/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..0444589c36 --- /dev/null +++ b/charts/gluu/gluu/5.3.0/charts/scim/templates/hpa.yaml 
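Review bot: The scim container `securityContext` sets only `runAsUser: 1000` and `runAsNonRoot: true`, which leaves privilege escalation allowed and the default capability set in place. Because the block is hard-coded, it cannot be tightened from values either. Adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` beside the two existing keys closes that gap; the container listens on the unprivileged `service.port` (8080 by default), so it presumably needs no added capability, but confirm with a test deploy. Merging an optional `.Values.securityContext` over these defaults would let operators add `readOnlyRootFilesystem` or a seccomp profile without patching the template.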
@@ -0,0 +1,42 @@
+{{ if .Values.hpa.enabled -}}
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "scim.fullname" . }}
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.scim.customAnnotations.horizontalPodAutoscaler) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.scim.customAnnotations.horizontalPodAutoscaler }}
+{{ toYaml .Values.global.scim.customAnnotations.horizontalPodAutoscaler | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "scim.fullname" . }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.targetCPUUtilizationPercentage }}
+ targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+ {{- else if .Values.hpa.metrics }}
+ metrics:
+ {{- with .Values.hpa.metrics }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+ {{- with .Values.hpa.behavior }}
+{{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.3.0/charts/scim/templates/scim-destination-rules.yaml
new file mode 100644
index 0000000000..a8206136f5
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/scim/templates/scim-destination-rules.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.global.istio.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: {{ .Release.Name }}-scim-mtls
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.scim.customAnnotations.destinationRule) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.scim.customAnnotations.destinationRule }}
+{{ toYaml .Values.global.scim.customAnnotations.destinationRule | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.3.0/charts/scim/templates/scim-pdb.yaml
new file mode 100644
index 0000000000..0c19565734
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/scim/templates/scim-pdb.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.pdb.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "scim.fullname" . }}
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.scim.customAnnotations.podDisruptionBudget) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.scim.customAnnotations.podDisruptionBudget }}
+{{ toYaml .Values.global.scim.customAnnotations.podDisruptionBudget | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-{{ include "scim.name" . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.3.0/charts/scim/templates/scim-virtual-services.yaml
new file mode 100644
index 0000000000..50fc2dc1ee
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/scim/templates/scim-virtual-services.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.global.istio.ingress }}
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: {{ .Release.Name }}-istio-scim-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.scim.customAnnotations.virtualService) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.scim.customAnnotations.virtualService }}
+{{ toYaml .Values.global.scim.customAnnotations.virtualService | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ hosts:
+ - {{ .Values.global.fqdn }}
+{{- if .Values.global.istio.gateways }}
+ gateways:
+{{ toYaml .Values.global.istio.gateways | indent 2 }}
+{{- else }}
+ gateways:
+ - {{ .Release.Name }}-global-gtw
+{{- end }}
+ http:
+ {{- if .Values.global.scim.ingress.scimConfigEnabled }}
+ - name: {{ .Release.Name }}-istio-scim-config
+ match:
+ - uri:
+ prefix: /.well-known/scim-configuration
+ rewrite:
+ uri: /jans-scim/restv1/scim-configuration
+ route:
+ - destination:
+ host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+ {{- end }}
+ {{- if .Values.global.scim.ingress.scimEnabled }}
+ - name: {{ .Release.Name }}-istio-scim
+ match:
+ - uri:
+ prefix: "/jans-scim"
+ route:
+ - destination:
+ host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local
+ port:
+ number: 8080
+ weight: 100
+ {{- end }}
+{{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/scim/templates/service.yml b/charts/gluu/gluu/5.3.0/charts/scim/templates/service.yml
new file mode 100644
index 0000000000..2a3b64ff38
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/scim/templates/service.yml
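Review bot: The `prefix: "/jans-scim"` match in the second route forwards every path under the application context to the pod, including `/jans-scim/sys/health-check`, which this chart's probes use, so that endpoint becomes reachable through the gateway whenever `scimEnabled` is true. If only the REST API is meant to be public, narrow the match to the API root; the rewrite target in the first route suggests `prefix: /jans-scim/restv1`, though that should be confirmed against the service's URL layout. A bare prefix is also a plain string match, so it accepts sibling paths such as `/jans-scimX`; ending it with a slash avoids that.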
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.global.scim.scimServiceName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.scim.customAnnotations.service) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.scim.customAnnotations.service }}
+{{ toYaml .Values.global.scim.customAnnotations.service | indent 4 }}
+{{- end }}
+{{- end }}
+spec:
+ {{- if .Values.global.alb.ingress }}
+ type: NodePort
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim
+ sessionAffinity: {{ .Values.service.sessionAffinity }}
+ {{- with .Values.service.sessionAffinityConfig }}
+ sessionAffinityConfig:
+{{ toYaml . | indent 4 }}
+ {{- end }}
diff --git a/charts/gluu/gluu/5.3.0/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.3.0/charts/scim/templates/user-custom-secret-envs.yaml
new file mode 100644
index 0000000000..fbae7ae10c
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/scim/templates/user-custom-secret-envs.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.usrEnvs.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs
+ labels:
+ APP_NAME: scim
+{{ include "scim.labels" . | indent 4}}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.global.scim.customAnnotations.secret) }}
+ annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.global.scim.customAnnotations.secret }}
+{{ toYaml .Values.global.scim.customAnnotations.secret | indent 4 }}
+{{- end }}
+{{- end }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.usrEnvs.secret }}
+ {{ $key }}: {{ $val | b64enc }}
+ {{- end}}
+{{- end}}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/charts/scim/values.yaml b/charts/gluu/gluu/5.3.0/charts/scim/values.yaml
new file mode 100644
index 0000000000..386d6569af
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/charts/scim/values.yaml
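Review bot: `{{ $key }}: {{ $val | b64enc }}` inside the `range` fails to render when an entry under `usrEnvs.secret` is not a string (a number or boolean written unquoted in values), because `b64enc` only accepts strings; `{{ $key }}: {{ $val | toString | b64enc | quote }}` handles both cases and keeps the encoded value a YAML string. The Secret's metadata also omits `namespace: {{ .Release.Namespace }}`, which the VirtualService and Service templates of this chart set, so adding it would keep the resources consistent. Because these entries arrive through Helm values they are also kept in the release record, so a comment in `values.yaml` pointing operators to an externally managed Secret for sensitive entries would help.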
@@ -0,0 +1,96 @@
+
+# -- System for Cross-domain Identity Management (SCIM) version 2.0
+# -- Configure the HorizontalPodAutoscaler
+hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+# -- Add custom normal and secret envs to the service
+usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+# -- Add custom dns policy
+dnsPolicy: ""
+# -- Add custom dns config
+dnsConfig: {}
+image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: janssenproject/scim
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+# -- Service replica number.
+replicas: 1
+resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1000m
+ # -- Memory limit.
+ memory: 1000Mi
+ requests:
+ # -- CPU request.
+ cpu: 1000m
+ # -- Memory request.
+ memory: 1000Mi
+service:
+ # -- The name of the scim port within the scim service. Please keep it as default.
+ name: http-scim
+ # -- Port of the scim service. Please keep it as default.
+ port: 8080
+ # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP
+ sessionAffinity: None
+ # -- the maximum session sticky time if sessionAffinity is ClientIP
+ sessionAffinityConfig:
+ clientIP:
+ timeoutSeconds: 10800
+# -- Configure the liveness healthcheck for SCIM if needed.
+livenessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+# -- Configure the readiness healthcheck for the SCIM if needed.
+readinessProbe:
+ httpGet:
+ # -- http readiness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+# -- Configure any additional volumes that need to be attached to the pod
+volumes: []
+# -- Configure any additional volumesMounts that need to be attached to the containers
+volumeMounts: []
+# Actions on lifecycle events such as postStart and preStop
+# Example
+# lifecycle:
+# postStart:
+# exec:
+# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+lifecycle: {}
+# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"}
+additionalLabels: { }
+# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken
+additionalAnnotations: { }
+# -- Add custom scripts that have been mounted to run before the entrypoint.
+# - /tmp/custom.sh
+# - /tmp/custom2.sh
+customScripts: [ ]
+# -- Add custom pod's command. If passed, it will override the default conditional command.
+customCommand: []
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/openbanking-values.yaml b/charts/gluu/gluu/5.3.0/openbanking-values.yaml
new file mode 100644
index 0000000000..da143dec23
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/openbanking-values.yaml
@@ -0,0 +1,651 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.3.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. 
+ # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . 
+ cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. 
+ cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. 
+ countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: team@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.3.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). 
+config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.3.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. 
+ livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. 
+ enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on 
Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files DB. + cnDocumentStoreType: DB + # -- Persistence backend to run Gluu with hybrid|sql. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. 
+ cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. 
+ enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. 
+ appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. 
+ scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. 
+ uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. 
key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.3.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. 
+ cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.3.0/questions.yaml b/charts/gluu/gluu/5.3.0/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.3.0/questions.yaml 
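Review bot: Usable-looking credentials are shipped as defaults in this values file — `cnSqldbUserPassword: Test1234#`, `cnGoogleSecretManagerPassPhrase: Test1234#` and `redisPassword: P@assw0rd` — so an install that does not override them would come up with passwords that are public in the chart. Leaving them empty and rejecting an unset value at render time (in the consuming templates, which are outside this hunk), or referencing an existing Secret, would avoid that; at minimum each comment should carry `# -- Placeholder only; must be overridden per install`. For the open-banking distribution it is also worth reviewing `authEncKeys: "RSA1_5 RSA-OAEP"` and the `RS*` entries in `authSigKeys`, since FAPI-style profiles are expected to use PS256/ES256 and to avoid PKCS#1 v1.5; confirm against the profile being targeted. `lbIp: 22.22.22.22` is a publicly routable address, and because the `isFqdnRegistered` comment describes mapping `lbIp` to the FQDN inside pods, an empty default or a documentation-range address such as 192.0.2.1 would be a safer placeholder.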
@@ -0,0 +1,1209 @@
+questions:
+# ==================
+# License SSA group
+# ==================
+- variable: global.licenseSsa
+ default: ""
+ required: true
+ type: string
+ label: License SSA
+ description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded."
+ group: "License SSA"
+
+# ==================
+# Distribution group
+# ==================
+- variable: global.distribution
+ default: "openbanking"
+ required: true
+ type: enum
+ label: Gluu Distribution
+ description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry."
+ group: "Global Settings"
+ options:
+ - "default"
+ - "openbanking"
+
+# ========================
+# OpenBanking Distribution
+# ========================
+- variable: global.cnObExtSigningJwksUri
+ required: true
+ default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks"
+ description: "Open banking external signing jwks uri. Used in SSA Validation."
+ type: hostname
+ group: "OpenBanking Distribution"
+ label: Openbanking external signing JWKS URI
+ show_if: "global.distribution=openbanking"
+ subquestions:
+ - variable: global.cnObExtSigningJwksCrt
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set."
+ type: multiline
+ label: Open banking external signing jwks AS certificate authority string
+ - variable: global.cnObExtSigningJwksKey
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set."
+ type: multiline
+ label: Open banking external signing jwks AS key string
+ - variable: global.cnObExtSigningJwksKeyPassPhrase
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set."
+ type: password
+ label: Open banking external signing jwks AS key passphrase
+ min_length: 6
+ - variable: global.cnObExtSigningAlias
+ default: "XkwIzWy44xWSlcWnMiEc8iq9s2G"
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G"
+ type: string
+ label: Open banking external signing AS Alias
+- variable: global.cnObStaticSigningKeyKid
+ default: "Wy44xWSlcWnMiEc8iq9s2G"
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G"
+ type: string
+ label: Open banking signing AS kid
+ show_if: "global.distribution=openbanking"
+- variable: global.cnObTransportAlias
+ default: ""
+ required: false
+ group: "OpenBanking Distribution"
+ description: "Open banking transport Alias used inside the JVM."
+ type: string
+ label: Open banking transport Alias used inside the JVM.
+ show_if: "global.distribution=openbanking"
+ subquestions:
+ - variable: global.cnObTransportCrt
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64."
+ type: multiline
+ label: Open banking AS transport crt
+ - variable: global.cnObTransportKey
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64."
+ type: multiline
+ label: Open banking AS transport key
+ - variable: global.cnObTransportKeyPassPhrase
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64."
+ type: password
+ label: Open banking AS transport key passphrase
+ min_length: 6
+ - variable: global.cnObTransportTrustStore
+ default: ""
+ required: true
+ group: "OpenBanking Distribution"
+ description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64."
+ type: multiline
+ label: Open banking external signing jwks AS certificate authority string
+
+# =======================
+# Optional Services group
+# =======================
+- variable: global.admin-ui.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: false
+ label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu.
+ show_if: "global.distribution=default"
+ show_subquestion_if: true
+- variable: global.auth-server-key-rotation.enabled
+ default: true
+ type: boolean
+ group: "Optional Services"
+ required: true
+ label: Enable Auth key rotation cronjob. Disable this if using the OB distribution.
+ show_if: "global.distribution=default"
+ show_subquestion_if: true
+ subquestions:
+ - variable: auth-server-key-rotation.keysLife
+ default: 48
+ description: "Auth server key rotation keys life in hours."
+ type: int
+ label: Key life
+- variable: global.fido2.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ show_if: "global.distribution=default"
+ label: Enable Fido2
+ description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments."
+- variable: global.config-api.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ label: Enable ConfigAPI
+ description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)."
+- variable: global.casa.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ label: Enable Casa
+ description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server."
+- variable: global.scim.enabled
+ default: false
+ type: boolean
+ group: "Optional Services"
+ required: true
+ show_if: "global.distribution=default"
+ label: Enable SCIM
+ description: "System for Cross-domain Identity Management (SCIM) version 2.0"
+
+# ======================
+# Test environment group
+# ======================
+- variable: global.cloud.testEnviroment
+ default: false
+ type: boolean
+ group: "Test Environment"
+ required: true
+ label: Test environment
+ description: "Boolean flag if enabled will strip resources requests and limits from all services."
+
+# =================
+# Persistence group
+# =================
+- variable: global.cnPersistenceType
+ default: "sql"
+ required: true
+ type: enum
+ group: "Persistence"
+ label: Gluu Persistence backend
+ description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner"
+ options:
+ - "ldap"
+ - "couchbase"
+ - "hybrid"
+ - "spanner"
+ - "sql"
+# LDAP
+- variable: global.opendj.enabled
+ default: false
+ type: boolean
+ group: "Persistence"
+ required: true
+ label: Enable installation of OpenDJ
+ description: "Boolean flag to enable/disable the OpenDJ chart."
+ show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnLdapUrl
+ default: "opendj:1636"
+ type: hostname
+ group: "Persistence"
+ required: true
+ label: OpenDJ remote URL
+ description: "OpenDJ remote URL. This must be resolvable by the pods"
+ show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnPersistenceHybridMapping
+ default: "{}"
+ required: false
+ type: enum
+ group: "Persistence"
+ label: Gluu Persistence LDAP mapping
+ description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`."
+ options:
+ - "default"
+ - "user"
+ - "site"
+ - "cache"
+ - "token"
+ - "session"
+ show_if: "global.cnPersistenceType=hybrid"
+# SQL
+- variable: config.configmap.cnSqlDbDialect
+ default: "default"
+ required: false
+ type: enum
+ group: "Persistence"
+ label: Gluu SQL Database dialect
+ description: "SQL database dialect. `mysql` or `pgsql`."
+ options:
+ - "pgsql"
+ - "mysql"
+ show_if: "global.cnPersistenceType=sql"
+- variable: config.configmap.cnSqlDbHost
+ default: "postgresql.default.svc.cluster.local"
+ required: false
+ type: hostname
+ group: "Persistence"
+ label: SQL database host uri
+ description: "SQL database host uri"
+ show_if: "global.cnPersistenceType=sql"
+- variable: config.configmap.cnSqlDbPort
+ default: 5432
+ required: false
+ type: int
+ group: "Persistence"
+ label: SQL database port
+ description: "SQL database port"
+ show_if: "global.cnPersistenceType=sql"
+- variable: config.configmap.cnSqlDbUser
+ default: "gluu"
+ group: "Persistence"
+ description: "SQL database username"
+ type: string
+ label: SQL database username
+ valid_chars: "^[a-z]+$"
+ show_if: "global.cnPersistenceType=sql"
+- variable: config.configmap.cnSqldbUserPassword
+ default: "Test1234#"
+ group: "Persistence"
+ description: "SQL password"
+ type: password
+ label: SQL password
+
+ show_if: "global.cnPersistenceType=sql"
+- variable: config.configmap.cnSqlDbName
+ default: "gluu"
+ group: "Persistence"
+ description: "SQL database name"
+ type: string
+ label: SQL database name
+ show_if: "global.cnPersistenceType=sql"
+# Spanner
+- variable: config.configmap.cnGoogleSpannerInstanceId
+ default: ""
+ group: "Persistence"
+ description: "The google spanner instance ID"
+ type: string
+ label: Google Spanner Instance ID
+ show_if: "global.cnPersistenceType=spanner"
+- variable: config.configmap.cnGoogleSpannerDatabaseId
+ default: ""
+ group: "Persistence"
+ description: "The google spanner database ID"
+ type: string
+ label: Google Spanner Database ID
+ show_if: "global.cnPersistenceType=spanner"
+- variable: config.configmap.cnGoogleSecretManagerServiceAccount
+ default: ""
+ group: "Persistence"
+ description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner."
+ type: multiline
+ label: Google Spanner Service Account json
+ show_if: "global.cnPersistenceType=spanner"
+- variable: config.configmap.cnGoogleProjectId
+ default: ""
+ group: "Persistence"
+ description: "The Google Project ID"
+ type: string
+ label: Google Project ID
+ show_if: "global.cnPersistenceType=spanner"
+#Couchbase
+- variable: config.configmap.cnCouchbaseCrt
+ default: ""
+ group: "Persistence"
+ description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required."
+ type: multiline
+ label: Couchbase certificate authority string
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseUrl
+ default: "gluu.cbns.svc.cluster.local"
+ required: false
+ type: hostname
+ group: "Persistence"
+ label: Couchbase host uri
+ description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster"
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseBucketPrefix
+ default: "gluu"
+ type: string
+ description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu."
+ group: "Persistence"
+ required: true
+ label: The prefix of Couchbase buckets
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseIndexNumReplica
+ default: 0
+ type: int
+ description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1."
+ group: "Persistence"
+ required: true
+ label: The number of replicas per index created
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseSuperUser
+ default: "admin"
+ group: "Persistence"
+ description: "he Couchbase super user (admin) user name. This user is used during initialization only."
+ type: string
+ label: The Couchbase super user (admin) user name.
+ valid_chars: "^[a-z]+$"
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseSuperUserPassword
+ default: "Test1234#"
+ group: "Persistence"
+ description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol"
+ type: password
+ label: Couchbase password for the super users
+
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbaseUser
+ default: "gluu"
+ group: "Persistence"
+ description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase."
+ type: string
+ label: Couchbase restricted username
+ valid_chars: "^[a-z]+$"
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+- variable: config.configmap.cnCouchbasePassword
+ default: "Test1234#"
+ group: "Persistence"
+ description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ."
+ type: password
+ label: Couchbase password for the restricted user
+ show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid"
+
+# ==============================
+# StorageClass and volume group
+# ==============================
+- variable: global.storageClass.provisioner
+ default: "microk8s.io/hostpath"
+ type: string
+ group: "Volumes"
+ required: true
+ label: StorageClass provisioner
+ show_if: "global.cnPersistenceType=ldap"
+ subquestions:
+ - variable: global.storageClass.allowVolumeExpansion
+ default: true
+ type: boolean
+ group: "Volumes"
+ required: true
+ label: StorageClass Volume expansion
+ - variable: global.storageClass.reclaimPolicy
+ default: "Retain"
+ type: enum
+ group: "Volumes"
+ required: true
+ label: StorageClass reclaimPolicy
+ options:
+ - "Delete"
+ - "Retain"
+ - variable: global.storageClass.volumeBindingMode
+ default: "WaitForFirstConsumer"
+ type: enum
+ group: "Volumes"
+ required: true
+ options:
+ - "WaitForFirstConsumer"
+ - "Immediate"
+ label: StorageClass volumeBindingMode
+
+# ===========
+# Cache group
+# ===========
+- variable: config.configmap.cnCacheType
+ default: "NATIVE_PERSISTENCE"
+ required: true
+ type: enum
+ group: "Cache"
+ label: Gluu Cache
+ description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ."
+ options:
+ - "NATIVE_PERSISTENCE"
+ - "IN_MEMORY"
+ - "REDIS"
+ show_subquestion_if: "REDIS"
+ subquestions:
+ - variable: config.configmap.cnRedisType
+ default: "STANDALONE"
+ type: enum
+ group: "Cache"
+ required: false
+ label: Redix service type
+ description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`."
+ options:
+ - "STANDALONE"
+ - "CLUSTER"
+ - variable: config.redisPassword
+ default: "Test1234#"
+ type: password
+ group: "Cache"
+ required: false
+ label: Redis admin password
+ description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`."
+
+ - variable: config.configmap.cnRedisUrl
+ default: "redis.redis.svc.cluster.local:6379"
+ required: false
+ type: hostname
+ group: "Cache"
+ label: Redis URL
+ description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`."
+
+# ==================
+# Configuration group
+# ==================
+- variable: global.fqdn
+ default: "demoexample.gluu.org"
+ required: true
+ type: hostname
+ group: "Configuration"
+ label: Gluu Installation FQDN
+ description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services."
+- variable: global.countryCode
+ default: "US"
+ required: true
+ type: string
+ group: "Configuration"
+ label: Country code
+ description: "Country code. Used for certificate creation."
+- variable: config.state
+ default: "TX"
+ required: true
+ type: string
+ group: "Configuration"
+ label: State code
+ description: "State code. Used for certificate creation."
+- variable: config.city
+ default: "Austin"
+ required: true
+ type: string
+ group: "Configuration"
+ label: City
+ description: "City. Used for certificate creation."
+- variable: config.email
+ default: "support@gluu.org"
+ required: true
+ type: string
+ group: "Configuration"
+ label: Email
+ description: "Email address of the administrator usually. Used for certificate creation."
+- variable: config.orgName
+ default: "Gluu"
+ required: true
+ type: string
+ group: "Configuration"
+ label: Organization
+ description: "Organization name. Used for certificate creation."
+- variable: config.adminPassword
+ default: "Test1234#"
+ type: password
+ group: "Configuration"
+ required: true
+ label: Admin UI password
+ description: "Admin password to log in to the UI."
+
+- variable: config.ldapPassword
+ default: "Test1234#"
+ type: password
+ group: "Configuration"
+ required: true
+ label: LDAP password
+ description: "LDAP admin password if OpenDJ is used for persistence"
+ show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid"
+
+- variable: global.isFqdnRegistered
+ default: true
+ required: true
+ type: boolean
+ group: "Configuration"
+ label: Is the FQDN globally resolvable
+ description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically."
+- variable: config.migration.enabled
+ default: false
+ required: true
+ type: boolean
+ group: "Configuration"
+ label: Migration from Gluu CE
+ description: "Boolean flag to enable migration from CE"
+ show_subquestion_if: true
+ subquestions:
+ - variable: config.migration.migrationDataFormat
+ default: "ldif"
+ type: enum
+ group: "Configuration"
+ required: false
+ label: Migration data-format
+ description: "Migration data-format depending on persistence backend."
+ options:
+ - "ldif"
+ - "couchbase+json"
+ - "spanner+avro"
+ - "postgresql+json"
+ - "mysql+json"
+ - variable: config.migration.migrationDir
+ default: "/ce-migration"
+ required: false
+ type: string
+ group: "Configuration"
+ label: Migration Directory
+ description: "Directory holding all migration files"
+
+# Configmap
+- variable: global.configAdapterName
+ default: "kubernetes"
+ required: true
+ type: enum
+ group: "Configuration"
+ label: Gluu configuration backend
+ description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes"
+ options:
+ - "aws"
+ - "google"
+ - "kubernetes"
+
+# Secret
+- variable: global.configSecretAdapter
+ default: "kubernetes"
+ required: true
+ type: enum
+ group: "Configuration"
+ label: Gluu secret backend
+ description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes"
+ options:
+ - "aws"
+ - "google"
+ - "kubernetes"
+
+
+# Google
+- variable: config.configmap.cnGoogleSecretManagerServiceAccount
+ default: ""
+ type: string
+ group: "Configuration"
+ required: true
+ label: Service account base64 encoded
+ description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer."
+ show_if: "global.configAdapterName=google||global.configSecretAdapter=google"
+
+- variable: config.configmap.cnGoogleProjectId
+ default: ""
+ type: string
+ group: "Configuration"
+ required: true
+ label: Project ID
+ description: "Project id of the Google project the secret manager belongs to"
+ show_if: "global.configAdapterName=google||global.configSecretAdapter=google"
+
+- variable: config.configmap.cnGoogleSecretVersionId
+ default: "latest"
+ type: string
+ group: "Configuration"
+ required: true
+ label: Secrets version
+ description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way."
+ show_if: "global.configAdapterName=google||global.configSecretAdapter=google"
+
+- variable: config.configmap.cnGoogleSecretNamePrefix
+ default: "gluu"
+ type: string
+ group: "Configuration"
+ required: true
+ label: Secrets name prefix
+ description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu"
+ show_if: "global.configAdapterName=google||global.configSecretAdapter=google"
+
+# AWS
+- variable: config.configmap.cnAwsAccessKeyId
+ default: ""
+ type: string
+ group: "Configuration"
+ required: true
+ label: AWS IAM Account Access Key ID
+ description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy"
+ show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws"
+
+- variable: config.configmap.cnAwsSecretAccessKey
+ default: ""
+ type: string
+ group: "Configuration"
+ required: true
+ label: AWS IAM Secret Access Key
+ description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy"
+ show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws"
+
+- variable: config.configmap.cnAwsSecretsNamePrefix
+ default: "gluu"
+ type: string
+ group: "Configuration"
+ required: true
+ label: Secrets name prefix
+ description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu"
+ show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws"
+
+- variable: config.configmap.cnAwsProfile
+ default: "gluu"
+ type: string
+ group: "Configuration"
+ required: true
+ label: AWS named profile
+ description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html"
+ show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws"
+
+- variable: config.configmap.cnAwsDefaultRegion
+ default: "us-west-1"
+ type: string
+ group: "Configuration"
+ required: true
+ label: Default region
+ description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`"
+ show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws"
+
+- variable: config.configmap.cnAwsSecretsEndpointUrl
+ default: ""
+ type: string
+ group: "Configuration"
+ required: false
+ label: Secrets Manager Endpoint URL
+ description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com"
+ show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws"
+
+
+# ===========================
+# Ingress group(Istio, NGINX)
+# ===========================
+
+# ===========
+# Istio group
+# ===========
+- variable: global.istio.enabled
+ default: false
+ type: boolean
+ group: "Istio"
+ required: true
+ description: "Boolean flag that enables using istio side cars with Gluu services."
+ label: Use Istio side cars
+ show_subquestion_if: true
+ subquestions:
+ - variable: global.istio.ingress
+ default: false
+ type: boolean
+ group: "Istio"
+ required: true
+ description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available."
+ label: Use Istio Ingress
+ - variable: global.istio.namespace
+ default: "istio-system"
+ type: string
+ group: "Istio"
+ required: true
+ description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available."
+ label: Istio namespace
+ - variable: config.configmap.lbAddr
+ default: ""
+ group: "Istio"
+ description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)"
+ type: hostname
+ label: LB address or ip
+
+# ===========
+# NGINX group
+# ===========
+- variable: config.configmap.lbAddr
+ default: ""
+ group: "NGINX"
+ show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false"
+ description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)"
+ type: hostname
+ label: LB address or ip
+
+# ===========
+# Ingress group
+# ===========
+- variable: global.admin-ui.ingress.adminUiEnabled
+ default: false
+ type: boolean
+ group: "Ingress"
+ required: false
+ description: "Enable Admin UI endpoints."
+ label: Enable Admin UI endpoints
+ subquestions:
+ # auth-server
+ - variable: global.auth-server.ingress.authServerEnabled
+ default: true
+ type: boolean
+ group: "Ingress"
+ required: true
+ description: "Enable Auth server endpoints /jans-auth"
+ label: Enable Auth server endpoints /jans-auth
+ - variable: global.auth-server.ingress.openidConfigEnabled
+ default: true
+ type: boolean
+ group: "Ingress"
+ required: true
+ description: "Enable endpoint /.well-known/openid-configuration"
+ label: Enable endpoint /.well-known/openid-configuration
+ - variable: global.auth-server.ingress.deviceCodeEnabled
+ default: true
+ type: boolean
+ group: "Ingress"
+ required: true
+ description: "Enable endpoint /device-code"
+ label: Enable endpoint /device-code
+ - variable: global.auth-server.ingress.firebaseMessagingEnabled
+ default: true
+ type: boolean
+ group: "Ingress"
+ required: true
+ description: "Enable endpoint /firebase-messaging-sw.js"
+ label: Enable endpoint /firebase-messaging-sw.js
+ - variable: global.auth-server.ingress.uma2ConfigEnabled
+ default: true
+ type: boolean
+ group: "Ingress"
+ required: true
+ description: "Enable endpoint /.well-known/uma2-configuration"
+ label: Enable endpoint /.well-known/uma2-configuration
+ - variable: global.auth-server.ingress.webfingerEnabled
+ default: true
+ type: boolean
+ group: "Ingress"
+ required: true
+ description: "Enable endpoint /.well-known/webfinger"
+ label: Enable endpoint /.well-known/webfinger
+ - variable: global.auth-server.ingress.webdiscoveryEnabled
+ default: true
+ type: boolean
+ group: "Ingress"
+ required: true
+ description: "Enable endpoint /.well-known/simple-web-discovery"
+ label: Enable endpoint /.well-known/simple-web-discovery
+ - variable: global.auth-server.ingress.u2fConfigEnabled
+ default: true
+ type: boolean
+ group: "Ingress"
+ required: true
+ description: "Enable endpoint /.well-known/fido-configuration"
+ label: Enable endpoint /.well-known/fido-configuration
+ # config-api
+ - variable: global.config-api.ingress.configApiEnabled
+ default: true
+ type: boolean
+ group: "Ingress"
+ required: true
+ description: "Enable config API endpoints /jans-config-api"
+ label: Enable config API endpoints /jans-config-api
+
+#fido2
+- variable: global.fido2.ingress.fido2ConfigEnabled
+ default: false
+ type: boolean
+ group: "Ingress"
+ show_if: "global.distribution=default&&global.fido2.enabled=true"
+ required: true
+ description: "Enable endpoint /.well-known/fido2-configuration. Enable this!"
+ label: Enable endpoint /.well-known/fido2-configuration
+#Casa
+- variable: global.casa.ingress.casaEnabled
+ default: false
+ type: boolean
+ group: "Ingress"
+ show_if: "global.distribution=default&&global.casa.enabled=true"
+ required: true
+ description: "Enable endpoint /casa. Enable this!"
+ label: Enable endpoint /casa Enable this!
+#auth-server OB
+- variable: global.auth-server.ingress.authServerProtectedToken
+ default: true
+ type: boolean
+ group: "Ingress"
+ show_if: "global.distribution=openbanking"
+ required: true
+ description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token"
+ label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token
+- variable: global.auth-server.ingress.authServerProtectedRegister
+ default: true
+ type: boolean
+ group: "Ingress"
+ show_if: "global.distribution=openbanking"
+ required: true
+ description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register"
+ label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register
+# scim
+- variable: global.scim.ingress.scimConfigEnabled
+ default: false
+ type: boolean
+ group: "Ingress"
+ show_if: "global.distribution=default&&global.scim.enabled=true"
+ required: true
+ description: "Enable endpoint /.well-known/scim-configuration. Enable this!"
+ label: Enable endpoint /.well-known/scim-configuration. Enable this!
+- variable: global.scim.ingress.scimEnabled
+ default: false
+ type: boolean
+ group: "Ingress"
+ show_if: "global.distribution=default&&global.scim.enabled=true"
+ required: true
+ description: "Enable SCIM endpoints /jans-scim. Enable this!"
+ label: Enable SCIM endpoints /jans-scim. Enable this!
+
+# ============
+# Images group
+# ============
+# AuthServer
+- variable: auth-server.image.repository
+ required: true
+ type: string
+ default: "janssenproject/auth-server"
+ description: "The Auth Server Image repository"
+ label: Auth Server image repo
+ group: "Images"
+ show_if: "global.auth-server.enabled=true"
+- variable: auth-server.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Auth Server Image pull policy"
+ label: Auth Server imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.auth-server.enabled=true"
+- variable: auth-server.image.tag
+ required: true
+ type: string
+ default: "1.0.5-1"
+ description: "The Auth Server Image tag"
+ label: Auth Server image tag
+ group: "Images"
+ show_if: "global.auth-server.enabled=true"
+# AdminUI
+- variable: admin-ui.image.repository
+ required: true
+ type: string
+ default: "gluufederation/admin-ui"
+ description: "The AdminUI Image repository"
+ label: The AdminUI Image repository
+ group: "Images"
+ show_if: "global.admin-ui.enabled=true"
+- variable: admin-ui.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The AdminUI Image pull policy"
+ label: AdminUI imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.admin-ui.enabled=true"
+- variable: admin-ui.image.tag
+ required: true
+ type: string
+ default: "1.0.5-1"
+ description: "The AdminUI Image tag"
+ label: AdminUI image tag
+ group: "Images"
+ show_if: "global.admin-ui.enabled=true"
+# AuthServer KeyRotation
+- variable: auth-server-key-rotation.image.repository
+ required: true
+ type: string
+ default: "janssenproject/certmanager"
+ description: "The Auth Server KeyRotation Image repository"
+ label: Auth Server KeyRotation image repo
+ group: "Images"
+ show_if: "global.auth-server-key-rotation.enabled=true"
+- variable: auth-server-key-rotation.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Auth Server KeyRotation Image pull policy"
+ label: Auth Server KeyRotation imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.auth-server-key-rotation.enabled=true"
+- variable: auth-server-key-rotation.image.tag
+ required: true
+ type: string
+ default: "1.0.5-1"
+ description: "The Auth Server Image tag"
+ label: Auth Server KeyRotation image tag
+ group: "Images"
+ show_if: "global.auth-server-key-rotation.enabled=true"
+# Casa
+- variable: casa.image.repository
+ required: true
+ type: string
+ default: "gluufederation/casa"
+ description: "The Casa Image repository"
+ label: Casa image repo
+ group: "Images"
+ show_if: "global.casa.enabled=true"
+- variable: casa.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Casa Image pull policy"
+ label: Casa imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.casa.enabled=true"
+- variable: casa.image.tag
+ required: true
+ type: string
+ default: "5.0.0-4"
+ description: "The Casa Image tag"
+ label: Casa image tag
+ group: "Images"
+ show_if: "global.casa.enabled=true"
+# Configurator
+- variable: config.image.repository
+ required: true
+ type: string
+ default: "janssenproject/configurator"
+ description: "The Configurator Image repository"
+ label: Configurator image repo
+ group: "Images"
+ show_if: "global.config.enabled=true"
+- variable: config.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Configurator Image pull policy"
+ label: Configurator imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.config.enabled=true"
+- variable: config.image.tag
+ required: true
+ type: string
+ default: "1.0.5-1"
+ description: "The Configurator Image tag"
+ label: Configurator image tag
+ group: "Images"
+ show_if: "global.config.enabled=true"
+# ConfigAPI
+- variable: config-api.image.repository
+ required: true
+ type: string
+ default: "janssenproject/config-api"
+ description: "The ConfigAPI Image repository"
+ label: ConfigAPI image repo
+ group: "Images"
+ show_if: "global.config-api.enabled=true"
+- variable: config-api.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The ConfigAPI Image pull policy"
+ label: ConfigAPI imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.config-api.enabled=true"
+- variable: config-api.image.tag
+ required: true
+ type: string
+ default: "1.0.5-1"
+ description: "The ConfigAPI Image tag"
+ label: ConfigAPI image tag
+ group: "Images"
+ show_if: "global.config-api.enabled=true"
+# Fido2
+- variable: fido2.image.repository
+ required: true
+ type: string
+ default: "janssenproject/fido2"
+ description: "The Fido2 Image repository"
+ label: Fido2 image repo
+ group: "Images"
+ show_if: "global.fido2.enabled=true"
+- variable: fido2.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The Fido2 Image pull policy"
+ label: Fido2 imagePullPolicy
+ options:
+ - "Always"
+ - "IfNotPresent"
+ - "Never"
+ show_if: "global.fido2.enabled=true"
+- variable: fido2.image.tag
+ required: true
+ type: string
+ default: "1.0.5-1"
+ description: "The Fido2 Image tag"
+ label: Fido2 image tag
+ group: "Images"
+ show_if: "global.fido2.enabled=true"
+# OpenDJ
+- variable: opendj.image.repository
+ required: true
+ type: string
+ default: "gluufederation/opendj"
+ description: "The OpenDJ Image repository"
+ label: OpenDJ image repo
+ group: "Images"
+ show_if: "global.opendj.enabled=true"
+- variable: opendj.image.pullPolicy
+ required: true
+ type: enum
+ group: "Images"
+ default: IfNotPresent
+ description: "The OpenDJ Image pull policy"
+ label: OpenDJ 
imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + 
label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.3.0/templates/_helpers.tpl b/charts/gluu/gluu/5.3.0/templates/_helpers.tpl new file mode 100644 index 0000000000..c284b5db6b --- /dev/null +++ b/charts/gluu/gluu/5.3.0/templates/_helpers.tpl 
@@ -0,0 +1,48 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cn.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cn.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cn.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create configuration schema-related objects.
+*/}}
+{{- define "cn.config.schema" -}}
+{{- $commonName := (printf "%s-configuration-file" .Release.Name) -}}
+{{- $secretName := .Values.global.cnConfiguratorCustomSchema.secretName | default $commonName -}}
+volumes:
+ - name: {{ $commonName }}
+ secret:
+ secretName: {{ $secretName }}
+volumeMounts:
+ - name: {{ $commonName }}
+ mountPath: {{ .Values.global.cnConfiguratorConfigurationFile }}
+ subPath: {{ .Values.global.cnConfiguratorConfigurationFile | base }}
+{{- end -}}
diff --git a/charts/gluu/gluu/5.3.0/values.schema.json b/charts/gluu/gluu/5.3.0/values.schema.json
new file mode 100644
index 0000000000..f2936e123a
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/values.schema.json
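Review bot: In `cn.config.schema` (templates/_helpers.tpl) the secret name and mount path are rendered into the manifest unquoted, so a value containing `: `, ` #` or a leading YAML indicator would change the structure of the generated volume spec instead of failing cleanly; pipe them through `quote`, e.g. `secretName: {{ $secretName | quote }}` and `mountPath: {{ .Values.global.cnConfiguratorConfigurationFile | quote }}` (likewise for `subPath`). Because the file is mounted with `subPath`, Kubernetes does not refresh it when the Secret is updated, so a rotated configuration secret only takes effect after the pods restart; a template comment such as `{{/* subPath mount: restart pods after rotating this Secret */}}` would record that for operators. The lookup `.Values.global.cnConfiguratorCustomSchema.secretName` presumably fails rendering when `cnConfiguratorCustomSchema` is absent from the values; the chart defaults are not visible here, so confirm they always define that map.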
@@ -0,0 +1,2788 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema#", + "type": "object", + "properties": { + "admin-ui": { + "description": "Admin GUI for configuration of the auth-server", + "type": "object", + "properties": {} + }, + "auth-server": { + "description": "OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type": "object", + "properties": {} + }, + "auth-server-key-rotation": { + "description": "Responsible for regenerating auth-keys per x hours", + "type": "object", + "properties": {} + }, + "casa": { + "description": "Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type": "object", + "properties": {} + }, + "config": { + "description": "Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type": "object", + "properties": { + "adminPassword": { + "description": "Admin password to login to the UI", + "$ref": "#/definitions/password" + }, + "city": { + "description": "City of the company or individual. 
Used in generating the self-signed certificate", + "type": "string", + "pattern": "^[a-zA-Z]+$" + }, + "configmap": { + "description": "Configuration parameters mapped to envs in a ConfigMap", + "type": "object", + "properties": { + "cnSqlDbDialect": { + "description": "SQL dialect", + "type": "string", + "pattern": "^(mysql|pgsql)$" + }, + "cnSqlDbHost": { + "description": "SQL server address or ip", + "anyOf": [ + { + "$ref": "#/definitions/url-pattern" + }, + { + "$ref": "#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort": { + "description": "SQL server port", + "type": "integer" + }, + "cnSqlDbName": { + "description": "SQL server database name for Jans", + "type": "string", + "pattern": "^[a-z-0-9]+$" + }, + "cnSqlDbUser": { + "description": "SQL database Jans username", + "type": "string", + "pattern": "^[a-z-0-9]+$" + }, + "cnSqlDbTimezone": { + "description": "SQL database timezone", + "type": "string", + "pattern": "^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword": { + "description": "Password for user config.configmap.cnSqlDbUser.", + "$ref": "#/definitions/password" + }, + "cnCacheType": { + "description": "Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type": "string", + "pattern": "^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap": { + "description": "The name of the ConfigMap that will hold the configuration layer", + "type": "string", + "pattern": "^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount": { + "description": "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId": { + "description": "Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type": "string", + "pattern": "" + }, + "cnGoogleSecretVersionId": { + "description": "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type": "string", + "pattern": "^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix": { + "description": "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type": "string", + "pattern": "^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase": { + "description": "Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref": "#/definitions/password" + }, + "cnMaxRamPercent": { + "description": "Value passed to Java option -XX:MaxRAMPercentage", + "type": "string", + "pattern": "^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode": { + "description": "SCIM protection mode OAUTH|TEST|UMA", + "type": "string", + "pattern": "^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping": { + "description": "Specify data that should be saved in persistence (one of default, user, cache, site, token, or session; default to default). 
Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type": "string" + }, + "cnRedisSentinelGroup": { + "description": "Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type": "string" + }, + "cnRedisSslTruststore": { + "description": "Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type": "string" + }, + "cnRedisType": { + "description": "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type": "string", + "pattern": "^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl": { + "description": "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref": "#/definitions/url-pattern" + }, + "cnRedisUseSsl": { + "description": "Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type": "boolean" + }, + "cnSecretKubernetesSecret": { + "description": "Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type": "string", + "pattern": "^[a-z]+$" + }, + "lbAddr": { + "description": "Loadbalancer address for AWS if the FQDN is not registered.", + "$ref": "#/definitions/url-pattern" + } + } + }, + "countryCode": { + "description": "Country code. Used for certificate creation.", + "type": "string", + "pattern": "^[A-Z]+$" + }, + "email": { + "description": "Email address of the administrator usually. 
Used for certificate creation.", + "$ref": "#/definitions/email-format" + }, + "image": { + "type": "object", + "properties": { + "repository": { + "description": "Image to use for deploying", + "type": "string" + }, + "tag": { + "description": "Image tag to use for deploying.", + "type": "string", + "pattern": "^[a-z0-9-_.]+$" + } + } + }, + "orgName": { + "description": "Organization name. Used for certificate creation.", + "type": "string", + "pattern": "^[a-zA-Z]+$" + }, + "redisPassword": { + "description": "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref": "#/definitions/password" + }, + "resources": { + "description": "Resource specs.", + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "description": "CPU limit.", + "type": "string", + "pattern": "^[0-9m]+$" + }, + "memory": { + "description": "Memory limit.", + "type": "string", + "pattern": "^[0-9Mi]+$" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "description": "CPU request.", + "type": "string", + "pattern": "^[0-9m]+$" + }, + "memory": { + "description": "Memory request.", + "type": "string", + "pattern": "^[0-9Mi]+$" + } + } + } + } + }, + "state": { + "description": "State code. 
Used for certificate creation.", + "type": "string", + "pattern": "^[a-zA-Z]+$" + } + } + }, + "config-api": { + "description": "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type": "object", + "properties": {} + }, + "fido2": { + "description": "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type": "object", + "properties": {} + }, + "global": { + "description": "Parameters used globally across all services helm charts.", + "type": "object", + "properties": { + "alb": { + "type": "object", + "properties": { + "ingress": { + "description": "Activates ALB ingress", + "type": "boolean" + } + } + }, + "auth-server": { + "type": "object", + "properties": { + "customAnnotations": { + "type": "object", + "properties": { + "destinationRule": { + "type": "object" + }, + "podDisruptionBudget": { + "type": "object" + }, + "virtualService": { + "type": "object" + }, + "pod": { + "type": "object" + }, + "deployment": { + "type": "object" + }, + "horizontalPodAutoscaler": { + "type": "object" + }, + "service": { + "type": "object" + }, + "secret": { + "type": "object" + } + } + }, + "enabled": { + "description": "Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type": "boolean" + }, + "authServerServiceName": { + "description": "Name of the auth-server service. 
Please keep it as default.", + "type": "string", + "pattern": "^[a-z0-9-]+$" + }, + "appLoggers": { + "type": "object", + "properties": { + "authLogTarget": { + "description": "jans-auth.log target", + "type": "string", + "pattern": "^(STDOUT|FILE)$" + }, + "authLogLevel": { + "description": "jans-auth.log level", + "type": "string", + "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget": { + "description": "http_request_response target", + "type": "string", + "pattern": "^(STDOUT|FILE)$" + }, + "httpLogLevel": { + "description": "http_request_response level", + "type": "string", + "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget": { + "description": "jans-auth_persistence.log target", + "type": "string", + "pattern": "^(STDOUT|FILE)$" + }, + "persistenceLogLevel": { + "description": "jans-auth_persistence.log level", + "type": "string", + "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget": { + "description": "jans-auth_persistence_duration.log target", + "type": "string", + "pattern": "^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel": { + "description": "jans-auth_persistence_duration.log level", + "type": "string", + "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget": { + "description": "jans-auth_script.log target", + "type": "string", + "pattern": "^(STDOUT|FILE)$" + }, + "scriptLogLevel": { + "description": "jans-auth_script.log level", + "type": "string", + "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget": { + "description": "jans-auth_audit.log target", + "type": "string", + "pattern": "^(STDOUT|FILE)$" + }, + "auditStatsLogLevel": { + "description": "jans-auth_audit.log level", + "type": "string", + "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress": { + "description": "Endpoint control", + "type": "object", + "properties": { + "lockConfigLabels": { + "description": "Lock config 
ingress resource labels. key app is taken", + "type": "object" + }, + "lockConfigAdditionalAnnotations": { + "description": "Lock config ingress resource additional annotations.", + "type": "object" + }, + "lockLabels": { + "description": "Lock ingress resource labels. key app is taken.", + "type": "object" + }, + "lockAdditionalAnnotations": { + "description": "Lock ingress resource additional annotations.", + "type": "object" + }, + "openidConfigLabels": { + "description": "openid-configuration ingress resource labels. key app is taken", + "type": "object" + }, + "openidAdditionalAnnotations": { + "description": "openid-configuration ingress resource additional annotations.", + "type": "object" + }, + "deviceCodeLabels": { + "description": "device-code ingress resource labels. key app is taken", + "type": "object" + }, + "deviceCodeAdditionalAnnotations": { + "description": "device-code ingress resource additional annotations.", + "type": "object" + }, + "firebaseMessagingLabels": { + "description": "Firebase Messaging ingress resource labels. key app is taken", + "type": "object" + }, + "firebaseMessagingAdditionalAnnotations": { + "description": "Firebase Messaging ingress resource additional annotations.", + "type": "object" + }, + "uma2ConfigLabels": { + "description": "uma2 config ingress resource labels. key app is taken", + "type": "object" + }, + "uma2AdditionalAnnotations": { + "description": "uma2 config ingress resource additional annotations.", + "type": "object" + }, + "webfingerLabels": { + "description": "webfinger ingress resource labels. key app is taken", + "type": "object" + }, + "webfingerAdditionalAnnotations": { + "description": "webfinger ingress resource additional annotations.", + "type": "object" + }, + "webdiscoveryLabels": { + "description": "webdiscovery ingress resource labels. 
key app is taken", + "type": "object" + }, + "webdiscoveryAdditionalAnnotations": { + "description": "webfinger ingress resource additional annotations.", + "type": "object" + }, + "u2fConfigLabels": { + "description": "u2f ingress resource labels. key app is taken", + "type": "object" + }, + "u2fAdditionalAnnotations": { + "description": "u2f config ingress resource additional annotations.", + "type": "object" + }, + "authzenConfigLabels": { + "description": "authzen config ingress resource labels. key app is taken", + "type": "object" + }, + "authzenAdditionalAnnotations": { + "description": "authzen config ingress resource additional annotations.", + "type": "object" + }, + "authServerLabels": { + "description": "Auth server config ingress resource labels. key app is taken", + "type": "object" + }, + "authServerAdditionalAnnotations": { + "description": "Auth server ingress resource additional annotations.", + "type": "object" + }, + "authServerProtectedTokenLabels": { + "description": "Auth server protected token ingress resource labels. key app is taken", + "type": "object" + }, + "authServerProtectedTokenAdditionalAnnotations": { + "description": "Auth server protected token ingress resource additional annotations.", + "type": "object" + }, + "authServerProtectedRegisterLabels": { + "description": "Auth server protected token ingress resource labels. 
key app is taken", + "type": "object" + }, + "authServerProtectedRegisterAdditionalAnnotations": { + "description": "Auth server protected register ingress resource additional annotations.", + "type": "object" + }, + "authServerEnabled": { + "description": "Enable Auth server endpoints /jans-auth", + "type": "boolean" + }, + "openidConfigEnabled": { + "description": "Enable endpoint /.well-known/openid-configuration", + "type": "boolean" + }, + "deviceCodeEnabled": { + "description": "Enable endpoint /device-code", + "type": "boolean" + }, + "firebaseMessagingEnabled": { + "description": "Enable endpoint /firebase-messaging-sw.js", + "type": "boolean" + }, + "uma2ConfigEnabled": { + "description": "Enable endpoint /.well-known/uma2-configuration", + "type": "boolean" + }, + "webfingerEnabled": { + "description": "Enable endpoint /.well-known/webfinger", + "type": "boolean" + }, + "webdiscoveryEnabled": { + "description": "Enable endpoint /.well-known/simple-web-discovery", + "type": "boolean" + }, + "u2fConfigEnabled": { + "description": "Enable endpoint /.well-known/fido-configuration", + "type": "boolean" + }, + "lockConfigEnabled": { + "description": "Enable endpoint /.well-known/lock-server-configuration", + "type": "boolean" + }, + "lockEnabled": { + "description": "Enable endpoint /jans-lock", + "type": "boolean" + }, + "authServerProtectedToken": { + "description": "Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio.", + "type": "boolean" + }, + "authServerProtectedRegister": { + "description": "Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. 
Currently not working in Istio.", + "type": "boolean" + }, + "authzenConfigEnabled": { + "description": "Enable endpoint /.well-known/authzen-configuration", + "type": "boolean" + } + } + }, + "lockEnabled": { + "description": "Enable jans-lock as service running inside auth-server", + "type": "boolean" + } + } + }, + "admin-ui": { + "type": "object", + "properties": { + "customAnnotations": { + "type": "object", + "properties": { + "destinationRule": { + "type": "object" + }, + "podDisruptionBudget": { + "type": "object" + }, + "virtualService": { + "type": "object" + }, + "pod": { + "type": "object" + }, + "deployment": { + "type": "object" + }, + "horizontalPodAutoscaler": { + "type": "object" + }, + "service": { + "type": "object" + }, + "secret": { + "type": "object" + } + } + }, + "enabled": { + "description": "Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type": "boolean" + }, + "adminUiServiceName": { + "description": "Name of the admin service. Please keep it as default.", + "type": "string", + "pattern": "^[a-z0-9-]+$" + }, + "ingress": { + "description": "Endpoint control", + "type": "object", + "properties": { + "adminUiEnabled": { + "description": "Enable Admin UI endpoints.", + "type": "boolean" + }, + "adminUiLabels": { + "description": "configAPI ingress resource labels. 
key app is taken", + "type": "object" + }, + "adminUiAdditionalAnnotations": { + "description": "ConfigAPI ingress resource additional annotations.", + "type": "object" + } + } + } + } + }, + "auth-server-key-rotation": { + "type": "object", + "properties": { + "customAnnotations": { + "type": "object", + "properties": { + "cronjob": { + "type": "object" + }, + "service": { + "type": "object" + }, + "secret": { + "type": "object" + } + } + }, + "enabled": { + "description": "Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type": "boolean" + } + } + }, + "awsStorageType": { + "description": "Volume stroage type if using AWS volumes.", + "type": "string", + "pattern": "^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType": { + "description": "Volume storage type if using Azure disks.", + "type": "string", + "pattern": "^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind": { + "description": "Azure storage kind if using Azure disks", + "type": "string", + "pattern": "^(Managed)$" + }, + "cloud": { + "type": "object", + "properties": { + "testEnviroment": { + "description": "Boolean flag if enabled will strip resources requests and limits from all services.", + "type": "boolean" + } + } + }, + "cnPersistenceType": { + "description": "Persistence backend to run Gluu with hybrid|sql.", + "type": "string", + "pattern": "^(hybrid|sql)$" + }, + "cnDocumentStoreType": { + "description": "Document store type to use for shibboleth files DB.", + "type": "string", + "pattern": "^(DB)$" + }, + "cnObExtSigningJwksUri": { + "description": "Open banking external signing jwks uri. Used in SSA Validation.", + "type": "string" + }, + "cnObExtSigningJwksCrt": { + "description": "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. 
Used when `.global.cnObExtSigningJwksUri` is set.",
+ "type": "string",
+ "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObExtSigningJwksKey": {
+ "description": "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.",
+ "type": "string",
+ "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObExtSigningJwksKeyPassPhrase": {
+ "description": "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.",
+ "type": "string",
+ "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObExtSigningAlias": {
+ "description": "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G",
+ "type": "string"
+ },
+ "cnObStaticSigningKeyKid": {
+ "description": "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G",
+ "type": "string"
+ },
+ "cnObTransportCrt": {
+ "description": "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.",
+ "type": "string",
+ "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObTransportKey": {
+ "description": "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.",
+ "type": "string",
+ "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObTransportKeyPassPhrase": {
+ "description": "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.",
+ "type": "string",
+ "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "cnObTransportAlias": {
+ "description": "Open banking transport Alias used inside the JVM.",
+ "type": "string"
+ },
+ "cnObTransportTrustStore": {
+ "description": "Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.",
+ "type": "string",
+ "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+ },
+ "config": {
+ "type": "object",
+ "properties": {
+ "customAnnotations": {
+ "type": "object",
+ "properties": {
+ "clusterRoleBinding": {
+ "type": "object"
+ },
+ "configMap": {
+ "type": "object"
+ },
+ "job": {
+ "type": "object"
+ },
+ "roleBinding": {
+ "type": "object"
+ },
+ "role": {
+ "type": "object"
+ },
+ "secret": {
+ "type": "object"
+ },
+ "service": {
+ "type": "object"
+ },
+ "serviceAccount": {
+ "type": "object"
+ }
+ }
+ },
+ "enabled": {
+ "description": "Boolean flag to enable/disable the configuration chart. This normally should always be true",
+ "type": "boolean"
+ }
+ }
+ },
+ "configAdapterName": {
+ "description": "The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws",
+ "type": "string",
+ "pattern": "^(kubernetes|google|aws)$"
+ },
+ "configSecretAdapter": {
+ "description": "The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws",
+ "type": "string",
+ "pattern": "^(kubernetes|google|aws|vault)$"
+ },
+ "cnGoogleApplicationCredentials": {
+ "description": "Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets.",
+ "type": "string",
+ "pattern": ".*google-credentials.json\\b.*"
+ },
+ "casa": {
+ "type": "object",
+ "properties": {
+ "customAnnotations": {
+ "type": "object",
+ "properties": {
+ "destinationRule": {
+ "type": "object"
+ },
+ "podDisruptionBudget": {
+ "type": "object"
+ },
+ "virtualService": {
+ "type": "object"
+ },
+ "pod": {
+ "type": "object"
+ },
+ "deployment": {
+ "type": "object"
+ },
+ "horizontalPodAutoscaler": {
+ "type": "object"
+ },
+ "service": {
+ "type": "object"
+ },
+ "secret": {
+ "type": "object"
+ }
+ }
+ },
+ "casaServiceName": {
+ "description": "Name of the casa service. Please keep it as default.",
+ "type": "string",
+ "pattern": "^[a-z0-9-]+$"
+ },
+ "enabled": {
+ "description": "Boolean flag to enable/disable the casa chart.",
+ "type": "boolean"
+ },
+ "ingress": {
+ "description": "Endpoint control",
+ "type": "object",
+ "properties": {
+ "casaEnabled": {
+ "description": " Enable casa endpoints /casa",
+ "type": "boolean"
+ },
+ "casaLabels": {
+ "description": "Casa ingress resource labels. key app is taken",
+ "type": "object"
+ },
+ "casaAdditionalAnnotations": {
+ "description": "Casa ingress resource additional annotations.",
+ "type": "object"
+ }
+ }
+ }
+ }
+ },
+ "config-api": {
+ "type": "object",
+ "properties": {
+ "customAnnotations": {
+ "type": "object",
+ "properties": {
+ "destinationRule": {
+ "type": "object"
+ },
+ "podDisruptionBudget": {
+ "type": "object"
+ },
+ "virtualService": {
+ "type": "object"
+ },
+ "pod": {
+ "type": "object"
+ },
+ "deployment": {
+ "type": "object"
+ },
+ "horizontalPodAutoscaler": {
+ "type": "object"
+ },
+ "service": {
+ "type": "object"
+ }
+ }
+ },
+ "configApiServerServiceName": {
+ "description": "Name of the config-api service. Please keep it as default.",
+ "type": "string",
+ "pattern": "^[a-z0-9-]+$"
+ },
+ "enabled": {
+ "description": "Boolean flag to enable/disable the config-api chart.",
+ "type": "boolean"
+ },
+ "appLoggers": {
+ "type": "object",
+ "properties": {
+ "configApiLogTarget": {
+ "description": "configapi.log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "configApiLogLevel": {
+ "description": "configapi.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ },
+ "adminUiAppLoggers": {
+ "type": "object",
+ "properties": {
+ "adminUiLogTarget": {
+ "description": "config-api admin-ui plugin log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "adminUiLogLevel": {
+ "description": "config-api admin-ui plugin log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "adminUiAuditLogTarget": {
+ "description": "config-api admin-ui plugin audit log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "adminUiAuditLogLevel": {
+ "description": "config-api admin-ui plugin audit log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ },
+ "ingress": {
+ "description": "Endpoint control",
+ "type": "object",
+ "properties": {
+ "configApiEnabled": {
+ "description": "Enable config API endpoints /jans-config-api",
+ "type": "boolean"
+ },
+ "configApiLabels": {
+ "description": "configAPI ingress resource labels. key app is taken",
+ "type": "object"
+ },
+ "configApiAdditionalAnnotations": {
+ "description": "ConfigAPI ingress resource additional annotations.",
+ "type": "object"
+ }
+ }
+ }
+ }
+ },
+ "fqdn": {
+ "description": "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.",
+ "$ref": "#/definitions/fqdn-pattern"
+ },
+ "fido2": {
+ "type": "object",
+ "properties": {
+ "customAnnotations": {
+ "type": "object",
+ "properties": {
+ "destinationRule": {
+ "type": "object"
+ },
+ "podDisruptionBudget": {
+ "type": "object"
+ },
+ "virtualService": {
+ "type": "object"
+ },
+ "pod": {
+ "type": "object"
+ },
+ "deployment": {
+ "type": "object"
+ },
+ "horizontalPodAutoscaler": {
+ "type": "object"
+ },
+ "service": {
+ "type": "object"
+ },
+ "secret": {
+ "type": "object"
+ }
+ }
+ },
+ "fido2ServiceName": {
+ "description": "Name of the fido2 service. Please keep it as default.",
+ "type": "string",
+ "pattern": "^[a-z0-9-]+$"
+ },
+ "enabled": {
+ "description": "Boolean flag to enable/disable the fido2 chart.",
+ "type": "boolean"
+ },
+ "appLoggers": {
+ "type": "object",
+ "properties": {
+ "fido2LogTarget": {
+ "description": "fido2.log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "fido2LogLevel": {
+ "description": "fido2.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceLogTarget": {
+ "description": "fido2_persistence.log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "persistenceLogLevel": {
+ "description": "fido2_persistence.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ },
+ "ingress": {
+ "description": "Endpoint control",
+ "type": "object",
+ "properties": {
+ "fido2ConfigEnabled": {
+ "description": "Enable endpoint /.well-known/fido2-configuration",
+ "type": "boolean"
+ },
+ "fido2Enabled": {
+ "description": "Enable endpoint /jans-fido2",
+ "type": "boolean"
+ },
+ "fido2WebauthnEnabled": {
+ "description": "Enable endpoint /.well-known/webauthn",
+ "type": "boolean"
+ },
+ "fido2ConfigLabels": {
+ "description": "fido2 config ingress resource labels. key app is taken",
+ "type": "object"
+ },
+ "fido2ConfigAdditionalAnnotations": {
+ "description": "fido2 config ingress resource additional annotations.",
+ "type": "object"
+ },
+ "fido2Labels": {
+ "description": "fido2 ingress resource labels. key app is taken",
+ "type": "object"
+ },
+ "fido2AdditionalAnnotations": {
+ "description": "fido2 ingress resource additional annotations.",
+ "type": "object"
+ },
+ "fido2WebauthnLabels": {
+ "description": "fido2 webauthn ingress resource labels. key app is taken",
+ "type": "object"
+ },
+ "fido2WebauthnAdditionalAnnotations": {
+ "description": "fido2 webauthn ingress resource additional annotations.",
+ "type": "object"
+ }
+ }
+ }
+ }
+ },
+ "gcePdStorageType": {
+ "description": "GCE storage kind if using Google disks",
+ "type": "string",
+ "pattern": "^(pd-standard|pd-balanced|pd-ssd)$"
+ },
+ "isFqdnRegistered": {
+ "description": "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.",
+ "type": "boolean"
+ },
+ "istio": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Boolean flag that enables using istio side cars with Gluu services.",
+ "type": "boolean"
+ },
+ "ingress": {
+ "description": "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.",
+ "type": "boolean"
+ },
+ "namespace": {
+ "description": "The namespace istio is deployed in. The is normally istio-system.",
+ "type": "string",
+ "pattern": "^[a-z0-9-_/]+$"
+ }
+ }
+ },
+ "lbIp": {
+ "description": "The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.",
+ "$ref": "#/definitions/ip-pattern"
+ },
+ "nginx-ingress": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Boolean flag to enable/disable the nginx-ingress definitions chart.",
+ "type": "boolean"
+ }
+ }
+ },
+ "distribution": {
+ "description": "Gluu distributions supported are: default|openbanking.",
+ "type": "string",
+ "pattern": "^(default|openbanking)$"
+ },
+ "persistence": {
+ "type": "object",
+ "properties": {
+ "customAnnotations": {
+ "type": "object",
+ "properties": {
+ "job": {
+ "type": "object"
+ },
+ "service": {
+ "type": "object"
+ },
+ "secret": {
+ "type": "object"
+ }
+ }
+ },
+ "enabled": {
+ "description": "Boolean flag to enable/disable the persistence chart.",
+ "type": "boolean"
+ }
+ }
+ },
+ "scim": {
+ "type": "object",
+ "properties": {
+ "customAnnotations": {
+ "type": "object",
+ "properties": {
+ "destinationRule": {
+ "type": "object"
+ },
+ "podDisruptionBudget": {
+ "type": "object"
+ },
+ "virtualService": {
+ "type": "object"
+ },
+ "pod": {
+ "type": "object"
+ },
+ "deployment": {
+ "type": "object"
+ },
+ "horizontalPodAutoscaler": {
+ "type": "object"
+ },
+ "service": {
+ "type": "object"
+ },
+ "secret": {
+ "type": "object"
+ }
+ }
+ },
+ "enabled": {
+ "description": "Boolean flag to enable/disable the SCIM chart.",
+ "type": "boolean"
+ },
+ "scimServiceName": {
+ "description": "Name of the scim service. Please keep it as default.",
+ "type": "string",
+ "pattern": "^[a-z0-9-]+$"
+ },
+ "appLoggers": {
+ "type": "object",
+ "properties": {
+ "authLogTarget": {
+ "description": "jans-scim.log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "authLogLevel": {
+ "description": "jans-scim.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceLogTarget": {
+ "description": "jans-scim_persistence.log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "persistenceLogLevel": {
+ "description": "jans-scim_persistence.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceDurationLogTarget": {
+ "description": "jans-scim_persistence_duration.log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "persistenceDurationLogLevel": {
+ "description": "jans-scim_persistence_duration.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "scriptLogTarget": {
+ "description": "jans-scim_script.log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "scriptLogLevel": {
+ "description": "jans-scim_script.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ },
+ "ingress": {
+ "description": "Endpoint control",
+ "type": "object",
+ "properties": {
+ "scimEnabled": {
+ "description": "Enable SCIM endpoints /jans-scim",
+ "type": "boolean"
+ },
+ "scimConfigEnabled": {
+ "description": "Enable endpoint /.well-known/scim-configuration",
+ "type": "boolean"
+ },
+ "scimConfigLabels": {
+ "description": "SCIM config ingress resource labels. key app is taken",
+ "type": "object"
+ },
+ "scimConfigAdditionalAnnotations": {
+ "description": "SCIM config ingress resource additional annotations.",
+ "type": "object"
+ },
+ "scimLabels": {
+ "description": "SCIM ingress resource labels. key app is taken",
+ "type": "object"
+ },
+ "scimAdditionalAnnotations": {
+ "description": "SCIM ingress resource additional annotations.",
+ "type": "object"
+ }
+ }
+ }
+ }
+ },
+ "storageClass": {
+ "description": "StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.",
+ "type": "object",
+ "properties": {
+ "allowVolumeExpansion": {
+ "type": "boolean"
+ },
+ "allowedTopologies": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "mountOptions": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "parameters": {
+ "type": "object",
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "pool": {
+ "type": "string"
+ },
+ "storageAccountType": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ }
+ },
+ "provisioner": {
+ "type": "string"
+ },
+ "reclaimPolicy": {
+ "type": "string"
+ },
+ "volumeBindingMode": {
+ "type": "string"
+ }
+ }
+ },
+ "link": {
+ "type": "object",
+ "properties": {
+ "customAnnotations": {
+ "type": "object",
+ "properties": {
+ "destinationRule": {
+ "type": "object"
+ },
+ "podDisruptionBudget": {
+ "type": "object"
+ },
+ "virtualService": {
+ "type": "object"
+ },
+ "pod": {
+ "type": "object"
+ },
+ "deployment": {
+ "type": "object"
+ },
+ "horizontalPodAutoscaler": {
+ "type": "object"
+ },
+ "service": {
+ "type": "object"
+ }
+ }
+ },
+ "linkServiceName": {
+ "description": "Name of the link service. Please keep it as default.",
+ "type": "string",
+ "pattern": "^[a-z0-9-]+$"
+ },
+ "enabled": {
+ "description": "Boolean flag to enable/disable the link chart.",
+ "type": "boolean"
+ },
+ "appLoggers": {
+ "type": "object",
+ "properties": {
+ "linkLogTarget": {
+ "description": "cacherefresh.log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "linkLogLevel": {
+ "description": "cacherefresh.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceLogLevel": {
+ "description": "cacherefresh_persistence.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "persistenceDurationLogTarget": {
+ "description": "cacherefresh_persistence_duration.log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "persistenceDurationLogLevel": {
+ "description": "cacherefresh_persistence_duration.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ },
+ "scriptLogTarget": {
+ "description": "cacherefresh_script.log target",
+ "type": "string",
+ "pattern": "^(STDOUT|FILE)$"
+ },
+ "scriptLogLevel": {
+ "description": "cacherefresh_script.log level",
+ "type": "string",
+ "pattern": "^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$"
+ }
+ }
+ },
+ "ingress": {
+ "description": "Endpoint control",
+ "type": "object",
+ "properties": {
+ "linkEnabled": {
+ "description": "Enable link endpoints /jans-link",
+ "type": "boolean"
+ },
+ "linkLabels": {
+ "description": "link ingress resource labels. key app is taken",
+ "type": "object"
+ },
+ "linkAdditionalAnnotations": {
+ "description": "",
+ "type": "object"
+ }
+ }
+ }
+ }
+ },
+ "saml": {
+ "type": "object",
+ "properties": {
+ "customAnnotations": {
+ "type": "object",
+ "properties": {
+ "destinationRule": {
+ "type": "object"
+ },
+ "podDisruptionBudget": {
+ "type": "object"
+ },
+ "virtualService": {
+ "type": "object"
+ },
+ "pod": {
+ "type": "object"
+ },
+ "deployment": {
+ "type": "object"
+ },
+ "horizontalPodAutoscaler": {
+ "type": "object"
+ },
+ "service": {
+ "type": "object"
+ },
+ "secret": {
+ "type": "object"
+ }
+ }
+ },
+ "samlServiceName": {
+ "description": "Name of the saml service. Please keep it as default.",
+ "type": "string",
+ "pattern": "^[a-z0-9-]+$"
+ },
+ "enabled": {
+ "description": "Boolean flag to enable/disable the saml chart.",
+ "type": "boolean"
+ },
+ "ingress": {
+ "description": "Endpoint control",
+ "type": "object",
+ "properties": {
+ "samlEnabled": {
+ "description": " Enable SAML endpoints /kc",
+ "type": "boolean"
+ },
+ "samlLabels": {
+ "description": "SAML config ingress resource labels. key app is taken",
+ "type": "object"
+ },
+ "samlAdditionalAnnotations": {
+ "description": "SAML ingress resource additional annotations.",
+ "type": "object"
+ }
+ }
+ }
+ }
+ },
+ "cnSqlPasswordFile": {
+ "description": "The location of file contains password for the SQL user config.configmap.cnSqlDbUser. The file path must end with sql_password.",
+ "type": "string",
+ "pattern": ".*sql_password\\b.*"
+ }
+ }
+ },
+ "nginx-ingress": {
+ "description": "Nginx ingress definitions chart",
+ "type": "object",
+ "properties": {}
+ },
+ "persistence": {
+ "description": "Job to generate data and intial config for Gluu Server persistence layer.",
+ "type": "object",
+ "properties": {}
+ },
+ "scim": {
+ "description": "System for Cross-domain Identity Management (SCIM) version 2.0",
+ "type": "object",
+ "properties": {}
+ },
+ "kc-scheduler": {
+ "description": "Responsible for synchronizing Keycloak SAML clients",
+ "type": "object",
+ "properties": {}
+ }
+ },
+ "allOf": [
+ {
+ "$ref": "#/definitions/admin-ui-enabled"
+ },
+ {
+ "$ref": "#/definitions/auth-server-enabled"
+ },
+ {
+ "$ref": "#/definitions/auth-server-key-rotation-enabled"
+ },
+ {
+ "$ref": "#/definitions/casa-enabled"
+ },
+ {
+ "$ref": "#/definitions/config-api-enabled"
+ },
+ {
+ "$ref": "#/definitions/fido2-enabled"
+ },
+ {
+ "$ref": "#/definitions/nginx-ingress-enabled"
+ },
+ {
+ "$ref": "#/definitions/persistence-enabled"
+ },
+ {
+ "$ref": "#/definitions/scim-enabled"
+ },
+ {
+ "$ref": "#/definitions/kc-scheduler-enabled"
+ }
+ ],
+ "definitions": {
+ "password": {
+ "anyOf": [
+ {
+ "type": "string",
+ "minLength": 8,
+ "pattern": "",
+ "description": "Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol",
+ "errors": {
+ "minLength": "Password minimum 6 character",
+ "pattern": "Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol"
+ }
+ },
+ {
+ "type": "string",
+ "maxLength": 0
+ }
+ ]
+ },
+ "password-pattern": {
+ "type": "string",
+ "minLength": 6,
+ "pattern": "",
+ "errors": {
+ "minLength": "Password minimum 6 character",
+ "pattern": "Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol"
+ }
+ },
+ "email-format": {
+ "type": "string",
+ "format": "email"
+ },
+ "fqdn-pattern": {
+ "anyOf": [
+ {
+ "type": "string",
+ "errors": {
+ "pattern": "Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org"
+ }
+ },
+ {
+ "type": "string",
+ "maxLength": 0
+ }
+ ]
+ },
+ "url-pattern": {
+ "anyOf": [
+ {
+ "type": "string",
+ "pattern": "(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)",
+ "errors": {
+ "pattern": "URL pattern is not meeting standards."
+ }
+ },
+ {
+ "type": "string",
+ "maxLength": 0
+ }
+ ]
+ },
+ "ip-pattern": {
+ "anyOf": [
+ {
+ "type": "string",
+ "pattern": "^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$",
+ "errors": {
+ "pattern": "Not a valid IP."
+ }
+ },
+ {
+ "type": "string",
+ "maxLength": 0
+ }
+ ]
+ },
+ "admin-ui-enabled": {
+ "if": {
+ "properties": {
+ "global": {
+ "properties": {
+ "admin-ui": {
+ "properties": {
+ "enabled": {
+ "const": "true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "admin-ui": {
+ "required": [
+ "image",
+ "replicas",
+ "resources"
+ ],
+ "properties": {
+ "hpa": {
+ "description": "Configure the HorizontalPodAutoscaler",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "minReplicas": {
+ "type": "integer"
+ },
+ "maxReplicas": {
+ "type": "integer"
+ },
+ "targetCPUUtilizationPercentage": {
+ "type": "integer"
+ },
+ "metrics": {
+ "description": "metrics if targetCPUUtilizationPercentage is not set",
+ "type": "array"
+ },
+ "behavior": {
+ "description": "Scaling Policies",
+ "type": "object"
+ }
+ }
+ },
+ "usrEnvs": {
+ "description": "Add custom normal and secret envs to the service",
+ "type": "object",
+ "properties": {
+ "normal": {
+ "description": "Add custom normal envs to the service",
+ "type": "object"
+ },
+ "secret": {
+ "description": "Add custom secret envs to the service",
+ "type": "object"
+ }
+ }
+ },
+ "dnsPolicy": {
+ "description": "Add custom dns policy",
+ "type": "string",
+ "pattern": "^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig": {
+ "description": "Add custom dns config",
+ "type": "object"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "description": "Image pullPolicy to use for deploying.",
+ "type": "string",
+ "pattern": "^(Always|Never|IfNotPresent)$"
+ },
+ "repository": {
+ "description": "Image to use for deploying",
+ "type": "string"
+ },
+ "tag": {
+ "description": "Image tag to use for deploying.",
+ "type": "string",
+ "pattern": "^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "replicas": {
+ "description": "Service replica number.",
+ "type": "integer"
+ },
+ "resources": {
+ "description": "Resource specs.",
+ "type": "object",
+ "properties": {
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU limit.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory limit.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU request.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory request.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else": true
+ },
+ "auth-server-enabled": {
+ "if": {
+ "properties": {
+ "global": {
+ "properties": {
+ "auth-server": {
+ "properties": {
+ "enabled": {
+ "const": "true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "auth-server": {
+ "required": [
+ "image",
+ "replicas",
+ "resources"
+ ],
+ "properties": {
+ "hpa": {
+ "description": "Configure the HorizontalPodAutoscaler",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "minReplicas": {
+ "type": "integer"
+ },
+ "maxReplicas": {
+ "type": "integer"
+ },
+ "targetCPUUtilizationPercentage": {
+ "type": "integer"
+ },
+ "metrics": {
+ "description": "metrics if targetCPUUtilizationPercentage is not set",
+ "type": "array"
+ },
+ "behavior": {
+ "description": "Scaling Policies",
+ "type": "object"
+ }
+ }
+ },
+ "usrEnvs": {
+ "description": "Add custom normal and secret envs to the service",
+ "type": "object",
+ "properties": {
+ "normal": {
+ "description": "Add custom normal envs to the service",
+ "type": "object"
+ },
+ "secret": {
+ "description": "Add custom secret envs to the service",
+ "type": "object"
+ }
+ }
+ },
+ "dnsPolicy": {
+ "description": "Add custom dns policy",
+ "type": "string",
+ "pattern": "^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig": {
+ "description": "Add custom dns config",
+ "type": "object"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "description": "Image pullPolicy to use for deploying.",
+ "type": "string",
+ "pattern": "^(Always|Never|IfNotPresent)$"
+ },
+ "repository": {
+ "description": "Image to use for deploying",
+ "type": "string"
+ },
+ "tag": {
+ "description": "Image tag to use for deploying.",
+ "type": "string",
+ "pattern": "^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "replicas": {
+ "description": "Service replica number.",
+ "type": "integer"
+ },
+ "resources": {
+ "description": "Resource specs.",
+ "type": "object",
+ "properties": {
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU limit.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory limit.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU request.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory request.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else": true
+ },
+ "auth-server-key-rotation-enabled": {
+ "if": {
+ "properties": {
+ "global": {
+ "properties": {
+ "auth-server-key-rotation": {
+ "properties": {
+ "enabled": {
+ "const": "true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "auth-server-key-rotation": {
+ "properties": {
+ "usrEnvs": {
+ "description": "Add custom normal and secret envs to the service",
+ "type": "object",
+ "properties": {
+ "normal": {
+ "description": "Add custom normal envs to the service",
+ "type": "object"
+ },
+ "secret": {
+ "description": "Add custom secret envs to the service",
+ "type": "object"
+ }
+ }
+ },
+ "dnsPolicy": {
+ "description": "Add custom dns policy",
+ "type": "string",
+ "pattern": "^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig": {
+ "description": "Add custom dns config",
+ "type": "object"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "description": "Image pullPolicy to use for deploying.",
+ "type": "string",
+ "pattern": "^(Always|Never|IfNotPresent)$"
+ },
+ "repository": {
+ "description": "Image to use for deploying",
+ "type": "string"
+ },
+ "tag": {
+ "description": "Image tag to use for deploying.",
+ "type": "string",
+ "pattern": "^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "keysLife": {
+ "description": "Auth server key rotation keys life in hours",
+ "type": "integer"
+ },
+ "resources": {
+ "description": "Resource specs.",
+ "type": "object",
+ "properties": {
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU limit.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory limit.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU request.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory request.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ }
+ },
+ "required": [
+ "image",
+ "resources",
+ "keysLife"
+ ]
+ }
+ }
+ },
+ "else": true
+ },
+ "casa-enabled": {
+ "if": {
+ "properties": {
+ "global": {
+ "properties": {
+ "casa": {
+ "properties": {
+ "enabled": {
+ "const": "true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "casa": {
+ "required": [
+ "image",
+ "replicas",
+ "resources"
+ ],
+ "properties": {
+ "hpa": {
+ "description": "Configure the HorizontalPodAutoscaler",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "minReplicas": {
+ "type": "integer"
+ },
+ "maxReplicas": {
+ "type": "integer"
+ },
+ "targetCPUUtilizationPercentage": {
+ "type": "integer"
+ },
+ "metrics": {
+ "description": "metrics if targetCPUUtilizationPercentage is not set",
+ "type": "array"
+ },
+ "behavior": {
+ "description": "Scaling Policies",
+ "type": "object"
+ }
+ }
+ },
+ "usrEnvs": {
+ "description": "Add custom normal and secret envs to the service",
+ "type": "object",
+ "properties": {
+ "normal": {
+ "description": "Add custom normal envs to the service",
+ "type": "object"
+ },
+ "secret": {
+ "description": "Add custom secret envs to the service",
+ "type": "object"
+ }
+ }
+ },
+ "dnsPolicy": {
+ "description": "Add custom dns policy",
+ "type": "string",
+ "pattern": "^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig": {
+ "description": "Add custom dns config",
+ "type": "object"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "description": "Image pullPolicy to use for deploying.",
+ "type": "string",
+ "pattern": "^(Always|Never|IfNotPresent)$"
+ },
+ "repository": {
+ "description": "Image to use for deploying",
+ "type": "string"
+ },
+ "tag": {
+ "description": "Image tag to use for deploying.",
+ "type": "string",
+ "pattern": "^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "replicas": {
+ "description": "Service replica number.",
+ "type": "integer"
+ },
+ "resources": {
+ "description": "Resource specs.",
+ "type": "object",
+ "properties": {
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU limit.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory limit.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU request.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory request.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else": true
+ },
+ "config-api-enabled": {
+ "if": {
+ "properties": {
+ "global": {
+ "properties": {
+ "config-api": {
+ "properties": {
+ "enabled": {
+ "const": "true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "config-api": {
+ "required": [
+ "image",
+ "replicas",
+ "resources"
+ ],
+ "type": "object",
+ "properties": {
+ "hpa": {
+ "description": "Configure the HorizontalPodAutoscaler",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "minReplicas": {
+ "type": "integer"
+ },
+ "maxReplicas": {
+ "type": "integer"
+ },
+ "targetCPUUtilizationPercentage": {
+ "type": "integer"
+ },
+ "metrics": {
+ "description": "metrics if targetCPUUtilizationPercentage is not set",
+ "type": "array"
+ },
+ "behavior": {
+ "description": "Scaling Policies",
+ "type": "object"
+ }
+ }
+ },
+ "usrEnvs": {
+ "description": "Add custom normal and secret envs to the service",
+ "type": "object",
+ "properties": {
+ "normal": {
+ "description": "Add custom normal envs to the service",
+ "type": "object"
+ },
+ "secret": {
+ "description": "Add custom secret envs to the service",
+ "type": "object"
+ }
+ }
+ },
+ "dnsPolicy": {
+ "description": "Add custom dns policy",
+ "type": "string",
+ "pattern": "^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig": {
+ "description": "Add custom dns config",
+ "type": "object"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "description": "Image pullPolicy to use for deploying.",
+ "type": "string",
+ "pattern": "^(Always|Never|IfNotPresent)$"
+ },
+ "repository": {
+ "description": "Image to use for deploying",
+ "type": "string"
+ },
+ "tag": {
+ "description": "Image tag to use for deploying.",
+ "type": "string",
+ "pattern": "^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "replicas": {
+ "description": "Service replica number.",
+ "type": "integer"
+ },
+ "resources": {
+ "description": "Resource specs.",
+ "type": "object",
+ "properties": {
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU limit.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory limit.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU request.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory request.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else": true
+ },
+ "fido2-enabled": {
+ "if": {
+ "properties": {
+ "global": {
+ "properties": {
+ "fido2": {
+ "properties": {
+ "enabled": {
+ "const": "true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "fido2": {
+ "required": [
+ "image",
+ "replicas",
+ "resources",
+ "service"
+ ],
+ "type": "object",
+ "properties": {
+ "dnsPolicy": {
+ "description": "Add custom dns policy",
+ "type": "string",
+ "pattern": "^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig": {
+ "description": "Add custom dns config",
+ "type": "object"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "description": "Image pullPolicy to use for deploying.",
+ "type": "string",
+ "pattern": "^(Always|Never|IfNotPresent)$"
+ },
+ "repository": {
+ "description": "Image to use for deploying",
+ "type": "string"
+ },
+ "tag": {
+ "description": "Image tag to use for deploying.",
+ "type": "string",
+ "pattern": "^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "replicas": {
+ "description": "Service replica number.",
+ "type": "integer"
+ },
+ "resources": {
+ "description": "Resource specs.",
+ "type": "object",
+ "properties": {
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU limit.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory limit.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU request.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory request.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ },
+ "service": {
+ "type": "object",
+ "properties": {
+ "fido2ServiceName": {
+ "description": "Name of the Fido2 service. Please keep it as default.",
+ "type": "string",
+ "pattern": "^[a-z0-9-]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else": true
+ },
+ "nginx-ingress-enabled": {
+ "if": {
+ "properties": {
+ "global": {
+ "properties": {
+ "nginx-ingress": {
+ "properties": {
+ "enabled": {
+ "const": "true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "nginx-ingress": {
+ "type": "object",
+ "properties": {
+ "ingress": {
+ "type": "object",
+ "required": [
+ "additionalAnnotations",
+ "path",
+ "hosts",
+ "tls"
+ ],
+ "properties": {
+ "additionalLabels": {
+ "description": "Additional labels that will be added across all ingress definitions in the format of {mylabel: \"myapp\"}",
+ "type": "object"
+ },
+ "additionalAnnotations": {
+ "description": "Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}",
+ "type": "object"
+ },
+ "hosts": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/fqdn-pattern"
+ }
+ },
+ "path": {
+ "type": "string"
+ },
+ "tls": {
+ "description": "Secret holding HTTPS CA cert and key.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "hosts": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/fqdn-pattern"
+ }
+ },
+ "secretName": {
+ "type": "string",
+ "pattern": "^[a-z-]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else": true
+ },
+ "persistence-enabled": {
+ "if": {
+ "properties": {
+ "global": {
+ "properties": {
+ "persistence": {
+ "properties": {
+ "enabled": {
+ "const": "true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "persistence": {
+ "required": [
+ "image",
+ "resources"
+ ],
+ "type": "object",
+ "properties": {
+ "usrEnvs": {
+ "description": "Add custom normal and secret envs to the service",
+ "type": "object",
+ "properties": {
+ "normal": {
+ "description": "Add custom normal envs to the service",
+ "type": "object"
+ },
+ "secret": {
+ "description": "Add custom secret envs to the service",
+ "type": "object"
+ }
+ }
+ },
+ "dnsPolicy": {
+ "description": "Add custom dns policy",
+ "type": "string",
+ "pattern": "^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig": {
+ "description": "Add custom dns config",
+ "type": "object"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "description": "Image pullPolicy to use for deploying.",
+ "type": "string",
+ "pattern": "^(Always|Never|IfNotPresent)$"
+ },
+ "repository": {
+ "description": "Image to use for deploying",
+ "type": "string"
+ },
+ "tag": {
+ "description": "Image tag to use for deploying.",
+ "type": "string",
+ "pattern": "^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "resources": {
+ "description": "Resource specs.",
+ "type": "object",
+ "properties": {
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU limit.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory limit.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU request.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory request.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else": true
+ },
+ "scim-enabled": {
+ "if": {
+ "properties": {
+ "global": {
+ "properties": {
+ "scim": {
+ "properties": {
+ "enabled": {
+ "const": "true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "scim": {
+ "required": [
+ "image",
+ "replicas",
+ "resources",
+ "service"
+ ],
+ "type": "object",
+ "properties": {
+ "hpa": {
+ "description": "Configure the HorizontalPodAutoscaler",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "minReplicas": {
+ "type": "integer"
+ },
+ "maxReplicas": {
+ "type": "integer"
+ },
+ "targetCPUUtilizationPercentage": {
+ "type": "integer"
+ },
+ "metrics": {
+ "description": "metrics if targetCPUUtilizationPercentage is not set",
+ "type": "array"
+ },
+ "behavior": {
+ "description": "Scaling Policies",
+ "type": "object"
+ }
+ }
+ },
+ "usrEnvs": {
+ "description": "Add custom normal and secret envs to the service",
+ "type": "object",
+ "properties": {
+ "normal": {
+ "description": "Add custom normal envs to the service",
+ "type": "object"
+ },
+ "secret": {
+ "description": "Add custom secret envs to the service",
+ "type": "object"
+ }
+ }
+ },
+ "dnsPolicy": {
+ "description": "Add custom dns policy",
+ "type": "string",
+ "pattern": "^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig": {
+ "description": "Add custom dns config",
+ "type": "object"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "description": "Image pullPolicy to use for deploying.",
+ "type": "string",
+ "pattern": "^(Always|Never|IfNotPresent)$"
+ },
+ "repository": {
+ "description": "Image to use for deploying",
+ "type": "string"
+ },
+ "tag": {
+ "description": "Image tag to use for deploying.",
+ "type": "string",
+ "pattern": "^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "replicas": {
+ "description": "Service replica number.",
+ "type": "integer"
+ },
+ "resources": {
+ "description": "Resource specs.",
+ "type": "object",
+ "properties": {
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU limit.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory limit.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU request.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory request.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ },
+ "service": {
+ "type": "object",
+ "properties": {
+ "scimServiceName": {
+ "description": "Name of the SCIM service. Please keep it as default.",
+ "type": "string",
+ "pattern": "^[a-z0-9-]+$"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "else": true
+ },
+ "kc-scheduler-enabled": {
+ "if": {
+ "properties": {
+ "global": {
+ "properties": {
+ "kc-scheduler": {
+ "properties": {
+ "enabled": {
+ "const": "true"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "kc-scheduler": {
+ "properties": {
+ "usrEnvs": {
+ "description": "Add custom normal and secret envs to the service",
+ "type": "object",
+ "properties": {
+ "normal": {
+ "description": "Add custom normal envs to the service",
+ "type": "object"
+ },
+ "secret": {
+ "description": "Add custom secret envs to the service",
+ "type": "object"
+ }
+ }
+ },
+ "dnsPolicy": {
+ "description": "Add custom dns policy",
+ "type": "string",
+ "pattern": "^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$"
+ },
+ "dnsConfig": {
+ "description": "Add custom dns config",
+ "type": "object"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "pullPolicy": {
+ "description": "Image pullPolicy to use for deploying.",
+ "type": "string",
+ "pattern": "^(Always|Never|IfNotPresent)$"
+ },
+ "repository": {
+ "description": "Image to use for deploying",
+ "type": "string"
+ },
+ "tag": {
+ "description": "Image tag to use for deploying.",
+ "type": "string",
+ "pattern": "^[a-z0-9-_.]+$"
+ }
+ }
+ },
+ "interval": {
+ "description": "Interval of running the scheduler (in minutes)",
+ "type": "integer"
+ },
+ "resources": {
+ "description": "Resource specs.",
+ "type": "object",
+ "properties": {
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU limit.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory limit.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ },
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "description": "CPU request.",
+ "type": "string",
+ "pattern": "^[0-9m]+$"
+ },
+ "memory": {
+ "description": "Memory request.",
+ "type": "string",
+ "pattern": "^[0-9Mi]+$"
+ }
+ }
+ }
+ }
+ }
+ },
+ "required": [
+ "image",
+ "resources",
+ "interval"
+ ]
+ }
+ }
+ },
+ "else": true
+ }
+ }
+}
\ No newline at end of file
diff --git a/charts/gluu/gluu/5.3.0/values.yaml b/charts/gluu/gluu/5.3.0/values.yaml
new file mode 100644
index 0000000000..349b6409d2
--- /dev/null
+++ b/charts/gluu/gluu/5.3.0/values.yaml
@@ -0,0 +1,1906 @@
+# -- Only used by the installer. These settings do not affect nor are used by the chart
+installer-settings:
+ currentVersion: ""
+ acceptLicense: ""
+ namespace: ""
+ releaseName: ""
+ nginxIngress:
+ releaseName: ""
+ namespace: ""
+ nodes:
+ names: ""
+ zones: ""
+ ips: ""
+ images:
+ edit: ""
+ aws:
+ lbType: ""
+ arn:
+ enabled: ""
+ arnAcmCert: ""
+ vpcCidr: "0.0.0.0/0"
+ volumeProvisionStrategy: ""
+ postgres:
+ install: ""
+ namespace: ""
+ sql:
+ install: ""
+ namespace: ""
+ google:
+ useSecretManager: ""
+ redis:
+ install: ""
+ namespace: ""
+ openbanking:
+ hasCnObTransportTrustStore: false
+ cnObTransportTrustStoreP12password: ""
+ confirmSettings: false
+
+# -- Admin GUI for configuration of the auth-server
+admin-ui:
+ # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ topologySpreadConstraints: {}
+ # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc.
+ # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart
+ #tsc1:
+ # maxSkew: 1
+ # minDomains: 1 # optional; beta since v1.25
+ # topologyKey: kubernetes.io/hostname
+ # whenUnsatisfiable: DoNotSchedule
+ # matchLabelKeys: [] # optional; alpha since v1.25
+ # nodeAffinityPolicy: [] # optional; alpha since v1.25
+ # nodeTaintsPolicy: [] # optional; alpha since v1.25
+ #tsc2:
+ #maxSkew: 1
+ # -- Configure the PodDisruptionBudget
+ pdb:
+ enabled: true
+ maxUnavailable: "90%"
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/gluufederation/flex/admin-ui
+ # -- Image tag to use for deploying.
+ tag: 5.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 2000m
+ # -- Memory limit.
+ memory: 2000Mi
+ requests:
+ # -- CPU request.
+ cpu: 2000m
+ # -- Memory request.
+ memory: 2000Mi
+ # -- Configure the liveness healthcheck for the admin ui if needed.
+ livenessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ periodSeconds: 25
+ failureThreshold: 20
+ # -- Configure the readiness healthcheck for the admin ui if needed.
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ periodSeconds: 25
+ failureThreshold: 20
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: []
+ # -- Add custom pod's command. If passed, it will override the default conditional command.
+ customCommand: []
+# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.
+auth-server:
+ # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ topologySpreadConstraints: {}
+ # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc.
+ # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart
+ #tsc1:
+ # maxSkew: 1
+ # minDomains: 1 # optional; beta since v1.25
+ # topologyKey: kubernetes.io/hostname
+ # whenUnsatisfiable: DoNotSchedule
+ # matchLabelKeys: [] # optional; alpha since v1.25
+ # nodeAffinityPolicy: [] # optional; alpha since v1.25
+ # nodeTaintsPolicy: [] # optional; alpha since v1.25
+ #tsc2:
+ #maxSkew: 1
+ # -- Configure the PodDisruptionBudget
+ pdb:
+ enabled: true
+ maxUnavailable: "90%"
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/auth-server
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 2500m
+ # -- Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units.
+ memory: 2500Mi
+ requests:
+ # -- CPU request.
+ cpu: 2500m
+ # -- Memory request.
+ memory: 2500Mi
+ # -- Configure the liveness healthcheck for the auth server if needed.
+ livenessProbe:
+ # -- Executes the python3 healthcheck.
+ # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the auth server if needed.
+ # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py
+ readinessProbe:
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: []
+ # -- Add custom pod's command. If passed, it will override the default conditional command.
+ customCommand: []
+# -- Responsible for regenerating auth-keys per x hours
+auth-server-key-rotation:
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/certmanager
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Auth server key rotation keys life in hours
+ keysLife: 48
+ # -- Set key selection strategy used by Auth server
+ keysStrategy: NEWER
+ # -- Delay (in seconds) before pushing private keys to Auth server
+ keysPushDelay: 0
+ # -- Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0)
+ keysPushStrategy: NEWER
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: {}
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: []
+ # -- Add custom job's command. If passed, it will override the default conditional command.
+ customCommand: []
+# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services.
+config:
+ # -- Add custom normal and secret envs to the service.
+ usrEnvs:
+ # -- Add custom normal envs to the service.
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service.
+ # variable1: value1
+ secret: {}
+ # -- Admin password to log in to the UI.
+ adminPassword: Test1234#
+ # -- City. Used for certificate creation.
+ city: Austin
+ # -- Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value.
+ salt: ""
+ configmap:
+ # -- Jetty header size in bytes in the auth server
+ cnJettyRequestHeaderSize: 8192
+ # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`).
+ cnSqlDbSchema: ""
+ # -- SQL database dialect. `mysql` or `pgsql`
+ cnSqlDbDialect: mysql
+ # -- SQL database host uri.
+ cnSqlDbHost: my-release-mysql.default.svc.cluster.local
+ # -- SQL database port.
+ cnSqlDbPort: 3306
+ # -- SQL database name.
+ cnSqlDbName: gluu
+ # -- SQL database username.
+ cnSqlDbUser: gluu
+ # -- SQL database timezone.
+ cnSqlDbTimezone: UTC
+ # -- SQL password injected the secrets .
+ cnSqldbUserPassword: Test1234#
+ # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` .
+ cnCacheType: NATIVE_PERSISTENCE
+ # -- The name of the Kubernetes ConfigMap that will hold the configuration layer
+ cnConfigKubernetesConfigMap: cn
+ # [google_envs] Envs related to using Google
+ # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=
+ # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnGoogleProjectId: google-project-to-save-config-and-secrets-to
+ # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer
+ # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnGoogleSecretVersionId: "latest"
+ # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.
+ cnGoogleSecretNamePrefix: gluu
+ # [google_secret_manager_envs] END
+ # [google_envs] END
+ # [aws_envs] Envs related to using AWS
+ # [aws_secret_manager_envs]
+ # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy
+ cnAwsAccessKeyId: ""
+ # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy
+ cnAwsSecretAccessKey: ""
+ #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws.
+ cnAwsSecretsEndpointUrl: ""
+ # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws.
+ cnAwsSecretsNamePrefix: gluu
+ # The default AWS Region to use, for example, `us-west-1` or `us-west-2`.
+ cnAwsDefaultRegion: us-west-1
+ # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
+ cnAwsProfile: gluu
+ # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}]
+ cnAwsSecretsReplicaRegions: []
+ # [aws_secret_manager_envs] END
+ # [aws_envs] END
+ # [vault_envs] Envs related to Hashicorp vault
+ # -- Vault AppRole RoleID.
+ cnVaultRoleId: ""
+ # -- Vault AppRole SecretID.
+ cnVaultSecretId: ""
+ # -- Base URL of Vault.
+ cnVaultAddr: http://localhost:8200
+ # -- Verify connection to Vault.
+ cnVaultVerify: false
+ # -- Path to file contains Vault AppRole role ID.
+ cnVaultRoleIdFile: /etc/certs/vault_role_id
+ # -- Path to file contains Vault AppRole secret ID.
+ cnVaultSecretIdFile: /etc/certs/vault_secret_id
+ # -- Vault namespace used to access the secrets.
+ cnVaultNamespace: ""
+ # -- Path to Vault KV secrets engine.
+ cnVaultKvPath: secret
+ # -- Base prefix name used to access secrets.
+ cnVaultPrefix: jans
+ # -- Path to Vault AppRole.
+ cnVaultAppRolePath: approle
+ # [vault_envs] END
+ # -- Value passed to Java option -XX:MaxRAMPercentage
+ cnMaxRamPercent: "75.0"
+ # -- SCIM protection mode OAUTH|TEST|UMA
+ cnScimProtectionMode: "OAUTH"
+ # -- Specify data that should be saved in persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.
+ #{
+ # "default": "",
+ # "user": "",
+ # "site": "",
+ # "cache": "",
+ # "token": "",
+ # "session": "",
+ #}
+ cnPersistenceHybridMapping: "{}"
+ # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
+ cnRedisSentinelGroup: ""
+ # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
+ cnRedisSslTruststore: ""
+ # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
+ cnRedisType: STANDALONE
+ # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
+ cnRedisUrl: "redis.redis.svc.cluster.local:6379"
+ # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.
+ cnRedisUseSsl: false
+ # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.
+ cnSecretKubernetesSecret: cn
+ # -- Load balancer address for AWS if the FQDN is not registered.
+ lbAddr: ""
+ # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details.
+ quarkusTransactionEnableRecovery: true
+ # -- Keycloak admin UI password
+ kcAdminPassword: Test1234#
+ # -- Keycloak admin UI username
+ kcAdminUsername: admin
+ # -- Keycloak logging level
+ kcLogLevel: INFO
+ # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres.
+ kcDbVendor: mysql
+ # -- Keycloak database username
+ kcDbUsername: keycloak
+ # -- Password for Keycloak database access
+ kcDbPassword: Test1234#
+ # -- Keycloak database schema name (note that PostgreSQL may be using "public" schema).
+ kcDbSchema: keycloak
+ # -- Keycloak database host uri
+ kcDbUrlHost: mysql.kc.svc.cluster.local
+ # -- Keycloak database port (default to port 3306 for mysql).
+ kcDbUrlPort: 3306
+ # -- Keycloak database name.
+ kcDbUrlDatabase: keycloak
+ # -- Keycloak database connection properties. If using postgresql, the value can be set to empty string.
+ kcDbUrlProperties: "?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"
+ # -- URL of OPA API
+ cnOpaUrl: http://opa.opa.svc.cluster.cluster.local:8181/v1
+ # -- Message type (one of POSTGRES, REDIS, or DISABLED)
+ cnMessageType: DISABLED
+ # -- Country code. Used for certificate creation.
+ countryCode: US
+ # -- Email address of the administrator usually. Used for certificate creation.
+ email: team@gluu.org
+ image:
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/configurator
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Organization name. Used for certificate creation.
+ orgName: Gluu
+ # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`.
+ redisPassword: P@assw0rd
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+ # -- State code. Used for certificate creation.
+ state: TX
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ # -- CE to CN Migration section
+ migration:
+ # -- Boolean flag to enable migration from CE
+ enabled: false
+ # -- Directory holding all migration files
+ migrationDir: /ce-migration
+ # -- migration data-format depending on persistence backend.
+ # Supported data formats are ldif, postgresql+json, and mysql+json.
+ migrationDataFormat: ldif
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: [ ]
+ # -- Add custom job's command. If passed, it will override the default conditional command.
+ customCommand: []
+# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).
+config-api:
+ # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ topologySpreadConstraints: {}
+ # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc.
+ # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart
+ #tsc1:
+ # maxSkew: 1
+ # minDomains: 1 # optional; beta since v1.25
+ # topologyKey: kubernetes.io/hostname
+ # whenUnsatisfiable: DoNotSchedule
+ # matchLabelKeys: [] # optional; alpha since v1.25
+ # nodeAffinityPolicy: [] # optional; alpha since v1.25
+ # nodeTaintsPolicy: [] # optional; alpha since v1.25
+ #tsc2:
+ #maxSkew: 1
+ # -- Configure the PodDisruptionBudget
+ pdb:
+ enabled: true
+ maxUnavailable: "90%"
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/config-api
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1000m
+ # -- Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units.
+ memory: 1200Mi
+ requests:
+ # -- CPU request.
+ cpu: 1000m
+ # -- Memory request.
+ memory: 1200Mi
+ # -- Configure the liveness healthcheck for the auth server if needed.
+ livenessProbe:
+ # -- http liveness probe endpoint
+ httpGet:
+ path: /jans-config-api/api/v1/health/live
+ port: 8074
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ readinessProbe:
+ # -- http readiness probe endpoint
+ httpGet:
+ path: jans-config-api/api/v1/health/ready
+ port: 8074
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: [ ]
+ # -- Add custom pod's command. If passed, it will override the default conditional command.
+ customCommand: []
+# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.
+fido2:
+ # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ topologySpreadConstraints: {}
+ # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc.
+ # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart
+ #tsc1:
+ # maxSkew: 1
+ # minDomains: 1 # optional; beta since v1.25
+ # topologyKey: kubernetes.io/hostname
+ # whenUnsatisfiable: DoNotSchedule
+ # matchLabelKeys: [] # optional; alpha since v1.25
+ # nodeAffinityPolicy: [] # optional; alpha since v1.25
+ # nodeTaintsPolicy: [] # optional; alpha since v1.25
+ #tsc2:
+ #maxSkew: 1
+ # -- Configure the PodDisruptionBudget
+ pdb:
+ enabled: true
+ maxUnavailable: "90%"
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/fido2
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 500m
+ # -- Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units.
+ memory: 500Mi
+ requests:
+ # -- CPU request.
+ cpu: 500m
+ # -- Memory request.
+ memory: 500Mi
+ service:
+ # -- The name of the fido2 port within the fido2 service. Please keep it as default.
+ name: http-fido2
+ # -- Port of the fido2 service. Please keep it as default.
+ port: 8080
+ # -- Configure the liveness healthcheck for the fido2 if needed.
+ livenessProbe:
+ # -- http liveness probe endpoint
+ httpGet:
+ path: /jans-fido2/sys/health-check
+ port: http-fido2
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the fido2 if needed.
+ readinessProbe:
+ httpGet:
+ path: /jans-fido2/sys/health-check
+ port: http-fido2
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: [ ]
+ # -- Add custom pod's command. If passed, it will override the default conditional command.
+ customCommand: []
+# -- Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server.
+casa:
+ # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ topologySpreadConstraints: {}
+ # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc.
+ # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart
+ #tsc1:
+ # maxSkew: 1
+ # minDomains: 1 # optional; beta since v1.25
+ # topologyKey: kubernetes.io/hostname
+ # whenUnsatisfiable: DoNotSchedule
+ # matchLabelKeys: [] # optional; alpha since v1.25
+ # nodeAffinityPolicy: [] # optional; alpha since v1.25
+ # nodeTaintsPolicy: [] # optional; alpha since v1.25
+ #tsc2:
+ #maxSkew: 1
+ # -- Configure the PodDisruptionBudget
+ pdb:
+ enabled: true
+ maxUnavailable: "90%"
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/casa
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 500m
+ # -- Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units.
+ memory: 500Mi
+ requests:
+ # -- CPU request.
+ cpu: 500m
+ # -- Memory request.
+ memory: 500Mi
+ # -- Configure the liveness healthcheck for casa if needed.
+ livenessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /jans-casa/health-check
+ port: http-casa
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the casa if needed.
+ readinessProbe:
+ httpGet:
+ # -- http readiness probe endpoint
+ path: /jans-casa/health-check
+ port: http-casa
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: []
+ # -- Add custom pod's command. If passed, it will override the default conditional command.
+ customCommand: []
+# -- Parameters used globally across all services helm charts.
+global:
+ # -- Add custom normal and secret envs to the service.
+ # Envs defined in global.userEnvs will be globally available to all services
+ usrEnvs:
+ # -- Add custom normal envs to the service.
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service.
+ # variable1: value1
+ secret: {}
+ alb:
+ # -- Activates ALB ingress
+ ingress: false
+ admin-ui:
+ # — Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ destinationRule: {}
+ podDisruptionBudget: {}
+ virtualService: {}
+ pod: {}
+ deployment: {}
+ horizontalPodAutoscaler: {}
+ service: {}
+ secret: {}
+ # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin.
+ enabled: true
+ # -- Name of the admin-ui service. Please keep it as default.
+ adminUiServiceName: admin-ui
+ ingress:
+ # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice
+ adminUiEnabled: false
+ # -- Admin UI ingress resource labels. key app is taken.
+ adminUiLabels: { }
+ # -- Admin UI ingress resource additional annotations.
+ adminUiAdditionalAnnotations: { }
+
+ auth-server:
+ # — Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ destinationRule: {}
+ podDisruptionBudget: {}
+ virtualService: {}
+ pod: {}
+ deployment: {}
+ horizontalPodAutoscaler: {}
+ service: {}
+ secret: {}
+ # -- Name of the auth-server service. Please keep it as default.
+ authServerServiceName: auth-server
+ # -- Boolean flag to enable/disable auth-server chart. You should never set this to false.
+ enabled: true
+ # -- passing custom java options to auth-server. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs.
+ cnCustomJavaOptions: ""
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- Enable log prefixing which enables prepending the STDOUT logs with the file name.
i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO
+ enableStdoutLogPrefix: "true"
+ # -- jans-auth.log target
+ authLogTarget: "STDOUT"
+ # -- jans-auth.log level
+ authLogLevel: "INFO"
+ # -- http_request_response.log target
+ httpLogTarget: "FILE"
+ # -- http_request_response.log level
+ httpLogLevel: "INFO"
+ # -- jans-auth_persistence.log target
+ persistenceLogTarget: "FILE"
+ # -- jans-auth_persistence.log level
+ persistenceLogLevel: "INFO"
+ # -- jans-auth_persistence_duration.log target
+ persistenceDurationLogTarget: "FILE"
+ # -- jans-auth_persistence_duration.log level
+ persistenceDurationLogLevel: "INFO"
+ # -- jans-auth_script.log target
+ scriptLogTarget: "FILE"
+ # -- jans-auth_script.log level
+ scriptLogLevel: "INFO"
+ # -- jans-auth_script.log target
+ auditStatsLogTarget: "FILE"
+ # -- jans-auth_audit.log level
+ auditStatsLogLevel: "INFO"
+ # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`)
+ authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"
+ # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`)
+ authEncKeys: "RSA1_5 RSA-OAEP"
+ # -- Enable endpoints in either istio or nginx ingress depending on users choice
+ ingress:
+ # -- Enable Auth server endpoints /jans-auth
+ authServerEnabled: true
+ # -- Enable endpoint /.well-known/openid-configuration
+ openidConfigEnabled: true
+ # -- Enable endpoint /device-code
+ deviceCodeEnabled: true
+ # -- Enable endpoint /firebase-messaging-sw.js
+ firebaseMessagingEnabled: true
+ # -- Enable endpoint /.well-known/uma2-configuration
+ uma2ConfigEnabled: true
+ # -- Enable endpoint /.well-known/webfinger
+ webfingerEnabled: true
+ # -- Enable endpoint /.well-known/simple-web-discovery
+ webdiscoveryEnabled: true
+ # -- Enable endpoint /.well-known/fido-configuration
+ u2fConfigEnabled: true
+ # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio.
+ authServerProtectedToken: false
+ # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio.
+ authServerProtectedRegister: false
+ # -- Enable endpoint /.well-known/lock-server-configuration
+ lockConfigEnabled: false
+ # -- Enable endpoint /jans-lock
+ lockEnabled: false
+ # -- Lock config ingress resource labels. key app is taken
+ lockConfigLabels: { }
+ # -- Lock config ingress resource additional annotations.
+ lockConfigAdditionalAnnotations: { }
+ # -- Lock ingress resource labels. key app is taken
+ lockLabels: { }
+ # -- Lock ingress resource additional annotations.
+ lockAdditionalAnnotations: { }
+ # -- openid-configuration ingress resource labels. key app is taken
+ openidConfigLabels: { }
+ # -- openid-configuration ingress resource additional annotations.
+ openidAdditionalAnnotations: { }
+ # -- device-code ingress resource labels. key app is taken
+ deviceCodeLabels: { }
+ # -- device-code ingress resource additional annotations.
+ deviceCodeAdditionalAnnotations: { }
+ # -- Firebase Messaging ingress resource labels. key app is taken
+ firebaseMessagingLabels: { }
+ # -- Firebase Messaging ingress resource additional annotations.
+ firebaseMessagingAdditionalAnnotations: { }
+ # -- uma2 config ingress resource labels. key app is taken
+ uma2ConfigLabels: { }
+ # -- uma2 config ingress resource additional annotations.
+ uma2AdditionalAnnotations: { }
+ # -- webfinger ingress resource labels. key app is taken
+ webfingerLabels: { }
+ # -- webfinger ingress resource additional annotations.
+ webfingerAdditionalAnnotations: { }
+ # -- webdiscovery ingress resource labels. key app is taken
+ webdiscoveryLabels: { }
+ # -- webdiscovery ingress resource additional annotations.
+ webdiscoveryAdditionalAnnotations: { }
+ # -- u2f config ingress resource labels. key app is taken
+ u2fConfigLabels: { }
+ # -- u2f config ingress resource additional annotations.
+ u2fAdditionalAnnotations: { }
+ # -- Enable endpoint /.well-known/authzen-configuration
+ authzenConfigEnabled: true
+ # -- authzen config ingress resource labels. key app is taken
+ authzenConfigLabels: { }
+ # -- authzen config ingress resource additional annotations.
+ authzenAdditionalAnnotations: { }
+ # -- Auth server ingress resource labels. key app is taken
+ authServerLabels: { }
+ # -- Auth server ingress resource additional annotations.
+ authServerAdditionalAnnotations: { }
+ # -- Auth server protected token ingress resource labels. key app is taken
+ authServerProtectedTokenLabels: { }
+ # -- Auth server protected token ingress resource additional annotations.
+ authServerProtectedTokenAdditionalAnnotations: { }
+ # -- Auth server protected token ingress resource labels. key app is taken
+ authServerProtectedRegisterLabels: { }
+ # -- Auth server protected register ingress resource additional annotations.
+ authServerProtectedRegisterAdditionalAnnotations: { }
+ # -- Enable jans-lock as service running inside auth-server
+ lockEnabled: false
+
+ auth-server-key-rotation:
+ # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart.
+ enabled: true
+ # — Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ cronjob: {}
+ service: {}
+ secret: {}
+ # -- The initial auth server key rotation keys life in hours
+ initKeysLife: 48
+ # -- Volume storage type if using AWS volumes.
+ awsStorageType: io1
+ # -- Volume storage type if using Azure disks.
+ azureStorageAccountType: Standard_LRS
+ # -- Azure storage kind if using Azure disks
+ azureStorageKind: Managed
+ casa:
+ # — Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ destinationRule: {}
+ podDisruptionBudget: {}
+ virtualService: {}
+ pod: {}
+ deployment: {}
+ horizontalPodAutoscaler: {}
+ service: {}
+ secret: {}
+ # -- passing custom java options to casa.
Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs.
+ cnCustomJavaOptions: ""
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO
+ enableStdoutLogPrefix: "true"
+ # -- casa.log target
+ casaLogTarget: "STDOUT"
+ # -- casa.log level
+ casaLogLevel: "INFO"
+ # -- casa timer log target
+ timerLogTarget: "FILE"
+ # -- casa timer log level
+ timerLogLevel: "INFO"
+ # -- Name of the casa service. Please keep it as default.
+ casaServiceName: casa
+ # -- Boolean flag to enable/disable the casa chart.
+ enabled: true
+ # -- Enable endpoints in either istio or nginx ingress depending on users choice
+ ingress:
+ # -- Enable casa endpoints /casa
+ casaEnabled: false
+ # -- Casa ingress resource labels. key app is taken
+ casaLabels: { }
+ # -- Casa ingress resource additional annotations.
+ casaAdditionalAnnotations: { }
+ cloud:
+ # -- Boolean flag if enabled will strip resources requests and limits from all services.
+ testEnviroment: false
+ # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number.
+ cnPrometheusPort: ""
+ # -- Document store type to use for shibboleth files DB.
+ cnDocumentStoreType: DB
+ # -- Persistence backend to run Gluu with hybrid|sql.
+ cnPersistenceType: sql
+ # -- Open banking external signing jwks uri. Used in SSA Validation.
+ cnObExtSigningJwksUri: ""
+ # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.
+ cnObExtSigningJwksCrt: ""
+ # -- Open banking external signing jwks AS key string. Used in SSA Validation.
This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
+ cnObExtSigningJwksKey: ""
+ # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
+ cnObExtSigningJwksKeyPassPhrase: ""
+ # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G
+ cnObExtSigningAlias: ""
+ # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G
+ cnObStaticSigningKeyKid: ""
+ # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.
+ cnObTransportCrt: ""
+ # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.
+ cnObTransportKey: ""
+ # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.
+ cnObTransportKeyPassPhrase: ""
+ # -- Open banking transport Alias used inside the JVM.
+ cnObTransportAlias: ""
+ # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.
+ cnObTransportTrustStore: ""
+ config:
+ # — Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ clusterRoleBinding: {}
+ configMap: {}
+ job: {}
+ roleBinding: {}
+ role: {}
+ secret: {}
+ service: {}
+ serviceAccount: {}
+ # -- Boolean flag to enable/disable the configuration chart. This normally should never be false
+ enabled: true
+ # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+ jobTtlSecondsAfterFinished: 300
+ # -- The config backend adapter that will hold Gluu configuration layer.
aws|google|kubernetes
+ configAdapterName: kubernetes
+ # -- The config backend adapter that will hold Gluu secret layer. vault|aws|google|kubernetes
+ configSecretAdapter: kubernetes
+ # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets. Leave as this is a sensible default.
+ cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json
+ # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default.
+ cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file
+ # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default.
+ cnAwsConfigFile: /etc/jans/conf/aws_config_file
+ # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default.
+ cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions
+ config-api:
+ # — Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ destinationRule: {}
+ podDisruptionBudget: {}
+ virtualService: {}
+ pod: {}
+ deployment: {}
+ horizontalPodAutoscaler: {}
+ service: {}
+ # -- Name of the config-api service. Please keep it as default.
+ configApiServerServiceName: config-api
+ # -- Boolean flag to enable/disable the config-api chart.
+ enabled: true
+ # -- passing custom java options to config-api. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs.
+ cnCustomJavaOptions: ""
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO
+ enableStdoutLogPrefix: "true"
+ # -- configapi.log target
+ configApiLogTarget: "STDOUT"
+ # -- configapi.log level
+ configApiLogLevel: "INFO"
+ # -- config-api_persistence.log target
+ persistenceLogTarget: "FILE"
+ # -- config-api_persistence.log level
+ persistenceLogLevel: "INFO"
+ # -- config-api_persistence_duration.log target
+ persistenceDurationLogTarget: "FILE"
+ # -- config-api_persistence_duration.log level
+ persistenceDurationLogLevel: "INFO"
+ # -- config-api_script.log target
+ scriptLogTarget: "FILE"
+ # -- config-api_script.log level
+ scriptLogLevel: "INFO"
+ adminUiAppLoggers:
+ # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO
+ enableStdoutLogPrefix: "true"
+ # -- config-api admin-ui plugin log level
+ adminUiLogTarget: "FILE"
+ # -- config-api admin-ui plugin log target
+ adminUiLogLevel: "INFO"
+ # -- config-api admin-ui plugin audit log target
+ adminUiAuditLogTarget: "FILE"
+ # -- config-api admin-ui plugin audit log level
+ adminUiAuditLogLevel: "INFO"
+ # -- Enable endpoints in either istio or nginx ingress depending on users choice
+ ingress:
+ # Enable config API endpoints /jans-config-api
+ configApiEnabled: true
+ # -- configAPI ingress resource labels. key app is taken
+ configApiLabels: { }
+ # -- ConfigAPI ingress resource additional annotations.
+ configApiAdditionalAnnotations: { }
+ # -- Comma-separated values of enabled plugins (supported plugins are "admin-ui","fido2","scim","user-mgt","jans-link","kc-saml")
+ plugins: "admin-ui,fido2,scim,user-mgt"
+ # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.
+ fqdn: demoexample.gluu.org
+ fido2:
+ # — Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ destinationRule: {}
+ podDisruptionBudget: {}
+ virtualService: {}
+ pod: {}
+ deployment: {}
+ horizontalPodAutoscaler: {}
+ service: {}
+ secret: {}
+ # -- Name of the fido2 service. Please keep it as default.
+ fido2ServiceName: fido2
+ # -- Boolean flag to enable/disable the fido2 chart.
+ enabled: true
+ # -- passing custom java options to fido2. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs.
+ cnCustomJavaOptions: ""
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- Enable log prefixing which enables prepending the STDOUT logs with the file name.
i.e fido2 ===> 2022-12-20 17:49:55,744 INFO
+ enableStdoutLogPrefix: "true"
+ # -- fido2.log target
+ fido2LogTarget: "STDOUT"
+ # -- fido2.log level
+ fido2LogLevel: "INFO"
+ # -- fido2_persistence.log target
+ persistenceLogTarget: "FILE"
+ # -- fido2_persistence.log level
+ persistenceLogLevel: "INFO"
+ # -- fido2_persistence_duration.log target
+ persistenceDurationLogTarget: "FILE"
+ # -- fido2_persistence_duration.log level
+ persistenceDurationLogLevel: "INFO"
+ # -- fido2_script.log target
+ scriptLogTarget: "FILE"
+ # -- fido2_script.log level
+ scriptLogLevel: "INFO"
+ # -- Enable endpoints in either istio or nginx ingress depending on users choice
+ ingress:
+ # -- Enable endpoint /.well-known/fido2-configuration
+ fido2ConfigEnabled: false
+ # -- Enable endpoint /jans-fido2
+ fido2Enabled: false
+ # -- Enable endpoint /.well-known/webauthn
+ fido2WebauthnEnabled: false
+ # -- fido2 config ingress resource labels. key app is taken
+ fido2ConfigLabels: { }
+ # -- fido2 config ingress resource additional annotations.
+ fido2ConfigAdditionalAnnotations: { }
+ # -- fido2 ingress resource labels. key app is taken
+ fido2Labels: { }
+ # -- fido2 ingress resource additional annotations.
+ fido2AdditionalAnnotations: { }
+ # -- fido2 webauthn ingress resource labels. key app is taken
+ fido2WebauthnLabels: { }
+ # -- fido2 webauthn ingress resource additional annotations.
+ fido2WebauthnAdditionalAnnotations: { }
+ # -- GCE storage kind if using Google disks
+ gcePdStorageType: pd-standard
+ # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.
+ isFqdnRegistered: false
+ istio:
+ # -- Boolean flag that enables using istio side-cars with Gluu services.
+ enabled: false
+ # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.
+ ingress: false
+ # -- The namespace istio is deployed in. The is normally istio-system.
+ namespace: istio-system
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+
+ # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists.
+ gateways: [ ]
+ # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.
+ lbIp: 22.22.22.22
+ nginx-ingress:
+ # -- Boolean flag to enable/disable the nginx-ingress definitions chart.
+ enabled: true
+ # -- Gluu distributions supported are: default|openbanking.
+ distribution: default
+ persistence:
+ # — Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ job: {}
+ service: {}
+ secret: {}
+ # -- Boolean flag to enable/disable the persistence chart.
+ enabled: true
+ # -- service account used by Kubernetes resources
+ serviceAccountName: default
+ scim:
+ # — Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ destinationRule: {}
+ podDisruptionBudget: {}
+ virtualService: {}
+ pod: {}
+ deployment: {}
+ horizontalPodAutoscaler: {}
+ service: {}
+ secret: {}
+ # -- Name of the scim service. Please keep it as default.
+ scimServiceName: scim
+ # -- Boolean flag to enable/disable the SCIM chart.
+ enabled: true
+ # -- passing custom java options to scim. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs.
+ cnCustomJavaOptions: ""
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO
+ enableStdoutLogPrefix: "true"
+ # -- jans-scim.log target
+ scimLogTarget: "STDOUT"
+ # -- jans-scim.log level
+ scimLogLevel: "INFO"
+ # -- jans-scim_persistence.log target
+ persistenceLogTarget: "FILE"
+ # -- jans-scim_persistence.log level
+ persistenceLogLevel: "INFO"
+ # -- jans-scim_persistence_duration.log target
+ persistenceDurationLogTarget: "FILE"
+ # -- jans-scim_persistence_duration.log level
+ persistenceDurationLogLevel: "INFO"
+ # -- jans-scim_script.log target
+ scriptLogTarget: "FILE"
+ # -- jans-scim_script.log level
+ scriptLogLevel: "INFO"
+ # -- Enable endpoints in either istio or nginx ingress depending on users choice
+ ingress:
+ # -- Enable endpoint /.well-known/scim-configuration
+ scimConfigEnabled: false
+ # -- Enable SCIM endpoints /jans-scim
+ scimEnabled: false
+ # -- SCIM config ingress resource labels. key app is taken
+ scimConfigLabels: { }
+ # -- SCIM config ingress resource additional annotations.
+ scimConfigAdditionalAnnotations: { }
+ # -- SCIM ingress resource labels. key app is taken
+ scimLabels: { }
+ # -- SCIM ingress resource additional annotations.
+ scimAdditionalAnnotations: { }
+ # -- StorageClass section. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.
+ storageClass:
+ allowVolumeExpansion: true
+ allowedTopologies: []
+ mountOptions:
+ - debug
+ # -- parameters:
+ #fsType: ""
+ #kind: ""
+ #pool: ""
+ #storageAccountType: ""
+ #type: ""
+ parameters: {}
+ provisioner: microk8s.io/hostpath
+ reclaimPolicy: Retain
+ volumeBindingMode: WaitForFirstConsumer
+ link:
+ # -- Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ destinationRule: {}
+ podDisruptionBudget: {}
+ virtualService: {}
+ pod: {}
+ deployment: {}
+ horizontalPodAutoscaler: {}
+ service: {}
+ # -- Name of the link service. Please keep it as default.
+ linkServiceName: link
+ # -- Boolean flag to enable/disable the link chart.
+ enabled: false
+ # -- passing custom java options to link. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs.
+ cnCustomJavaOptions: ""
+ # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed.
+ appLoggers:
+ # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO
+ enableStdoutLogPrefix: "true"
+ # -- cacherefresh.log target
+ linkLogTarget: "STDOUT"
+ # -- cacherefresh.log level
+ linkLogLevel: "INFO"
+ # -- cacherefresh_persistence.log target
+ persistenceLogTarget: "FILE"
+ # -- cacherefresh_persistence.log level
+ persistenceLogLevel: "INFO"
+ # -- cacherefresh_persistence_duration.log target
+ persistenceDurationLogTarget: "FILE"
+ # -- cacherefresh_persistence_duration.log level
+ persistenceDurationLogLevel: "INFO"
+ # -- cacherefresh_script.log target
+ scriptLogTarget: "FILE"
+ # -- cacherefresh_script.log level
+ scriptLogLevel: "INFO"
+ # -- Enable endpoints in either istio or nginx ingress depending on users choice
+ ingress:
+ # Enable link endpoints /jans-link
+ linkEnabled: true
+ # -- link ingress resource labels.
key app is taken
+ linkLabels: { }
+ # -- link ingress resource additional annotations.
+ linkAdditionalAnnotations: { }
+ saml:
+ # — Add custom annotations for kubernetes resources for the service
+ customAnnotations:
+ destinationRule: {}
+ podDisruptionBudget: {}
+ virtualService: {}
+ pod: {}
+ deployment: {}
+ horizontalPodAutoscaler: {}
+ service: {}
+ secret: {}
+ # -- Name of the saml service. Please keep it as default.
+ samlServiceName: saml
+ # -- Boolean flag to enable/disable the saml chart.
+ enabled: false
+ # -- Enable endpoints in either istio or nginx ingress depending on users choice
+ ingress:
+ # Enable saml endpoints /kc
+ samlEnabled: false
+ # -- SAML ingress resource labels. key app is taken
+ samlLabels: { }
+ # -- SAML ingress resource additional annotations.
+ samlAdditionalAnnotations: { }
+ # -- passing custom java options to saml. DO NOT PASS JAVA_OPTIONS in envs.
+ cnCustomJavaOptions: ""
+
+ # -- Path to SQL password file
+ cnSqlPasswordFile: /etc/jans/conf/sql_password
+ kc-scheduler:
+ # -- Boolean flag to enable/disable the kc-scheduler cronjob chart.
+ enabled: false
+ # -- Path to configuration schema file
+ cnConfiguratorConfigurationFile: /etc/jans/conf/configuration.json
+ # -- Path to dumped configuration schema file
+ cnConfiguratorDumpFile: /etc/jans/conf/configuration.out.json
+ # -- Use custom configuration schema in existing secrets. Note, the secrets has to contain the key configuration.json or any basename as specified in cnConfiguratorConfigurationFile.
+ cnConfiguratorCustomSchema:
+ # -- The name of the secrets used for storing custom configuration schema.
+ secretName: ""
+
+# -- Nginx ingress definitions chart
+nginx-ingress:
+ certManager:
+ # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge.
+ certificate:
+ enabled: false
+ issuerKind: ClusterIssuer
+ # Issuer name which you will create manually.
Can be letsencrypt-production.
+ issuerName: ""
+ issuerGroup: cert-manager.io
+ ingress:
+ # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ # Enable client certificate authentication
+ # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional"
+ # Create the secret containing the trusted ca certificates
+ # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate"
+ # Specify the verification depth in the client certificates chain
+ # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
+ # Specify if certificates are passed to upstream server
+ # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
+ additionalAnnotations: {}
+ # Change ingressClassName to "public" if using microk8s
+ ingressClassName: nginx
+ path: /
+ hosts:
+ - demoexample.gluu.org
+ # -- Secrets holding HTTPS CA cert and key.
+ tls:
+ - secretName: tls-certificate
+ hosts:
+ - demoexample.gluu.org
+
+# -- Job to generate data and initial config for Gluu Server persistence layer.
+persistence:
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/persistence-loader
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: [ ]
+ # -- Add custom job's command. If passed, it will override the default conditional command.
+ customCommand: []
+# -- System for Cross-domain Identity Management (SCIM) version 2.0
+scim:
+ # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ topologySpreadConstraints: {}
+ # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc.
+ # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart
+ #tsc1:
+ # maxSkew: 1
+ # minDomains: 1 # optional; beta since v1.25
+ # topologyKey: kubernetes.io/hostname
+ # whenUnsatisfiable: DoNotSchedule
+ # matchLabelKeys: [] # optional; alpha since v1.25
+ # nodeAffinityPolicy: [] # optional; alpha since v1.25
+ # nodeTaintsPolicy: [] # optional; alpha since v1.25
+ #tsc2:
+ #maxSkew: 1
+ # -- Configure the PodDisruptionBudget
+ pdb:
+ enabled: true
+ maxUnavailable: "90%"
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/scim
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 1000m
+ # -- Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units.
+ memory: 1200Mi
+ requests:
+ # -- CPU request.
+ cpu: 1000m
+ # -- Memory request.
+ memory: 1200Mi
+ service:
+ # -- The name of the scim port within the scim service. Please keep it as default.
+ name: http-scim
+ # -- Port of the scim service. Please keep it as default.
+ port: 8080
+ # -- Configure the liveness healthcheck for SCIM if needed.
+ livenessProbe:
+ httpGet:
+ # -- http liveness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ # -- Configure the readiness healthcheck for the SCIM if needed.
+ readinessProbe:
+ httpGet:
+ # -- http readiness probe endpoint
+ path: /jans-scim/sys/health-check
+ port: 8080
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: [ ]
+ # -- Add custom pod's command. If passed, it will override the default conditional command.
+ customCommand: []
+# -- Link.
+link:
+ # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ topologySpreadConstraints: {}
+ # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc.
+ # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart
+ #tsc1:
+ # maxSkew: 1
+ # minDomains: 1 # optional; beta since v1.25
+ # topologyKey: kubernetes.io/hostname
+ # whenUnsatisfiable: DoNotSchedule
+ # matchLabelKeys: [] # optional; alpha since v1.25
+ # nodeAffinityPolicy: [] # optional; alpha since v1.25
+ # nodeTaintsPolicy: [] # optional; alpha since v1.25
+ #tsc2:
+ #maxSkew: 1
+ # -- Configure the PodDisruptionBudget
+ pdb:
+ enabled: true
+ maxUnavailable: "90%"
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/link
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 500m
+ # -- Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units.
+ memory: 1200Mi
+ requests:
+ # -- CPU request.
+ cpu: 500m
+ # -- Memory request.
+ memory: 1200Mi
+ # -- Configure the liveness healthcheck for the auth server if needed.
+ livenessProbe:
+ # -- http liveness probe endpoint
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ readinessProbe:
+ # -- http readiness probe endpoint
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+
+
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: [ ]
+ # -- Add custom pod's command. If passed, it will override the default conditional command.
+ customCommand: []
+# -- SAML.
+saml:
+ # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API
+ # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ topologySpreadConstraints: {}
+ # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc.
+ # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart
+ #tsc1:
+ # maxSkew: 1
+ # minDomains: 1 # optional; beta since v1.25
+ # topologyKey: kubernetes.io/hostname
+ # whenUnsatisfiable: DoNotSchedule
+ # matchLabelKeys: [] # optional; alpha since v1.25
+ # nodeAffinityPolicy: [] # optional; alpha since v1.25
+ # nodeTaintsPolicy: [] # optional; alpha since v1.25
+ #tsc2:
+ #maxSkew: 1
+ # -- Configure the PodDisruptionBudget
+ pdb:
+ enabled: true
+ maxUnavailable: "90%"
+ # -- Configure the HorizontalPodAutoscaler
+ hpa:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 50
+ # -- metrics if targetCPUUtilizationPercentage is not set
+ metrics: []
+ # -- Scaling Policies
+ behavior: {}
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/saml
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Service replica number.
+ replicas: 1
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 500m
+ # -- Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports `Mi`. Please refrain from using other units.
+ memory: 1200Mi
+ requests:
+ # -- CPU request.
+ cpu: 500m
+ # -- Memory request.
+ memory: 1200Mi
+ # -- Configure the liveness healthcheck for the auth server if needed.
+ livenessProbe:
+ # -- http liveness probe endpoint
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ failureThreshold: 10
+ readinessProbe:
+ # -- http readiness probe endpoint
+ exec:
+ command:
+ - python3
+ - /app/scripts/healthcheck.py
+ initialDelaySeconds: 25
+ periodSeconds: 25
+ timeoutSeconds: 5
+ failureThreshold: 10
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: { }
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: [ ]
+ # -- Add custom pod's command. If passed, it will override the default conditional command.
+ customCommand: []
+
+# -- Responsible for synchronizing Keycloak SAML clients
+kc-scheduler:
+ # -- Add custom normal and secret envs to the service
+ usrEnvs:
+ # -- Add custom normal envs to the service
+ # variable1: value1
+ normal: {}
+ # -- Add custom secret envs to the service
+ # variable1: value1
+ secret: {}
+ # -- Add custom dns policy
+ dnsPolicy: ""
+ # -- Add custom dns config
+ dnsConfig: {}
+ image:
+ # -- Image pullPolicy to use for deploying.
+ pullPolicy: IfNotPresent
+ # -- Image to use for deploying.
+ repository: ghcr.io/janssenproject/jans/kc-scheduler
+ # -- Image tag to use for deploying.
+ tag: 1.3.0-1
+ # -- Image Pull Secrets
+ pullSecrets: [ ]
+ # -- Resource specs.
+ resources:
+ limits:
+ # -- CPU limit.
+ cpu: 300m
+ # -- Memory limit.
+ memory: 300Mi
+ requests:
+ # -- CPU request.
+ cpu: 300m
+ # -- Memory request.
+ memory: 300Mi
+ # -- Interval of running the scheduler (in minutes)
+ interval: 10
+ # -- Configure any additional volumes that need to be attached to the pod
+ volumes: []
+ # -- Configure any additional volumesMounts that need to be attached to the containers
+ volumeMounts: []
+ # Actions on lifecycle events such as postStart and preStop
+ # Example
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
+ lifecycle: {}
+ # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
+ additionalLabels: { }
+ # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
+ additionalAnnotations: {}
+ # -- Add custom scripts that have been mounted to run before the entrypoint.
+ # - /tmp/custom.sh
+ # - /tmp/custom2.sh
+ customScripts: []
+ # -- Add custom job's command. If passed, it will override the default conditional command.
+ customCommand: []
diff --git a/charts/minio/minio-operator/7.0.0/.helmignore b/charts/minio/minio-operator/7.0.0/.helmignore
new file mode 100644
index 0000000000..50af031725
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/minio/minio-operator/7.0.0/Chart.yaml b/charts/minio/minio-operator/7.0.0/Chart.yaml
new file mode 100644
index 0000000000..32bf6d49a7
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/Chart.yaml
@@ -0,0 +1,23 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Minio Operator
+ catalog.cattle.io/kube-version: '>=1.19-0'
+ catalog.cattle.io/release-name: operator
+apiVersion: v2
+appVersion: v7.0.0
+description: A Helm chart for MinIO Operator
+home: https://min.io
+icon: file://assets/icons/minio-operator.png
+keywords:
+- storage
+- object-storage
+- S3
+kubeVersion: '>=1.19-0'
+maintainers:
+- email: dev@minio.io
+ name: MinIO, Inc
+name: minio-operator
+sources:
+- https://github.com/minio/operator
+type: application
+version: 7.0.0
diff --git a/charts/minio/minio-operator/7.0.0/README.md b/charts/minio/minio-operator/7.0.0/README.md
new file mode 100644
index 0000000000..c7e73ec3e6
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/README.md
@@ -0,0 +1,45 @@
+# MinIO ![license](https://img.shields.io/badge/license-AGPL%20V3-blue)
+
+[MinIO](https://min.io) is a High Performance Object Storage released under GNU AGPLv3 or later. It is API compatible
+with Amazon S3 cloud storage service. Use MinIO to build high performance infrastructure for machine learning, analytics
+and application data workloads.
+
+For more detailed documentation please visit [here](https://docs.minio.io/)
+
+Introduction
+------------
+
+This chart bootstraps MinIO Operator on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+Configure MinIO Helm repo
+--------------------
+
+```bash
+helm repo add minio https://operator.min.io/
+```
+
+Installing the Chart
+--------------------
+
+Install this chart using:
+
+```bash
+helm install \
+ --namespace minio-operator \
+ --create-namespace \
+ minio-operator minio/operator
+```
+
+The command deploys MinIO Operator on the Kubernetes cluster in the default configuration.
+
+Creating a Tenant
+-----------------
+
+Once the MinIO Operator Chart is successfully installed, create a MinIO Tenant using:
+
+```bash
+helm install --namespace tenant-ns \
+ --create-namespace tenant minio/tenant
+```
+
+This creates a 4 Node MinIO Tenant (cluster). To change the default values, take a look at various [values.yaml](https://github.com/minio/operator/blob/master/helm/tenant/values.yaml).
diff --git a/charts/minio/minio-operator/7.0.0/app-readme.md b/charts/minio/minio-operator/7.0.0/app-readme.md
new file mode 100644
index 0000000000..ac0f1294a8
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/app-readme.md
@@ -0,0 +1,78 @@
+# MinIO Operator
+
+MinIO is a Kubernetes-native high performance object store with an S3-compatible API. The
+MinIO Kubernetes Operator supports deploying MinIO Tenants onto private and public
+cloud infrastructures ("Hybrid" Cloud).
+
+## Procedure
+
+### 1) Verify installation the MinIO Operator
+Run the following command to verify the status of the Operator:
+
+```sh
+kubectl get pods -n minio-operator
+```
+
+The output resembles the following:
+
+```sh
+NAME READY STATUS RESTARTS AGE
+console-6b6cf8946c-9cj25 1/1 Running 0 99s
+minio-operator-69fd675557-lsrqg 1/1 Running 0 99s
+```
+
+The `console-*` pod runs the MinIO Operator Console, a graphical user
+interface for creating and managing MinIO Tenants.
+
+The `minio-operator-*` pod runs the MinIO Operator itself.
+
+### 2) Access the Operator Console
+
+Get the service-account token to access the UI:
+
+```sh
+kubectl -n minio-operator get secret $(kubectl -n minio-operator get serviceaccount console-sa -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
+```
+
+Run the following command to create a local proxy to the MinIO Operator
+Console:
+
+```sh
+kubectl -n minio-operator port-forward svc/console 9090
+```
+
+Open your browser to http://localhost:9090 and use the JWT token to log in
+to the Operator Console.
+
+
+
+Click **+ Create Tenant** to open the Tenant Creation workflow.
+
+### 3) Build the Tenant Configuration
+
+The Operator Console **Create New Tenant** walkthrough builds out
+a MinIO Tenant. The following list describes the basic configuration sections.
+
+- **Name** - Specify the *Name*, *Namespace*, and *Storage Class* for the new Tenant.
+
+ The *Storage Class* must correspond to a [Storage Class](#default-storage-class) that corresponds to [Local Persistent Volumes](#local-persistent-volumes) that can support the MinIO Tenant.
+
+ The *Namespace* must correspond to an existing [Namespace](#minio-tenant-namespace) that does *not* contain any other MinIO Tenant.
+
+ Enable *Advanced Mode* to access additional advanced configuration options.
+
+- **Tenant Size** - Specify the *Number of Servers*, *Number of Drives per Server*, and *Total Size* of the Tenant.
+
+ The *Resource Allocation* section summarizes the Tenant configuration
+ based on the inputs above.
+
+ Additional configuration inputs may be visible if *Advanced Mode* was enabled
+ in the previous step.
+
+- **Preview Configuration** - summarizes the details of the new Tenant.
+
+After configuring the Tenant to your requirements, click **Create** to create the new tenant.
+
+The Operator Console displays credentials for connecting to the MinIO Tenant. You *must* download and secure these credentials at this stage. You cannot trivially retrieve these credentials later.
+
+You can monitor Tenant creation from the Operator Console.
\ No newline at end of file
diff --git a/charts/minio/minio-operator/7.0.0/templates/_helpers.tpl b/charts/minio/minio-operator/7.0.0/templates/_helpers.tpl
new file mode 100644
index 0000000000..53e96058c7
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/templates/_helpers.tpl
@@ -0,0 +1,37 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "minio-operator.name" -}}
+ {{- default .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "minio-operator.chart" -}}
+ {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels for operator
+*/}}
+{{- define "minio-operator.labels" -}}
+helm.sh/chart: {{ include "minio-operator.chart" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- range $key, $val := .Values.operator.additionalLabels }}
+{{ $key }}: {{ $val | quote }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Selector labels Operator
+*/}}
+{{- define "minio-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "minio-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/charts/minio/minio-operator/7.0.0/templates/minio.min.io_tenants.yaml b/charts/minio/minio-operator/7.0.0/templates/minio.min.io_tenants.yaml
new file mode 100644
index 0000000000..72d7e591fc
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/templates/minio.min.io_tenants.yaml
@@ -0,0 +1,5745 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.5 + operator.min.io/version: v7.0.0 + name: tenants.minio.min.io +spec: + group: minio.min.io + names: + kind: Tenant + listKind: TenantList + plural: tenants + shortNames: + - tenant + singular: tenant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.currentState + name: State + type: string + - jsonPath: .status.healthStatus + name: Health + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + scheduler: + properties: + name: + type: string + required: + - name + type: object + spec: + properties: + additionalVolumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + additionalVolumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: 
string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + 
x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + 
additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + 
items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + 
properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + 
properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + buckets: + items: + properties: + name: + type: string + objectLock: + type: boolean + region: + type: string + type: object + type: array + certConfig: + properties: + commonName: + type: string + dnsNames: + items: + type: string + type: array + organizationName: + items: + type: string + type: array + type: object + certExpiryAlertThreshold: + format: int32 + type: integer + configuration: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + 
type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + exposeServices: + properties: + console: + type: boolean + minio: + type: boolean + type: object + externalCaCertSecret: + items: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + type: array + externalCertSecret: + items: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + type: array + externalClientCertSecret: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + externalClientCertSecrets: + items: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + type: array + features: + properties: + bucketDNS: + type: boolean + domains: + properties: + console: + type: string + minio: + items: + type: string + type: array + type: object + enableSFTP: + type: boolean + type: object + image: + type: string + imagePullPolicy: + type: string + imagePullSecret: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + initContainers: + items: 
+ properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: 
string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - 
value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + 
properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + 
type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + 
properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + kes: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + 
x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: 
atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + 
additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + clientCertSecret: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + 
appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + 
x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + externalCertSecret: + properties: + name: + type: string + type: + type: string + required: + - name + type: object + gcpCredentialSecretName: + type: string + gcpWorkloadIdentityPool: + type: string + image: + type: string + imagePullPolicy: + type: string + kesSecret: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + keyName: + type: string + labels: + additionalProperties: + type: string + type: object + nodeSelector: + additionalProperties: + type: string + type: object + replicas: + format: int32 + type: integer + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: 
+ type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + serviceAccountName: + type: string + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + required: + - kesSecret + type: object + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + 
properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + liveness: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + 
x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + logging: + properties: + anonymous: + type: boolean + json: + type: boolean + quiet: + type: boolean + type: object + mountPath: + type: string + podManagementPolicy: + type: string + pools: + items: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: 
array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + 
type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + 
mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + x-kubernetes-list-type: atomic + 
topologyKey: + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + labels: + additionalProperties: + type: string + type: object + name: + minLength: 1 + type: string + nodeSelector: + additionalProperties: + type: string + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + 
additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + runtimeClassName: + type: string + securityContext: + properties: + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: atomic + supplementalGroupsPolicy: + type: string + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + servers: + format: int32 + type: integer + x-kubernetes-validations: + - message: servers is immutable + rule: self == oldSelf + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: 
string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + volumeClaimTemplate: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + 
x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: 
object + volumesPerServer: + format: int32 + type: integer + x-kubernetes-validations: + - message: volumesPerServer is immutable + rule: self == oldSelf + required: + - name + - servers + - volumeClaimTemplate + - volumesPerServer + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + poolsMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + priorityClassName: + type: string + prometheusOperator: + type: boolean + readiness: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + requestAutoCert: + type: boolean + serviceAccountName: + type: string + serviceMetadata: + properties: + consoleServiceAnnotations: + additionalProperties: + type: string + type: object + consoleServiceLabels: + 
additionalProperties: + type: string + type: object + kesServiceAnnotations: + additionalProperties: + type: string + type: object + kesServiceLabels: + additionalProperties: + type: string + type: object + minioServiceAnnotations: + additionalProperties: + type: string + type: object + minioServiceLabels: + additionalProperties: + type: string + type: object + type: object + sideCars: + properties: + containers: + items: + properties: + args: + items: + type: string + type: array + x-kubernetes-list-type: atomic + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + envFrom: + items: + properties: + configMapRef: + properties: + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + default: "" + 
type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + 
type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - 
name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resizePolicy: + items: + properties: + resourceName: + type: string + restartPolicy: + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + restartPolicy: + type: string + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + 
x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + 
type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - devicePath + x-kubernetes-list-type: map + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + recursiveReadOnly: + type: string + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + x-kubernetes-list-map-keys: + - mountPath + x-kubernetes-list-type: map + workingDir: + type: string + required: + - name + type: object + type: array + resources: + properties: + claims: + items: + properties: + name: + type: string + request: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + volumeClaimTemplates: + items: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + 
spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + status: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + allocatedResourceStatuses: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + allocatedResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + conditions: + items: + properties: + lastProbeTime: + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object + phase: + type: string + type: object + type: object + type: array + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + default: ext4 + type: string + kind: + type: string + readOnly: + default: false + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + default: "" + type: string + type: 
object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + 
volumeAttributesClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + image: + properties: + pullPolicy: + type: string + reference: + type: string + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + default: default + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + type: boolean + secretRef: + properties: + name: + 
default: "" + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: 
atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + default: /etc/ceph/keyring + type: string + monitors: + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + default: xfs + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: 
boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + default: ThinProvisioned + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + startup: + properties: + exec: + properties: + command: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + default: "" + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: 
int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + subPath: + type: string + users: + items: + properties: + name: + default: "" + type: string + type: object + x-kubernetes-map-type: atomic + type: array + required: + - pools + type: object + status: + properties: + availableReplicas: + format: int32 + type: integer + certificates: + nullable: true + properties: + autoCertEnabled: + nullable: true + type: boolean + customCertificates: + nullable: true + properties: + client: + items: + properties: + certName: + type: string + domains: + items: + type: string + type: array + expiresIn: + type: string + expiry: + type: string + serialNo: + type: string + type: object + type: array + minio: + items: + properties: + certName: + type: string + domains: + items: + type: string + type: array + expiresIn: + type: string + expiry: + type: string + serialNo: + type: string + type: object + type: array + minioCAs: + items: + properties: + certName: + type: string + domains: + items: + type: string + type: array + expiresIn: + type: string + expiry: + type: string + serialNo: + type: string + type: object + type: array + type: object + type: object + currentState: + type: string + drivesHealing: + format: int32 + type: integer + drivesOffline: + format: int32 + type: integer + drivesOnline: + format: int32 + type: integer + healthMessage: + type: string + healthStatus: + type: string + pools: + items: + properties: + legacySecurityContext: + type: boolean + ssName: + type: string + state: + type: string + required: + - ssName + - state + type: object + nullable: true + type: array + provisionedBuckets: + 
type: boolean + provisionedUsers: + type: boolean + revision: + format: int32 + type: integer + syncVersion: + type: string + usage: + properties: + capacity: + format: int64 + type: integer + rawCapacity: + format: int64 + type: integer + rawUsage: + format: int64 + type: integer + tiers: + items: + properties: + Name: + type: string + Type: + type: string + totalSize: + format: int64 + type: integer + required: + - Name + - totalSize + type: object + type: array + usage: + format: int64 + type: integer + type: object + waitingOnReady: + format: date-time + type: string + writeQuorum: + format: int32 + type: integer + required: + - availableReplicas + - certificates + - currentState + - pools + - revision + - syncVersion + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/minio/minio-operator/7.0.0/templates/operator-clusterrole.yaml b/charts/minio/minio-operator/7.0.0/templates/operator-clusterrole.yaml new file mode 100644 index 0000000000..7428beb4ae --- /dev/null +++ b/charts/minio/minio-operator/7.0.0/templates/operator-clusterrole.yaml 
@@ -0,0 +1,183 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: minio-operator-role
+ labels: {{- include "minio-operator.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - "apiextensions.k8s.io"
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - update
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - nodes
+ verbs:
+ - create
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - events
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - create
+ - list
+ - delete
+ - deletecollection
+ - update
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - watch
+ - create
+ - update
+ - list
+ - delete
+ - deletecollection
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ - deployments
+ - deployments/finalizers
+ verbs:
+ - get
+ - create
+ - list
+ - patch
+ - watch
+ - update
+ - delete
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - create
+ - list
+ - patch
+ - watch
+ - update
+ - delete
+ - apiGroups:
+ - "certificates.k8s.io"
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs:
+ - update
+ - create
+ - get
+ - delete
+ - list
+ - apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - kubernetes.io/legacy-unknown
+ - kubernetes.io/kube-apiserver-client
+ - kubernetes.io/kubelet-serving
+ - beta.eks.amazonaws.com/app-serving
+ resources:
+ - signers
+ verbs:
+ - approve
+ - sign
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - minio.min.io
+ - sts.min.io
+ - job.min.io
+ resources:
+ - "*"
+ verbs:
+ - "*"
+ - apiGroups:
+ - min.io
+ resources:
+ - "*"
+ verbs:
+ - "*"
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - prometheuses
+ - prometheusagents
+ verbs:
+ - get
+ - update
+ - list
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - get
+ - update
+ - create
+ - apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - deletecollection
diff --git a/charts/minio/minio-operator/7.0.0/templates/operator-clusterrolebinding.yaml b/charts/minio/minio-operator/7.0.0/templates/operator-clusterrolebinding.yaml
new file mode 100644
index 0000000000..ad4add53d4
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/templates/operator-clusterrolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: minio-operator-binding
+ labels: {{- include "minio-operator.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: minio-operator-role
+subjects:
+ - kind: ServiceAccount
+ name: minio-operator
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/minio/minio-operator/7.0.0/templates/operator-deployment.yaml b/charts/minio/minio-operator/7.0.0/templates/operator-deployment.yaml
new file mode 100644
index 0000000000..5ffbd31786
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/templates/operator-deployment.yaml
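Review bot: The `secrets` rule of the ClusterRole grants `get`/`list`/`watch` together with `delete` and `deletecollection` at cluster scope, and the `signers` rule further down allows `approve` and `sign` for `kubernetes.io/kube-apiserver-client` and `kubernetes.io/legacy-unknown`, so anything running as the `minio-operator` service account can read or remove every Secret in the cluster and approve certificates that the API server honours for client authentication. If the operator only issues serving certificates for tenants (an assumption; its code is not on this page), narrow the rule to `resourceNames: [kubernetes.io/kubelet-serving, beta.eks.amazonaws.com/app-serving]`. For the Secret access, add a comment above the rule naming the controller path that needs cluster-wide `deletecollection`, for example `# required because tenants may be created in any namespace; <purpose of deletecollection>`, or move the rule into per-namespace Roles where the tenant namespaces are known in advance. The `resources: "*"` / `verbs: "*"` rules are limited to the operator's own API groups and are the less pressing part of this role.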
@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio-operator
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "minio-operator.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.operator.replicaCount }}
+ selector:
+ matchLabels: {{- include "minio-operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "minio-operator.labels" . | nindent 8 }}
+ {{- include "minio-operator.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.operator.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.operator.runtimeClassName }}
+ runtimeClassName: {{ . }}
+ {{- end }}
+ serviceAccountName: minio-operator
+ {{- with .Values.operator.securityContext }}
+ securityContext: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.operator.nodeSelector }}
+ nodeSelector: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.operator.affinity }}
+ affinity: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.operator.tolerations }}
+ tolerations: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.operator.topologySpreadConstraints }}
+ topologySpreadConstraints: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.operator.priorityClassName }}
+ priorityClassName: {{ . }}
+ {{- end }}
+ {{- with .Values.operator.initContainers }}
+ initContainers: {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.digest | default .Values.operator.image.tag }}"
+ imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
+ args:
+ - controller
+ {{- with .Values.operator.env }}
+ env: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- if .Values.operator.sidecarImage }}
+ - name: "OPERATOR_SIDECAR_IMAGE"
+ value: "{{ .Values.operator.sidecarImage.repository }}:{{ .Values.operator.sidecarImage.digest | default .Values.operator.sidecarImage.tag }}"
+ {{- end }}
+ resources: {{- toYaml .Values.operator.resources | nindent 12 }}
+ {{- with .Values.operator.containerSecurityContext }}
+ securityContext: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.operator.volumeMounts }}
+ volumeMounts: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.operator.volumes }}
+ volumes: {{- toYaml . | nindent 8 }}
+ {{- end }}
\ No newline at end of file
diff --git a/charts/minio/minio-operator/7.0.0/templates/operator-service.yaml b/charts/minio/minio-operator/7.0.0/templates/operator-service.yaml
new file mode 100644
index 0000000000..33f25fbbb1
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/templates/operator-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: operator
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "minio-operator.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 4221
+ name: http
+ selector:
+ operator: leader
+ {{- include "minio-operator.selectorLabels" . | nindent 4 }}
diff --git a/charts/minio/minio-operator/7.0.0/templates/operator-serviceaccount.yaml b/charts/minio/minio-operator/7.0.0/templates/operator-serviceaccount.yaml
new file mode 100644
index 0000000000..8ae899da6e
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/templates/operator-serviceaccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: minio-operator
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "minio-operator.labels" . | nindent 4 }}
+ {{- with .Values.operator.serviceAccountAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
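Review bot: In the operator Deployment template, the `OPERATOR_SIDECAR_IMAGE` list item is emitted by its own `{{- if .Values.operator.sidecarImage }}` block after the `{{- end }}` that closes `with .Values.operator.env`, so the `env:` key is absent whenever `operator.env` is empty and `sidecarImage` is set. values.yaml documents both settings (an empty `env` array and a custom `sidecarImage`), and in that combination the item most likely ends up under `args:` (indentation is not recoverable from this page), which yields a Deployment the API server rejects. Open a single block with `{{- if or .Values.operator.env .Values.operator.sidecarImage }}`, emit `env:` once inside it, and render both the `toYaml` of `operator.env` and the sidecar entry before its `{{- end }}`.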
diff --git a/charts/minio/minio-operator/7.0.0/templates/sts-service.yaml b/charts/minio/minio-operator/7.0.0/templates/sts-service.yaml
new file mode 100644
index 0000000000..51b06a5903
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/templates/sts-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: sts
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "minio-operator.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 4223
+ name: https
+ selector: {{- include "minio-operator.selectorLabels" . | nindent 4 }}
diff --git a/charts/minio/minio-operator/7.0.0/templates/sts.min.io_policybindings.yaml b/charts/minio/minio-operator/7.0.0/templates/sts.min.io_policybindings.yaml
new file mode 100644
index 0000000000..1dc6be5989
--- /dev/null
+++ b/charts/minio/minio-operator/7.0.0/templates/sts.min.io_policybindings.yaml
@@ -0,0 +1,133 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.5 + operator.min.io/version: v7.0.0 + name: policybindings.sts.min.io +spec: + group: sts.min.io + names: + kind: PolicyBinding + listKind: PolicyBindingList + plural: policybindings + shortNames: + - policybinding + singular: policybinding + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.currentState + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + application: + properties: + namespace: + type: string + serviceaccount: + type: string + required: + - namespace + - serviceaccount + type: object + policies: + items: + type: string + type: array + required: + - application + - policies + type: object + status: + properties: + currentState: + type: string + usage: + nullable: true + properties: + authotizations: + format: int64 + type: integer + type: object + required: + - currentState + - usage + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.currentState + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + application: + properties: + namespace: + type: string + serviceaccount: + type: string + required: + - namespace + - serviceaccount + type: object + policies: + items: + type: string + type: array + required: + - application + - policies + type: object + status: + properties: + currentState: + type: string + usage: + nullable: true + properties: + authotizations: + 
format: int64 + type: integer + type: object + required: + - currentState + - usage + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/minio/minio-operator/7.0.0/values.yaml b/charts/minio/minio-operator/7.0.0/values.yaml new file mode 100644 index 0000000000..5d08e8f749 --- /dev/null +++ b/charts/minio/minio-operator/7.0.0/values.yaml 
@@ -0,0 +1,187 @@
+###
+# Root key for Operator Helm Chart
+operator:
+ ###
+ # An array of environment variables to pass to the Operator deployment.
+ # Pass an empty array to start Operator with defaults.
+ #
+ # For example:
+ #
+ # .. code-block:: yaml
+ #
+ # env:
+ # - name: CLUSTER_DOMAIN
+ # value: "cluster.domain"
+ # - name: WATCHED_NAMESPACE
+ # value: ""
+ # - name: MINIO_OPERATOR_RUNTIME
+ # value: "OpenShift"
+ #
+ # See `Operator environment variables `__ for a list of all supported values.
+ env:
+ - name: OPERATOR_STS_ENABLED
+ value: "on"
+ # An array of additional annotations to be applied to the operator service account
+ serviceAccountAnnotations: []
+ # additional labels to be applied to operator resources
+ additionalLabels: {}
+ ###
+ # Specify the Operator container image to use for the deployment.
+ # ``image.tag``
+ # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v7.0.0 tag.
+ # The container pulls the image if not already present:
+ #
+ # .. code-block:: yaml
+ #
+ # image:
+ # repository: quay.io/minio/operator
+ # tag: v7.0.0
+ # pullPolicy: IfNotPresent
+ #
+ # The chart also supports specifying an image based on digest value:
+ #
+ # .. code-block:: yaml
+ #
+ # image:
+ # repository: quay.io/minio/operator@sha256
+ # digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
+ # pullPolicy: IfNotPresent
+ #
+ image:
+ repository: quay.io/minio/operator
+ tag: v7.0.0
+ pullPolicy: IfNotPresent
+ ###
+ # Specify the sidecar container image to deploy on tenant pods for init container and sidecar.
+ # Only need to change this if want to use a different version that the default, or want to set a custom registry.
+ # ``sidecarImage.tag``
+ # For example, the following sets the image to the ``quay.io/minio/operator-sidecar`` repo and the v7.0.0 tag.
+ # The container pulls the image if not already present:
+ #
+ # .. code-block:: yaml
+ #
+ # sidecarImage:
+ # repository: quay.io/minio/operator-sidecar
+ # tag: v7.0.0
+ # pullPolicy: IfNotPresent
+ #
+ # The chart also supports specifying an image based on digest value:
+ #
+ # .. code-block:: yaml
+ #
+ # sidecarImage:
+ # repository: quay.io/minio/operator-sidecar@sha256
+ # digest: a11947a230b80fb1b0bffa97173147a505d4f1207958f722e348d11ab9e972c1
+ # pullPolicy: IfNotPresent
+ #
+ sidecarImage: {}
+ ###
+ #
+ # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``.
+ # Only one array element is supported at this time.
+ imagePullSecrets: [ ]
+ ###
+ #
+ # The name of a custom `Container Runtime `__ to use for the Operator pods.
+ runtimeClassName: ~
+ ###
+ # An array of `initContainers `__ to start up before the Operator pods.
+ # Exercise care as ``initContainer`` failures prevent Operator pods from starting.
+ # Pass an empty array to start the Operator normally.
+ initContainers: [ ]
+ ###
+ # The number of Operator pods to deploy.
+ # Higher values increase availability in the event of worker node failures.
+ #
+ # The cluster must have sufficient number of available worker nodes to fulfill the request.
+ # Operator pods deploy with pod anti-affinity by default, preventing Kubernetes from scheduling multiple pods onto a single Worker node.
+ replicaCount: 2
+ ###
+ # The Kubernetes `SecurityContext `__ to use for deploying Operator resources.
+ #
+ # You may need to modify these values to meet your cluster's security and access settings.
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ fsGroup: 1000
+ ###
+ # The Kubernetes `SecurityContext `__ to use for deploying Operator containers.
+ # You may need to modify these values to meet your cluster's security and access settings.
+ containerSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ ###
+ # An array of `Volumes `__ which the Operator can mount to pods.
+ #
+ # The volumes must exist *and* be accessible to the Operator pods.
+ volumes: [ ]
+ ###
+ # An array of volume mount points associated to each Operator container.
+ #
+ # Specify each item in the array as follows:
+ #
+ # .. code-block:: yaml
+ #
+ # volumeMounts:
+ # - name: volumename
+ # mountPath: /path/to/mount
+ #
+ # The ``name`` field must correspond to an entry in the ``volumes`` array.
+ volumeMounts: [ ]
+ ###
+ # Any `Node Selectors `__ to apply to Operator pods.
+ #
+ # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Operator pods.
+ #
+ # If no worker nodes match the specified selectors, the Operator deployment will fail.
+ nodeSelector: { }
+ ###
+ #
+ # The `Pod Priority `__ to assign to Operator pods.
+ priorityClassName: ""
+ ###
+ #
+ # The `affinity `__ or anti-affinity settings to apply to Operator pods.
+ #
+ # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes.
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: name
+ operator: In
+ values:
+ - minio-operator
+ topologyKey: kubernetes.io/hostname
+ ###
+ #
+ # An array of `Toleration labels `__ to associate to Operator pods.
+ #
+ # These settings determine the distribution of pods across worker nodes.
+ tolerations: [ ]
+ ###
+ #
+ # An array of `Topology Spread Constraints `__ to associate to Operator pods.
+ #
+ # These settings determine the distribution of pods across worker nodes.
+ topologySpreadConstraints: [ ]
+ ###
+ #
+ # The `Requests or Limits `__ for resources to associate to Operator pods.
+ #
+ # These settings can control the minimum and maximum resources requested for each pod.
+ # If no worker nodes can meet the specified requests, the Operator may fail to deploy.
+ resources:
+ requests:
+ cpu: 200m
+ memory: 256Mi
+ ephemeral-storage: 500Mi
diff --git a/charts/redpanda/redpanda/5.9.19/.helmignore b/charts/redpanda/redpanda/5.9.19/.helmignore
new file mode 100644
index 0000000000..d5bb5e6ba6
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/.helmignore
@@ -0,0 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+README.md.gotmpl
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+*.go
+testdata/
+ci/
diff --git a/charts/redpanda/redpanda/5.9.19/CHANGELOG.md b/charts/redpanda/redpanda/5.9.19/CHANGELOG.md
new file mode 100644
index 0000000000..efd0376d7a
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/CHANGELOG.md
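Review bot: The default `image` block in values.yaml pins the operator by tag only (`tag: v7.0.0`, `pullPolicy: IfNotPresent`), and the digest form in the comment above it works only if `repository` itself ends in `@sha256`, because the deployment template joins `repository` and `digest | default tag` with `:`. Setting `digest` while keeping the default `repository: quay.io/minio/operator` therefore renders `repo:<hex>`, which is parsed as a tag rather than a digest, so the intended pin does not take effect. State the coupling where the value is set, e.g. `# digest: bare hex value; repository must then end in "@sha256". digest takes precedence over tag.`, and apply the same comment to `sidecarImage`. A cleaner follow-up would be for the template to render `repository@digest` when `digest` is set, so that values can carry `digest: sha256:<digest>` with an unmodified repository.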
@@ -0,0 +1,313 @@ +# Changelog +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) +and is generated by [Changie](https://github.com/miniscruff/changie). + + +## v5.9.19 - 2025-01-14 +### Added +* Added `resources.limits` and `resources.requests` as an alternative method of managing the redpanda container's resources. + + When both `resources.limits` and `resources.requests` are specified, the + redpanda container's `resources` will be set to the provided values and all + other keys of `resources` will be ignored. Instead, all other values will be + inferred from the limits and requests. + + This allows fine grain control of resources. i.e. It is now possible to set + CPU requests without setting limits: + + ```yaml + resources: + limits: {} # Specified but no cpu or memory values provided + requests: + cpu: 5 # Only CPU requests + ``` + + For more details see [redpanda's values.yaml](./charts/redpanda/values.yaml). +### Changed +* `statefulset.podTemplate` no longer specifies a `"redpanda"` container. This + was unintentionally generating empty containers when `nameOverride` was used. +* Bump Redpanda operator side car container tag to `v2.3.6-24.3.3` +### Fixes +* out of range slice error when Redpanda custom resource has set `useFlux` to + `false` and `Fullname` function would return string that has less + than 49 characters. It could be caused with usage of `nameOverwrite` input + value. + +### [5.9.18](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.18) - 2024-12-20 +#### Added +#### Changed +#### Fixed +* Fixed an issue with the helm chart when SASL and Connectors were enabled that caused a volume to be mounted incorrectly. 
+#### Removed + +### [5.9.17](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.17) - 2024-12-17 +#### Added +#### Changed +* Default for tiered storage cache to `none` which will defer tiered storage cache path to Redpanda process. +#### Fixed +#### Removed + +### [5.9.16](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.16) - 2024-12-09 +#### Added +#### Changed +* Update sidecar container redpanda-operator container tag +#### Fixed +#### Removed + +### [5.9.15](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.15) - 2024-11-29 +#### Added +#### Changed +#### Fixed +* ability to overwrite annotation and labels in Job metadata +#### Removed +* non-existent post-upgrade-job values of the non-existent resource (removed in 5.9.6) + +### [5.9.14](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.14) - 2024-11-28 +#### Added +#### Changed +* note to indicate Core count decreasing will be possible starting from 24.3 Redpanda version +#### Fixed +* Fixed the description of `-memory` and `--reserve-memory` in docs. 
+#### Removed + +### [5.9.13](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.13) - 2024-11-27 +#### Added +* overriding any PodSpec fields from `PodTemplate` +#### Changed +* Bump Redpanda operator side car container tag to v2.3.1-24.3.1 +#### Fixed +#### Removed + +### [5.9.12](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.12) - 2024-11-22 +#### Added +#### Changed +* Chart version to update operator side-car container tag +#### Fixed +#### Removed + +### [5.9.11](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.11) - 2024-11-21 +#### Added +* Ability to generate Redpanda with Connector resources from go code +#### Changed +* Include all Connectors chart values in Redpanda chart values +#### Fixed +#### Removed + +### [5.9.10](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.10) - 2024-11-14 +#### Added +#### Changed +#### Fixed +* All occurrence of External Domain execution via tpl function +* Calculating Service typed LoadBalancer annotation based on external addresses (even single one) +* Fix connecting to the schema registry via rpk on nodes for versions of rpk that support a node-level rpk stanza. 
+#### Removed + +### [5.9.9](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.9) - 2024-10-24 +#### Added +* Strategic merge of Pod volumes and Container volumeMounts +#### Changed +* By default auto mount is disabled in ServiceAccount and Statefulset PodSpec +* Mount volume similar to auto mount functionality for ServiceAccount token when sidecar controllers are enabled +#### Fixed +* Passing console extra volume and volume mount in Redpanda chart +* implements `time.ParseDuration` in gotohelm (with limitations) +* updates the transpilation of `MustParseDuration` to properly re-serialize the provided duration +#### Removed + +### [5.9.8](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.8) - 2024-10-23 +#### Added +#### Changed +* Bump Redpanda app version +#### Fixed +* Increased the memory limits of `bootstrap-yaml-envsubst` to prevent hangs on aarch64 [#1564](https://github.com/redpanda-data/helm-charts/issues/1564). +#### Removed + +### [5.9.7](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.7) - 2024-10-14 +#### Added +#### Changed +* Bump Redpanda app version +#### Fixed +#### Removed + +### [5.9.6](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.6) - 2024-10-09 +#### Added +* Added the ability to override the name of the bootstrap user created when SASL authentication is enabled. [#1547](https://github.com/redpanda-data/helm-charts/pull/1547) +#### Changed +* The minimum Kubernetes version has been bumped to `1.25.0` +#### Fixed +* Chart render failures in tooling compiled with go < 1.19 (e.g. helm 3.10.x) have been fixed. +#### Removed +* `post_upgrade_job.*`, and the post-upgrade job itself, has been removed. All + it's functionality has been consolidated into the `post_install_job`, which + actually runs on both post-install and post-upgrade. 
+ + The consolidated job now runs the redpanda-operator image, which may be + controlled the same way as the additional controllers: + `statefulset.controllers.{image,repository}`. + +### [5.9.5](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.5) - 2024-09-26 +#### Added +#### Changed +* Bump Redpanda container tag/application version [#1543](https://github.com/redpanda-data/helm-charts/pull/1543) +#### Fixed +* Connectors deployment [#1543](https://github.com/redpanda-data/helm-charts/pull/1543) +#### Removed + +### [5.9.4](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.4) - 2024-09-17 +#### Added +#### Changed +* Cluster configurations are no longer include in `redpanda.yaml` or the + Redpanda Statefulset's configuration hash. + + This change makes it possible to update cluster configurations without + initiating a rolling restart of the entire cluster. + + As has always been the case, users should consult `rpk cluster config status` + to determine if a rolling restart needs to be manually performed due to + cluster configuration changes. + + Cases requiring manual rolling restarts may increase as fewer chart + operations will initiate rolling restart of the cluster. +#### Fixed +* Fix initialization of configurations using RestToConfig when the passed in rest.Config contain on-disk value files. +#### Removed +* All zero, empty, or default cluster configurations have been removed from + `values.yaml` in favor of letting redpanda determine what the defaults will + be. + + Documentation of cluster configurations has also been removed in favor of + linking to Redpanda's docs. + +### [5.9.3](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.3) - 2024-09-11 +#### Added +* Add basic bootstrap user support (#1513) +#### Changed +#### Fixed +* When specified, `truststore_file` is no longer propagated to client configurations. 
+* If provided, `config.cluster.default_topic_replications` is now respected regardless of the value of `statefulset.replicas`. +#### Removed + +### [5.9.1](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.1) - 2024-8-19 +#### Added +#### Changed +#### Fixed +* The `truststores` projected volume no longer duplicates entries when the same + trust store is specified across multiple TLS configurations. +#### Removed + +### [5.9.0](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.9.0) - 2024-08-09 +#### Added +* `post_install_job.podTemplate` and `post_upgrade_job.podTemplate` have been + added, which allow overriding various aspects of the corresponding + `corev1.PodTemplate`. Notably, this field may be used to set labels and + annotations on the Pod produced by the Job which was not previously possible. +* `statefulset.podTemplate` has benefited from the above additions as well. + `statefulset.podTemplate.spec.securityContext` and + `statefulset.podTemplate.spec.containers[*].securityContext` may be used to + set/override the pod and container security contexts respectively. +* `appProtocol` added to the `listeners.admin` configuration +#### Changed +* The container name of the post-upgrade job is now statically set to + `post-upgrade` to facilitate strategic merge patching. +* The container name of the post-install job is now statically set to + `post-install` to facilitate strategic merge patching. +* `statefulset.securityContext`, `statefulset.podSecurityContext`, + `post_upgrade_job.securityContext`, and `post_install_job.securityContext` + have all been deprecated due to historically incorrect and confusing + behavior. The desire to preserve backwards compatibility and not suddenly + change sensitive fields has left us unable to cleanly correct said issues. + `{statefulset,post_upgrade_job,post_install_job}.podTemplate` may be used to + override either the Pod or Container security context. 
+#### Fixed +#### Removed + +### [5.8.15](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.8.15) - 2024-08-08 +#### Added +#### Changed +* Bump Redpanda version due to a bug in Redpanda +#### Fixed +* Fix mechanism check in superuser file creation +#### Removed + +### [5.8.14](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.8.14) - 2024-08-07 +#### Added +* unset `status` and `creationTimestamp` before rendering resource +#### Changed +* Convert connectors to go +* Bump redpanda, connectors, operator and console helm chart application version +#### Fixed +* Fix Redpanda node configuration generation, so that rpk can parse it +* Fix volume mounts in mTLS setup +* Correct boolean coalescing +#### Removed + +### [5.8.13](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.8.13) - 2024-07-25 +#### Added +#### Changed +* Updated `appVersion` to `v24.1.11` +#### Fixed +* Fixed a regression where `post_upgrade_job` would fail if TLS on the admin + listener was disabled but had `cert` set to an invalid cert (e.g. `""`) +* Fixed mTLS configurations between Redpanda and Console [#1402](https://github.com/redpanda-data/helm-charts/pull/1402) +* Fixed a typo in `statefulset.securityContext.allowPriviledgeEscalation`. Both the correct + and typoed name will be respected with the correct spelling taking + precedence. [#1413](https://github.com/redpanda-data/helm-charts/issues/1413) +#### Removed +* Validation of `issuerRef` has been removed to permit external Issuers. + [#1432](https://github.com/redpanda-data/helm-charts/issues/1432) + +### [5.8.12](https://github.com/redpanda-data/helm-charts/releases/tag/redpanda-5.8.12) - 2024-07-10 + +#### Added + +#### Changed +* `image.repository` longer needs to be the default value of + `"docker.redpanda.com/redpandadata/redpanda"` to respect version checks of + `image.tag` + ([#1334](https://github.com/redpanda-data/helm-charts/issues/1334)). 
+* `post_upgrade_job.extraEnv` and `post_upgrade_job.extraEnvFrom` no longer accept string inputs. + + Previously, they accepted either strings or structured fields. As the types + of this chart are reflected in the operator's CRD, we are bound by the + constraints of Kubernetes' CRDs, which do not support fields with multiple + types. We also noticed that the [CRD requires these fields to be structured + types](https://github.com/redpanda-data/redpanda-operator/blob/9fa7a7848a22ece215be36dd17f0e4c2ba0002f7/src/go/k8s/api/redpanda/v1alpha2/redpanda_clusterspec_types.go#L597-L600) + rather than strings. Too minimize the divergences between the two, we've + opted to drop support for string inputs here but preserve them elsewhere. + + Updating these fields, if they are strings, is typically a case of needing + to remove `|-`'s from one's values file. + + Before: + ```yaml + post_upgrade_job: + extraEnv: |- + - name: SPECIAL_LEVEL_KEY + valueFrom: + configMapKeyRef: + name: special-config + key: special.how + ``` + + After: + ```yaml + post_upgrade_job: + extraEnv: + - name: SPECIAL_LEVEL_KEY + valueFrom: + configMapKeyRef: + name: special-config + key: special.how + ``` + + If you were using a templated value and would like to see it added back, + please [file us an + issue](https://github.com/redpanda-data/helm-charts/issues/new/choose) and + tell us about your use case! + +#### Fixed +* Numeric node/broker configurations are now properly transcoded as numerics. + +#### Removed diff --git a/charts/redpanda/redpanda/5.9.19/Chart.lock b/charts/redpanda/redpanda/5.9.19/Chart.lock new file mode 100644 index 0000000000..11dc489851 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/Chart.lock 
@@ -0,0 +1,9 @@
+dependencies:
+- name: console
+ repository: https://charts.redpanda.com
+ version: 0.7.31
+- name: connectors
+ repository: https://charts.redpanda.com
+ version: 0.1.14
+digest: sha256:9143ac9f8f57865b40644d32e79aa0acc4187b0b71f2ec465a129ed2a689c540
+generated: "2025-01-22T19:00:25.636094967Z"
diff --git a/charts/redpanda/redpanda/5.9.19/Chart.yaml b/charts/redpanda/redpanda/5.9.19/Chart.yaml
new file mode 100644
index 0000000000..b06fadd3c9
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/Chart.yaml
@@ -0,0 +1,38 @@
+annotations:
+ artifacthub.io/images: |
+ - name: redpanda
+ image: docker.redpanda.com/redpandadata/redpanda:v24.3.3
+ - name: busybox
+ image: busybox:latest
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/links: |
+ - name: Documentation
+ url: https://docs.redpanda.com
+ - name: "Helm (>= 3.10.0)"
+ url: https://helm.sh/docs/intro/install/
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Redpanda
+ catalog.cattle.io/kube-version: '>=1.21-0'
+ catalog.cattle.io/release-name: redpanda
+apiVersion: v2
+appVersion: v24.3.3
+dependencies:
+- condition: console.enabled
+ name: console
+ repository: https://charts.redpanda.com
+ version: '>=0.5 <1.0'
+- condition: connectors.enabled
+ name: connectors
+ repository: https://charts.redpanda.com
+ version: '>=0.1.2 <1.0'
+description: Redpanda is the real-time engine for modern apps.
+icon: file://assets/icons/redpanda.svg
+kubeVersion: '>=1.21-0'
+maintainers:
+- name: redpanda-data
+ url: https://github.com/orgs/redpanda-data/people
+name: redpanda
+sources:
+- https://github.com/redpanda-data/redpanda-operator/tree/main/charts/redpanda
+type: application
+version: 5.9.19
diff --git a/charts/redpanda/redpanda/5.9.19/LICENSE b/charts/redpanda/redpanda/5.9.19/LICENSE
new file mode 100644
index 0000000000..261eeb9e9f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/LICENSE
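Review bot: The `artifacthub.io/images` annotation in the redpanda `Chart.yaml` hunk lists `image: busybox:latest`, a floating tag, beside the pinned `redpanda:v24.3.3`. If the templates pull that same reference (not visible in this hunk), the deployed image can change with no chart version change, and a scan keyed on the annotation cannot be tied to fixed content. It should be pinned to a release tag or digest, for example `image: busybox:<pinned-tag>@sha256:<digest>` (placeholders). Separately, `kubeVersion: '>=1.21-0'` and `catalog.cattle.io/kube-version: '>=1.21-0'` disagree with the CHANGELOG added in this same commit, which says the minimum Kubernetes version was bumped to `1.25.0` in 5.9.6. Tightening both to `'>=1.25.0-0'` would have Helm and the catalog refuse an unsupported cluster at install time rather than fail later.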
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/redpanda/redpanda/5.9.19/README.md b/charts/redpanda/redpanda/5.9.19/README.md new file mode 100644 index 0000000000..026c51c32b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/README.md 
@@ -0,0 +1,1259 @@ +# Redpanda Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Helm chart. +--- + +![Version: 5.9.19](https://img.shields.io/badge/Version-5.9.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.3.3](https://img.shields.io/badge/AppVersion-v24.3.3-informational?style=flat-square) + +This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.25.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.redpanda.com | connectors | >=0.1.2 <1.0 | +| https://charts.redpanda.com | console | >=0.5 <1.0 | + +## Settings + +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=affinity) + +Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). 
+ +**Default:** `{}` + +### [auditLogging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging) + +Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0. + +**Default:** + +``` +{"clientMaxBufferSize":16777216,"enabled":false,"enabledEventTypes":null,"excludedPrincipals":null,"excludedTopics":null,"listener":"internal","partitions":12,"queueDrainIntervalMs":500,"queueMaxBufferSizePerShard":1048576,"replicationFactor":null} +``` + +### [auditLogging.clientMaxBufferSize](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.clientMaxBufferSize) + +Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages. + +**Default:** `16777216` + +### [auditLogging.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabled) + +Enable or disable audit logging, for production clusters we suggest you enable, however, this will only work if you also enable sasl and a listener with sasl enabled. + +**Default:** `false` + +### [auditLogging.enabledEventTypes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabledEventTypes) + +Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`]. + +**Default:** `nil` + +### [auditLogging.excludedPrincipals](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedPrincipals) + +List of principals to exclude from auditing, default is null. + +**Default:** `nil` + +### [auditLogging.excludedTopics](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedTopics) + +List of topics to exclude from auditing, default is null. 
+ +**Default:** `nil` + +### [auditLogging.listener](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.listener) + +Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. For external listeners, use the external listener name, such as `default`. + +**Default:** `"internal"` + +### [auditLogging.partitions](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.partitions) + +Integer value defining the number of partitions used by a newly created audit topic. + +**Default:** `12` + +### [auditLogging.queueDrainIntervalMs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueDrainIntervalMs) + +In ms, frequency in which per shard audit logs are batched to client for write to audit log. + +**Default:** `500` + +### [auditLogging.queueMaxBufferSizePerShard](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueMaxBufferSizePerShard) + +Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard. + +**Default:** `1048576` + +### [auditLogging.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.replicationFactor) + +Defines the replication factor for a newly created audit log topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null` + +**Default:** `nil` + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). 
+ +**Default:** + +``` +{"sasl":{"bootstrapUser":{"mechanism":"SCRAM-SHA-256"},"enabled":false,"mechanism":"SCRAM-SHA-512","secretRef":"redpanda-users","users":[]}} +``` + +### [auth.sasl.bootstrapUser](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.bootstrapUser) + +Details about how to create the bootstrap user for the cluster. The secretKeyRef is optionally specified. If it is specified, the chart will use a password written to that secret when creating the "kubernetes-controller" bootstrap user. If it is unspecified, then the secret will be generated and stored in the secret "releasename"-bootstrap-user, with the key "password". + +**Default:** + +``` +{"mechanism":"SCRAM-SHA-256"} +``` + +### [auth.sasl.bootstrapUser.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.bootstrapUser.mechanism) + +The authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +**Default:** `"SCRAM-SHA-256"` + +### [auth.sasl.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.enabled) + +Enable SASL authentication. If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`. + +**Default:** `false` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +**Default:** `"SCRAM-SHA-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your superuser credentials. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets). 
+ +**Default:** `"redpanda-users"` + +### [auth.sasl.users](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.users) + +Optional list of superusers. These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`. If this list is empty, the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart. Uncomment the sample list if you wish to try adding sample sasl users or override to use your own. + +**Default:** `[]` + +### [clusterDomain](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=clusterDomain) + +Default Kubernetes cluster domain. + +**Default:** `"cluster.local"` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config) + +This section contains various settings supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these settings comes with some risk. Use these settings to customize various Redpanda configurations that are not covered in other sections. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. For descriptions of these properties, see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/). 
+ +**Default:** + +``` +{"cluster":{},"node":{"crash_loop_limit":5},"pandaproxy_client":{},"rpk":{},"schema_registry_client":{},"tunable":{"compacted_log_segment_size":67108864,"kafka_connection_rate_limit":1000,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912}} +``` + +### [config.cluster](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.cluster) + +[Cluster Configuration Properties](https://docs.redpanda.com/current/reference/properties/cluster-properties/) + +**Default:** `{}` + +### [config.node](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node) + +[Broker (node) Configuration Properties](https://docs.redpanda.com/docs/reference/broker-properties/). + +**Default:** `{"crash_loop_limit":5}` + +### [config.node.crash_loop_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node.crash_loop_limit) + +Crash loop limit A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. This limit prevents a broker from getting stuck in an infinite cycle of crashes. User can disable this crash loop limit check by the following action: * One hour elapses since the last crash * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects * The startup_log file in the node’s data_directory is manually deleted Default to 5 REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit + +**Default:** `5` + +### [config.tunable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable) + +Tunable cluster properties. Deprecated: all settings here may be specified via `config.cluster`. 
+ +**Default:** + +``` +{"compacted_log_segment_size":67108864,"kafka_connection_rate_limit":1000,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912} +``` + +### [config.tunable.compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.compacted_log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#compacted_log_segment_size). + +**Default:** `67108864` + +### [config.tunable.kafka_connection_rate_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.kafka_connection_rate_limit) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit). + +**Default:** `1000` + +### [config.tunable.log_segment_size_max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_max) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_max). + +**Default:** `268435456` + +### [config.tunable.log_segment_size_min](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_min) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_min). + +**Default:** `16777216` + +### [config.tunable.max_compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.max_compacted_log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#max_compacted_log_segment_size). 
+ +**Default:** `536870912` + +### [connectors](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=connectors) + +Redpanda Managed Connectors settings For a reference of configuration settings, see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/). + +**Default:** + +``` +{"deployment":{"create":false},"enabled":false,"test":{"create":false}} +``` + +### [console](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=console) + +Redpanda Console settings. For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + +**Default:** + +``` +{"config":{},"configmap":{"create":false},"deployment":{"create":false},"enabled":true,"secret":{"create":false}} +``` + +### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise) + +Enterprise (optional) For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). + +**Default:** + +``` +{"license":"","licenseSecretRef":{}} +``` + +### [enterprise.license](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.license) + +license (optional). + +**Default:** `""` + +### [enterprise.licenseSecretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.licenseSecretRef) + +Secret name and key where the license key is stored. + +**Default:** `{}` + +### [external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external) + +External access settings. For details, see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/). 
+ +**Default:** + +``` +{"enabled":true,"service":{"enabled":true},"type":"NodePort"} +``` + +### [external.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.enabled) + +Enable external access for each Service. You can toggle external access for each listener in `listeners..external..enabled`. + +**Default:** `true` + +### [external.service](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service) + +Service allows you to manage the creation of an external kubernetes service object + +**Default:** `{"enabled":true}` + +### [external.service.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service.enabled) + +Enabled if set to false will not create the external service type You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander). Set this to false if you rather manage your own service. + +**Default:** `true` + +### [external.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.type) + +External access type. Only `NodePort` and `LoadBalancer` are supported. If undefined, then advertised listeners will be configured in Redpanda, but the helm chart will not create a Service. You must create a Service manually. Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. NodePort is recommended in cases where latency is a priority. + +**Default:** `"NodePort"` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=fullnameOverride) + +Override `redpanda.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image) + +Redpanda Docker image settings. 
+ +**Default:** + +``` +{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/redpanda","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.pullPolicy) + +The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** + +``` +"docker.redpanda.com/redpandadata/redpanda" +``` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.tag) + +The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + +**Default:** `Chart.appVersion`. + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). + +**Default:** `[]` + +### [license_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_key) + +DEPRECATED Enterprise license key (optional). For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). + +**Default:** `""` + +### [license_secret_ref](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_secret_ref) + +DEPRECATED Secret name and secret key where the license key is stored. + +**Default:** `{}` + +### [listeners](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners) + +Listener settings. 
Override global settings configured above for individual listeners. For details, see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/). + +**Default:** + +``` +{"admin":{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}},"http":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}},"kafka":{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}},"rpc":{"port":33145,"tls":{"cert":"default","requireClientAuth":false}},"schemaRegistry":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}} +``` + +### [listeners.admin](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin) + +Admin API listener (only one). + +**Default:** + +``` +{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.admin.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external) + +Optional external access settings. 
+ +**Default:** + +``` +{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}} +``` + +### [listeners.admin.external.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default) + +Name of the external listener. + +**Default:** + +``` +{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}} +``` + +### [listeners.admin.external.default.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default.tls) + +The port advertised to this listener's external clients. List one port if you want to use the same port for each broker (would be the case when using NodePort service). Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. If undefined, `listeners.admin.port` is used. + +**Default:** `{"cert":"external"}` + +### [listeners.admin.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.port) + +The port for both internal and external connections to the Admin API. + +**Default:** `9644` + +### [listeners.admin.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls) + +Optional TLS section (required if global TLS is enabled) + +**Default:** + +``` +{"cert":"default","requireClientAuth":false} +``` + +### [listeners.admin.tls.cert](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.cert) + +Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs). + +**Default:** `"default"` + +### [listeners.admin.tls.requireClientAuth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.requireClientAuth) + +If true, the truststore file for this listener is included in the ConfigMap. 
+ +**Default:** `false` + +### [listeners.http](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.http) + +HTTP API listeners (aka PandaProxy). + +**Default:** + +``` +{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.kafka](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka) + +Kafka API listeners. + +**Default:** + +``` +{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.kafka.external.default.advertisedPorts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.advertisedPorts) + +If undefined, `listeners.kafka.external.default.port` is used. + +**Default:** `[31092]` + +### [listeners.kafka.external.default.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.port) + +The port used for external client connections. + +**Default:** `9094` + +### [listeners.kafka.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.port) + +The port for internal client connections. + +**Default:** `9093` + +### [listeners.rpc](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.rpc) + +RPC listener (this is never externally accessible). 
+ +**Default:** + +``` +{"port":33145,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.schemaRegistry](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.schemaRegistry) + +Schema registry listeners. + +**Default:** + +``` +{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [logging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging) + +Log-level settings. + +**Default:** + +``` +{"logLevel":"info","usageStats":{"enabled":true}} +``` + +### [logging.logLevel](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.logLevel) + +Log level Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`. + +**Default:** `"info"` + +### [logging.usageStats](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.usageStats) + +Send usage statistics back to Redpanda Data. For details, see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting). + +**Default:** `{"enabled":true}` + +### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=monitoring) + +Monitoring. This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. + +**Default:** + +``` +{"enabled":false,"labels":{},"scrapeInterval":"30s"} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nameOverride) + +Override `redpanda.name` template. 
+ +**Default:** `""` + +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nodeSelector) + +Node selection constraints for scheduling Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [post_install_job.affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.affinity) + +**Default:** `{}` + +### [post_install_job.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.enabled) + +**Default:** `true` + +### [post_install_job.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.annotations) + +Annotations to apply (or overwrite the default) to the Pods of this Job. + +**Default:** `{}` + +### [post_install_job.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.labels) + +Labels to apply (or overwrite the default) to the Pods of this Job. + +**Default:** `{}` + +### [post_install_job.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[{"env":[],"name":"post-install","securityContext":{}}],"securityContext":{}} +``` + +### [rackAwareness](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness) + +Rack Awareness settings. For details, see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/). 
+ +**Default:** + +``` +{"enabled":false,"nodeAnnotation":"topology.kubernetes.io/zone"} +``` + +### [rackAwareness.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.enabled) + +When running in multiple racks or availability zones, use a Kubernetes Node annotation value as the Redpanda rack value. Enabling this requires running with a service account with "get" Node permissions. To have the Helm chart configure these permissions, set `serviceAccount.create=true` and `rbac.enabled=true`. + +**Default:** `false` + +### [rackAwareness.nodeAnnotation](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.nodeAnnotation) + +The common well-known annotation to use as the rack ID. Override this only if you use a custom Node annotation. + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [rbac](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac) + +Role Based Access Control. + +**Default:** + +``` +{"annotations":{},"enabled":false} +``` + +### [rbac.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.annotations) + +Annotations to add to the `rbac` resources. + +**Default:** `{}` + +### [rbac.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.enabled) + +Enable for features that need extra privileges. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles. + +**Default:** `false` + +### [resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources) + +Pod resource management. +This section simplifies resource allocation for the redpanda container by +providing a single location where resources are defined. 
+ +Resources may be specified by either setting `resources.cpu` and +`resources.memory` (the default) or by setting `resources.requests` and +`resources.limits`. + +For details on `resources.cpu` and `resources.memory`, see their respective +documentation below. + +When `resources.limits` and `resources.requests` are set, the redpanda +container's resources will be set to exactly the provided values. This allows +users to granularly control limits and requests to best suit their use case. +For example: `resources.requests.cpu` may be set without setting +`resources.limits.cpu` to avoid the potential of CPU throttling. + +Redpanda's resource related CLI flags will then be calculated as follows: +* `--smp max(1, floor(coalesce(resources.requests.cpu, resources.limits.cpu)))` +* `--memory coalesce(resources.requests.memory, resources.limits.memory) * 90%` +* `--reserve-memory 0` +* `--overprovisioned coalesce(resources.requests.cpu, resources.limits.cpu) < 1000m` + +If neither a request nor a limit is provided for cpu or memory, the +corresponding flag will be omitted. As a result, setting `resources.limits` +and `resources.requests` to `{}` will result in redpanda being run without +`--smp` or `--memory`. (This is not recommended). + +If the computed CLI flags are undesirable, they may be overridden by +specifying the desired value through `statefulset.additionalRedpandaCmdFlags`. + +The default values are for a development environment. +Production-level values and other considerations are documented, +where those values are different from the default. +For details, +see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/). + +**Default:** + +``` +{"cpu":{"cores":1},"memory":{"container":{"max":"2.5Gi"}}} +``` + +### [resources.cpu](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu) + +CPU resources. 
For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources). + +**Default:** `{"cores":1}` + +### [resources.cpu.cores](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu.cores) + +Redpanda makes use of a thread per core model. For details, see this [blog](https://redpanda.com/blog/tpc-buffers). For this reason, Redpanda should only be given full cores. Note: You can increase cores, but decreasing cores is supported only from 24.3 Redpanda version. This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`. For production, use `4` or greater. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. See https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy. + +**Default:** `1` + +### [resources.memory](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory) + +Memory resources For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources). + +**Default:** + +``` +{"container":{"max":"2.5Gi"}} +``` + +### [resources.memory.container](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container) + +Enables memory locking. For production, set to `true`. enable_memory_locking: false It is recommended to have at least 2Gi of memory per core for the Redpanda binary. This memory is taken from the total memory given to each container. The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for other container processes. So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi. 
These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory requests/limits in the StatefulSet. Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. + +**Default:** `{"max":"2.5Gi"}` + +### [resources.memory.container.max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container.max) + +Maximum memory count for each Redpanda broker. Equivalent to `resources.limits.memory`. For production, use `10Gi` or greater. + +**Default:** `"2.5Gi"` + +### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount) + +Service account management. + +**Default:** + +``` +{"annotations":{},"automountServiceAccountToken":false,"create":false,"name":""} +``` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.annotations) + +Annotations to add to the service account. + +**Default:** `{}` + +### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.automountServiceAccountToken) + +Specifies whether a service account should automount API-Credentials. The token is used in sidecars.controllers + +**Default:** `false` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.create) + +Specifies whether a service account should be created. 
+ +**Default:** `false` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.name) + +The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `redpanda.fullname` template. + +**Default:** `""` + +### [statefulset.additionalRedpandaCmdFlags](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalRedpandaCmdFlags) + +Additional flags to pass to redpanda, + +**Default:** `[]` + +### [statefulset.additionalSelectorLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalSelectorLabels) + +Additional labels to be added to statefulset label selector. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [statefulset.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.annotations) + +DEPRECATED Please use statefulset.podTemplate.annotations. Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have any dedicated annotation. 
+ +**Default:** `{}` + +### [statefulset.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.budget.maxUnavailable) + +**Default:** `1` + +### [statefulset.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumes) + +**Default:** `""` + +### [statefulset.initContainerImage.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.repository) + +**Default:** `"busybox"` + +### [statefulset.initContainerImage.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.tag) + +**Default:** `"latest"` + +### [statefulset.initContainers.configurator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.configurator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. 
+ +**Default:** `{}` + +### [statefulset.initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.extraInitContainers) + +**Default:** `""` + +### [statefulset.initContainers.fsValidator.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.enabled) + +**Default:** `false` + +### [statefulset.initContainers.fsValidator.expectedFS](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.expectedFS) + +**Default:** `"xfs"` + +### [statefulset.initContainers.fsValidator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.fsValidator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.setDataDirOwnership.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.enabled) + +In environments where root is not allowed, you cannot change the ownership of files and directories. Enable `setDataDirOwnership` when using default minikube cluster configuration. 
+ +**Default:** `false` + +### [statefulset.initContainers.setDataDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.setDataDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.setTieredStorageCacheDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. 
+ +**Default:** `{}` + +### [statefulset.initContainers.tuning.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.tuning.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.livenessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.livenessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.initialDelaySeconds) + +**Default:** `10` + +### [statefulset.livenessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.nodeSelector) + +Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). 
+ +**Default:** `{}` + +### [statefulset.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAffinity) + +Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + +**Default:** `{}` + +### [statefulset.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity) + +Anti-affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults. + +**Default:** + +``` +{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100} +``` + +### [statefulset.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.custom) + +Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + +**Default:** `{}` + +### [statefulset.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.topologyKey) + +The topologyKey to be used. Can be used to spread across different nodes, AZs, regions etc. + +**Default:** `"kubernetes.io/hostname"` + +### [statefulset.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.type) + +Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. 
+ +**Default:** `"hard"` + +### [statefulset.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply to other anti-affinity types. + +**Default:** `100` + +### [statefulset.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.annotations) + +Additional annotations to apply to the Pods of the StatefulSet. + +**Default:** `{}` + +### [statefulset.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.labels) + +Additional labels to apply to the Pods of the StatefulSet. + +**Default:** `{}` + +### [statefulset.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[],"securityContext":{}} +``` + +### [statefulset.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.priorityClassName) + +PriorityClassName given to Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). 
+ +**Default:** `""` + +### [statefulset.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.initialDelaySeconds) + +**Default:** `1` + +### [statefulset.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.successThreshold) + +**Default:** `1` + +### [statefulset.replicas](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.replicas) + +Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster) + +**Default:** `3` + +### [statefulset.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.securityContext) + +DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext. 
+ +**Default:** + +``` +{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":101} +``` + +### [statefulset.sideCars.configWatcher.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.enabled) + +**Default:** `true` + +### [statefulset.sideCars.configWatcher.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.sideCars.configWatcher.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. 
For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + +**Default:** `{}` + +### [statefulset.sideCars.configWatcher.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.securityContext) + +**Default:** `{}` + +### [statefulset.sideCars.controllers.createRBAC](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.createRBAC) + +**Default:** `true` + +### [statefulset.sideCars.controllers.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.enabled) + +**Default:** `false` + +### [statefulset.sideCars.controllers.healthProbeAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.healthProbeAddress) + +**Default:** `":8085"` + +### [statefulset.sideCars.controllers.image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.repository) + +**Default:** + +``` +"docker.redpanda.com/redpandadata/redpanda-operator" +``` + +### [statefulset.sideCars.controllers.image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.tag) + +**Default:** `"v2.3.6-24.3.3"` + +### [statefulset.sideCars.controllers.metricsAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.metricsAddress) + +**Default:** `":9082"` + +### [statefulset.sideCars.controllers.pprofAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.pprofAddress) + +**Default:** `":9083"` + +### 
[statefulset.sideCars.controllers.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + +**Default:** `{}` + +### [statefulset.sideCars.controllers.run[0]](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.run[0]) + +**Default:** `"all"` + +### [statefulset.sideCars.controllers.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.securityContext) + +**Default:** `{}` + +### [statefulset.startupProbe](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.startupProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). 
+ +**Default:** + +``` +{"failureThreshold":120,"initialDelaySeconds":1,"periodSeconds":10} +``` + +### [statefulset.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.terminationGracePeriodSeconds) + +Termination grace period in seconds is time required to execute preStop hook which puts particular Redpanda Pod (process/container) into maintenance mode. Before settle down on particular value please put Redpanda under load and perform rolling upgrade or rolling restart. That value needs to accommodate two processes: * preStop hook needs to put Redpanda into maintenance mode * after preStop hook Redpanda needs to handle gracefully SIGTERM signal Both processes are executed sequentially where preStop hook has hard deadline in the middle of terminationGracePeriodSeconds. REF: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination + +**Default:** `90` + +### [statefulset.tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.tolerations) + +Taints to be tolerated by Pods of this StatefulSet. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). 
+ +**Default:** `[]` + +### [statefulset.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [statefulset.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [statefulset.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [statefulset.updateStrategy.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.updateStrategy.type) + +**Default:** `"RollingUpdate"` + +### [storage](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage) + +Persistence settings. For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/). + +**Default:** + +``` +{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""},"tiered":{"config":{"cloud_storage_cache_size":5368709120,"cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false},"credentialsSecretRef":{"accessKey":{"configurationKey":"cloud_storage_access_key"},"secretKey":{"configurationKey":"cloud_storage_secret_key"}},"hostPath":"","mountType":"none","persistentVolume":{"annotations":{},"labels":{},"storageClass":""}}} +``` + +### [storage.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.hostPath) + +Absolute path on the host to store Redpanda's data. If unspecified, then an `emptyDir` volume is used. 
If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect. + +**Default:** `""` + +### [storage.persistentVolume](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume) + +If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and used to store Redpanda's data. Otherwise, `storage.hostPath` is used. + +**Default:** + +``` +{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""} +``` + +### [storage.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.nameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.nameOverwrite) + +Option to change volume claim template name for tiered storage persistent volume if tiered.mountType is set to `persistentVolume` + +**Default:** `""` + +### [storage.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.storageClass) + +To disable dynamic provisioning, set to `-`. If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). 
+ +**Default:** `""` + +### [storage.tiered.config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config) + +Tiered Storage settings Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/). For a list of properties, see [Object Storage Properties](https://docs.redpanda.com/current/reference/properties/object-storage-properties/). + +**Default:** + +``` +{"cloud_storage_cache_size":5368709120,"cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false} +``` + +### [storage.tiered.config.cloud_storage_cache_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_cache_size) + +Maximum size of the disk cache used by Tiered Storage. Default is 20 GiB. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_cache_size). + +**Default:** `5368709120` + +### [storage.tiered.config.cloud_storage_enable_remote_read](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_read) + +Cluster level default remote read configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_read). + +**Default:** `true` + +### [storage.tiered.config.cloud_storage_enable_remote_write](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_write) + +Cluster level default remote write configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_write). 
+ +**Default:** `true` + +### [storage.tiered.config.cloud_storage_enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enabled) + +Global flag that enables Tiered Storage if a license key is provided. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enabled). + +**Default:** `false` + +### [storage.tiered.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.hostPath) + +Absolute path on the host to store Redpanda's Tiered Storage cache. + +**Default:** `""` + +### [storage.tiered.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tiered.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tiered.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.storageClass) + +To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). + +**Default:** `""` + +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls) + +TLS settings. For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/). 
+ +**Default:** + +``` +{"certs":{"default":{"caEnabled":true},"external":{"caEnabled":true}},"enabled":true} +``` + +### [tls.certs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs) + +List all Certificates here, then you can reference a specific Certificate's name in each listener's `listeners..tls.cert` setting. + +**Default:** + +``` +{"default":{"caEnabled":true},"external":{"caEnabled":true}} +``` + +### [tls.certs.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default) + +This key is the Certificate name. To apply the Certificate to a specific listener, reference the Certificate's name in `listeners..tls.cert`. + +**Default:** `{"caEnabled":true}` + +### [tls.certs.default.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default.caEnabled) + +Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates. + +**Default:** `true` + +### [tls.certs.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external) + +Example external tls configuration uncomment and set the right key to the listeners that require them also enable the tls setting for those listeners. 
+ +**Default:** `{"caEnabled":true}` + +### [tls.certs.external.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external.caEnabled) + +Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates. + +**Default:** `true` + +### [tls.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.enabled) + +Enable TLS globally for all listeners. Each listener must include a Certificate name in its `.tls` object. To allow you to enable TLS for individual listeners, Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`. See `listeners..tls.enabled`. + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tolerations) + +Taints to be tolerated by Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [tuning](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning) + +Redpanda tuning settings. Each is set to their default values in Redpanda. + +**Default:** `{"tune_aio_events":true}` + +### [tuning.tune_aio_events](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning.tune_aio_events) + +Increase the maximum number of outstanding asynchronous IO operations if the current value is below a certain threshold. 
This allows Redpanda to make as many simultaneous IO requests as possible, increasing throughput. When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`. For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/).
+
+**Default:** `true`
+
+## Merging Semantics
+
+The redpanda chart implements a form of object merging that's roughly a
+middleground of [JSON Merge Patch][k8s.jsonmp] and [Kubernetes' Strategic Merge
+Patch][k8s.smp]. This is done to aid end users in setting or overriding fields
+that are not directly exposed via the chart.
+
+- Directives are not supported.
+- List fields that are merged by a unique key in Kubernetes' SMP (e.g.
+ `containers`, `env`) will be merged in a similar awy.
+- Only fields explicitly allowed by the chart's JSON schema will be merged.
+- Additional containers that are not present in the original value will NOT be added.
+
+[k8s.smp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-strategic-merge-patch-to-update-a-deployment
+[k8s.jsonmp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-json-merge-patch-to-update-a-deployment
diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/.helmignore b/charts/redpanda/redpanda/5.9.19/charts/connectors/.helmignore
new file mode 100644
index 0000000000..2e271ea0fc
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/.helmignore
@@ -0,0 +1,29 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+README.md.gotmpl
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+*.go
+testdata/
+ci/
+examples/
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/Chart.yaml b/charts/redpanda/redpanda/5.9.19/charts/connectors/Chart.yaml
new file mode 100644
index 0000000000..cdb5798151
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/Chart.yaml
@@ -0,0 +1,25 @@
+annotations:
+ artifacthub.io/images: |
+ - name: connectors
+ image: docker.redpanda.com/redpandadata/connectors:v1.0.31
+ - name: rpk
+ image: docker.redpanda.com/redpandadata/redpanda:latest
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/links: |
+ - name: Documentation
+ url: https://docs.redpanda.com
+ - name: "Helm (>= 3.6.0)"
+ url: https://helm.sh/docs/intro/install/
+apiVersion: v2
+appVersion: v1.0.31
+description: Redpanda managed Connectors helm chart
+icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg
+kubeVersion: ^1.21.0-0
+maintainers:
+- name: redpanda-data
+ url: https://github.com/orgs/redpanda-data/people
+name: connectors
+sources:
+- https://github.com/redpanda-data/helm-charts
+type: application
+version: 0.1.14
diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/LICENSE b/charts/redpanda/redpanda/5.9.19/charts/connectors/LICENSE
new file mode 100644
index 0000000000..261eeb9e9f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/LICENSE
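Review bot: The `rpk` entry in the `artifacthub.io/images` annotation of the connectors `Chart.yaml` points at `docker.redpanda.com/redpandadata/redpanda:latest`, a mutable tag, while the `connectors` entry beside it is pinned to `v1.0.31`. Anything that consumes this annotation, such as image scanning or mirroring for air-gapped installs, cannot tell which Redpanda build it covers, and the answer changes whenever the tag moves. I would list a fixed version there, ideally with a digest, e.g. `image: docker.redpanda.com/redpandadata/redpanda:<REDPANDA_VERSION>`. Whether the chart's templates also default to `latest` is not visible in this hunk and is worth checking in the subchart's `values.yaml`.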
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/README.md b/charts/redpanda/redpanda/5.9.19/charts/connectors/README.md new file mode 100644 index 0000000000..a8357bf0e8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/README.md 
@@ -0,0 +1,580 @@ +# Redpanda Connectors Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Connectors Helm chart. +--- + +![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.31](https://img.shields.io/badge/AppVersion-v1.0.31-informational?style=flat-square) + +This page describes the official Redpanda Connectors Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/connectors/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/current/deploy/deployment-option/self-hosted/kubernetes/k-deploy-connectors/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `^1.21.0-0` + +## Settings + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster. + +**Default:** + +``` +{"sasl":{"enabled":false,"mechanism":"scram-sha-512","secretRef":"","userName":""}} +``` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. 
Options are `scram-sha-256` and `scram-sha-512`. + +**Default:** `"scram-sha-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your SASL user password. + +**Default:** `""` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [connectors.additionalConfiguration](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.additionalConfiguration) + +A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script. + +**Default:** `""` + +### [connectors.bootstrapServers](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.bootstrapServers) + +A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster. + +**Default:** `""` + +### [connectors.brokerTLS.ca.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretNameOverwrite) + +If `secretRef` points to a Secret where the certificate authority (CA) is not under the `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`. + +**Default:** `""` + +### [connectors.brokerTLS.ca.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretRef) + +The name of the Secret where the ca.crt file content is located. 
+ +**Default:** `""` + +### [connectors.brokerTLS.cert.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretNameOverwrite) + +If secretRef points to secret where client signed certificate is not under tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt + +**Default:** `""` + +### [connectors.brokerTLS.cert.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretRef) + +The name of the secret where client signed certificate is located + +**Default:** `""` + +### [connectors.brokerTLS.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.enabled) + +**Default:** `false` + +### [connectors.brokerTLS.key.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretNameOverwrite) + +If secretRef points to secret where client private key is not under tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key + +**Default:** `""` + +### [connectors.brokerTLS.key.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretRef) + +The name of the secret where client private key is located + +**Default:** `""` + +### [connectors.groupID](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.groupID) + +A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other. 
+ +**Default:** `"connectors-cluster"` + +### [connectors.producerBatchSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerBatchSize) + +The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput. + +**Default:** `131072` + +### [connectors.producerLingerMS](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerLingerMS) + +The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput. + +**Default:** `1` + +### [connectors.restPort](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.restPort) + +The port on which the Kafka Connect REST API listens. The API is used for administrative tasks. + +**Default:** `8083` + +### [connectors.schemaRegistryURL](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.schemaRegistryURL) + +**Default:** `""` + +### [connectors.secretManager.connectorsPrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.connectorsPrefix) + +**Default:** `""` + +### [connectors.secretManager.consolePrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.consolePrefix) + +**Default:** `""` + +### [connectors.secretManager.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.enabled) + +**Default:** `false` + +### [connectors.secretManager.region](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.region) + +**Default:** `""` + +### [connectors.storage.remote](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.remote) + 
+Indicates if read and write operations for the respective topics are allowed remotely. + +**Default:** + +``` +{"read":{"config":false,"offset":false,"status":false},"write":{"config":false,"offset":false,"status":false}} +``` + +### [connectors.storage.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor) + +The number of replicas for each of the internal topics that Kafka Connect uses. + +**Default:** + +``` +{"config":-1,"offset":-1,"status":-1} +``` + +### [connectors.storage.replicationFactor.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.config) + +Replication factor for the configuration topic. + +**Default:** `-1` + +### [connectors.storage.replicationFactor.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.offset) + +Replication factor for the offset topic. + +**Default:** `-1` + +### [connectors.storage.replicationFactor.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.status) + +Replication factor for the status topic. + +**Default:** `-1` + +### [connectors.storage.topic.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.config) + +The name of the internal topic that Kafka Connect uses to store connector and task configurations. + +**Default:** + +``` +"_internal_connectors_configs" +``` + +### [connectors.storage.topic.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.offset) + +The name of the internal topic that Kafka Connect uses to store source connector offsets. 
+ +**Default:** + +``` +"_internal_connectors_offsets" +``` + +### [connectors.storage.topic.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.status) + +The name of the internal topic that Kafka Connect uses to store connector and task status updates. + +**Default:** + +``` +"_internal_connectors_status" +``` + +### [container.javaGCLogEnabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.javaGCLogEnabled) + +**Default:** `"false"` + +### [container.resources](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources) + +Pod resource management. + +**Default:** + +``` +{"javaMaxHeapSize":"2G","limits":{"cpu":"1","memory":"2350Mi"},"request":{"cpu":"1","memory":"2350Mi"}} +``` + +### [container.resources.javaMaxHeapSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources.javaMaxHeapSize) + +Java maximum heap size must not be greater than `container.resources.limits.memory`. + +**Default:** `"2G"` + +### [container.securityContext](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.securityContext) + +Security context for the Redpanda Connectors container. See also `deployment.securityContext` for Pod-level settings. + +**Default:** + +``` +{"allowPrivilegeEscalation":false} +``` + +### [deployment.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.annotations) + +Additional annotations to apply to the Pods of this Deployment. 
+ +**Default:** `{}` + +### [deployment.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.budget.maxUnavailable) + +**Default:** `1` + +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.create) + +**Default:** `true` + +### [deployment.extraEnv](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnv) + +Additional environment variables for the Pods. + +**Default:** `[]` + +### [deployment.extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnvFrom) + +Configure extra environment variables from Secrets and ConfigMaps. + +**Default:** `[]` + +### [deployment.livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.livenessProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + +**Default:** + +``` +{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} +``` + +### [deployment.nodeAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeAffinity) + +Node Affinity rules for scheduling Pods of this Deployment. The suggestion would be to spread Pods according to topology zone. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + +**Default:** `{}` + +### [deployment.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeSelector) + +Node selection constraints for scheduling Pods of this Deployment. These constraints override the global `nodeSelector` value. 
For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [deployment.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAffinity) + +Inter-Pod Affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + +**Default:** `{}` + +### [deployment.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity) + +Anti-affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults. + +**Default:** + +``` +{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100} +``` + +### [deployment.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.custom) + +Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + +**Default:** `{}` + +### [deployment.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.topologyKey) + +The `topologyKey` to be used. Can be used to spread across different nodes, AZs, regions etc. + +**Default:** `"kubernetes.io/hostname"` + +### [deployment.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.type) + +Valid anti-affinity types are `soft`, `hard`, or `custom`. 
Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + +**Default:** `"hard"` + +### [deployment.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply for other anti-affinity types. + +**Default:** `100` + +### [deployment.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.priorityClassName) + +PriorityClassName given to Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [deployment.progressDeadlineSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.progressDeadlineSeconds) + +The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. 
+ +**Default:** `600` + +### [deployment.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.failureThreshold) + +**Default:** `2` + +### [deployment.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.initialDelaySeconds) + +**Default:** `60` + +### [deployment.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.periodSeconds) + +**Default:** `10` + +### [deployment.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.successThreshold) + +**Default:** `3` + +### [deployment.readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.timeoutSeconds) + +**Default:** `5` + +### [deployment.restartPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.restartPolicy) + +**Default:** `"Always"` + +### [deployment.revisionHistoryLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.revisionHistoryLimit) + +The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. 
+ +**Default:** `10` + +### [deployment.schedulerName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.schedulerName) + +**Default:** `""` + +### [deployment.securityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroup) + +**Default:** `101` + +### [deployment.securityContext.fsGroupChangePolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroupChangePolicy) + +**Default:** `"OnRootMismatch"` + +### [deployment.securityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.runAsUser) + +**Default:** `101` + +### [deployment.strategy.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.strategy.type) + +**Default:** `"RollingUpdate"` + +### [deployment.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.terminationGracePeriodSeconds) + +**Default:** `30` + +### [deployment.tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.tolerations) + +Taints to be tolerated by Pods of this Deployment. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). 
+ +**Default:** `[]` + +### [deployment.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [deployment.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [deployment.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=fullnameOverride) + +Override `connectors.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image) + +Redpanda Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/connectors","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.pullPolicy) + +The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** + +``` +"docker.redpanda.com/redpandadata/connectors" +``` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.tag) + +The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). 
+ +**Default:** `Chart.appVersion`. + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [logging](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging) + +Log-level settings. + +**Default:** `{"level":"warn"}` + +### [logging.level](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging.level) + +Log level Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`. + +**Default:** `"warn"` + +### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=monitoring) + +Monitoring. When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. + +**Default:** + +``` +{"annotations":{},"enabled":false,"labels":{},"namespaceSelector":{"any":true},"scrapeInterval":"30s"} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=nameOverride) + +Override `connectors.name` template. + +**Default:** `""` + +### [service](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service) + +Service management. + +**Default:** + +``` +{"annotations":{},"name":"","ports":[{"name":"prometheus","port":9404}]} +``` + +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.annotations) + +Annotations to add to the Service. + +**Default:** `{}` + +### [service.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.name) + +The name of the service to use. If not set, a name is generated using the `connectors.fullname` template. 
+ +**Default:** `""` + +### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount) + +ServiceAccount management. + +**Default:** + +``` +{"annotations":{},"automountServiceAccountToken":false,"create":false,"name":""} +``` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.annotations) + +Annotations to add to the ServiceAccount. + +**Default:** `{}` + +### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.automountServiceAccountToken) + +Specifies whether a service account should automount API-Credentials + +**Default:** `false` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.create) + +Specifies whether a ServiceAccount should be created. + +**Default:** `false` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.name) + +The name of the ServiceAccount to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `connectors.fullname` template. 
+ +**Default:** `""` + +### [storage.volumeMounts[0].mountPath](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].mountPath) + +**Default:** `"/tmp"` + +### [storage.volumeMounts[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].name) + +**Default:** `"rp-connect-tmp"` + +### [storage.volume[0].emptyDir.medium](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.medium) + +**Default:** `"Memory"` + +### [storage.volume[0].emptyDir.sizeLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.sizeLimit) + +**Default:** `"5Mi"` + +### [storage.volume[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].name) + +**Default:** `"rp-connect-tmp"` + +### [test.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=test.create) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=tolerations) + +Taints to be tolerated by Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_chart.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_chart.go.tpl new file mode 100644 index 0000000000..04402ab8d5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_chart.go.tpl 
@@ -0,0 +1,13 @@ +{{- /* Generated from "chart.go" */ -}} + +{{- define "connectors.render" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $manifests := (list (get (fromJson (include "connectors.Deployment" (dict "a" (list $dot) ))) "r") (get (fromJson (include "connectors.PodMonitor" (dict "a" (list $dot) ))) "r") (get (fromJson (include "connectors.Service" (dict "a" (list $dot) ))) "r") (get (fromJson (include "connectors.ServiceAccount" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_deployment.go.tpl new file mode 100644 index 0000000000..9db8224ef2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_deployment.go.tpl 
@@ -0,0 +1,136 @@ +{{- /* Generated from "deployment.go" */ -}} + +{{- define "connectors.Deployment" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.deployment.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $topologySpreadConstraints := (coalesce nil) -}} +{{- range $_, $spread := $values.deployment.topologySpreadConstraints -}} +{{- $topologySpreadConstraints = (concat (default (list ) $topologySpreadConstraints) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "maxSkew" ($spread.maxSkew | int) "topologyKey" $spread.topologyKey "whenUnsatisfiable" $spread.whenUnsatisfiable )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $ports := (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "containerPort" ($values.connectors.restPort | int) "name" "rest-api" "protocol" "TCP" ))) -}} +{{- range $_, $port := $values.service.ports -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" $port.name "containerPort" ($port.port | int) "protocol" "TCP" )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $podAntiAffinity := (coalesce nil) -}} +{{- if (ne (toJson $values.deployment.podAntiAffinity) "null") -}} +{{- if (eq $values.deployment.podAntiAffinity.type "hard") -}} +{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict 
"matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) ))) )) -}} +{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "soft") -}} +{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" $values.deployment.podAntiAffinity.weight "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) )) -}} +{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "custom") -}} +{{- $podAntiAffinity = $values.deployment.podAntiAffinity.custom -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.deployment.annotations) )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $values.deployment.replicas "progressDeadlineSeconds" ($values.deployment.progressDeadlineSeconds | int) 
"revisionHistoryLimit" $values.deployment.revisionHistoryLimit "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.deployment.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.deployment.annotations "labels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "automountServiceAccountToken" false "terminationGracePeriodSeconds" $values.deployment.terminationGracePeriodSeconds "affinity" (mustMergeOverwrite (dict ) (dict "nodeAffinity" $values.deployment.nodeAffinity "podAffinity" $values.deployment.podAffinity "podAntiAffinity" $podAntiAffinity )) "serviceAccountName" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "connectors-cluster" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r")) "imagePullPolicy" $values.image.pullPolicy "securityContext" $values.container.securityContext "command" $values.deployment.command "env" (get (fromJson (include "connectors.env" (dict "a" (list $values) ))) "r") "envFrom" $values.deployment.extraEnvFrom "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.livenessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.livenessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.livenessProbe.periodSeconds | int) "successThreshold" 
($values.deployment.livenessProbe.successThreshold | int) "failureThreshold" ($values.deployment.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/connectors" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.readinessProbe.periodSeconds | int) "successThreshold" ($values.deployment.readinessProbe.successThreshold | int) "failureThreshold" ($values.deployment.readinessProbe.failureThreshold | int) )) "ports" $ports "resources" (mustMergeOverwrite (dict ) (dict "requests" $values.container.resources.request "limits" $values.container.resources.limits )) "terminationMessagePath" "/dev/termination-log" "terminationMessagePolicy" "File" "volumeMounts" (get (fromJson (include "connectors.volumeMountss" (dict "a" (list $values) ))) "r") ))) "dnsPolicy" "ClusterFirst" "restartPolicy" $values.deployment.restartPolicy "schedulerName" $values.deployment.schedulerName "nodeSelector" $values.deployment.nodeSelector "imagePullSecrets" $values.imagePullSecrets "securityContext" $values.deployment.securityContext "tolerations" $values.deployment.tolerations "topologySpreadConstraints" $topologySpreadConstraints "volumes" (get (fromJson (include "connectors.volumes" (dict "a" (list $values) ))) "r") )) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.env" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $env := (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_CONFIGURATION" "value" (get (fromJson (include "connectors.connectorConfiguration" (dict "a" (list $values) ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (dict "name" 
"CONNECT_ADDITIONAL_CONFIGURATION" "value" $values.connectors.additionalConfiguration )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_BOOTSTRAP_SERVERS" "value" $values.connectors.bootstrapServers ))) -}} +{{- if (not (empty $values.connectors.schemaRegistryURL)) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SCHEMA_REGISTRY_URL" "value" $values.connectors.schemaRegistryURL )))) -}} +{{- end -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_GC_LOG_ENABLED" "value" $values.container.javaGCLogEnabled )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_HEAP_OPTS" "value" (printf "-Xms256M -Xmx%s" $values.container.resources.javaMaxHeapSize) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_LOG_LEVEL" "value" $values.logging.level )))) -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_USERNAME" "value" $values.auth.sasl.userName )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_MECHANISM" "value" $values.auth.sasl.mechanism )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_PASSWORD_FILE" "value" "rc-credentials/password" )))) -}} +{{- end -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_ENABLED" "value" (printf "%v" $values.connectors.brokerTLS.enabled) )))) -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $ca := (default "ca.crt" $values.connectors.brokerTLS.ca.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TRUSTED_CERTS" "value" (printf "ca/%s" $ca) )))) -}} +{{- end -}} +{{- if (not (empty 
$values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $cert := (default "tls.crt" $values.connectors.brokerTLS.cert.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_CERT" "value" (printf "cert/%s" $cert) )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $key := (default "tls.key" $values.connectors.brokerTLS.key.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_KEY" "value" (printf "key/%s" $key) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $env) (default (list ) $values.deployment.extraEnv))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.connectorConfiguration" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $lines := (list (printf "rest.advertised.port=%d" ($values.connectors.restPort | int)) (printf "rest.port=%d" ($values.connectors.restPort | int)) "key.converter=org.apache.kafka.connect.converters.ByteArrayConverter" "value.converter=org.apache.kafka.connect.converters.ByteArrayConverter" (printf "group.id=%s" $values.connectors.groupID) (printf "offset.storage.topic=%s" $values.connectors.storage.topic.offset) (printf "config.storage.topic=%s" $values.connectors.storage.topic.config) (printf "status.storage.topic=%s" $values.connectors.storage.topic.status) (printf "offset.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.offset) (printf "offset.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.offset) (printf "config.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.config) (printf "config.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.config) (printf "status.storage.redpanda.remote.read=%t" 
$values.connectors.storage.remote.read.status) (printf "status.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.status) (printf "offset.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.offset | int)) (printf "config.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.config | int)) (printf "status.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.status | int)) (printf "producer.linger.ms=%d" ($values.connectors.producerLingerMS | int)) (printf "producer.batch.size=%d" ($values.connectors.producerBatchSize | int)) "config.providers=file,secretsManager,env" "config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider") -}} +{{- if $values.connectors.secretManager.enabled -}} +{{- $lines = (concat (default (list ) $lines) (list "config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider" (printf "config.providers.secretsManager.param.secret.prefix=%s%s" $values.connectors.secretManager.consolePrefix $values.connectors.secretManager.connectorsPrefix) (printf "config.providers.secretsManager.param.aws.region=%s" $values.connectors.secretManager.region))) -}} +{{- end -}} +{{- $lines = (concat (default (list ) $lines) (list "config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (join "\n" $lines)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.volumes" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $volumes := (coalesce nil) -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" 
$values.connectors.brokerTLS.ca.secretRef )) )) (dict "name" "truststore" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.cert.secretRef )) )) (dict "name" "cert" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.key.secretRef )) )) (dict "name" "key" )))) -}} +{{- end -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.auth.sasl.secretRef )) )) (dict "name" "rc-credentials" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.storage.volume))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.volumeMountss" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $mounts := (coalesce nil) -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "mountPath" "/opt/kafka/connect-password/rc-credentials" "name" "rc-credentials" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- 
$mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststore" "mountPath" "/opt/kafka/connect-certs/ca" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "cert" "mountPath" "/opt/kafka/connect-certs/cert" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "key" "mountPath" "/opt/kafka/connect-certs/key" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $mounts) (default (list ) $values.storage.volumeMounts))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_helpers.go.tpl new file mode 100644 index 0000000000..aa57f996e7 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_helpers.go.tpl 
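Review bot: In `connectors.volumes` every secret volume is created with `"defaultMode" (0o444 | int)`, and that includes the `key` volume holding the broker TLS private key and the `rc-credentials` volume holding the SASL password, so both files are readable by any user inside the container. A tighter mode for those two volumes, e.g. `"defaultMode" (0o440 | int)`, drops the other-read bit while keeping them readable through the pod's `fsGroup` (the chart README lists `deployment.securityContext.fsGroup` with default `101`). This should be confirmed for installs that override the pod security context, since without an `fsGroup` the files would no longer be readable by the non-root user. The file is marked as generated from `deployment.go`, so the change belongs in that source rather than in this template.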
@@ -0,0 +1,131 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "connectors.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.fullnameOverride)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- if (contains $name $dot.Release.Name) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.FullLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) (dict "helm.sh/chart" (get (fromJson (include "connectors.ChartLabels" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.PodLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- 
$values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") ) $values.commonLabels)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ChartLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Semver" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimPrefix "v" (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.serviceAccount.create -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ServiceName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" 
(dict "a" (list $dot) ))) "r") $values.service.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Tag" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := (default $dot.Chart.AppVersion $values.image.tag) -}} +{{- $matchString := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- if (not (mustRegexMatch $matchString $tag)) -}} +{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tag) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.trunc" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_helpers.tpl new file mode 100644 index 0000000000..89c888eeef --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_helpers.tpl 
@@ -0,0 +1,79 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "connectors.name" -}}
+{{- get ((include "connectors.Name" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "connectors.fullname" }}
+{{- get ((include "connectors.Fullname" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+full helm labels + common labels
+*/}}
+{{- define "full.labels" -}}
+{{- (get ((include "connectors.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }}
+{{- end -}}
+
+{{/*
+pod labels merged with common labels
+*/}}
+{{- define "connectors-pod-labels" -}}
+{{- (get ((include "connectors.PodLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "connectors.chart" -}}
+{{- get ((include "connectors.Chart" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Get the version of redpanda being used as an image
+*/}}
+{{- define "connectors.semver" -}}
+{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "connectors.serviceAccountName" -}}
+{{- get ((include "connectors.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Create the name of the service to use
+*/}}
+{{- define "connectors.serviceName" -}}
+{{- get ((include "connectors.ServiceName" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Use AppVersion if image.tag is not set
+*/}}
+{{- define "connectors.tag" -}}
+{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_pod-monitor.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_pod-monitor.go.tpl
new file mode 100644
index 0000000000..4e12b20084
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_pod-monitor.go.tpl
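Review bot: The `connectors.chart` wrapper includes a template named `connectors.Chart`, but the `_helpers.go.tpl` added in this same commit defines `connectors.ChartLabels` and no `connectors.Chart`. Unless that name is defined in a file outside this view, any template that includes `connectors.chart` will fail at render time. The body should probably read `{{- get ((include "connectors.ChartLabels" (dict "a" (list .))) | fromJson) "r" }}`. Separately, `connectors.semver` resolves to `connectors.Tag` rather than the `connectors.Semver` helper that trims the leading `v`, so it returns the same string as `connectors.tag`. If that is intentional, the comment above it should say so.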
@@ -0,0 +1,18 @@ +{{- /* Generated from "podmonitor.go" */ -}} + +{{- define "connectors.PodMonitor" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.monitoring.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "PodMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" $values.monitoring.labels "annotations" $values.monitoring.annotations )) "spec" (mustMergeOverwrite (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "namespaceSelector" $values.monitoring.namespaceSelector "podMetricsEndpoints" (list (mustMergeOverwrite (dict "bearerTokenSecret" (dict "key" "" ) ) (dict "path" "/" "port" "prometheus" ))) "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_service.go.tpl new file mode 100644 index 0000000000..54a7ce8a05 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_service.go.tpl 
@@ -0,0 +1,20 @@ +{{- /* Generated from "service.go" */ -}} + +{{- define "connectors.Service" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rest-api" "port" ($values.connectors.restPort | int) "targetPort" ($values.connectors.restPort | int) "protocol" "TCP" ))) -}} +{{- range $_, $port := $values.service.ports -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" $port.name "port" ($port.port | int) "targetPort" ($port.port | int) "protocol" "TCP" )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.ServiceName" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.service.annotations) )) "spec" (mustMergeOverwrite (dict ) (dict "ipFamilies" (list "IPv4") "ipFamilyPolicy" "SingleStack" "ports" $ports "selector" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "ClusterIP" )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_serviceaccount.go.tpl new file mode 100644 index 0000000000..dedade21c3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_serviceaccount.go.tpl 
@@ -0,0 +1,18 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "connectors.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.serviceAccount.annotations "labels" (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") "name" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_shims.tpl new file mode 100644 index 0000000000..c16b6d1788 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_shims.tpl 
@@ -0,0 +1,339 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $ptr) "null") -}} +{{- $_ := (fail "nil dereference") 
-}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $m) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $ptr) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq (toJson $a) "null") (eq (toJson $b) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := 
false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) 
))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- 
break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.time_ParseDuration" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $unitMap := (dict "s" (1000000000 | int64) "m" (60000000000 | int64) "h" (3600000000000 | int64) ) -}} +{{- $original := $repr -}} +{{- $value := ((0 | int64) | int64) -}} +{{- if (eq $repr "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- if (eq $repr "0") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $_, $_ := (list (0 | int) (0 | int) (0 | int)) -}} +{{- if (eq $repr "") -}} +{{- break -}} +{{- end -}} +{{- $n := (regexFind `^\d+` $repr) -}} +{{- if (eq $n "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- $repr = (substr 
((get (fromJson (include "_shims.len" (dict "a" (list $n) ))) "r") | int) -1 $repr) -}} +{{- $unit := (regexFind `^(h|m|s)` $repr) -}} +{{- if (eq $unit "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- $repr = (substr ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int) -1 $repr) -}} +{{- $value = ((add $value (((mul (int64 $n) (index $unitMap $unit)) | int64))) | int64) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.time_Duration_String" -}} +{{- $dur := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (duration ((div $dur (1000000000 | int64)) | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne (toJson $manifest) "null" }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_values.go.tpl new file mode 100644 index 0000000000..9b304d4bf6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/_values.go.tpl 
@@ -0,0 +1,15 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "connectors.Auth.SASLEnabled" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $saslEnabled := (not (empty $c.sasl.userName)) -}} +{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.mechanism))) -}} +{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.secretRef))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $saslEnabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/entry-point.yaml b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/entry-point.yaml new file mode 100644 index 0000000000..b6c6467d5d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/entry-point.yaml @@ -0,0 +1,17 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.render" .) -}} diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/tests/01-mm2-values.yaml b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/tests/01-mm2-values.yaml new file mode 100644 index 0000000000..c369806c8b --- /dev/null 
+++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/templates/tests/01-mm2-values.yaml 
@@ -0,0 +1,176 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "curl-options" -}}
+{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}}
+{{- end -}}
+{{- if .Values.test.create -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "connectors.fullname" . }}-mm2-test
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: create-mm2
+ image: docker.redpanda.com/redpandadata/redpanda:latest
+ command:
+ - /bin/bash
+ - -c
+ - |
+ set -xe
+
+ trap connectorsState ERR
+
+ connectorsState () {
+ echo check connectors expand status
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=status
+ echo check connectors expand info
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=info
+ echo check connector configuration
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME
+ echo check connector topics
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics
+ }
+
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors
+
+ SASL_MECHANISM="PLAIN"
+ {{- if .Values.auth.sasl.enabled }}
+ set -e
+ set +x
+
+ IFS=: read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < $(find /mnt/users/* -print)
+ CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ if [[ -n "$CONNECT_SASL_USERNAME" && -n "$KAFKA_SASL_PASSWORD" && -n "$CONNECT_SASL_MECHANISM" ]]; then
+ rpk profile set user=$CONNECT_SASL_USERNAME pass=$KAFKA_SASL_PASSWORD sasl.mechanism=$CONNECT_SASL_MECHANISM
+ SASL_MECHANISM=$CONNECT_SASL_MECHANISM
+ JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\","
+ JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\","
+ fi
+
+ set -x
+ set +e
+ {{- end }}
+
+ rpk profile create test
+ rpk profile set tls.enabled={{.Values.connectors.brokerTLS.enabled}} brokers={{ .Values.connectors.bootstrapServers }}
+ {{- if .Values.connectors.brokerTLS.ca.secretRef }}
+ rpk profile set tls.ca={{ printf "/redpanda-certs/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) }}
+ {{- end }}
+
+ {{- if .Values.connectors.brokerTLS.enabled }}
+ CONNECT_TLS_ENABLED=true
+ {{- else }}
+ CONNECT_TLS_ENABLED=false
+ {{- end }}
+ SECURITY_PROTOCOL=PLAINTEXT
+ if [[ -n "$CONNECT_SASL_MECHANISM" && $CONNECT_TLS_ENABLED == "true" ]]; then
+ SECURITY_PROTOCOL="SASL_SSL"
+ elif [[ -n "$CONNECT_SASL_MECHANISM" ]]; then
+ SECURITY_PROTOCOL="SASL_PLAINTEXT"
+ elif [[ $CONNECT_TLS_ENABLED == "true" ]]; then
+ SECURITY_PROTOCOL="SSL"
+ fi
+
+ rpk topic list
+ rpk topic create test-topic
+ rpk topic list
+ echo "Test message!" | rpk topic produce test-topic
+
+ CONNECTOR_NAME=mm2-$RANDOM
+ cat << 'EOF' > /tmp/mm2-conf.json
+ {
+ "name": "CONNECTOR_NAME",
+ "config": {
+ "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector",
+ "topics": "test-topic",
+ "replication.factor": "1",
+ "tasks.max": "1",
+ "source.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }},
+ "target.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }},
+ "target.cluster.alias": "test-only",
+ "source.cluster.alias": "source",
+ "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter",
+ "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter",
+ "source->target.enabled": "true",
+ "target->source.enabled": "false",
+ "sync.topic.configs.interval.seconds": "5",
+ "sync.topics.configs.enabled": "true",
+ "source.cluster.ssl.truststore.type": "PEM",
+ "target.cluster.ssl.truststore.type": "PEM",
+ "source.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }},
+ "target.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }},
+ JAAS_CONFIG_SOURCE
+ JAAS_CONFIG_TARGET
+ "source.cluster.security.protocol": "SECURITY_PROTOCOL",
+ "target.cluster.security.protocol": "SECURITY_PROTOCOL",
+ "source.cluster.sasl.mechanism": "SASL_MECHANISM",
+ "target.cluster.sasl.mechanism": "SASL_MECHANISM",
+ "offset-syncs.topic.replication.factor": 1
+ }
+ }
+ EOF
+
+ sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json
+ sed -i "s/SASL_MECHANISM/$SASL_MECHANISM/g" /tmp/mm2-conf.json
+ sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json
+ set +x
+ sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json
+ sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json
+ set -x
+
+ curl {{ template "curl-options" . }} -H 'Content-Type: application/json' http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors -d @/tmp/mm2-conf.json
+
+ # The rpk topic consume could fail for the first few times as kafka connect needs
+ # to spawn the task and copy one message from the source topic. To solve this race condition
+ # the retry should be implemented in bash for rpk topic consume or other mechanism that
+ # can confirm source connectors started its execution. As a fast fix fixed 30 second fix is added.
+ sleep 30
+
+ rpk topic consume source.test-topic -n 1 | grep "Test message!"
+
+ curl {{ template "curl-options" . }} -X DELETE http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME
+
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors
+
+ rpk topic delete test-topic source.test-topic mm2-offset-syncs.test-only.internal
+ volumeMounts:
+ {{- if .Values.connectors.brokerTLS.ca.secretRef }}
+ - mountPath: /redpanda-certs
+ name: redpanda-ca
+ {{- end }}
+ {{- toYaml .Values.storage.volumeMounts | nindent 8 }}
+ volumes:
+ {{- if .Values.connectors.brokerTLS.ca.secretRef }}
+ - name: redpanda-ca
+ secret:
+ defaultMode: 0444
+ secretName: {{ .Values.connectors.brokerTLS.ca.secretRef }}
+ {{- end }}
+ {{- toYaml .Values.storage.volume | nindent 4 }}
+{{- end }}
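Review bot: The SASL password can still reach the test pod's log despite the `set +x` guards in the `create-mm2` script: it is written into `/tmp/mm2-conf.json`, the POST to `/connectors` prints its response because `curl-options` carries `-o -`, and the `connectorsState` ERR trap fetches `/connectors/$CONNECTOR_NAME`; Kafka Connect normally returns the connector config in both responses, so the `sasl.jaas.config` values would be echoed in clear text (inferred from the REST API's usual behaviour, not shown in the hunk). Redact that field before it is printed, for example by passing those two responses through `sed -E 's/(password=)[^;]*/\1REDACTED/g'` with `set -o pipefail` so the ERR trap still fires on a curl failure. The unescaped `$JAAS_CONFIG_SOURCE` and `$JAAS_CONFIG_TARGET` in the `sed -i "s/…/…/g"` replacements also break when the password contains `/`, `&` or `\`. Separately, `image: docker.redpanda.com/redpandadata/redpanda:latest` is a mutable tag and the container sets no `securityContext`; pin the image, e.g. `image: docker.redpanda.com/redpandadata/redpanda:<pinned-tag-or-digest>`, and add `securityContext: {allowPrivilegeEscalation: false}` to match the `container.securityContext` default in the chart's values.yaml.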
diff --git a/charts/redpanda/redpanda/5.9.19/charts/connectors/values.yaml b/charts/redpanda/redpanda/5.9.19/charts/connectors/values.yaml
new file mode 100644
index 0000000000..99cb3c5809
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/connectors/values.yaml
@@ -0,0 +1,313 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file contains values for variables referenced from yaml files in the templates directory.
+#
+# For further information on Helm templating see the documentation at:
+# https://helm.sh/docs/chart_template_guide/values_files/
+
+#
+# >>> This chart requires Helm version 3.6.0 or greater <<<
+#
+
+# Common settings
+#
+# -- Override `connectors.name` template.
+nameOverride: ""
+# -- Override `connectors.fullname` template.
+fullnameOverride: ""
+# -- Additional labels to add to all Kubernetes objects.
+# For example, `my.k8s.service: redpanda`.
+commonLabels: {}
+# -- Taints to be tolerated by Pods.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+tolerations: []
+
+# -- Redpanda Docker image settings.
+image:
+ # -- Docker repository from which to pull the Redpanda Docker image.
+ repository: docker.redpanda.com/redpandadata/connectors
+ # -- The Redpanda version.
+ # See DockerHub for:
+ # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags)
+ # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags).
+ # @default -- `Chart.appVersion`.
+ tag: ""
+ # -- The imagePullPolicy.
+ # If `image.tag` is 'latest', the default is `Always`.
+ pullPolicy: IfNotPresent
+
+# -- Pull secrets may be used to provide credentials to image repositories
+# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+
+test:
+ create: true
+
+connectors:
+ # -- The port on which the Kafka Connect REST API listens. The API is used for administrative tasks.
+ restPort: 8083
+ # -- A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster.
+ bootstrapServers: ""
+ # A comma-separated list of Schema Registry addresses in the format IP:Port or DNS:Port. The Schema Registry is a service that manages the schemas used by producers and consumers.
+ schemaRegistryURL: ""
+ # -- A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script.
+ additionalConfiguration: ""
+ secretManager:
+ enabled: false
+ region: ""
+ consolePrefix: ""
+ connectorsPrefix: ""
+ # -- The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput.
+ producerBatchSize: 131072
+ # -- The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput.
+ producerLingerMS: 1
+ storage:
+ # -- The number of replicas for each of the internal topics that Kafka Connect uses.
+ replicationFactor:
+ # -- Replication factor for the offset topic.
+ offset: -1
+ # -- Replication factor for the configuration topic.
+ config: -1
+ # -- Replication factor for the status topic.
+ status: -1
+ # -- Indicates if read and write operations for the respective topics are allowed remotely.
+ remote:
+ read:
+ offset: false
+ config: false
+ status: false
+ write:
+ offset: false
+ config: false
+ status: false
+ topic:
+ # -- The name of the internal topic that Kafka Connect uses to store source connector offsets.
+ offset: _internal_connectors_offsets
+ # -- The name of the internal topic that Kafka Connect uses to store connector and task configurations.
+ config: _internal_connectors_configs
+ # -- The name of the internal topic that Kafka Connect uses to store connector and task status updates.
+ status: _internal_connectors_status
+ # -- A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other.
+ groupID: connectors-cluster
+ brokerTLS:
+ enabled: false
+ ca:
+ # -- The name of the Secret where the ca.crt file content is located.
+ secretRef: ""
+ # -- If `secretRef` points to a Secret where the certificate authority (CA) is not under the
+ # `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`.
+ secretNameOverwrite: ""
+ cert:
+ # -- The name of the secret where client signed certificate is located
+ secretRef: ""
+ # -- If secretRef points to secret where client signed certificate is not under
+ # tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt
+ secretNameOverwrite: ""
+ key:
+ # -- The name of the secret where client private key is located
+ secretRef: ""
+ # -- If secretRef points to secret where client private key is not under
+ # tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key
+ secretNameOverwrite: ""
+
+# -- Authentication settings.
+# For details,
+# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/).
+# The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster.
+auth:
+ sasl:
+ enabled: false
+ # -- The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`.
+ mechanism: scram-sha-512
+ # -- A Secret that contains your SASL user password.
+ secretRef: ""
+ userName: ""
+
+# -- Log-level settings.
+logging:
+ # -- Log level
+ # Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`.
+ level: warn
+
+# -- Monitoring.
+# When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics.
+monitoring:
+ enabled: false
+ scrapeInterval: 30s
+ labels: {}
+ annotations: {}
+ namespaceSelector:
+ any: true
+
+container:
+ #
+ # -- Security context for the Redpanda Connectors container.
+ # See also `deployment.securityContext` for Pod-level settings.
+ securityContext:
+ allowPrivilegeEscalation: false
+ # -- Pod resource management.
+ resources:
+ request:
+ # Numeric values here are also acceptable.
+ cpu: "1"
+ memory: 2350Mi
+ limits:
+ cpu: "1"
+ memory: 2350Mi
+ # -- Java maximum heap size must not be greater than `container.resources.limits.memory`.
+ javaMaxHeapSize: 2G
+ javaGCLogEnabled: "false"
+
+deployment:
+ # Replicas can be used to scale Deployment
+ # replicas
+
+ create: true
+ # Customize the command to use as the entrypoint of the Deployment.
+ # command: []
+ strategy:
+ type: RollingUpdate
+ schedulerName: ""
+ budget:
+ maxUnavailable: 1
+ # -- Additional annotations to apply to the Pods of this Deployment.
+ annotations: {}
+ # -- Adjust the period for your probes to meet your needs.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
+ livenessProbe:
+ initialDelaySeconds: 10
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ initialDelaySeconds: 60
+ failureThreshold: 2
+ periodSeconds: 10
+ successThreshold: 3
+ timeoutSeconds: 5
+
+ # -- Additional environment variables for the Pods.
+ extraEnv: []
+ # - name: RACK_ID
+ # value: "1"
+
+ # -- Configure extra environment variables from Secrets and ConfigMaps.
+ extraEnvFrom: []
+ # - secretRef:
+ # name: my-secret
+ # - configMapRef:
+ # name: my-configmap
+
+ # -- The maximum time in seconds for a deployment to make progress before it is
+ # considered to be failed. The deployment controller will continue to process
+ # failed deployments and a condition with a ProgressDeadlineExceeded reason
+ # will be surfaced in the deployment status. Note that progress will not be
+ # estimated during the time a deployment is paused.
+ progressDeadlineSeconds: 600
+
+ # -- The number of old ReplicaSets to retain to allow rollback. This is a pointer
+ # to distinguish between explicit zero and not specified.
+ revisionHistoryLimit: 10
+
+ # -- Inter-Pod Affinity rules for scheduling Pods of this Deployment.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+ podAffinity: {}
+ # -- Node Affinity rules for scheduling Pods of this Deployment.
+ # The suggestion would be to spread Pods according to topology zone.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity).
+ nodeAffinity: {}
+ # -- Anti-affinity rules for scheduling Pods of this Deployment.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+ # You may either edit the default settings for anti-affinity rules,
+ # or specify new anti-affinity rules to use instead of the defaults.
+ podAntiAffinity:
+ # -- The `topologyKey` to be used.
+ # Can be used to spread across different nodes, AZs, regions etc.
+ topologyKey: kubernetes.io/hostname
+ # -- Valid anti-affinity types are `soft`, `hard`, or `custom`.
+ # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object.
+ type: hard
+ # -- Weight for `soft` anti-affinity rules.
+ # Does not apply for other anti-affinity types.
+ weight: 100
+ # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here.
+ custom: {}
+ # -- Node selection constraints for scheduling Pods of this Deployment.
+ # These constraints override the global `nodeSelector` value.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+ nodeSelector: {}
+ # -- PriorityClassName given to Pods of this Deployment.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+ priorityClassName: ""
+ # -- Taints to be tolerated by Pods of this Deployment.
+ # These tolerations override the global tolerations value.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+ tolerations: []
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/).
+ topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + securityContext: + fsGroup: 101 + runAsUser: 101 + fsGroupChangePolicy: OnRootMismatch + terminationGracePeriodSeconds: 30 + restartPolicy: Always + +storage: + volume: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + +# -- ServiceAccount management. +serviceAccount: + # -- Specifies whether a ServiceAccount should be created. + create: false + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: false + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- The name of the ServiceAccount to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `connectors.fullname` template. + name: "" + +# -- Service management. +service: + # -- Annotations to add to the Service. + annotations: {} + # -- The name of the service to use. + # If not set, a name is generated using the `connectors.fullname` template. + name: "" + ports: + - name: prometheus + port: 9404 diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/.helmignore b/charts/redpanda/redpanda/5.9.19/charts/console/.helmignore new file mode 100644 index 0000000000..d5bb5e6ba6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/.helmignore @@ -0,0 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +*.go +testdata/ +ci/ 
diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/Chart.yaml b/charts/redpanda/redpanda/5.9.19/charts/console/Chart.yaml
new file mode 100644
index 0000000000..bdd47e7063
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/console/Chart.yaml
@@ -0,0 +1,23 @@
+annotations:
+ artifacthub.io/images: |
+ - name: redpanda
+ image: docker.redpanda.com/redpandadata/console:v2.8.0
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/links: |
+ - name: Documentation
+ url: https://docs.redpanda.com
+ - name: "Helm (>= 3.6.0)"
+ url: https://helm.sh/docs/intro/install/
+apiVersion: v2
+appVersion: v2.8.0
+description: Helm chart to deploy Redpanda Console.
+icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg
+kubeVersion: '>= 1.25.0-0'
+maintainers:
+- name: redpanda-data
+ url: https://github.com/orgs/redpanda-data/people
+name: console
+sources:
+- https://github.com/redpanda-data/helm-charts
+type: application
+version: 0.7.31
diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/README.md b/charts/redpanda/redpanda/5.9.19/charts/console/README.md
new file mode 100644
index 0000000000..63da4e6cad
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/console/README.md
@@ -0,0 +1,353 @@ +# Redpanda Console Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Console Helm chart. +--- + +![Version: 0.7.31](https://img.shields.io/badge/Version-0.7.31-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.8.0](https://img.shields.io/badge/AppVersion-v2.8.0-informational?style=flat-square) + +This page describes the official Redpanda Console Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/console/values.yaml). +Each of the settings is listed and described on this page, along with any default values. + +The Redpanda Console Helm chart is included as a subchart in the Redpanda Helm chart so that you can deploy and configure Redpanda and Redpanda Console together. +For instructions on how to install and use the chart, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). +For instructions on how to override and customize the chart’s values, see [Configure Redpanda Console](https://docs.redpanda.com/docs/manage/kubernetes/configure-helm-chart/#configure-redpanda-console). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.25.0-0` + +## Settings + +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=affinity) + +**Default:** `{}` + +### [annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=annotations) + +Annotations to add to the deployment. 
+ +**Default:** `{}` + +### [automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=automountServiceAccountToken) + +Automount API credentials for the Service Account into the pod. Console does not communicate with Kubernetes API. + +**Default:** `false` + +### [autoscaling.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.enabled) + +**Default:** `false` + +### [autoscaling.maxReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.maxReplicas) + +**Default:** `100` + +### [autoscaling.minReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.minReplicas) + +**Default:** `1` + +### [autoscaling.targetCPUUtilizationPercentage](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.targetCPUUtilizationPercentage) + +**Default:** `80` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=commonLabels) + +**Default:** `{}` + +### [configmap.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=configmap.create) + +**Default:** `true` + +### [console.config](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=console.config) + +Settings for the `Config.yaml` (required). For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). 
+ +**Default:** `{}` + +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=deployment.create) + +**Default:** `true` + +### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=enterprise) + +Settings for license key, as an alternative to secret.enterprise when a license secret is available + +**Default:** + +``` +{"licenseSecretRef":{"key":"","name":""}} +``` + +### [extraContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraContainers) + +Add additional containers, such as for oauth2-proxy. + +**Default:** `[]` + +### [extraEnv](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnv) + +Additional environment variables for the Redpanda Console Deployment. + +**Default:** `[]` + +### [extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnvFrom) + +Additional environment variables for Redpanda Console mapped from Secret or ConfigMap. + +**Default:** `[]` + +### [extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumeMounts) + +Add additional volume mounts, such as for TLS keys. + +**Default:** `[]` + +### [extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumes) + +Add additional volumes, such as for TLS keys. + +**Default:** `[]` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=fullnameOverride) + +Override `console.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image) + +Redpanda Console Docker image settings. 
+ +**Default:** + +``` +{"pullPolicy":"IfNotPresent","registry":"docker.redpanda.com","repository":"redpandadata/console","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.pullPolicy) + +The imagePullPolicy. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** `"redpandadata/console"` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.tag) + +The Redpanda Console version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/console/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags). + +**Default:** `Chart.appVersion` + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [ingress.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.annotations) + +**Default:** `{}` + +### [ingress.className](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.className) + +**Default:** `nil` + +### [ingress.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.enabled) + +**Default:** `false` + +### [ingress.hosts[0].host](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].host) + +**Default:** `"chart-example.local"` + +### [ingress.hosts[0].paths[0].path](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].path) + +**Default:** `"/"` + +### 
[ingress.hosts[0].paths[0].pathType](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].pathType) + +**Default:** `"ImplementationSpecific"` + +### [ingress.tls](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.tls) + +**Default:** `[]` + +### [initContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers) + +Any initContainers defined should be written here + +**Default:** `{"extraInitContainers":""}` + +### [initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers.extraInitContainers) + +Additional set of init containers + +**Default:** `""` + +### [livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=livenessProbe) + +Settings for liveness and readiness probes. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes). + +**Default:** + +``` +{"failureThreshold":3,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nameOverride) + +Override `console.name` template. 
+ +**Default:** `""` + +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nodeSelector) + +**Default:** `{}` + +### [podAnnotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podAnnotations) + +**Default:** `{}` + +### [podLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podLabels) + +**Default:** `{}` + +### [podSecurityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.fsGroup) + +**Default:** `99` + +### [podSecurityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.runAsUser) + +**Default:** `99` + +### [priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=priorityClassName) + +PriorityClassName given to Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.failureThreshold) + +**Default:** `3` + +### [readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.initialDelaySeconds) + +Grant time to test connectivity to upstream services such as Kafka and Schema Registry. 
+ +**Default:** `10` + +### [readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.periodSeconds) + +**Default:** `10` + +### [readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.successThreshold) + +**Default:** `1` + +### [readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.timeoutSeconds) + +**Default:** `1` + +### [replicaCount](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=replicaCount) + +**Default:** `1` + +### [resources](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=resources) + +**Default:** `{}` + +### [secret](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret) + +Create a new Kubernetes Secret for all sensitive configuration inputs. Each provided Secret is mounted automatically and made available to the Pod. If you want to use one or more existing Secrets, you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets. + +**Default:** + +``` +{"create":true,"enterprise":{},"kafka":{},"login":{"github":{},"google":{},"jwtSecret":"","oidc":{},"okta":{}},"redpanda":{"adminApi":{}}} +``` + +### [secret.kafka](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret.kafka) + +Kafka Secrets. + +**Default:** `{}` + +### [secretMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secretMounts) + +SecretMounts is an abstraction to make a Secret available in the container's filesystem. Under the hood it creates a volume and a volume mount for the Redpanda Console container. 
+ +**Default:** `[]` + +### [securityContext.runAsNonRoot](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=securityContext.runAsNonRoot) + +**Default:** `true` + +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.annotations) + +**Default:** `{}` + +### [service.port](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.port) + +**Default:** `8080` + +### [service.targetPort](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.targetPort) + +Override the value in `console.config.server.listenPort` if not `nil` + +**Default:** `nil` + +### [service.type](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.type) + +**Default:** `"ClusterIP"` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.annotations) + +Annotations to add to the service account. + +**Default:** `{}` + +### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.automountServiceAccountToken) + +Specifies whether a service account should automount API-Credentials. Console does not communicate with Kubernetes API. The ServiceAccount could be used for workload identity. + +**Default:** `false` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.create) + +Specifies whether a service account should be created. + +**Default:** `true` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.name) + +The name of the service account to use. 
If not set and `serviceAccount.create` is `true`, a name is generated using the `console.fullname` template + +**Default:** `""` + +### [strategy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=strategy) + +**Default:** `{}` + +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tolerations) + +**Default:** `[]` + +### [topologySpreadConstraints](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=topologySpreadConstraints) + +**Default:** `[]` + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/examples/console-enterprise.yaml b/charts/redpanda/redpanda/5.9.19/charts/console/examples/console-enterprise.yaml new file mode 100644 index 0000000000..dc3f29197d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/examples/console-enterprise.yaml 
@@ -0,0 +1,94 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+image:
+ tag: master-8fcce39
+
+resources:
+ limits:
+ cpu: 1
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 512Mi
+
+console:
+ config:
+ kafka:
+ brokers:
+ - bootstrap.mybrokers.com:9092
+ clientId: redpanda-console
+ sasl:
+ enabled: true
+ mechanism: SCRAM-SHA-256
+ username: console
+ # password: set via Helm secret / Env variable
+ tls:
+ enabled: false
+ login:
+ google:
+ enabled: true
+ clientId: redacted.apps.googleusercontent.com
+ # clientSecret: set via Helm secret / Env variable
+ directory:
+ # serviceAccountFilepath: set via Helm secret / Env variable
+ targetPrincipal: admin@mycompany.com
+ enterprise:
+ rbac:
+ enabled: true
+ roleBindingsFilepath: /etc/console/configs/role-bindings.yaml
+ roleBindings:
+ - roleName: viewer
+ metadata:
+ # Metadata properties will be shown in the UI. You can omit it if you want to
+ name: Developers
+ subjects:
+ # You can specify all groups or users from different providers here which shall be bound to the same role
+ - kind: group
+ provider: Google
+ name: engineering@mycompany.com
+ - kind: user
+ provider: Google
+ name: singleuser@mycompany.com
+ - roleName: admin
+ metadata:
+ name: Admin
+ subjects:
+ - kind: user
+ provider: Google
+ name: adminperson@mycompany.com
+
+secret:
+ create: true
+ kafka:
+ saslPassword: "redacted"
+ enterprise:
+ license: "redacted"
+ login:
+ google:
+ clientSecret: "redacted"
+ groupsServiceAccount: |
+ {
+ "type": "service_account",
+ "project_id": "redacted",
+ "private_key_id": "redacted",
+ "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
+ "client_email": "redacted@projectid.iam.gserviceaccount.com",
+ "client_id": "redacted",
+ "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+ "token_uri": "https://oauth2.googleapis.com/token",
+ "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+ "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/redacted.iam.gserviceaccount.com"
+ }
diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.19/charts/console/templates/NOTES.txt
new file mode 100644
index 0000000000..7541881fc9
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/NOTES.txt
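Review bot: In `examples/console-enterprise.yaml` the Kafka client has `sasl.enabled: true` with `SCRAM-SHA-256` but `tls.enabled: false`, so a reader who copies the example authenticates to `bootstrap.mybrokers.com:9092` over a channel that is neither encrypted nor server-authenticated; for an enterprise example I would set `tls.enabled: true` or add a comment such as `# enable TLS outside local test clusters`. `image.tag: master-8fcce39` looks like a development-branch build rather than a release and differs from the chart's `appVersion: v2.8.0`, so leaving the tag unset (the README says it defaults to `Chart.appVersion`) would be the safer example. The `secret:` block places the SASL password, license, OAuth client secret and a service-account key inline with `secret.create: true`; a short comment pointing to an existing Secret via `extraEnvFrom` / `secretMounts` would keep readers from committing real values into a values file.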
@@ -0,0 +1,20 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- $notes := (get ((include "console.Notes" (dict "a" (list .))) | fromJson) "r") -}} +{{- range $_, $note := $notes }} +{{ $note }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_chart.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_chart.go.tpl new file mode 100644 index 0000000000..47f236d6ff --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_chart.go.tpl 
@@ -0,0 +1,13 @@ +{{- /* Generated from "chart.go" */ -}} + +{{- define "console.render" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $manifests := (list (get (fromJson (include "console.ServiceAccount" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Secret" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.ConfigMap" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Service" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Ingress" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Deployment" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.HorizontalPodAutoscaler" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_configmap.go.tpl new file mode 100644 index 0000000000..14673b0249 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_configmap.go.tpl 
@@ -0,0 +1,25 @@ +{{- /* Generated from "configmap.go" */ -}} + +{{- define "console.ConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.configmap.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $data := (dict "config.yaml" (printf "# from .Values.console.config\n%s\n" (tpl (toYaml $values.console.config) $dot)) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roles) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $data "roles.yaml" (tpl (toYaml (dict "roles" $values.console.roles )) $dot)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roleBindings) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $data "role-bindings.yaml" (tpl (toYaml (dict "roleBindings" $values.console.roleBindings )) $dot)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ConfigMap" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "data" $data ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_deployment.go.tpl new file mode 100644 index 0000000000..67aaf598fe --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_deployment.go.tpl 
@@ -0,0 +1,133 @@ +{{- /* Generated from "deployment.go" */ -}} + +{{- define "console.ContainerPort" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $listenPort := ((8080 | int) | int) -}} +{{- if (ne (toJson $values.service.targetPort) "null") -}} +{{- $listenPort = $values.service.targetPort -}} +{{- end -}} +{{- $configListenPort := (dig "server" "listenPort" (coalesce nil) $values.console.config) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $configListenPort) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $asInt_1 := ($tmp_tuple_1.T1 | int) -}} +{{- if $ok_2 -}} +{{- $_is_returning = true -}} +{{- (dict "r" ($asInt_1 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $listenPort) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Deployment" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.deployment.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $replicas := (coalesce nil) -}} +{{- if (not $values.autoscaling.enabled) -}} +{{- $replicas = ($values.replicaCount | int) -}} +{{- end -}} +{{- $initContainers := (coalesce nil) -}} +{{- if (not (empty $values.initContainers.extraInitContainers)) -}} +{{- $initContainers = (fromYamlArray (tpl $values.initContainers.extraInitContainers $dot)) -}} +{{- end -}} +{{- $volumeMounts := (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "configs" "mountPath" "/etc/console/configs" "readOnly" true ))) -}} +{{- if $values.secret.create -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) 
(dict "name" "secrets" "mountPath" "/etc/console/secrets" "readOnly" true )))) -}} +{{- end -}} +{{- range $_, $mount := $values.secretMounts -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mount.name "mountPath" $mount.path "subPath" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $mount.subPath "") ))) "r") )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (default (list ) $values.extraVolumeMounts)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.annotations )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $replicas "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" (merge (dict ) (dict "checksum/config" (sha256sum 
(toYaml (get (fromJson (include "console.ConfigMap" (dict "a" (list $dot) ))) "r"))) ) $values.podAnnotations) "labels" (merge (dict ) (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.podLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "imagePullSecrets" $values.imagePullSecrets "serviceAccountName" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "automountServiceAccountToken" $values.automountServiceAccountToken "securityContext" $values.podSecurityContext "nodeSelector" $values.nodeSelector "affinity" $values.affinity "topologySpreadConstraints" $values.topologySpreadConstraints "priorityClassName" $values.priorityClassName "tolerations" $values.tolerations "volumes" (get (fromJson (include "console.consolePodVolumes" (dict "a" (list $dot) ))) "r") "initContainers" $initContainers "containers" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" $dot.Chart.Name "command" $values.deployment.command "args" (concat (default (list ) (list "--config.filepath=/etc/console/configs/config.yaml")) (default (list ) $values.deployment.extraArgs)) "securityContext" $values.securityContext "image" (get (fromJson (include "console.containerImage" (dict "a" (list $dot) ))) "r") "imagePullPolicy" $values.image.pullPolicy "ports" (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ((get (fromJson (include "console.ContainerPort" (dict "a" (list $dot) ))) "r") | int) "protocol" "TCP" ))) "volumeMounts" $volumeMounts "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.livenessProbe.periodSeconds | int) "timeoutSeconds" ($values.livenessProbe.timeoutSeconds | int) 
"successThreshold" ($values.livenessProbe.successThreshold | int) "failureThreshold" ($values.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.readinessProbe.initialDelaySeconds | int) "periodSeconds" ($values.readinessProbe.periodSeconds | int) "timeoutSeconds" ($values.readinessProbe.timeoutSeconds | int) "successThreshold" ($values.readinessProbe.successThreshold | int) "failureThreshold" ($values.readinessProbe.failureThreshold | int) )) "resources" $values.resources "env" (get (fromJson (include "console.consoleContainerEnv" (dict "a" (list $dot) ))) "r") "envFrom" $values.extraEnvFrom )))) (default (list ) $values.extraContainers)) )) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.containerImage" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := $dot.Chart.AppVersion -}} +{{- if (not (empty $values.image.tag)) -}} +{{- $tag = $values.image.tag -}} +{{- end -}} +{{- $image := (printf "%s:%s" $values.image.repository $tag) -}} +{{- if (not (empty $values.image.registry)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s" $values.image.registry $image)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $image) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.consoleContainerEnv" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.secret.create) -}} +{{- $vars := $values.extraEnv -}} +{{- if (not (empty $values.enterprise.licenseSecretRef.name)) -}} +{{- $vars = (concat (default (list ) $values.extraEnv) (list (mustMergeOverwrite (dict "name" "" ) 
(dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" (default "enterprise-license" $values.enterprise.licenseSecretRef.key) )) )) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $vars) | toJson -}} +{{- break -}} +{{- end -}} +{{- $possibleVars := (list (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.saslPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.protobufGitBasicAuthPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-protobuf-git-basicauth-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.awsMskIamSecretKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_AWSMSKIAM_SECRETKEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-aws-msk-iam-secret-key" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict 
"name" "" ) ) (dict "Value" $values.secret.kafka.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include 
"console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-schema-registry-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" true "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_JWTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-jwt-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-google-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.groupsServiceAccount "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH" "value" "/etc/console/secrets/login-google-groups-service-account.json" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.github.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" 
$values.secret.login.github.personalAccessToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-personal-access-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.directoryApiToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_DIRECTORY_APITOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-directory-api-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.oidc.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OIDC_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-oidc-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" 
$values.secret.enterprise.license "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "enterprise-license" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.password "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "redpanda-admin-api-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CAFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_KEYFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CERTFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-cert" )) ))) -}} +{{- $vars := $values.extraEnv -}} +{{- range $_, $possible := $possibleVars -}} +{{- if (not (empty $possible.Value)) -}} +{{- $vars = (concat (default (list ) $vars) (list $possible.EnvVar)) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break 
-}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $vars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.consolePodVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes := (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "configs" ))) -}} +{{- if $values.secret.create -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) )) (dict "name" "secrets" )))) -}} +{{- end -}} +{{- range $_, $mount := $values.secretMounts -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $mount.secretName "defaultMode" $mount.defaultMode )) )) (dict "name" $mount.name )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.extraVolumes))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_helpers.go.tpl new file mode 100644 index 0000000000..05ad609654 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_helpers.go.tpl 
@@ -0,0 +1,82 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "console.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.fullnameOverride "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- if (contains $name $dot.Release.Name) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.ChartLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Labels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $labels := (dict "helm.sh/chart" (get (fromJson (include 
"console.ChartLabel" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) -}} +{{- if (ne $dot.Chart.AppVersion "") -}} +{{- $_ := (set $labels "app.kubernetes.io/version" $dot.Chart.AppVersion) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $labels (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.commonLabels)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.SelectorLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "app.kubernetes.io/name" (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.cleanForK8s" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_helpers.tpl new file mode 100644 index 0000000000..ee2ab5d9b8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_helpers.tpl 
@@ -0,0 +1,25 @@
+{{/*
+Expand the name of the chart.
+Used by tests/test-connection.yaml
+*/}}
+{{- define "console.name" -}}
+{{- get ((include "console.Name" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Used by tests/test-connection.yaml
+*/}}
+{{- define "console.fullname" -}}
+{{- get ((include "console.Fullname" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Common labels
+Used by tests/test-connection.yaml
+*/}}
+{{- define "console.labels" -}}
+{{- (get ((include "console.Labels" (dict "a" (list .))) | fromJson) "r") | toYaml -}}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_hpa.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_hpa.go.tpl
new file mode 100644
index 0000000000..5c3b33beda
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_hpa.go.tpl
@@ -0,0 +1,25 @@ +{{- /* Generated from "hpa.go" */ -}} + +{{- define "console.HorizontalPodAutoscaler" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.autoscaling.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $metrics := (list ) -}} +{{- if (ne (toJson $values.autoscaling.targetCPUUtilizationPercentage) "null") -}} +{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "cpu" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetCPUUtilizationPercentage )) )) )))) -}} +{{- end -}} +{{- if (ne (toJson $values.autoscaling.targetMemoryUtilizationPercentage) "null") -}} +{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "memory" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetMemoryUtilizationPercentage )) )) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) "status" (dict "desiredReplicas" 0 "currentMetrics" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "autoscaling/v2" "kind" "HorizontalPodAutoscaler" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) 
"spec" (mustMergeOverwrite (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) (dict "scaleTargetRef" (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "apiVersion" "apps/v1" "kind" "Deployment" "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) "minReplicas" ($values.autoscaling.minReplicas | int) "maxReplicas" ($values.autoscaling.maxReplicas | int) "metrics" $metrics )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_ingress.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_ingress.go.tpl new file mode 100644 index 0000000000..0df05e870b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_ingress.go.tpl 
@@ -0,0 +1,46 @@ +{{- /* Generated from "ingress.go" */ -}} + +{{- define "console.Ingress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.ingress.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tls := (coalesce nil) -}} +{{- range $_, $t := $values.ingress.tls -}} +{{- $hosts := (coalesce nil) -}} +{{- range $_, $host := $t.hosts -}} +{{- $hosts = (concat (default (list ) $hosts) (list (tpl $host $dot))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $tls = (concat (default (list ) $tls) (list (mustMergeOverwrite (dict ) (dict "secretName" $t.secretName "hosts" $hosts )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $rules := (coalesce nil) -}} +{{- range $_, $host := $values.ingress.hosts -}} +{{- $paths := (coalesce nil) -}} +{{- range $_, $path := $host.paths -}} +{{- $paths = (concat (default (list ) $paths) (list (mustMergeOverwrite (dict "pathType" (coalesce nil) "backend" (dict ) ) (dict "path" $path.path "pathType" $path.pathType "backend" (mustMergeOverwrite (dict ) (dict "service" (mustMergeOverwrite (dict "name" "" "port" (dict ) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "port" (mustMergeOverwrite (dict ) (dict "number" ($values.service.port | int) )) )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $rules = (concat (default (list ) $rules) (list (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "http" (mustMergeOverwrite (dict "paths" (coalesce nil) ) (dict "paths" $paths )) )) (dict "host" (tpl $host.host $dot) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) 
"spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "kind" "Ingress" "apiVersion" "networking.k8s.io/v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.ingress.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "ingressClassName" $values.ingress.className "tls" $tls "rules" $rules )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_notes.go.tpl new file mode 100644 index 0000000000..6b58b21ef4 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_notes.go.tpl 
@@ -0,0 +1,40 @@ +{{- /* Generated from "notes.go" */ -}} + +{{- define "console.Notes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $commands := (list `1. Get the application URL by running these commands:`) -}} +{{- if $values.ingress.enabled -}} +{{- $scheme := "http" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.ingress.tls) ))) "r") | int) (0 | int)) -}} +{{- $scheme = "https" -}} +{{- end -}} +{{- range $_, $host := $values.ingress.hosts -}} +{{- range $_, $path := $host.paths -}} +{{- $commands = (concat (default (list ) $commands) (list (printf "%s://%s%s" $scheme $host.host $path.path))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list (printf ` export NODE_PORT=$(kubectl get --namespace %s -o jsonpath="{.spec.ports[0].nodePort}" services %s)` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export NODE_IP=$(kubectl get nodes --namespace %s -o jsonpath="{.items[0].status.addresses[0].address}")` $dot.Release.Namespace) " echo http://$NODE_IP:$NODE_PORT")) -}} +{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list ` NOTE: It may take a few minutes for the LoadBalancer IP to be available.` (printf ` You can watch the status of by running 'kubectl get --namespace %s svc -w %s'` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export SERVICE_IP=$(kubectl get svc --namespace %s %s --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")` $dot.Release.Namespace (get (fromJson (include 
"console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` echo http://$SERVICE_IP:%d` ($values.service.port | int)))) -}} +{{- else -}}{{- if (contains "ClusterIP" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list (printf ` export POD_NAME=$(kubectl get pods --namespace %s -l "app.kubernetes.io/name=%s,app.kubernetes.io/instance=%s" -o jsonpath="{.items[0].metadata.name}")` $dot.Release.Namespace (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Name) (printf ` export CONTAINER_PORT=$(kubectl get pod --namespace %s $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")` $dot.Release.Namespace) ` echo "Visit http://127.0.0.1:8080 to use your application"` (printf ` kubectl --namespace %s port-forward $POD_NAME 8080:$CONTAINER_PORT` $dot.Release.Namespace))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $commands) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_secret.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_secret.go.tpl new file mode 100644 index 0000000000..6af16b1c83 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_secret.go.tpl 
@@ -0,0 +1,22 @@ +{{- /* Generated from "secret.go" */ -}} + +{{- define "console.Secret" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.secret.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $jwtSecret := $values.secret.login.jwtSecret -}} +{{- if (eq $jwtSecret "") -}} +{{- $jwtSecret = (randAlphaNum (32 | int)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "kafka-sasl-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.saslPassword "") ))) "r") "kafka-protobuf-git-basicauth-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.protobufGitBasicAuthPassword "") ))) "r") "kafka-sasl-aws-msk-iam-secret-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.awsMskIamSecretKey "") ))) "r") "kafka-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCa "") ))) "r") "kafka-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCert "") ))) "r") "kafka-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsKey "") ))) "r") "kafka-schema-registry-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryPassword "") ))) "r") "kafka-schemaregistry-tls-ca" (get (fromJson (include 
"_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCa "") ))) "r") "kafka-schemaregistry-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCert "") ))) "r") "kafka-schemaregistry-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsKey "") ))) "r") "login-jwt-secret" $jwtSecret "login-google-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.clientSecret "") ))) "r") "login-google-groups-service-account.json" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.groupsServiceAccount "") ))) "r") "login-github-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.clientSecret "") ))) "r") "login-github-personal-access-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.personalAccessToken "") ))) "r") "login-okta-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.clientSecret "") ))) "r") "login-okta-directory-api-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.directoryApiToken "") ))) "r") "login-oidc-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.oidc.clientSecret "") ))) "r") "enterprise-license" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.enterprise.license "") ))) "r") "redpanda-admin-api-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.password "") ))) "r") "redpanda-admin-api-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCa "") ))) "r") "redpanda-admin-api-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCert "") 
))) "r") "redpanda-admin-api-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsKey "") ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_service.go.tpl new file mode 100644 index 0000000000..8fac3d4542 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_service.go.tpl 
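Review bot: When `secret.login.jwtSecret` is empty, `$jwtSecret = (randAlphaNum (32 | int))` yields a fresh value on every render, so each `helm upgrade` or GitOps re-sync rewrites `login-jwt-secret` in the Secret. Presumably that invalidates tokens signed with the previous value and shows up as permanent drift in diff-based deployers. The chart ships a `_shims.lookup` helper in `_shims.tpl`. Reading the existing Secret through it and reusing its `login-jwt-secret` before falling back to `randAlphaNum` would keep the key stable; where `lookup` returns nothing (for example with `helm template`), operators should set `secret.login.jwtSecret` explicitly. The template is generated from `secret.go`, so the change belongs there.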
@@ -0,0 +1,20 @@ +{{- /* Generated from "service.go" */ -}} + +{{- define "console.Service" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $port := (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "port" (($values.service.port | int) | int) "protocol" "TCP" )) -}} +{{- if (ne (toJson $values.service.targetPort) "null") -}} +{{- $_ := (set $port "targetPort" $values.service.targetPort) -}} +{{- end -}} +{{- if (and (contains "NodePort" (toString $values.service.type)) (ne (toJson $values.service.nodePort) "null")) -}} +{{- $_ := (set $port "nodePort" $values.service.nodePort) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.service.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" $values.service.type "selector" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") "ports" (list $port) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_serviceaccount.go.tpl new file mode 100644 index 0000000000..5a49ba3fdb --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_serviceaccount.go.tpl 
@@ -0,0 +1,39 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "console.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.serviceAccount.create -}} +{{- if (ne $values.serviceAccount.name "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.serviceAccount.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ServiceAccount" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.serviceAccount.annotations )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_shims.tpl new file mode 100644 index 0000000000..f0a27ce489 --- /dev/null 
+++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/_shims.tpl 
@@ -0,0 +1,355 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $ptr) "null") -}} +{{- $_ := (fail "nil dereference") 
-}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $m) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $ptr) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq (toJson $a) "null") (eq (toJson $b) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.get" -}} +{{- $dict := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (hasKey $dict $key)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (get $dict $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := 
(lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or 
float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} 
+{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.time_ParseDuration" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $unitMap := (dict "s" (1000000000 | int64) "m" (60000000000 | int64) "h" (3600000000000 | int64) ) -}} +{{- $original := $repr -}} +{{- $value := ((0 | int64) | int64) -}} +{{- if (eq $repr "") -}} +{{- $_ := (fail (printf "invalid Duration: 
%q" $original)) -}} +{{- end -}} +{{- if (eq $repr "0") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $_, $_ := (list (0 | int) (0 | int) (0 | int)) -}} +{{- if (eq $repr "") -}} +{{- break -}} +{{- end -}} +{{- $n := (regexFind `^\d+` $repr) -}} +{{- if (eq $n "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- $repr = (substr ((get (fromJson (include "_shims.len" (dict "a" (list $n) ))) "r") | int) -1 $repr) -}} +{{- $unit := (regexFind `^(h|m|s)` $repr) -}} +{{- if (eq $unit "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- $repr = (substr ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int) -1 $repr) -}} +{{- $value = ((add $value (((mul (int64 $n) (index $unitMap $unit)) | int64))) | int64) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.time_Duration_String" -}} +{{- $dur := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (duration ((div $dur (1000000000 | int64)) | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne (toJson $manifest) "null" }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} 
diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/entry-point.yaml b/charts/redpanda/redpanda/5.9.19/charts/console/templates/entry-point.yaml
new file mode 100644
index 0000000000..01fb6d68b2
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/entry-point.yaml
@@ -0,0 +1,17 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- include "_shims.render-manifest" (list "console.render" .) -}}
diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/templates/tests/test-connection.yaml b/charts/redpanda/redpanda/5.9.19/charts/console/templates/tests/test-connection.yaml
new file mode 100644
index 0000000000..de17fb2b1d
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/console/templates/tests/test-connection.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.tests.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "console.fullname" . }}-test-connection"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "console.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+{{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+{{- end }}
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "console.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
+ priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/values.schema.json b/charts/redpanda/redpanda/5.9.19/charts/console/values.schema.json
new file mode 100644
index 0000000000..f4f369e98a
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/charts/console/values.schema.json
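Review bot: `image: busybox` in the test pod names no registry, tag or digest, so the hook runs whatever the node's default registry resolves as `latest` at test time, and it bypasses the chart's `image.registry` setting. Pin it, for example `image: busybox:<PINNED_TAG>@sha256:<DIGEST>` (placeholders), or expose it as a value so operators can mirror it. The `wget` container also declares no `securityContext`; giving it a non-root `runAsUser` and `allowPrivilegeEscalation: false` would let the test run in namespaces that enforce restricted pod security. `priorityClassName: {{ .Values.priorityClassName }}` is unquoted and is emitted even when the value is unset, so wrapping it in `{{- with .Values.priorityClassName }}` would be cleaner.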
@@ -0,0 +1,323 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "required": [ + "image" + ], + "properties": { + "affinity": { + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "configmap": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "console": { + "type": "object" + }, + "deployment": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "extraContainers": { + "type": "array" + }, + "extraEnv": { + "type": "array" + }, + "extraEnvFrom": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "type": "object", + "required": [ + "repository" + ], + "properties": { + "pullPolicy": { + "type": "string" + }, + "registry": { + "type": "string" + }, + "repository": { + "type": "string", + "minLength": 1 + }, + "tag": { + "type": "string" + } + } + }, + "imagePullSecrets": { + "type": "array" + }, + "ingress": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "className": { + "type": ["string", "null"] + }, + "enabled": { + "type": "boolean" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array", + "items": { + "type": "object", + "properties": { + "path": { + "type": "string" + }, + "pathType": { + "type": "string" + } + } + } + } + } + } + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, 
+ "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "annotations": { + "type": "object" + }, + "podAnnotations": { + "type": "object" + }, + "podSecurityContext": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + }, + "runAsUser": { + "type": "integer" + } + } + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "secret": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "enterprise": { + "type": "object" + }, + "kafka": { + "type": "object" + }, + "login": { + "type": "object", + "properties": { + "jwtSecret": { + "type": "string" + }, + "github": { + "type": "object" + }, + "google": { + "type": "object" + }, + "oidc": { + "type": "object" + }, + "okta": { + "type": "object" + } + } + }, + "redpanda": { + "type": "object", + "properties": { + "adminApi": { + "type": "object" + } + } + } + } + }, + "secretMounts": { + "type": "array" + }, + "securityContext": { + "type": "object", + "properties": { + "runAsNonRoot": { + "type": "boolean" + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "port": { + "type": "integer" + }, + "nodePort": { + "type": "integer" + }, + "targetPort": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "type": { + "type": "string" + } + } + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + 
"create": { + "type": "boolean" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "tolerations": { + "type": "array" + }, + "initContainers": { + "type": "object", + "properties": { + "extraInitContainers": { + "type": "string" + } + } + }, + "strategy": { + "type": "object" + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } +} diff --git a/charts/redpanda/redpanda/5.9.19/charts/console/values.yaml b/charts/redpanda/redpanda/5.9.19/charts/console/values.yaml new file mode 100644 index 0000000000..77ee76106b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/charts/console/values.yaml 
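Review bot: Under `secret`, the objects `kafka`, `enterprise`, `redpanda.adminApi` and the `login` providers are validated only as `"type": "object"`, and no `additionalProperties` appears anywhere in the schema, so a misspelled credential key passes validation. In `_secret.go.tpl` each of those values is read through `_shims.ptr_Deref` with `""` as the fallback, so the typo lands as an empty string in the Secret instead of failing the install. Declaring the expected keys as string properties and adding `"additionalProperties": false` on those objects would surface the mistake at `helm install` time. That is stricter than the current behaviour, so it may need a release note.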
@@ -0,0 +1,281 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for console.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+# -- Redpanda Console Docker image settings.
+image:
+ registry: docker.redpanda.com
+ # -- Docker repository from which to pull the Redpanda Docker image.
+ repository: redpandadata/console
+ # -- The imagePullPolicy.
+ pullPolicy: IfNotPresent
+ # -- The Redpanda Console version.
+ # See DockerHub for:
+ # [All stable versions](https://hub.docker.com/r/redpandadata/console/tags)
+ # and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags).
+ # @default -- `Chart.appVersion`
+ tag: ""
+
+# -- Pull secrets may be used to provide credentials to image repositories
+# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+
+# -- Override `console.name` template.
+nameOverride: ""
+# -- Override `console.fullname` template.
+fullnameOverride: ""
+
+# -- Automount API credentials for the Service Account into the pod. Console does not communicate with
+# Kubernetes API.
+automountServiceAccountToken: false
+
+serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: true
+ # -- Specifies whether a service account should automount API-Credentials. Console does not
+ # communicate with Kubernetes API. The ServiceAccount could be used for workload identity.
+ automountServiceAccountToken: false
+ # -- Annotations to add to the service account.
+ annotations: {}
+ # -- The name of the service account to use.
+ # If not set and `serviceAccount.create` is `true`,
+ # a name is generated using the `console.fullname` template
+ name: ""
+
+# Common labels to add to all the pods
+commonLabels: {}
+
+# -- Annotations to add to the deployment.
+annotations: {}
+
+podAnnotations: {}
+
+podLabels: {}
+
+podSecurityContext:
+ runAsUser: 99
+ fsGroup: 99
+
+securityContext:
+ runAsNonRoot: true
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 8080
+ # nodePort: 30001
+ # -- Override the value in `console.config.server.listenPort` if not `nil`
+ targetPort:
+ annotations: {}
+
+ingress:
+ enabled: false
+ className:
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as minikube. If you want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+topologySpreadConstraints: []
+
+# -- PriorityClassName given to Pods.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+priorityClassName: ""
+
+console:
+ # -- Settings for the `Config.yaml` (required).
+ # For a reference of configuration settings,
+ # see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/).
+ config: {}
+ # roles:
+ # roleBindings:
+
+# -- Additional environment variables for the Redpanda Console Deployment.
+extraEnv: []
+ # - name: KAFKA_RACKID
+ # value: "1"
+
+# -- Additional environment variables for Redpanda Console mapped from Secret or ConfigMap.
+extraEnvFrom: []
+# - secretRef:
+# name: kowl-config-secret
+
+# -- Add additional volumes, such as for TLS keys.
+extraVolumes: []
+# - name: kafka-certs
+# secret:
+# secretName: kafka-certs
+# - name: config
+# configMap:
+# name: console-config
+
+# -- Add additional volume mounts, such as for TLS keys.
+extraVolumeMounts: []
+# - name: kafka-certs # Must match the volume name
+# mountPath: /etc/kafka/certs
+# readOnly: true
+
+# -- Add additional containers, such as for oauth2-proxy.
+extraContainers: []
+
+# -- Any initContainers defined should be written here
+initContainers:
+ # -- Additional set of init containers
+ extraInitContainers: |-
+# - name: "test-init-container"
+# image: "mintel/docker-alpine-bash-curl-jq:latest"
+# command: [ "/bin/bash", "-c" ]
+# args:
+# - |
+# set -xe
+# echo "Hello World!"
+
+# -- SecretMounts is an abstraction to make a Secret available in the container's filesystem.
+# Under the hood it creates a volume and a volume mount for the Redpanda Console container.
+secretMounts: []
+# - name: kafka-certs
+# secretName: kafka-certs
+# path: /etc/console/certs
+# defaultMode: 0755
+
+# -- Create a new Kubernetes Secret for all sensitive configuration inputs.
+# Each provided Secret is mounted automatically and made available to the
+# Pod.
+# If you want to use one or more existing Secrets,
+# you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets.
+secret:
+ create: true
+
+ # Secret values in case you want the chart to create a Secret. All Certificates are mounted
+ # as files and the path to those files are configured through environment variables so
+ # that Console can automatically pick them up.
+ # -- Kafka Secrets.
+ kafka: {}
+ # saslPassword:
+ # awsMskIamSecretKey:
+ # tlsCa:
+ # tlsCert:
+ # tlsKey:
+ # tlsPassphrase:
+ # schemaRegistryPassword:
+ # schemaRegistryTlsCa:
+ # schemaRegistryTlsCert:
+ # schemaRegistryTlsKey:
+ # protobufGitBasicAuthPassword
+ # Enterprise version secrets
+ # - SSO secrets (Enterprise version).
+ login:
+ # Configurable JWT value
+ jwtSecret: ""
+ google: {}
+ # clientSecret:
+ # groupsServiceAccount:
+ github: {}
+ # clientSecret:
+ # personalAccessToken:
+ okta: {}
+ # clientSecret:
+ # directoryApiToken:
+ oidc: {}
+ # clientSecret:
+
+ enterprise: {}
+ # license:
+
+ redpanda:
+ adminApi: {}
+ # password:
+ # tlsCa:
+ # tlsCert:
+ # tlsKey:
+
+# -- Settings for license key, as an alternative to secret.enterprise when
+# a license secret is available
+enterprise:
+ licenseSecretRef:
+ name: ""
+ key: ""
+
+# -- Settings for liveness and readiness probes.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes).
+livenessProbe:
+ # initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+
+readinessProbe:
+ # -- Grant time to test connectivity to upstream services such as Kafka and Schema Registry.
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+
+configmap:
+ create: true
+deployment:
+ create: true
+
+strategy: {}
+
+tests:
+ enabled: true
diff --git a/charts/redpanda/redpanda/5.9.19/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.19/templates/NOTES.txt
new file mode 100644
index 0000000000..6992f8e36d
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/NOTES.txt
@@ -0,0 +1,26 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $warnings := (get ((include "redpanda.Warnings" (dict "a" (list .))) | fromJson) "r") }}
+{{- range $_, $warning := $warnings }}
+{{ $warning }}
+{{- end }}
+
+{{- $notes := (get ((include "redpanda.Notes" (dict "a" (list .))) | fromJson) "r") }}
+{{- range $_, $note := $notes }}
+{{ $note }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.19/templates/_cert-issuers.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_cert-issuers.go.tpl
new file mode 100644
index 0000000000..31f4bae116
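Review bot: In the console `values.yaml`, the container-level `securityContext` default sets only `runAsNonRoot: true`, while the hardening lines directly beneath it (`capabilities` / `drop` / `- ALL`, `readOnlyRootFilesystem: true`) ship commented out, so a default install keeps the runtime's default capability set and a writable root filesystem. The same file already states that Console does not talk to the Kubernetes API and turns token automount off, so the defaults could go one step further with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`; `readOnlyRootFilesystem: true` is worth enabling too if Console does not write to its image filesystem, which cannot be confirmed from this hunk. Separately, the commented `secretMounts` example documents `defaultMode: 0755`, which would make mounted certificate and key files world-readable and executable for anyone who copies it; a restrictive example such as `defaultMode: 0440` is a safer template given the pod runs with `runAsUser: 99` / `fsGroup: 99`.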
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/_cert-issuers.go.tpl
@@ -0,0 +1,59 @@ +{{- /* Generated from "cert_issuers.go" */ -}} + +{{- define "redpanda.CertIssuers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_25_issuers__ := (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r") -}} +{{- $issuers := (index $_25_issuers__ 0) -}} +{{- $_ := (index $_25_issuers__ 1) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $issuers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RootCAs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_30___cas := (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (index $_30___cas 0) -}} +{{- $cas := (index $_30___cas 1) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cas) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.certIssuersAndCAs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $issuers := (coalesce nil) -}} +{{- $certs := (coalesce nil) -}} +{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $name, $data := $values.tls.certs -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- if (eq (toJson $data.issuerRef) "null") -}} +{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" 
(printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "selfSigned" (mustMergeOverwrite (dict ) (dict )) )) (dict )) )))) -}} +{{- end -}} +{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "ca" (mustMergeOverwrite (dict "secretName" "" ) (dict "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) )) )) (dict )) )))) -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "duration" (get 
(fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list (default "43800h" $data.duration)) ))) "r")) ))) "r") "isCA" true "commonName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "kind" "Issuer" "group" "cert-manager.io" )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_certs.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_certs.go.tpl new file mode 100644 index 0000000000..cd0fee2ec1 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_certs.go.tpl 
@@ -0,0 +1,71 @@ +{{- /* Generated from "certs.go" */ -}} + +{{- define "redpanda.ClientCerts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} +{{- $ns := $dot.Release.Namespace -}} +{{- $domain := (trimSuffix "." $values.clusterDomain) -}} +{{- $certs := (coalesce nil) -}} +{{- range $name, $data := $values.tls.certs -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $names := (coalesce nil) -}} +{{- if (or (eq (toJson $data.issuerRef) "null") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.applyInternalDNSNames false) ))) "r")) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default 
(list ) $names) (list (printf "%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s" $service $ns))) -}} +{{- end -}} +{{- if (ne (toJson $values.external.domain) "null") -}} +{{- $names = (concat (default (list ) $names) (list (tpl $values.external.domain $dot))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s" (tpl $values.external.domain $dot)))) -}} +{{- end -}} +{{- $duration := (default "43800h" $data.duration) -}} +{{- $issuerRef := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.issuerRef (mustMergeOverwrite (dict "name" "" ) (dict "kind" "Issuer" "group" "cert-manager.io" "name" (printf "%s-%s-root-issuer" $fullname $name) ))) ))) "r") -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "dnsNames" $names "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration) ))) "r")) ))) "r") "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite 
(dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $name := $values.listeners.kafka.tls.cert -}} +{{- $_97_data_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.tls.certs $name (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil) )) ))) "r") -}} +{{- $data := (index $_97_data_ok 0) -}} +{{- $ok := (index $_97_data_ok 1) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced but not defined" $name)) -}} +{{- end -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $certs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $issuerRef := (mustMergeOverwrite (dict "name" "" ) (dict "group" "cert-manager.io" "kind" "Issuer" "name" (printf "%s-%s-root-issuer" $fullname $name) )) -}} +{{- if (ne (toJson $data.issuerRef) "null") -}} +{{- $issuerRef = $data.issuerRef -}} +{{- $_ := (set $issuerRef "group" "cert-manager.io") -}} +{{- end -}} +{{- $duration := (default "43800h" $data.duration) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "commonName" (printf "%s-client" $fullname) "duration" (get 
(fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration) ))) "r")) ))) "r") "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" $issuerRef )) ))))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_chart.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_chart.go.tpl new file mode 100644 index 0000000000..5852b10631 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_chart.go.tpl 
@@ -0,0 +1,63 @@ +{{- /* Generated from "chart.go" */ -}} + +{{- define "redpanda.render" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $manifests := (list (get (fromJson (include "redpanda.NodePortService" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.PodDisruptionBudget" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceAccount" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceInternal" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceMonitor" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.SidecarControllersRole" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.SidecarControllersRoleBinding" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.StatefulSet" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.PostInstallUpgradeJob" (dict "a" (list $dot) ))) "r")) -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.ConfigMaps" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.CertIssuers" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.RootCAs" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.ClientCerts" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson 
(include "redpanda.ClusterRoleBindings" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.ClusterRoles" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.LoadBalancerServices" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.Secrets" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $manifests = (concat (default (list ) $manifests) (default (list ) (get (fromJson (include "redpanda.consoleChartIntegration" (dict "a" (list $dot) ))) "r"))) -}} +{{- $manifests = (concat (default (list ) $manifests) (default (list ) (get (fromJson (include "redpanda.connectorsChartIntegration" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_configmap.go.tpl new file mode 100644 index 0000000000..c5a75fa7ff --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_configmap.go.tpl 
@@ -0,0 +1,597 @@ +{{- /* Generated from "configmap.tpl.go" */ -}} + +{{- define "redpanda.ConfigMaps" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cms := (list (get (fromJson (include "redpanda.RedpandaConfigMap" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RPKProfile" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cms) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "bootstrap.yaml" (get (fromJson (include "redpanda.BootstrapFile" (dict "a" (list $dot) ))) "r") "redpanda.yaml" (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot true) ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapFile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $bootstrap := (dict "kafka_enable_authorization" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_sasl" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_rack_awareness" $values.rackAwareness.enabled "storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list 
$values.storage) ))) "r") | int64) ) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.AuditLogging.Translate" (dict "a" (list $values.auditLogging $dot (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Logging.Translate" (dict "a" (list $values.logging) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TunableConfig.Translate" (dict "a" (list $values.config.tunable) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.ClusterConfig.Translate" (dict "a" (list $values.config.cluster) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Auth.Translate" (dict "a" (list $values.auth (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TieredStorageConfig.Translate" (dict "a" (list (deepCopy (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) $values.storage.tiered.credentialsSecretRef) ))) "r")) -}} +{{- $_80___ok_1 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "default_topic_replications" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_80___ok_1 0) -}} +{{- $ok_1 := (index $_80___ok_1 1) -}} +{{- if (and (not $ok_1) (ge ($values.statefulset.replicas | int) (3 | int))) -}} +{{- $_ := (set $bootstrap "default_topic_replications" (3 | int)) -}} +{{- end -}} +{{- $_85___ok_2 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "storage_min_free_bytes" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_85___ok_2 0) -}} +{{- $ok_2 := (index $_85___ok_2 1) -}} +{{- if (not $ok_2) -}} +{{- $_ := (set $bootstrap "storage_min_free_bytes" 
((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (toYaml $bootstrap)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigFile" -}} +{{- $dot := (index .a 0) -}} +{{- $includeSeedServer := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $redpanda := (dict "empty_seed_starts_cluster" false ) -}} +{{- if $includeSeedServer -}} +{{- $_ := (set $redpanda "seed_servers" (get (fromJson (include "redpanda.Listeners.CreateSeedServers" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r")) -}} +{{- end -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.NodeConfig.Translate" (dict "a" (list $values.config.node) ))) "r")) -}} +{{- $_ := (get (fromJson (include "redpanda.configureListeners" (dict "a" (list $redpanda $dot) ))) "r") -}} +{{- $redpandaYaml := (dict "redpanda" $redpanda "schema_registry" (get (fromJson (include "redpanda.schemaRegistry" (dict "a" (list $dot) ))) "r") "schema_registry_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "pandaproxy" (get (fromJson (include "redpanda.pandaProxyListener" (dict "a" (list $dot) ))) "r") "pandaproxy_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "rpk" (get (fromJson (include "redpanda.rpkNodeConfig" (dict "a" (list $dot) ))) "r") "config_file" "/etc/redpanda/redpanda.yaml" ) -}} +{{- if (and (and (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r") $values.auditLogging.enabled) (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) 
"r")) -}} +{{- $_ := (set $redpandaYaml "audit_log_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r")) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (toYaml $redpandaYaml)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RPKProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.external.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-rpk" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "profile" (toYaml (get (fromJson (include "redpanda.rpkProfile" (dict "a" (list $dot) ))) "r")) ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedKafkaPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminAdvertisedList := (list ) -}} +{{- range $_, $i := 
untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $adminAdvertisedList = (concat (default (list ) $adminAdvertisedList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedAdminPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $schemaAdvertisedList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $schemaAdvertisedList = (concat (default (list ) $schemaAdvertisedList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedSchemaPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $kafkaTLS := (get (fromJson (include "redpanda.rpkKafkaClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $_173___ok_3 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $kafkaTLS "ca_file" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_173___ok_3 0) -}} +{{- $ok_3 := (index $_173___ok_3 1) -}} +{{- if $ok_3 -}} +{{- $_ := (set $kafkaTLS "ca_file" "ca.crt") -}} +{{- end -}} +{{- $adminTLS := (get (fromJson (include "redpanda.rpkAdminAPIClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $_179___ok_4 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $adminTLS "ca_file" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_179___ok_4 0) -}} +{{- $ok_4 := (index $_179___ok_4 1) -}} +{{- if $ok_4 -}} +{{- $_ := (set $adminTLS "ca_file" "ca.crt") -}} +{{- end -}} +{{- $schemaTLS := (get (fromJson (include "redpanda.rpkSchemaRegistryClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $_185___ok_5 := (get (fromJson (include "_shims.dicttest" (dict "a" (list 
$schemaTLS "ca_file" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_185___ok_5 0) -}} +{{- $ok_5 := (index $_185___ok_5 1) -}} +{{- if $ok_5 -}} +{{- $_ := (set $schemaTLS "ca_file" "ca.crt") -}} +{{- end -}} +{{- $ka := (dict "brokers" $brokerList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $kafkaTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $ka "tls" $kafkaTLS) -}} +{{- end -}} +{{- $aa := (dict "addresses" $adminAdvertisedList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $adminTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $aa "tls" $adminTLS) -}} +{{- end -}} +{{- $sa := (dict "addresses" $schemaAdvertisedList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $schemaTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $sa "tls" $schemaTLS) -}} +{{- end -}} +{{- $result := (dict "name" (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") "kafka_api" $ka "admin_api" $aa "schema_registry" $sa ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedKafkaPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $externalKafkaListenerName := (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") -}} +{{- $listener := (ternary (index $values.listeners.kafka.external $externalKafkaListenerName) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "prefixTemplate" (coalesce nil) "tls" (coalesce nil) ) (hasKey $values.listeners.kafka.external $externalKafkaListenerName)) -}} +{{- $port := (($values.listeners.kafka.port | int) | int) -}} +{{- if (gt 
(($listener.port | int) | int) ((1 | int) | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedAdminPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.admin.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $externalAdminListenerName := (first $keys) -}} +{{- $listener := (ternary (index $values.listeners.admin.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalAdminListenerName) ))) "r")) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "tls" (coalesce nil) ) (hasKey $values.listeners.admin.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalAdminListenerName) ))) "r"))) -}} +{{- $port := (($values.listeners.admin.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) (1 | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 
| int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedSchemaPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.schemaRegistry.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $externalSchemaListenerName := (first $keys) -}} +{{- $listener := (ternary (index $values.listeners.schemaRegistry.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalSchemaListenerName) ))) "r")) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "tls" (coalesce nil) ) (hasKey $values.listeners.schemaRegistry.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalSchemaListenerName) ))) "r"))) -}} +{{- $port := (($values.listeners.schemaRegistry.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) (1 | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHost" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $address := (printf "%s-%d" (get (fromJson 
(include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ($i | int)) -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address (tpl $values.external.domain $dot)) -}} +{{- end -}} +{{- if (le ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- else -}} +{{- $address = (index $values.external.addresses $i) -}} +{{- end -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address (tpl $values.external.domain $dot)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.getFirstExternalKafkaListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" (first $keys)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BrokerList" -}} +{{- $dot := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $bl := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $bl = (concat (default (list ) $bl) (list (printf "%s-%d.%s:%d" (get (fromJson (include 
"redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") $port))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $bl) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkNodeConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") -}} +{{- $adminTLS := (coalesce nil) -}} +{{- $tls_6 := (get (fromJson (include "redpanda.rpkAdminAPIClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_6) ))) "r") | int) (0 | int)) -}} +{{- $adminTLS = $tls_6 -}} +{{- end -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- $tls_7 := (get (fromJson (include "redpanda.rpkKafkaClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_7) ))) "r") | int) (0 | int)) -}} +{{- $brokerTLS = $tls_7 -}} +{{- end -}} +{{- $schemaRegistryTLS := (coalesce nil) -}} +{{- $tls_8 := (get (fromJson (include "redpanda.rpkSchemaRegistryClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_8) ))) "r") | int) (0 | int)) -}} +{{- $schemaRegistryTLS = $tls_8 -}} +{{- end -}} +{{- $_370_lockMemory_overprovisioned_flags := (get (fromJson (include "redpanda.RedpandaAdditionalStartFlags" (dict "a" (list $values) ))) "r") -}} +{{- $lockMemory := (index $_370_lockMemory_overprovisioned_flags 0) -}} +{{- $overprovisioned := (index $_370_lockMemory_overprovisioned_flags 1) -}} +{{- $flags := (index $_370_lockMemory_overprovisioned_flags 2) -}} +{{- $result := (dict 
"additional_start_flags" $flags "enable_memory_locking" $lockMemory "overprovisioned" $overprovisioned "kafka_api" (dict "brokers" $brokerList "tls" $brokerTLS ) "admin_api" (dict "addresses" (get (fromJson (include "redpanda.Listeners.AdminList" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r") "tls" $adminTLS ) "schema_registry" (dict "addresses" (get (fromJson (include "redpanda.Listeners.SchemaRegistryList" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r") "tls" $schemaRegistryTLS ) ) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Tuning.Translate" (dict "a" (list $values.tuning) ))) "r")) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Config.CreateRPKConfiguration" (dict "a" (list $values.config) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkKafkaClientTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tls := $values.listeners.kafka.tls -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}} +{{- if $tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include 
"redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkAdminAPIClientTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tls := $values.listeners.admin.tls -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}} +{{- if $tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkSchemaRegistryClientTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tls := $values.listeners.schemaRegistry.tls -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list 
$tls $values.tls) ))) "r") ) -}} +{{- if $tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.kafkaClient" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (dict "address" (printf "%s-%d.%s" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) "port" ($values.listeners.kafka.port | int) ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $kafkaTLS := $values.listeners.kafka.tls -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r") -}} +{{- $brokerTLS = (dict "enabled" true "require_client_auth" $kafkaTLS.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $kafkaTLS $values.tls) ))) "r") ) -}} +{{- if $kafkaTLS.requireClientAuth -}} +{{- $_ := (set $brokerTLS "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $brokerTLS "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict 
"a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- end -}} +{{- $cfg := (dict "brokers" $brokerList ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $brokerTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $cfg "broker_tls" $brokerTLS) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cfg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.configureListeners" -}} +{{- $redpanda := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_ := (set $redpanda "admin" (get (fromJson (include "redpanda.AdminListeners.Listeners" (dict "a" (list $values.listeners.admin) ))) "r")) -}} +{{- $_ := (set $redpanda "kafka_api" (get (fromJson (include "redpanda.KafkaListeners.Listeners" (dict "a" (list $values.listeners.kafka $values.auth) ))) "r")) -}} +{{- $_ := (set $redpanda "rpc_server" (get (fromJson (include "redpanda.rpcListeners" (dict "a" (list $dot) ))) "r")) -}} +{{- $_ := (set $redpanda "admin_api_tls" (coalesce nil)) -}} +{{- $tls_9 := (get (fromJson (include "redpanda.AdminListeners.ListenersTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_9) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "admin_api_tls" $tls_9) -}} +{{- end -}} +{{- $_ := (set $redpanda "kafka_api_tls" (coalesce nil)) -}} +{{- $tls_10 := (get (fromJson (include "redpanda.KafkaListeners.ListenersTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_10) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "kafka_api_tls" $tls_10) -}} +{{- end -}} +{{- $tls_11 := (get (fromJson (include "redpanda.rpcListenersTLS" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_11) ))) "r") | int) (0 | int)) 
-}} +{{- $_ := (set $redpanda "rpc_server_tls" $tls_11) -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.pandaProxyListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $pandaProxy := (dict ) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api" (get (fromJson (include "redpanda.HTTPListeners.Listeners" (dict "a" (list $values.listeners.http (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" (coalesce nil)) -}} +{{- $tls_12 := (get (fromJson (include "redpanda.HTTPListeners.ListenersTLS" (dict "a" (list $values.listeners.http $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_12) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" $tls_12) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pandaProxy) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.schemaRegistry" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaReg := (dict ) -}} +{{- $_ := (set $schemaReg "schema_registry_api" (get (fromJson (include "redpanda.SchemaRegistryListeners.Listeners" (dict "a" (list $values.listeners.schemaRegistry (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" (coalesce nil)) -}} +{{- $tls_13 := (get (fromJson (include "redpanda.SchemaRegistryListeners.ListenersTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_13) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" $tls_13) -}} +{{- end -}} +{{- $_is_returning = true -}} 
+{{- (dict "r" $schemaReg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListenersTLS" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $r := $values.listeners.rpc -}} +{{- if (and (not ((or (or (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list $dot) ))) "r")) (get (fromJson (include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list $dot) ))) "r")))) ((or (and (eq (toJson $r.tls.enabled) "null") $values.tls.enabled) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $r.tls.enabled false) ))) "r")))) -}} +{{- $_ := (fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $r.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $certName := $r.tls.cert -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListeners" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "address" "0.0.0.0" "port" ($values.listeners.rpc.port | int) )) 
| toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerTLSCfg" -}} +{{- $tls := (index .a 0) -}} +{{- $internal := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $internal $tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $internal.cert) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerCfg" -}} +{{- $port := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "name" "internal" "address" "0.0.0.0" "port" $port )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAdditionalStartFlags" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $flags := (get (fromJson (include "redpanda.RedpandaResources.GetRedpandaFlags" (dict "a" (list $values.resources) ))) "r") -}} +{{- $_ := (set $flags "--default-log-level" $values.logging.logLevel) -}} +{{- if (eq (index $values.config.node "developer_mode") true) -}} +{{- $_ := (unset $flags "--reserve-memory") -}} +{{- end -}} +{{- range $key, $value := (get (fromJson (include "redpanda.ParseCLIArgs" (dict "a" (list $values.statefulset.additionalRedpandaCmdFlags) ))) "r") -}} +{{- $_ := (set $flags $key $value) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $enabledOptions := (dict 
"true" true "1" true "" true ) -}} +{{- $lockMemory := false -}} +{{- $_655_value_14_ok_15 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $flags "--lock-memory" "") ))) "r") -}} +{{- $value_14 := (index $_655_value_14_ok_15 0) -}} +{{- $ok_15 := (index $_655_value_14_ok_15 1) -}} +{{- if $ok_15 -}} +{{- $lockMemory = (ternary (index $enabledOptions $value_14) false (hasKey $enabledOptions $value_14)) -}} +{{- $_ := (unset $flags "--lock-memory") -}} +{{- end -}} +{{- $overprovisioned := false -}} +{{- $_662_value_16_ok_17 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $flags "--overprovisioned" "") ))) "r") -}} +{{- $value_16 := (index $_662_value_16_ok_17 0) -}} +{{- $ok_17 := (index $_662_value_16_ok_17 1) -}} +{{- if $ok_17 -}} +{{- $overprovisioned = (ternary (index $enabledOptions $value_16) false (hasKey $enabledOptions $value_16)) -}} +{{- $_ := (unset $flags "--overprovisioned") -}} +{{- end -}} +{{- $keys := (keys $flags) -}} +{{- $keys = (sortAlpha $keys) -}} +{{- $rendered := (coalesce nil) -}} +{{- range $_, $key := $keys -}} +{{- $value := (ternary (index $flags $key) "" (hasKey $flags $key)) -}} +{{- if (eq $value "") -}} +{{- $rendered = (concat (default (list ) $rendered) (list $key)) -}} +{{- else -}} +{{- $rendered = (concat (default (list ) $rendered) (list (printf "%s=%s" $key $value))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $lockMemory $overprovisioned $rendered)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_connectors.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_connectors.go.tpl new file mode 100644 index 0000000000..c9c31a95b5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_connectors.go.tpl 
@@ -0,0 +1,47 @@ +{{- /* Generated from "connectors.go" */ -}} + +{{- define "redpanda.connectorsChartIntegration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values -}} +{{- if (or (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.connectors.enabled false) ))) "r")) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.connectors.deployment.create false) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $connectorsDot := (index $dot.Subcharts "connectors") -}} +{{- $loadedValues := $connectorsDot.Values -}} +{{- $connectorsValue := $connectorsDot.Values -}} +{{- $_ := (set $connectorsValue "deployment" (merge (dict ) $connectorsValue.deployment (mustMergeOverwrite (dict "create" false "strategy" (dict ) "schedulerName" "" "budget" (dict "maxUnavailable" 0 ) "annotations" (coalesce nil) "extraEnv" (coalesce nil) "extraEnvFrom" (coalesce nil) "progressDeadlineSeconds" 0 "nodeSelector" (coalesce nil) "tolerations" (coalesce nil) "restartPolicy" "" ) (dict "create" true )))) -}} +{{- if (eq $connectorsValue.connectors.bootstrapServers "") -}} +{{- range $_, $b := (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $connectorsValue.connectors.bootstrapServers) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $connectorsValue.connectors "bootstrapServers" $b) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $connectorsValue.connectors "bootstrapServers" (printf "%s,%s" $connectorsValue.connectors.bootstrapServers $b)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_ := (set $connectorsValue.connectors "brokerTLS" (mustMergeOverwrite (dict "enabled" false "ca" (dict "secretRef" "" 
"secretNameOverwrite" "" ) "cert" (dict "secretRef" "" "secretNameOverwrite" "" ) "key" (dict "secretRef" "" "secretNameOverwrite" "" ) ) (dict "enabled" false "ca" (mustMergeOverwrite (dict "secretRef" "" "secretNameOverwrite" "" ) (dict )) "cert" (mustMergeOverwrite (dict "secretRef" "" "secretNameOverwrite" "" ) (dict )) "key" (mustMergeOverwrite (dict "secretRef" "" "secretNameOverwrite" "" ) (dict )) ))) -}} +{{- $_ := (set $connectorsValue.connectors "brokerTLS" (get (fromJson (include "redpanda.KafkaListeners.ConnectorsTLS" (dict "a" (list $values.listeners.kafka $values.tls (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $command := (list "bash" "-c" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" "set -e; IFS=':' read -r CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print));" (printf " CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-%s};" (get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) " export CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM;") " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-256\" ]] && CONNECT_SASL_MECHANISM=scram-sha-256;") " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-512\" ]] && CONNECT_SASL_MECHANISM=scram-sha-512;") " export CONNECT_SASL_MECHANISM;") " echo $CONNECT_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password;") " exec /opt/kafka/bin/kafka_connect_run.sh")) -}} +{{- $_ := (set $connectorsValue.deployment "command" $command) -}} +{{- $_ := (set $connectorsValue.auth "sasl" (merge (dict ) $connectorsValue.auth.sasl (mustMergeOverwrite (dict "enabled" false "mechanism" "" "secretRef" "" "userName" "" ) (dict "enabled" true )))) -}} +{{- $_ := (set $connectorsValue.storage "volume" (concat (default (list ) 
$connectorsValue.storage.volume) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $values.auth.sasl.secretRef )) )) (dict "name" (get (fromJson (include "redpanda.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "users") ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" (get (fromJson (include "redpanda.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "user-password") ))) "r") )))))) -}} +{{- $_ := (set $connectorsValue.storage "volumeMounts" (concat (default (list ) $connectorsValue.storage.volumeMounts) (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "users") ))) "r") "mountPath" "/mnt/users" "readOnly" true )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "user-password") ))) "r") "mountPath" "/opt/kafka/connect-password/rc-credentials" )))))) -}} +{{- $_ := (set $connectorsValue.deployment "extraEnv" (concat (default (list ) $connectorsValue.deployment.extraEnv) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_PASSWORD_FILE" "value" "rc-credentials/password" )))))) -}} +{{- end -}} +{{- $_ := (set $connectorsDot "Values" $connectorsValue) -}} +{{- $manifests := (list (get (fromJson (include "connectors.Deployment" (dict "a" (list $connectorsDot) ))) "r")) -}} +{{- $_ := (set $connectorsDot "Values" $loadedValues) -}} +{{- $_is_returning = true -}} 
+{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_console.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_console.go.tpl new file mode 100644 index 0000000000..270267033a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_console.go.tpl 
@@ -0,0 +1,165 @@ +{{- /* Generated from "console.tpl.go" */ -}} + +{{- define "redpanda.consoleChartIntegration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.enabled true) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $consoleDot := (index $dot.Subcharts "console") -}} +{{- $loadedValues := $consoleDot.Values -}} +{{- $consoleValue := $consoleDot.Values -}} +{{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}} +{{- if (and (ne $license_1 "") (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.secret.create false) ))) "r"))) -}} +{{- $_ := (set $consoleValue.secret "create" true) -}} +{{- $_ := (set $consoleValue.secret "enterprise" (mustMergeOverwrite (dict ) (dict "license" $license_1 ))) -}} +{{- end -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.configmap.create false) ))) "r")) -}} +{{- $_ := (set $consoleValue.configmap "create" true) -}} +{{- $_ := (set $consoleValue.console "config" (get (fromJson (include "redpanda.ConsoleConfig" (dict "a" (list $dot) ))) "r")) -}} +{{- end -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.deployment.create false) ))) "r")) -}} +{{- $_ := (set $consoleValue.deployment "create" true) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $command := (list "sh" "-c" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" "set -e; IFS=':' read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print));" (printf " KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s};" 
(get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) " export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM;") " export KAFKA_SCHEMAREGISTRY_USERNAME=$KAFKA_SASL_USERNAME;") " export KAFKA_SCHEMAREGISTRY_PASSWORD=$KAFKA_SASL_PASSWORD;") " export REDPANDA_ADMINAPI_USERNAME=$KAFKA_SASL_USERNAME;") " export REDPANDA_ADMINAPI_PASSWORD=$KAFKA_SASL_PASSWORD;") " /app/console $@") " --") -}} +{{- $_ := (set $consoleValue.deployment "command" $command) -}} +{{- end -}} +{{- $secret_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $secret_2) "null") -}} +{{- $_ := (set $consoleValue "enterprise" (mustMergeOverwrite (dict "licenseSecretRef" (dict "name" "" "key" "" ) ) (dict "licenseSecretRef" (mustMergeOverwrite (dict "name" "" "key" "" ) (dict "name" $secret_2.name "key" $secret_2.key )) ))) -}} +{{- end -}} +{{- $_ := (set $consoleValue "extraVolumes" (get (fromJson (include "redpanda.consoleTLSVolumes" (dict "a" (list $dot) ))) "r")) -}} +{{- $_ := (set $consoleValue "extraVolumeMounts" (get (fromJson (include "redpanda.consoleTLSVolumesMounts" (dict "a" (list $dot) ))) "r")) -}} +{{- $_ := (set $consoleDot "Values" $consoleValue) -}} +{{- $cfg := (get (fromJson (include "console.ConfigMap" (dict "a" (list $consoleDot) ))) "r") -}} +{{- if (eq (toJson $consoleValue.podAnnotations) "null") -}} +{{- $_ := (set $consoleValue "podAnnotations" (dict )) -}} +{{- end -}} +{{- $_ := (set $consoleValue.podAnnotations "checksum-redpanda-chart/config" (sha256sum (toYaml $cfg))) -}} +{{- end -}} +{{- $_ := (set $consoleDot "Values" $consoleValue) -}} +{{- $manifests := (list (get (fromJson (include "console.Secret" (dict "a" (list $consoleDot) ))) "r") (get (fromJson (include "console.ConfigMap" (dict "a" (list $consoleDot) ))) "r") (get (fromJson (include "console.Deployment" (dict "a" (list $consoleDot) ))) "r")) -}} +{{- $_ := (set $consoleDot "Values" 
$loadedValues) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.consoleTLSVolumesMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts := (list ) -}} +{{- $sasl_3 := $values.auth.sasl -}} +{{- if (and $sasl_3.enabled (ne $sasl_3.secretRef "")) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "%s-users" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/mnt/users" "readOnly" true )))) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $values.listeners $values.tls) ))) "r")) ))) "r") | int) (0 | int)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststores" "mountPath" "/etc/truststores" "readOnly" true )))) -}} +{{- end -}} +{{- $visitedCert := (dict ) -}} +{{- range $_, $tlsCfg := (list $values.listeners.kafka.tls $values.listeners.schemaRegistry.tls $values.listeners.admin.tls) -}} +{{- $_137___visited := (get (fromJson (include "_shims.dicttest" (dict "a" (list $visitedCert $tlsCfg.cert false) ))) "r") -}} +{{- $_ := (index $_137___visited 0) -}} +{{- $visited := (index $_137___visited 1) -}} +{{- if (or (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tlsCfg $values.tls) ))) "r")) $visited) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $visitedCert $tlsCfg.cert true) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $tlsCfg.cert) "mountPath" (printf "%s/%s" "/etc/tls/certs" $tlsCfg.cert) )))) -}} +{{- end -}} +{{- if $_is_returning 
-}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $mounts) (default (list ) $values.console.extraVolumeMounts))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.consoleTLSVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes := (list ) -}} +{{- $sasl_4 := $values.auth.sasl -}} +{{- if (and $sasl_4.enabled (ne $sasl_4.secretRef "")) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $values.auth.sasl.secretRef )) )) (dict "name" (printf "%s-users" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}} +{{- end -}} +{{- $vol_5 := (get (fromJson (include "redpanda.Listeners.TrustStoreVolume" (dict "a" (list $values.listeners $values.tls) ))) "r") -}} +{{- if (ne (toJson $vol_5) "null") -}} +{{- $volumes = (concat (default (list ) $volumes) (list $vol_5)) -}} +{{- end -}} +{{- $visitedCert := (dict ) -}} +{{- range $_, $tlsCfg := (list $values.listeners.kafka.tls $values.listeners.schemaRegistry.tls $values.listeners.admin.tls) -}} +{{- $_178___visited := (get (fromJson (include "_shims.dicttest" (dict "a" (list $visitedCert $tlsCfg.cert false) ))) "r") -}} +{{- $_ := (index $_178___visited 0) -}} +{{- $visited := (index $_178___visited 1) -}} +{{- if (or (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tlsCfg $values.tls) ))) "r")) $visited) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $visitedCert $tlsCfg.cert true) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o420 | int) "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict 
"a" (list $dot $tlsCfg.cert (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $tlsCfg.cert) ))) "r")) ))) "r") )) )) (dict "name" (printf "redpanda-%s-cert" $tlsCfg.cert) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.console.extraVolumes))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ConsoleConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaURLs := (coalesce nil) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $schema := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.schemaRegistry.tls $values.tls) ))) "r") -}} +{{- $schema = "https" -}} +{{- end -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $schemaURLs = (concat (default (list ) $schemaURLs) (list (printf "%s://%s-%d.%s:%d" $schema (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.schemaRegistry.port | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $schema := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $schema = "https" -}} +{{- end -}} +{{- $c := (dict "kafka" (dict "brokers" (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") "sasl" (dict "enabled" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") ) "tls" (get (fromJson 
(include "redpanda.KafkaListeners.ConsoleTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") "schemaRegistry" (dict "enabled" $values.listeners.schemaRegistry.enabled "urls" $schemaURLs "tls" (get (fromJson (include "redpanda.SchemaRegistryListeners.ConsoleTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") ) ) "redpanda" (dict "adminApi" (dict "enabled" true "urls" (list (printf "%s://%s:%d" $schema (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) "tls" (get (fromJson (include "redpanda.AdminListeners.ConsoleTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") ) ) ) -}} +{{- if (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.connectors.enabled false) ))) "r") -}} +{{- $port := (dig "connectors" "connectors" "restPort" (8083 | int) $dot.Values.AsMap) -}} +{{- $_249_p_ok := (get (fromJson (include "_shims.asintegral" (dict "a" (list $port) ))) "r") -}} +{{- $p := ((index $_249_p_ok 0) | int) -}} +{{- $ok := (index $_249_p_ok 1) -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $c) | toJson -}} +{{- break -}} +{{- end -}} +{{- $connectorsDot := (index $dot.Subcharts "connectors") -}} +{{- $connectorsURL := (printf "http://%s.%s.svc.%s:%d" (get (fromJson (include "connectors.Fullname" (dict "a" (list $connectorsDot) ))) "r") $dot.Release.Namespace (trimSuffix "." 
$values.clusterDomain) $p) -}} +{{- $_ := (set $c "connect" (dict "enabled" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.connectors.enabled false) ))) "r") "clusters" (list (dict "name" "connectors" "url" $connectorsURL "tls" (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) "username" "" "password" "" "token" "" )) "connectTimeout" (0 | int) "readTimeout" (0 | int) "requestTimeout" (0 | int) )) -}} +{{- end -}} +{{- if (eq (toJson $values.console.console) "null") -}} +{{- $_ := (set $values.console "console" (mustMergeOverwrite (dict ) (dict "config" (dict ) ))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.console.console.config $c)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_example-commands.tpl b/charts/redpanda/redpanda/5.9.19/templates/_example-commands.tpl new file mode 100644 index 0000000000..9a5c695e32 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_example-commands.tpl 
@@ -0,0 +1,58 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+
+{{/*
+Any rpk command that's given to the user in NOTES.txt must be defined in this template file
+and tested in a test.
+*/}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-acl-user-create" -}}
+{{- $cmd := (get ((include "redpanda.RpkACLUserCreate" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-acl-create" -}}
+{{- $cmd := (get ((include "redpanda.RpkACLCreate" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-cluster-info" -}}
+{{- $cmd := (get ((include "redpanda.RpkClusterInfo" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-topic-create" -}}
+{{- $cmd := (get ((include "redpanda.RpkTopicCreate" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-topic-describe" -}}
+{{- $cmd := (get ((include "redpanda.RpkTopicDescribe" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-topic-delete" -}}
+{{- $cmd := (get ((include "redpanda.RpkTopicDelete" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.19/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_helpers.go.tpl
new file mode 100644
index 0000000000..d14ea79bb1
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/_helpers.go.tpl
@@ -0,0 +1,663 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "redpanda.ChartLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (replace "+" "_" (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version))) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_51_override_1_ok_2 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "nameOverride") "") ))) "r") -}} +{{- $override_1 := (index $_51_override_1_ok_2 0) -}} +{{- $ok_2 := (index $_51_override_1_ok_2 1) -}} +{{- if (and $ok_2 (ne $override_1 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_1) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Chart.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_61_override_3_ok_4 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "fullnameOverride") "") ))) "r") -}} +{{- $override_3 := (index $_61_override_3_ok_4 0) -}} +{{- $ok_4 := (index $_61_override_3_ok_4 1) -}} +{{- if (and $ok_4 (ne $override_3 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_3) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- 
end -}} +{{- end -}} + +{{- define "redpanda.FullLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $labels := (dict ) -}} +{{- if (ne (toJson $values.commonLabels) "null") -}} +{{- $labels = $values.commonLabels -}} +{{- end -}} +{{- $defaults := (dict "helm.sh/chart" (get (fromJson (include "redpanda.ChartLabel" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/managed-by" $dot.Release.Service "app.kubernetes.io/component" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $labels $defaults)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $serviceAccount := $values.serviceAccount -}} +{{- if (and $serviceAccount.create (ne $serviceAccount.name "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $serviceAccount.name) | toJson -}} +{{- break -}} +{{- else -}}{{- if $serviceAccount.create -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- else -}}{{- if (ne $serviceAccount.name "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $serviceAccount.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "default") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tag" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := (toString $values.image.tag) -}} +{{- if (eq $tag 
"") -}} +{{- $tag = $dot.Chart.AppVersion -}} +{{- end -}} +{{- $pattern := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- if (not (regexMatch $pattern $tag)) -}} +{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tag) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne (toJson $values.service) "null") (ne (toJson $values.service.name) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $values.service.name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalDomain" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} +{{- $ns := $dot.Release.Namespace -}} +{{- $domain := (trimSuffix "." $values.clusterDomain) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s.%s.svc.%s." 
$service $ns $domain)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSEnabled" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.tls.enabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} +{{- range $_, $listener := $listeners -}} +{{- $tlsCert := (dig "listeners" $listener "tls" "cert" false $dot.Values.AsMap) -}} +{{- $tlsEnabled := (dig "listeners" $listener "tls" "enabled" false $dot.Values.AsMap) -}} +{{- if (and (not (empty $tlsEnabled)) (not (empty $tlsCert))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $external := (dig "listeners" $listener "external" false $dot.Values.AsMap) -}} +{{- if (empty $external) -}} +{{- continue -}} +{{- end -}} +{{- $keys := (keys (get (fromJson (include "_shims.typeassertion" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $external) ))) "r")) -}} +{{- range $_, $key := $keys -}} +{{- $enabled := (dig "listeners" $listener "external" $key "enabled" false $dot.Values.AsMap) -}} +{{- $tlsCert := (dig "listeners" $listener "external" $key "tls" "cert" false $dot.Values.AsMap) -}} +{{- $tlsEnabled := (dig "listeners" $listener "external" $key "tls" "enabled" false $dot.Values.AsMap) -}} +{{- if (and (and (not (empty $enabled)) (not (empty $tlsCert))) (not (empty $tlsEnabled))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClientAuthRequired" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := 
(list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} +{{- range $_, $listener := $listeners -}} +{{- $required := (dig "listeners" $listener "tls" "requireClientAuth" false $dot.Values.AsMap) -}} +{{- if (not (empty $required)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.DefaultMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/etc/redpanda" )))) (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CommonMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts := (list ) -}} +{{- $sasl_5 := $values.auth.sasl -}} +{{- if (and $sasl_5.enabled (ne $sasl_5.secretRef "")) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "users" "mountPath" "/etc/secrets/users" "readOnly" true )))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $certNames := (keys $values.tls.certs) -}} +{{- $_ := (sortAlpha $certNames) -}} +{{- range $_, $name := $certNames -}} +{{- $cert := (ternary (index $values.tls.certs $name) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce 
nil) ) (hasKey $values.tls.certs $name)) -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "%s/%s" "/etc/tls/certs" $name) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminTLS := $values.listeners.admin.tls -}} +{{- if $adminTLS.requireClientAuth -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "mtls-client" "mountPath" (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.DefaultVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "base-config" )))) (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CommonVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $volumes := (list ) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $certNames := (keys $values.tls.certs) -}} +{{- $_ := (sortAlpha $certNames) -}} +{{- range $_, 
$name := $certNames -}} +{{- $cert := (ternary (index $values.tls.certs $name) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil) ) (hasKey $values.tls.certs $name)) -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $name $cert) ))) "r") "defaultMode" (0o440 | int) )) )) (dict "name" (printf "redpanda-%s-cert" $name) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminTLS := $values.listeners.admin.tls -}} +{{- $cert := (ternary (index $values.tls.certs $adminTLS.cert) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil) ) (hasKey $values.tls.certs $adminTLS.cert)) -}} +{{- if $adminTLS.requireClientAuth -}} +{{- $secretName := (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- if (ne (toJson $cert.clientSecretRef) "null") -}} +{{- $secretName = $cert.clientSecretRef.name -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $secretName "defaultMode" (0o440 | int) )) )) (dict "name" "mtls-client" )))) -}} +{{- end -}} +{{- end -}} +{{- $sasl_6 := $values.auth.sasl -}} +{{- if (and $sasl_6.enabled (ne $sasl_6.secretRef "")) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) 
(mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $sasl_6.secretRef )) )) (dict "name" "users" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CertSecretName" -}} +{{- $dot := (index .a 0) -}} +{{- $certName := (index .a 1) -}} +{{- $cert := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $cert.secretRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cert.secretRef.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $certName)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PodSecurityContext" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "fsGroup" $sc.fsGroup "fsGroupChangePolicy" $sc.fsGroupChangePolicy ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ContainerSecurityContext" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "runAsUser" $sc.runAsUser "runAsGroup" (get (fromJson (include "redpanda.coalesce" (dict "a" (list (list $sc.runAsGroup $sc.fsGroup)) ))) "r") "allowPrivilegeEscalation" (get (fromJson (include 
"redpanda.coalesce" (dict "a" (list (list $sc.allowPrivilegeEscalation $sc.allowPriviledgeEscalation)) ))) "r") "runAsNonRoot" $sc.runAsNonRoot ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_2_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_3_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_1_1" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.1-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_1_2" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.2-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.13-0,<22.4") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.10-0,<22.3") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_2_1" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.2.1-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_3_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.redpandaAtLeast" -}} +{{- $dot := (index .a 0) -}} +{{- $constraint := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $version := (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) -}} +{{- $_402_result_err := (list (semverCompare $constraint $version) nil) -}} +{{- $result := (index $_402_result_err 0) -}} +{{- $err := (index $_402_result_err 1) -}} +{{- if (ne (toJson $err) "null") -}} +{{- $_ := (fail $err) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.cleanForK8s" -}} +{{- $in := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $in))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.cleanForK8sWithSuffix" -}} +{{- $s := (index .a 0) -}} +{{- $suffix := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $lengthToTruncate := ((sub (((add ((get (fromJson (include "_shims.len" (dict "a" (list $s) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $suffix) ))) "r") | int)) | int)) (63 | int)) | int) -}} +{{- if (gt $lengthToTruncate (0 | int)) -}} +{{- $s = (trunc $lengthToTruncate $s) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s" $s $suffix)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.coalesce" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- range $_, $v := $values -}} +{{- if (ne (toJson $v) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $v) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StrategicMergePatch" -}} +{{- $overrides := (index .a 0) -}} +{{- $original := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $overrideSpec := $overrides.spec -}} +{{- if (eq (toJson $overrideSpec) "null") -}} +{{- $overrideSpec = (mustMergeOverwrite (dict ) (dict )) -}} +{{- end -}} +{{- $merged := (merge (dict ) (mustMergeOverwrite (dict ) (dict "metadata" (mustMergeOverwrite (dict ) (dict "labels" $overrides.labels "annotations" $overrides.annotations )) "spec" $overrideSpec )) $original) -}} +{{- $_ := (set $merged.spec "initContainers" (get (fromJson (include "redpanda.mergeSliceBy" (dict "a" (list $original.spec.initContainers $overrideSpec.initContainers "name" "redpanda.mergeContainer") ))) "r")) -}} +{{- $_ := (set $merged.spec "containers" (get (fromJson (include "redpanda.mergeSliceBy" (dict "a" (list 
$original.spec.containers $overrideSpec.containers "name" "redpanda.mergeContainer") ))) "r")) -}} +{{- $_ := (set $merged.spec "volumes" (get (fromJson (include "redpanda.mergeSliceBy" (dict "a" (list $original.spec.volumes $overrideSpec.volumes "name" "redpanda.mergeVolume") ))) "r")) -}} +{{- if (eq (toJson $merged.metadata.labels) "null") -}} +{{- $_ := (set $merged.metadata "labels" (dict )) -}} +{{- end -}} +{{- if (eq (toJson $merged.metadata.annotations) "null") -}} +{{- $_ := (set $merged.metadata "annotations" (dict )) -}} +{{- end -}} +{{- if (eq (toJson $merged.spec.nodeSelector) "null") -}} +{{- $_ := (set $merged.spec "nodeSelector" (dict )) -}} +{{- end -}} +{{- if (eq (toJson $merged.spec.tolerations) "null") -}} +{{- $_ := (set $merged.spec "tolerations" (list )) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $merged) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.mergeSliceBy" -}} +{{- $original := (index .a 0) -}} +{{- $override := (index .a 1) -}} +{{- $mergeKey := (index .a 2) -}} +{{- $mergeFunc := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $originalKeys := (dict ) -}} +{{- $overrideByKey := (dict ) -}} +{{- range $_, $el := $override -}} +{{- $_514_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey) ))) "r") -}} +{{- $key := (index $_514_key_ok 0) -}} +{{- $ok := (index $_514_key_ok 1) -}} +{{- if (not $ok) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $overrideByKey $key $el) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $merged := (coalesce nil) -}} +{{- range $_, $el := $original -}} +{{- $_526_key__ := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey) ))) "r") -}} +{{- $key := (index $_526_key__ 0) -}} +{{- $_ := (index $_526_key__ 1) -}} +{{- $_ := (set $originalKeys $key true) -}} +{{- $_528_elOverride_7_ok_8 := (get (fromJson (include "_shims.dicttest" (dict "a" (list 
$overrideByKey $key (coalesce nil)) ))) "r") -}} +{{- $elOverride_7 := (index $_528_elOverride_7_ok_8 0) -}} +{{- $ok_8 := (index $_528_elOverride_7_ok_8 1) -}} +{{- if $ok_8 -}} +{{- $merged = (concat (default (list ) $merged) (list (get (fromJson (include $mergeFunc (dict "a" (list $el $elOverride_7) ))) "r"))) -}} +{{- else -}} +{{- $merged = (concat (default (list ) $merged) (list $el)) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $el := $override -}} +{{- $_538_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey) ))) "r") -}} +{{- $key := (index $_538_key_ok 0) -}} +{{- $ok := (index $_538_key_ok 1) -}} +{{- if (not $ok) -}} +{{- continue -}} +{{- end -}} +{{- $_543___ok_9 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $originalKeys $key false) ))) "r") -}} +{{- $_ := (index $_543___ok_9 0) -}} +{{- $ok_9 := (index $_543___ok_9 1) -}} +{{- if $ok_9 -}} +{{- continue -}} +{{- end -}} +{{- $merged = (concat (default (list ) $merged) (list (merge (dict ) $el))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $merged) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.mergeEnvVar" -}} +{{- $original := (index .a 0) -}} +{{- $overrides := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $overrides)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.mergeVolume" -}} +{{- $original := (index .a 0) -}} +{{- $override := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $override $original)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.mergeVolumeMount" -}} +{{- $original := (index .a 0) -}} +{{- $override := (index .a 1) -}} +{{- range $_ := 
(list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $override $original)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.mergeContainer" -}} +{{- $original := (index .a 0) -}} +{{- $override := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $merged := (merge (dict ) $override $original) -}} +{{- $_ := (set $merged "env" (get (fromJson (include "redpanda.mergeSliceBy" (dict "a" (list $original.env $override.env "name" "redpanda.mergeEnvVar") ))) "r")) -}} +{{- $_ := (set $merged "volumeMounts" (get (fromJson (include "redpanda.mergeSliceBy" (dict "a" (list $original.volumeMounts $override.volumeMounts "name" "redpanda.mergeVolumeMount") ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $merged) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ParseCLIArgs" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $parsed := (dict ) -}} +{{- $i := -1 -}} +{{- range $_, $_ := $args -}} +{{- $i = ((add $i (1 | int)) | int) -}} +{{- if (ge $i ((get (fromJson (include "_shims.len" (dict "a" (list $args) ))) "r") | int)) -}} +{{- break -}} +{{- end -}} +{{- if (not (hasPrefix "-" (index $args $i))) -}} +{{- continue -}} +{{- end -}} +{{- $flag := (index $args $i) -}} +{{- $spl := (mustRegexSplit " |=" $flag (2 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $spl) ))) "r") | int) (2 | int)) -}} +{{- $_ := (set $parsed (index $spl (0 | int)) (index $spl (1 | int))) -}} +{{- continue -}} +{{- end -}} +{{- if (and (lt ((add $i (1 | int)) | int) ((get (fromJson (include "_shims.len" (dict "a" (list $args) ))) "r") | int)) (not (hasPrefix "-" (index $args ((add $i (1 | int)) | int))))) -}} +{{- $_ := (set $parsed $flag (index $args ((add $i (1 | int)) | int))) -}} +{{- $i = ((add $i (1 | int)) | int) -}} +{{- continue -}} +{{- end -}} +{{- $_ 
:= (set $parsed $flag "") -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $parsed) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.19/templates/_helpers.tpl new file mode 100644 index 0000000000..a885f9dcd3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_helpers.tpl 
@@ -0,0 +1,368 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "redpanda.name" -}} +{{- get ((include "redpanda.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "redpanda.fullname" -}} +{{- get ((include "redpanda.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default service name +*/}} +{{- define "redpanda.servicename" -}} +{{- get ((include "redpanda.ServiceName" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +full helm labels + common labels +*/}} +{{- define "full.labels" -}} +{{- (get ((include "redpanda.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. 
+*/}} +{{- define "redpanda.chart" -}} +{{- get ((include "redpanda.Chart" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redpanda.serviceAccountName" -}} +{{- get ((include "redpanda.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Use AppVersion if image.tag is not set +*/}} +{{- define "redpanda.tag" -}} +{{- get ((include "redpanda.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* Generate internal fqdn */}} +{{- define "redpanda.internal.domain" -}} +{{- get ((include "redpanda.InternalDomain" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* ConfigMap variables */}} +{{- define "admin-internal-tls-enabled" -}} +{{- toJson (dict "bool" (get ((include "redpanda.InternalTLS.IsEnabled" (dict "a" (list .Values.listeners.admin.tls .Values.tls))) | fromJson) "r")) -}} +{{- end -}} + +{{- define "kafka-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.kafka -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "kafka-external-tls-cert" -}} +{{- dig "tls" "cert" .Values.listeners.kafka.tls.cert .listener -}} +{{- end -}} + +{{- define "http-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.http -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "schemaRegistry-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.schemaRegistry -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "tls-enabled" -}} +{{- $tlsenabled := get ((include "redpanda.TLSEnabled" (dict "a" (list .))) | fromJson) "r" }} +{{- toJson (dict "bool" $tlsenabled) -}} +{{- end -}} + +{{- define 
"sasl-enabled" -}} +{{- toJson (dict "bool" (dig "enabled" false .Values.auth.sasl)) -}} +{{- end -}} + +{{- define "admin-api-urls" -}} +{{ printf "${SERVICE_NAME}.%s" (include "redpanda.internal.domain" .) }}:{{.Values.listeners.admin.port }} +{{- end -}} + +{{- define "admin-api-service-url" -}} +{{ include "redpanda.internal.domain" .}}:{{.Values.listeners.admin.port }} +{{- end -}} + +{{- define "sasl-mechanism" -}} +{{- dig "sasl" "mechanism" "SCRAM-SHA-512" .Values.auth -}} +{{- end -}} + +{{- define "fail-on-insecure-sasl-logging" -}} +{{- if (include "sasl-enabled" .|fromJson).bool -}} + {{- $check := list + (include "redpanda-atleast-23-1-1" .|fromJson).bool + (include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool + (include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool + -}} + {{- if not (mustHas true $check) -}} + {{- fail "SASL is enabled and the redpanda version specified leaks secrets to the logs. Please choose a newer version of redpanda." -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "fail-on-unsupported-helm-version" -}} + {{- $helmVer := (fromYaml (toYaml .Capabilities.HelmVersion)).version -}} + {{- if semverCompare "<3.8.0-0" $helmVer -}} + {{- fail (printf "helm version %s is not supported. Please use helm version v3.8.0 or newer." 
$helmVer) -}} + {{- end -}} +{{- end -}} + +{{- define "redpanda-atleast-22-2-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-22-3-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-1-1" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_1" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-1-2" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-22-3-atleast-22-3-13" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-22-2-atleast-22-2-10" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-2-1" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-3-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} + +{{- define "redpanda-22-2-x-without-sasl" -}} +{{- $result := (include "redpanda-atleast-22-3-0" . | fromJson).bool -}} +{{- if or (include "sasl-enabled" . 
| fromJson).bool .Values.listeners.kafka.authenticationMethod -}} +{{- $result := false -}} +{{- end -}} +{{- toJson (dict "bool" $result) -}} +{{- end -}} + +{{- define "pod-security-context" -}} +{{- get ((include "redpanda.PodSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }} +{{- end -}} + +{{- define "container-security-context" -}} +{{- get ((include "redpanda.ContainerSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }} +{{- end -}} + +{{- define "admin-tls-curl-flags" -}} + {{- $result := "" -}} + {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}} + {{- $path := (printf "/etc/tls/certs/%s" .Values.listeners.admin.tls.cert) -}} + {{- $result = (printf "--cacert %s/tls.crt" $path) -}} + {{- if .Values.listeners.admin.tls.requireClientAuth -}} + {{- $result = (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path) -}} + {{- end -}} + {{- end -}} + {{- $result -}} +{{- end -}} + +{{- define "admin-http-protocol" -}} + {{- $result := "http" -}} + {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}} + {{- $result = "https" -}} + {{- end -}} + {{- $result -}} +{{- end -}} + +{{- /* +advertised-port returns either the only advertised port if only one is specified, +or the port specified for this pod ordinal when there is a full list provided. + +This will return a string int or panic if there is more than one port provided, +but not enough ports for the number of replicas requested. 
+*/ -}} +{{- define "advertised-port" -}} + {{- $port := dig "port" .listenerVals.port .externalVals -}} + {{- if .externalVals.advertisedPorts -}} + {{- if eq (len .externalVals.advertisedPorts) 1 -}} + {{- $port = mustFirst .externalVals.advertisedPorts -}} + {{- else -}} + {{- $port = index .externalVals.advertisedPorts .replicaIndex -}} + {{- end -}} + {{- end -}} + {{ $port }} +{{- end -}} + +{{- /* +advertised-host returns a json string with the data needed for configuring the advertised listener +*/ -}} +{{- define "advertised-host" -}} + {{- $host := dict "name" .externalName "address" .externalAdvertiseAddress "port" .port -}} + {{- if .values.external.addresses -}} + {{- $address := "" -}} + {{- if gt (len .values.external.addresses) 1 -}} + {{- $address = (index .values.external.addresses .replicaIndex) -}} + {{- else -}} + {{- $address = (index .values.external.addresses 0) -}} + {{- end -}} + {{- if ( .values.external.domain | default "" ) }} + {{- $host = dict "name" .externalName "address" (printf "%s.%s" $address .values.external.domain) "port" .port -}} + {{- else -}} + {{- $host = dict "name" .externalName "address" $address "port" .port -}} + {{- end -}} + {{- end -}} + {{- toJson $host -}} +{{- end -}} + +{{- define "is-licensed" -}} +{{- toJson (dict "bool" (or (not (empty (include "enterprise-license" . ))) (not (empty (include "enterprise-secret" . 
))))) -}} +{{- end -}} + +{{- define "seed-server-list" -}} + {{- $brokers := list -}} + {{- range $ordinal := until (.Values.statefulset.replicas | int) -}} + {{- $brokers = append $brokers (printf "%s-%d.%s" + (include "redpanda.fullname" $) + $ordinal + (include "redpanda.internal.domain" $)) + -}} + {{- end -}} + {{- toJson $brokers -}} +{{- end -}} + +{{/* +return license checks deprecated values if current values is empty +*/}} +{{- define "enterprise-license" -}} +{{- if dig "license" dict .Values.enterprise -}} + {{- .Values.enterprise.license -}} +{{- else -}} + {{- .Values.license_key -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef.name checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret-name" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- dig "name" "" .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- dig "secret_name" "" .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef.key checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret-key" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- dig "key" "" .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- dig "secret_key" "" .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* mounts that are common to all containers */}} +{{- define "common-mounts" -}} +{{- $mounts := get ((include "redpanda.CommonMounts" (dict "a" (list .))) | fromJson) "r" }} +{{- if $mounts -}} +{{- 
toYaml $mounts -}} +{{- end -}} +{{- end -}} + +{{/* mounts that are common to most containers */}} +{{- define "default-mounts" -}} +{{- $mounts := get ((include "redpanda.DefaultMounts" (dict "a" (list .))) | fromJson) "r" }} +{{- if $mounts -}} +{{- toYaml $mounts -}} +{{- end -}} +{{- end -}} + +{{/* volumes that are common to all pods */}} +{{- define "common-volumes" -}} +{{- $volumes := get ((include "redpanda.CommonVolumes" (dict "a" (list .))) | fromJson) "r" }} +{{- if $volumes -}} +{{- toYaml $volumes -}} +{{- end -}} +{{- end -}} + +{{/* the default set of volumes for most pods, except the sts pod */}} +{{- define "default-volumes" -}} +{{- $volumes := get ((include "redpanda.DefaultVolumes" (dict "a" (list .))) | fromJson) "r" }} +{{- if $volumes -}} +{{- toYaml $volumes -}} +{{- end -}} +{{- end -}} + +{{/* support legacy storage.tieredConfig */}} +{{- define "storage-tiered-config" -}} +{{- $cfg := get ((include "redpanda.StorageTieredConfig" (dict "a" (list .))) | fromJson) "r" }} +{{- if $cfg -}} +{{- toYaml $cfg -}} +{{- end -}} +{{- end -}} + +{{/* + rpk sasl environment variables + + this will return a string with the correct environment variables to use for SASL based on the + version of the redpada container being used +*/}} +{{- define "rpk-sasl-environment-variables" -}} +{{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool -}} +RPK_USER RPK_PASS RPK_SASL_MECHANISM +{{- else -}} +REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM +{{- end -}} +{{- end -}} + +{{- define "curl-options" -}} +{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}} +{{- end -}} + +{{- define "advertised-address-template" -}} + {{- $prefixTemplate := dig "prefixTemplate" "" .externalListener -}} + {{- if empty $prefixTemplate -}} + {{- $prefixTemplate = dig "prefixTemplate" "" .externalVals -}} + {{- end -}} + {{ quote $prefixTemplate }} +{{- end -}} + +{{/* check if client auth is enabled for any of the listeners */}} +{{- define "client-auth-required" -}} +{{- $requireClientAuth := get ((include "redpanda.ClientAuthRequired" (dict "a" (list .))) | fromJson) "r" }} +{{- toJson (dict "bool" $requireClientAuth) -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.19/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_notes.go.tpl new file mode 100644 index 0000000000..cae9d21fb3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_notes.go.tpl 
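Review bot: In `redpanda-22-2-x-without-sasl`, the line `{{- $result := false -}}` inside the `if` declares a new variable scoped to that block instead of assigning to the outer `$result`, so the SASL / `listeners.kafka.authenticationMethod` condition never changes what the helper returns. As written, the output is always whatever `redpanda-atleast-22-3-0` reports; if the branch is meant to take effect it should read `{{- $result = false -}}`, the assignment form that `admin-tls-curl-flags` and `admin-http-protocol` already use in this file. The helper's name says 22.2.x while `$result` is seeded from the 22.3.0 check, so a one-line comment stating the intended meaning would help whoever gates authentication-dependent config on it. The callers are not visible in this hunk, and since the chart appears to be imported by automation, the fix probably belongs upstream rather than in this copy.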
@@ -0,0 +1,167 @@ +{{- /* Generated from "notes.go" */ -}} + +{{- define "redpanda.Warnings" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $warnings := (coalesce nil) -}} +{{- $w_1 := (get (fromJson (include "redpanda.cpuWarning" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $w_1 "") -}} +{{- $warnings = (concat (default (list ) $warnings) (list (printf `**Warning**: %s` $w_1))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $warnings) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.cpuWarning" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $coresInMillis := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillis (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%dm is below the minimum recommended CPU value for Redpanda" $coresInMillis)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Notes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $anySASL := (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $notes := (coalesce nil) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `` `` `` (printf `Congratulations on installing %s!` $dot.Chart.Name) `` `The pods will rollout in a few seconds. 
To check the status:` `` (printf ` kubectl -n %s rollout status statefulset %s --watch` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}} +{{- if (and $values.external.enabled (eq $values.external.type "LoadBalancer")) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `If you are using the load balancer service with a cloud provider, the services will likely have automatically-generated addresses. In this scenario the advertised listeners must be updated in order for external access to work. Run the following command once Redpanda is deployed:` `` (printf ` helm upgrade %s redpanda/redpanda --reuse-values -n %s --set $(kubectl get svc -n %s -o jsonpath='{"external.addresses={"}{ range .items[*]}{.status.loadBalancer.ingress[0].ip }{.status.loadBalancer.ingress[0].hostname}{","}{ end }{"}\n"}')` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace $dot.Release.Namespace))) -}} +{{- end -}} +{{- $profiles := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $profiles) -}} +{{- $profileName := (index $profiles (0 | int)) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Set up rpk for access to your external listeners:`)) -}} +{{- $profile := (ternary (index $values.listeners.kafka.external $profileName) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "prefixTemplate" (coalesce nil) "tls" (coalesce nil) ) (hasKey $values.listeners.kafka.external $profileName)) -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $external := "" -}} +{{- if (and (ne (toJson $profile.tls) "null") (ne (toJson $profile.tls.cert) "null")) -}} +{{- $external = $profile.tls.cert -}} +{{- else -}} +{{- $external = $values.listeners.kafka.tls.cert -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` 
kubectl get secret -n %s %s-%s-cert -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $external))) -}} +{{- if (or $values.listeners.kafka.tls.requireClientAuth $values.listeners.admin.tls.requireClientAuth) -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.crt" | base64decode }}' > tls.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.key" | base64decode }}' > tls.key` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` rpk profile create --from-profile <(kubectl get configmap -n %s %s-rpk -o go-template='{{ .data.profile }}') %s` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $profileName) `` `Set up dns to look up the pods on their Kubernetes Nodes. You can use this query to get the list of short-names to IP addresses. Add your external domain to the hostnames and you could test by adding these to your /etc/hosts:` `` (printf ` kubectl get pod -n %s -o custom-columns=node:.status.hostIP,name:.metadata.name --no-headers -l app.kubernetes.io/name=redpanda,app.kubernetes.io/component=redpanda-statefulset` $dot.Release.Namespace))) -}} +{{- if $anySASL -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Set the credentials in the environment:` `` (printf ` kubectl -n %s get secret %s -o go-template="{{ range .data }}{{ . 
| base64decode }}{{ end }}" | IFS=: read -r %s` $dot.Release.Namespace $values.auth.sasl.secretRef (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")) (printf ` export %s` (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Try some sample commands:`)) -}} +{{- if $anySASL -}} +{{- $notes = (concat (default (list ) $notes) (list `Create a user:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLUserCreate" (dict "a" (list $dot) ))) "r")) `` `Give the user permissions:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLCreate" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Get the api status:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkClusterInfo" (dict "a" (list $dot) ))) "r")) `` `Create a topic` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicCreate" (dict "a" (list $dot) ))) "r")) `` `Describe the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDescribe" (dict "a" (list $dot) ))) "r")) `` `Delete the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDelete" (dict "a" (list $dot) ))) "r")))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $notes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkACLUserCreate" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `rpk acl user create myuser --new-password changeme --mechanism %s` (get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SASLMechanism" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne 
(toJson $values.auth.sasl) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.auth.sasl.mechanism) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "SCRAM-SHA-512") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkACLCreate" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk acl create --allow-principal 'myuser' --allow-host '*' --operation all --topic 'test-topic'`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkClusterInfo" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk cluster info`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicCreate" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `rpk topic create test-topic -p 3 -r %d` (min (3 | int64) (($values.statefulset.replicas | int) | int64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicDescribe" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk topic describe test-topic`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicDelete" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk topic delete test-topic`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkSASLEnvironmentVariables" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict 
"r" `RPK_USER RPK_PASS RPK_SASL_MECHANISM`) | toJson -}} +{{- break -}} +{{- else -}} +{{- $_is_returning = true -}} +{{- (dict "r" `REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_poddisruptionbudget.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_poddisruptionbudget.go.tpl new file mode 100644 index 0000000000..763b7b0bdf --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_poddisruptionbudget.go.tpl 
@@ -0,0 +1,21 @@ +{{- /* Generated from "poddisruptionbudget.go" */ -}} + +{{- define "redpanda.PodDisruptionBudget" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $budget := ($values.statefulset.budget.maxUnavailable | int) -}} +{{- $minReplicas := ((div ($values.statefulset.replicas | int) (2 | int)) | int) -}} +{{- if (and (gt $budget (1 | int)) (gt $budget $minReplicas)) -}} +{{- $_ := (fail (printf "statefulset.budget.maxUnavailable is set too high to maintain quorum: %d > %d" $budget $minReplicas)) -}} +{{- end -}} +{{- $maxUnavailable := ($budget | int) -}} +{{- $matchLabels := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $matchLabels "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "disruptionsAllowed" 0 "currentHealthy" 0 "desiredHealthy" 0 "expectedPods" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "policy/v1" "kind" "PodDisruptionBudget" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" $matchLabels )) "maxUnavailable" $maxUnavailable )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_post-install-upgrade-job.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_post-install-upgrade-job.go.tpl new file mode 100644 index 0000000000..efbb41e8b6 --- /dev/null 
+++ b/charts/redpanda/redpanda/5.9.19/templates/_post-install-upgrade-job.go.tpl 
@@ -0,0 +1,123 @@ +{{- /* Generated from "post_install_upgrade_job.go" */ -}} + +{{- define "redpanda.bootstrapYamlTemplater" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $env := (get (fromJson (include "redpanda.TieredStorageCredentials.AsEnvVars" (dict "a" (list $values.storage.tiered.credentialsSecretRef (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) ))) "r") -}} +{{- $image := (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "bootstrap-yaml-envsubst" "image" $image "command" (list "/redpanda-operator" "envsubst" "/tmp/base-config/bootstrap.yaml" "--output" "/tmp/config/.bootstrap.yaml") "env" $env "resources" (mustMergeOverwrite (dict ) (dict "limits" (dict "cpu" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "100m") ))) "r") "memory" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "125Mi") ))) "r") ) "requests" (dict "cpu" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "100m") ))) "r") "memory" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "125Mi") ))) "r") ) )) "securityContext" (mustMergeOverwrite (dict ) (dict "allowPrivilegeEscalation" false "readOnlyRootFilesystem" true "runAsNonRoot" true )) "volumeMounts" (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/tmp/config/" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config/" ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostInstallUpgradeJob" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false 
-}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_install_job.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $image := (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) -}} +{{- $job := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-configuration" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (default (dict ) $values.post_install_job.labels) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r")) "annotations" (merge (dict ) (default (dict ) $values.post_install_job.annotations) (dict "helm.sh/hook" "post-install,post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-5" )) )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_install_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "generateName" (printf "%s-post-" $dot.Release.Name) "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name 
"app.kubernetes.io/component" (printf "%.50s-post-install" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) ) (default (dict ) $values.commonLabels)) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (get (fromJson (include "redpanda.postInstallJobAffinity" (dict "a" (list $dot) ))) "r") "tolerations" (get (fromJson (include "redpanda.tolerations" (dict "a" (list $dot) ))) "r") "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "initContainers" (list (get (fromJson (include "redpanda.bootstrapYamlTemplater" (dict "a" (list $dot) ))) "r")) "automountServiceAccountToken" false "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-install" "image" $image "env" (get (fromJson (include "redpanda.PostInstallUpgradeEnvironmentVariables" (dict "a" (list $dot) ))) "r") "command" (list "/redpanda-operator" "sync-cluster-config" "--users-directory" "/etc/secrets/users" "--redpanda-yaml" "/tmp/base-config/redpanda.yaml" "--bootstrap-yaml" "/tmp/config/.bootstrap.yaml") "resources" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.resources (mustMergeOverwrite (dict ) (dict ))) ))) "r") "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "volumeMounts" (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/tmp/config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" 
"/tmp/base-config" )))) ))) "volumes" (concat (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "base-config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )))) "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) )) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $job) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.postInstallJobAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.post_install_job.affinity)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.post_install_job.affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.post_install_job.affinity $values.affinity)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.tolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $t := $values.tolerations -}} +{{- $result = (concat (default (list ) $result) (list (merge (dict ) $t))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostInstallUpgradeEnvironmentVariables" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- 
$_is_returning := false -}} +{{- $envars := (list ) -}} +{{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}} +{{- $secretReference_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $license_1 "") -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "value" $license_1 )))) -}} +{{- else -}}{{- if (ne (toJson $secretReference_2) "null") -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" $secretReference_2 )) )))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.bootstrapEnvVars" (dict "a" (list $dot $envars) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.GetLicenseLiteral" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.enterprise.license "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.enterprise.license) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.license_key) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.GetLicenseSecretReference" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.enterprise.licenseSecretRef)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" $values.enterprise.licenseSecretRef.key ))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (not (empty $values.license_secret_ref)) -}} +{{- 
$_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.license_secret_ref.secret_name )) (dict "key" $values.license_secret_ref.secret_key ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_post_upgrade_job.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_post_upgrade_job.go.tpl new file mode 100644 index 0000000000..6a95bb94e6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_post_upgrade_job.go.tpl 
@@ -0,0 +1,87 @@ +{{- /* Generated from "post_upgrade_job.go" */ -}} + +{{- define "redpanda.PostUpgrade" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_upgrade_job.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $labels := (default (dict ) $values.post_upgrade_job.labels) -}} +{{- $annotations := (default (dict ) $values.post_upgrade_job.annotations) -}} +{{- $annotations = (merge (dict ) (dict "helm.sh/hook" "post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-10" ) $annotations) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-post-upgrade" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $labels) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "backoffLimit" $values.post_upgrade_job.backoffLimit "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_upgrade_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $dot.Release.Name 
"labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%s-post-upgrade" (trunc (50 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r"))) ) $values.commonLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (merge (dict ) $values.post_upgrade_job.affinity $values.affinity) "tolerations" $values.tolerations "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-upgrade" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list "/bin/bash" "-c") "args" (list (get (fromJson (include "redpanda.PostUpgradeJobScript" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot $values.post_upgrade_job.extraEnv) ))) "r") "envFrom" $values.post_upgrade_job.extraEnvFrom "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_upgrade_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "resources" $values.post_upgrade_job.resources "volumeMounts" (get (fromJson (include "redpanda.DefaultMounts" (dict "a" (list $dot) ))) "r") ))) "volumes" (get (fromJson (include "redpanda.DefaultVolumes" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.PostUpgradeJobScript" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $script := (list `set -e` ``) -}} +{{- range $key, $value := $values.config.cluster -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $value) ))) "r")) ))) "r") -}} +{{- $isInt64 := $tmp_tuple_1.T2 -}} +{{- $asInt64 := ($tmp_tuple_1.T1 | int64) -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $value false) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_2.T2 -}} +{{- $asBool_1 := $tmp_tuple_2.T1 -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $value "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_3.T2 -}} +{{- $asStr_3 := $tmp_tuple_3.T1 -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "[]%s" "interface {}") $value (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_4.T2 -}} +{{- $asSlice_5 := $tmp_tuple_4.T1 -}} +{{- if (and $ok_2 $asBool_1) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %t" $key $asBool_1))) -}} +{{- else -}}{{- if (and $ok_4 (ne $asStr_3 "")) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %s" $key $asStr_3))) -}} +{{- else -}}{{- if (and $isInt64 (gt $asInt64 (0 | int64))) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %d" $key $asInt64))) -}} +{{- else -}}{{- if (and $ok_6 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $asSlice_5) ))) "r") | int) (0 | int))) -}} +{{- $script = (concat (default (list ) $script) (list (printf `rpk 
cluster config set %s "[ %s ]"` $key (join "," $asSlice_5)))) -}} +{{- else -}}{{- if (not (empty $value)) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %v" $key $value))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "default_topic_replications" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_7 := $tmp_tuple_5.T2 -}} +{{- if (and (not $ok_7) (ge ($values.statefulset.replicas | int) (3 | int))) -}} +{{- $script = (concat (default (list ) $script) (list "rpk cluster config set default_topic_replications 3")) -}} +{{- end -}} +{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "storage_min_free_bytes" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_8 := $tmp_tuple_6.T2 -}} +{{- if (not $ok_8) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set storage_min_free_bytes %d" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64)))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}} +{{- $service := $values.listeners.admin -}} +{{- $caCert := "" -}} +{{- $scheme := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $service.tls $values.tls) ))) "r") -}} +{{- $scheme = "https" -}} +{{- $caCert = (printf "--cacert %q" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $service.tls $values.tls) ))) "r")) -}} +{{- end -}} +{{- $url := (printf "%s://%s:%d/v1/debug/restart_service?service=schema-registry" $scheme (get (fromJson (include 
"redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") (($service.port | int) | int64)) -}} +{{- $script = (concat (default (list ) $script) (list `if [ -d "/etc/secrets/users/" ]; then` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` ` curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \` (printf ` %s \` $caCert) ` -X PUT -u ${USER_NAME}:${PASSWORD} \` (printf ` %s || true` $url) `fi`)) -}} +{{- end -}} +{{- $script = (concat (default (list ) $script) (list "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (join "\n" $script)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_rbac.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_rbac.go.tpl new file mode 100644 index 0000000000..162092626d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_rbac.go.tpl 
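Review bot: The curl call appended at the end of `redpanda.PostUpgradeJobScript` passes the SASL credentials as `-u ${USER_NAME}:${PASSWORD}` together with `-svm3`, so the `v` flag will most likely write the request's Authorization header to the Job log, and the unquoted expansion breaks on a password that contains whitespace or glob characters. I would emit the line as `curl -sm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \` and the credentials as `-X PUT -u "${USER_NAME}:${PASSWORD}" \`. When internal TLS is disabled `$scheme` stays `http`, so the same basic-auth header crosses the pod network in clear text; `--ssl-reqd` does not appear to enforce TLS for an HTTP URL, which is worth confirming. The trailing `|| true` also means a failed schema-registry restart never fails the Job. The template is generated from post_upgrade_job.go, so the change belongs in that source.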
@@ -0,0 +1,116 @@ +{{- /* Generated from "rbac.go" */ -}} + +{{- define "redpanda.ClusterRoles" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $crs := (coalesce nil) -}} +{{- $cr_1 := (get (fromJson (include "redpanda.SidecarControllersClusterRole" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $cr_1) "null") -}} +{{- $crs = (concat (default (list ) $crs) (list $cr_1)) -}} +{{- end -}} +{{- if (not $values.rbac.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $crs = (concat (default (list ) $crs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list") ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) 
) (dict "apiGroups" (list "") "resources" (list "configmaps" "endpoints" "events" "limitranges" "persistentvolumeclaims" "pods" "pods/log" "replicationcontrollers" "resourcequotas" "serviceaccounts" "services") "verbs" (list "get" "list") ))) ))))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterRoleBindings" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $crbs := (coalesce nil) -}} +{{- $crb_2 := (get (fromJson (include "redpanda.SidecarControllersClusterRoleBinding" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $crb_2) "null") -}} +{{- $crbs = (concat (default (list ) $crbs) (list $crb_2)) -}} +{{- end -}} +{{- if (not $values.rbac.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crbs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $crbs = (concat (default (list ) $crbs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" 
"ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $rpkBundleName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crbs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" 
(mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumes") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict 
"kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "Role" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets/status") "verbs" (list "patch" "update") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "secrets" "pods") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets") "verbs" (list "get" "patch" "update" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumeclaims") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) 
))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "RoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "Role" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_secrets.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_secrets.go.tpl new file mode 100644 index 0000000000..d15c93613c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_secrets.go.tpl 
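Review bot: The rules in `redpanda.SidecarControllersClusterRole` and `redpanda.SidecarControllersRole` are broad and nothing in the template says why they are needed: the ClusterRole allows `delete`, `patch` and `update` on every `persistentvolumes` object in the cluster, and the Role allows `get`, `list` and `watch` on all `secrets` in the release namespace. Both are bound to the account returned by `redpanda.ServiceAccountName`, which the post-upgrade Job in this patch also runs under without setting `automountServiceAccountToken` to false, so that Job's shell script appears to inherit the same rights. I would put a comment on each rule in rbac.go, for example `// cluster-wide delete/patch/update on PersistentVolumes; needed by: <controller name>`, and state in the values documentation that `statefulset.sideCars.controllers.createRBAC` grants these permissions. If the controllers only read the chart's own secrets, the secrets rule is a candidate for narrowing, but that cannot be judged from this hunk.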
@@ -0,0 +1,419 @@ +{{- /* Generated from "secrets.go" */ -}} + +{{- define "redpanda.Secrets" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $secrets := (coalesce nil) -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretSTSLifecycle" (dict "a" (list $dot) ))) "r"))) -}} +{{- $saslUsers_1 := (get (fromJson (include "redpanda.SecretSASLUsers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $saslUsers_1) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $saslUsers_1)) -}} +{{- end -}} +{{- $configWatcher_2 := (get (fromJson (include "redpanda.SecretConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $configWatcher_2) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $configWatcher_2)) -}} +{{- end -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $fsValidator_3 := (get (fromJson (include "redpanda.SecretFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $fsValidator_3) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $fsValidator_3)) -}} +{{- end -}} +{{- $bootstrapUser_4 := (get (fromJson (include "redpanda.SecretBootstrapUser" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $bootstrapUser_4) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $bootstrapUser_4)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secrets) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSTSLifecycle" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict 
"metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-sts-lifecycle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $adminCurlFlags := (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $secret.stringData "common.sh" (join "\n" (list `#!/usr/bin/env bash` `` `# the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME` (printf `CURL_URL="%s"` (get (fromJson (include "redpanda.adminInternalURL" (dict "a" (list $dot) ))) "r")) `` `# commands used throughout` (printf `CURL_NODE_ID_CMD="curl --silent --fail %s ${CURL_URL}/v1/node_config"` $adminCurlFlags) `` `CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"'` `CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"'` (printf `CURL_MAINTENANCE_GET_CMD="curl -X GET --silent %s ${CURL_URL}/v1/maintenance"` $adminCurlFlags)))) -}} +{{- $postStartSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `postStartHook () {` ` set -x` `` ` touch /tmp/postStartHookStarted` `` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Clearing maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` # a 400 here would mean not in maintenance mode` 
` until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do` ` status=$(${CURL_MAINTENANCE_DELETE_CMD})` ` sleep 0.5` ` done` `` ` touch /tmp/postStartHookFinished` `}` `` `postStartHook` `true`) -}} +{{- $_ := (set $secret.stringData "postStart.sh" (join "\n" $postStartSh)) -}} +{{- $preStopSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `touch /tmp/preStopHookStarted` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `set -x` `` `preStopHook () {` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Setting maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` until [ "${status:-}" = '"200"' ]; do` ` status=$(${CURL_MAINTENANCE_PUT_CMD})` ` sleep 0.5` ` done` `` ` until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do` ` res=$(${CURL_MAINTENANCE_GET_CMD})` ` finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$')` ` draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$')` ` sleep 0.5` ` done` `` ` touch /tmp/preStopHookFinished` `}`) -}} +{{- if (and (gt ($values.statefulset.replicas | int) (2 | int)) (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig "recovery_mode_enabled" false $values.config.node)) ))) "r"))) -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `preStopHook`)) -}} +{{- else -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `touch /tmp/preStopHookFinished` `echo "Not enough replicas or in recovery mode, cannot put a broker into maintenance mode."`)) -}} +{{- end -}} 
+{{- $preStopSh = (concat (default (list ) $preStopSh) (list `true`)) -}} +{{- $_ := (set $secret.stringData "preStop.sh" (join "\n" $preStopSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSASLUsers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (and (ne $values.auth.sasl.secretRef "") $values.auth.sasl.enabled) (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.auth.sasl.users) ))) "r") | int) (0 | int))) -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $values.auth.sasl.secretRef "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $usersTxt := (list ) -}} +{{- range $_, $user := $values.auth.sasl.users -}} +{{- if (empty $user.mechanism) -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s" $user.name $user.password))) -}} +{{- else -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s:%s" $user.name $user.password $user.mechanism))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $secret.stringData "users.txt" (join "\n" $usersTxt)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- else -}}{{- if (and $values.auth.sasl.enabled (eq $values.auth.sasl.secretRef "")) -}} +{{- $_ := (fail "auth.sasl.secretRef cannot be empty when auth.sasl.enabled=true") -}} +{{- else -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end 
-}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretBootstrapUser" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.auth.sasl.enabled) (ne (toJson $values.auth.sasl.bootstrapUser.secretKeyRef) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $secretName := (printf "%s-bootstrap-user" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $_209_existing_5_ok_6 := (get (fromJson (include "_shims.lookup" (dict "a" (list "v1" "Secret" $dot.Release.Namespace $secretName) ))) "r") -}} +{{- $existing_5 := (index $_209_existing_5_ok_6 0) -}} +{{- $ok_6 := (index $_209_existing_5_ok_6 1) -}} +{{- if $ok_6 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_5) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $password := (randAlphaNum (32 | int)) -}} +{{- $userPassword := $values.auth.sasl.bootstrapUser.password -}} +{{- if (ne (toJson $userPassword) "null") -}} +{{- $password = $userPassword -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $secretName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "password" $password ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- $_is_returning 
= true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $bootstrapUser := (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $values.auth.sasl.bootstrapUser) ))) "r") -}} +{{- $sasl := $values.auth.sasl -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-config-watcher" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $saslUserSh := (coalesce nil) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `#!/usr/bin/env bash` `` `trap 'error_handler $? $LINENO' ERR` `` `error_handler() {` ` echo "Error: ($1) occurred at line $2"` `}` `` `set -e` `` `# rpk cluster health can exit non-zero if it's unable to dial brokers. This` `# can happen for many reasons but we never want this script to crash as it` `# would take down yet another broker and make a bad situation worse.` `# Instead, just wait for the command to eventually exit zero.` `echo "Waiting for cluster to be ready"` `until rpk cluster health --watch --exit-when-healthy; do` ` echo "rpk cluster health failed. 
Waiting 5 seconds before trying again..."` ` sleep 5` `done`)) -}} +{{- if (and $sasl.enabled (ne $sasl.secretRef "")) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `while true; do` ` echo "RUNNING: Monitoring and Updating SASL users"` ` USERS_DIR="/etc/secrets/users"` `` ` new_users_list(){` ` LIST=$1` ` NEW_USER=$2` ` if [[ -n "${LIST}" ]]; then` ` LIST="${NEW_USER},${LIST}"` ` else` ` LIST="${NEW_USER}"` ` fi` `` ` echo "${LIST}"` ` }` `` ` process_users() {` ` USERS_DIR=${1-"/etc/secrets/users"}` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` (printf ` USERS_LIST="%s"` $bootstrapUser) ` READ_LIST_SUCCESS=0` ` # Read line by line, handle a missing EOL at the end of file` ` while read p || [ -n "$p" ] ; do` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM <<< $p` ` # Do not process empty lines` ` if [ -z "$USER_NAME" ]; then` ` continue` ` fi` ` if [[ "${USER_NAME// /}" != "$USER_NAME" ]]; then` ` continue` ` fi` ` echo "Creating user ${USER_NAME}..."` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` creation_result=$(rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` # Check if the stderr contains "User already exists"` ` # this error occurs when password has changed` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Update user ${USER_NAME}"` ` # we will try to update by first deleting` ` deletion_result=$(rpk acl user delete ${USER_NAME} 2>&1) && deletion_result_exit_code=$? 
|| deletion_result_exit_code=$?` ` if [[ $deletion_result_exit_code -ne 0 ]]; then` ` echo "deletion of user ${USER_NAME} failed: ${deletion_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # Now we update the user` ` update_result=$(rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM} 2>&1) && update_result_exit_code=$? || update_result_exit_code=$? # On a non-success exit code` ` if [[ $update_result_exit_code -ne 0 ]]; then` ` echo "updating user ${USER_NAME} failed: ${update_result}"` ` READ_LIST_SUCCESS=1` ` break` ` else` ` echo "Updated user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` else` ` # Another error occurred, so output the original message and exit code` ` echo "error creating user ${USER_NAME}: ${creation_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # On a success, the user was created so output that` ` else` ` echo "Created user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` done < $USERS_FILE` `` ` if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]; then` ` echo "Setting superusers configurations with users [${USERS_LIST}]"` ` superuser_result=$(rpk cluster config set superusers [${USERS_LIST}] 2>&1) && superuser_result_exit_code=$? || superuser_result_exit_code=$?` ` if [[ $superuser_result_exit_code -ne 0 ]]; then` ` echo "Setting superusers configurations failed: ${superuser_result}"` ` else` ` echo "Completed setting superusers configurations"` ` fi` ` fi` ` }` `` ` # before we do anything ensure we have the bootstrap user` ` echo "Ensuring bootstrap user ${RPK_USER}..."` ` creation_result=$(rpk acl user create ${RPK_USER} -p ${RPK_PASS} --mechanism ${RPK_SASL_MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? 
# On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Bootstrap user already created"` ` else` ` echo "error creating user ${RPK_USER}: ${creation_result}"` ` fi` ` fi` `` ` # first time processing` ` process_users $USERS_DIR` `` ` # subsequent changes detected here` ` # watching delete_self as documented in https://ahmet.im/blog/kubernetes-inotify/` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` ` while RES=$(inotifywait -q -e delete_self ${USERS_FILE}); do` ` process_users $USERS_DIR` ` done` `done`)) -}} +{{- else -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `echo "Nothing to do. Sleeping..."` `sleep infinity`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "sasl-user.sh" (join "\n" $saslUserSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%.49s-fs-validator" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $_ := (set $secret.stringData "fsValidator.sh" `set -e +EXPECTED_FS_TYPE=$1 + +DATA_DIR="/var/lib/redpanda/data" +TEST_FILE="testfile" + +echo "checking data 
directory exist..." +if [ ! -d "${DATA_DIR}" ]; then + echo "data directory does not exists, exiting" + exit 1 +fi + +echo "checking filesystem type..." +FS_TYPE=$(df -T $DATA_DIR | tail -n +2 | awk '{print $2}') + +if [ "${FS_TYPE}" != "${EXPECTED_FS_TYPE}" ]; then + echo "file system found to be ${FS_TYPE} when expected ${EXPECTED_FS_TYPE}" + exit 1 +fi + +echo "checking if able to create a test file..." + +touch ${DATA_DIR}/${TEST_FILE} +result=$(touch ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not write testfile, may not have write permission" + exit 1 +fi + +echo "checking if able to delete a test file..." + +result=$(rm ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not delete testfile" + exit 1 +fi + +echo "passed"`) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%.51s-configurator" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $configuratorSh := (list ) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `set -xe` `SERVICE_NAME=$1` `KUBERNETES_NODE_NAME=$2` `POD_ORDINAL=${SERVICE_NAME##*-}` "BROKER_INDEX=`expr $POD_ORDINAL + 1`" `` `CONFIG=/etc/redpanda/redpanda.yaml` `` `# Setup config files` `cp /tmp/base-config/redpanda.yaml 
"${CONFIG}"`)) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure bootstrap` `## Not used for Redpanda v22.3.0+` `rpk --config "${CONFIG}" redpanda config set redpanda.node_id "${POD_ORDINAL}"` `if [ "${POD_ORDINAL}" = "0" ]; then` ` rpk --config "${CONFIG}" redpanda config set redpanda.seed_servers '[]' --format yaml` `fi`)) -}} +{{- end -}} +{{- $kafkaSnippet := (get (fromJson (include "redpanda.secretConfiguratorKafkaConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $kafkaSnippet)) -}} +{{- $httpSnippet := (get (fromJson (include "redpanda.secretConfiguratorHTTPConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $httpSnippet)) -}} +{{- if (and (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r") $values.rackAwareness.enabled) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure Rack Awareness` `set +x` (printf `RACK=$(curl --silent --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --fail -H 'Authorization: Bearer '$(cat /run/secrets/kubernetes.io/serviceaccount/token) "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/nodes/${KUBERNETES_NODE_NAME}?pretty=true" | grep %s | grep -v '\"key\":' | sed 's/.*": "\([^"]\+\).*/\1/')` (squote (quote $values.rackAwareness.nodeAnnotation))) `set -x` `rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}"`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "configurator.sh" (join "\n" $configuratorSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorKafkaConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ 
:= (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "kafka" -}} +{{- $listenerAdvertisedName := $listenerName -}} +{{- $redpandaConfigPart := "redpanda" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.kafka.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.kafka.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := $values.listeners.kafka.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" 
(dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorHTTPConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "http" -}} +{{- $listenerAdvertisedName := "pandaproxy" -}} +{{- $redpandaConfigPart := "pandaproxy" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.http.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.http.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := 
$values.listeners.http.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminTLSCurlFlags" -}} +{{- 
$dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- if $values.listeners.admin.tls.requireClientAuth -}} +{{- $path := (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $path := (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "--cacert %s" $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.externalAdvertiseAddress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $eaa := "${SERVICE_NAME}" -}} +{{- $externalDomainTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- $expanded := (tpl $externalDomainTemplate $dot) -}} +{{- if (not (empty $expanded)) -}} +{{- $eaa = (printf "%s.%s" "${SERVICE_NAME}" $expanded) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $eaa) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHostJSON" -}} +{{- $dot := (index .a 0) -}} +{{- $externalName := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- $replicaIndex := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $host := (dict "name" $externalName "address" (get (fromJson (include 
"redpanda.externalAdvertiseAddress" (dict "a" (list $dot) ))) "r") "port" $port ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $address := "" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses $replicaIndex) -}} +{{- else -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- end -}} +{{- $domain_7 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- if (ne $domain_7 "") -}} +{{- $host = (dict "name" $externalName "address" (printf "%s.%s" $address (tpl $domain_7 $dot)) "port" $port ) -}} +{{- else -}} +{{- $host = (dict "name" $externalName "address" $address "port" $port ) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $host) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalHTTPProtocol" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" "https") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "http") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalURL" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s://%s.%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") `${SERVICE_NAME}` (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") 
$dot.Release.Namespace (trimSuffix "." $values.clusterDomain) ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_service.internal.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_service.internal.go.tpl new file mode 100644 index 0000000000..0719ec5fa3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_service.internal.go.tpl 
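Review bot: In the `sasl-user.sh` script built by `redpanda.SecretConfigWatcher`, the guard `[[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]` is always true once the list is non-empty, because a bare word inside `[[ ]]` only tests for a non-empty string and the flag is always `0` or `1`; the `superusers` setting is therefore still written from a partial list after a user create or delete failed and the loop broke out. The test should compare the value: `if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} -eq 0 ]]; then`. In the same script the `rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM}` calls and the `<<< $p` here-string expand unquoted, so a password containing whitespace or glob characters is split or expanded before rpk receives it; quoting them (`-p "${PASSWORD}"`, `<<< "$p"`) avoids that. The header comment says this file is generated from `secrets.go`, so the change belongs in that source rather than in the rendered template.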
@@ -0,0 +1,38 @@ +{{- /* Generated from "service_internal.go" */ -}} + +{{- define "redpanda.MonitoringEnabledLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "monitoring.redpanda.com/enabled" (printf "%t" $values.monitoring.enabled) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceInternal" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list ) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "admin" "protocol" "TCP" "appProtocol" $values.listeners.admin.appProtocol "port" ($values.listeners.admin.port | int) "targetPort" ($values.listeners.admin.port | int) )))) -}} +{{- if $values.listeners.http.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "protocol" "TCP" "port" ($values.listeners.http.port | int) "targetPort" ($values.listeners.http.port | int) )))) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "kafka" "protocol" "TCP" "port" ($values.listeners.kafka.port | int) "targetPort" ($values.listeners.kafka.port | int) )))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rpc" "protocol" "TCP" "port" ($values.listeners.rpc.port | int) "targetPort" ($values.listeners.rpc.port | int) )))) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "schemaregistry" "protocol" "TCP" "port" ($values.listeners.schemaRegistry.port | int) "targetPort" 
($values.listeners.schemaRegistry.port | int) )))) -}} +{{- end -}} +{{- $annotations := (dict ) -}} +{{- if (ne (toJson $values.service) "null") -}} +{{- $annotations = $values.service.internal.annotations -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.MonitoringEnabledLabel" (dict "a" (list $dot) ))) "r")) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" "ClusterIP" "publishNotReadyAddresses" true "clusterIP" "None" "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "ports" $ports )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_service.loadbalancer.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_service.loadbalancer.go.tpl new file mode 100644 index 0000000000..bb34c583ed --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_service.loadbalancer.go.tpl 
@@ -0,0 +1,105 @@ +{{- /* Generated from "service.loadbalancer.go" */ -}} + +{{- define "redpanda.LoadBalancerServices" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "LoadBalancer") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $externalDNS := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.externalDns (mustMergeOverwrite (dict "enabled" false ) (dict ))) ))) "r") -}} +{{- $labels := (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $labels "repdanda.com/type" "loadbalancer") -}} +{{- $selector := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $services := (coalesce nil) -}} +{{- $replicas := ($values.statefulset.replicas | int) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $podname := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i) -}} +{{- $annotations := (dict ) -}} +{{- range $k, $v := $values.external.annotations -}} +{{- $_ := (set $annotations $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if $externalDNS.enabled -}} +{{- $prefix := $podname -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $prefix = (index $values.external.addresses (0 | int)) -}} +{{- else -}} +{{- $prefix = (index 
$values.external.addresses $i) -}} +{{- end -}} +{{- end -}} +{{- $address := (printf "%s.%s" $prefix (tpl $values.external.domain $dot)) -}} +{{- $_ := (set $annotations "external-dns.alpha.kubernetes.io/hostname" $address) -}} +{{- end -}} +{{- $podSelector := (dict ) -}} +{{- range $k, $v := $selector -}} +{{- $_ := (set $podSelector $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $podSelector "statefulset.kubernetes.io/pod-name" $podname) -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($values.listeners.admin.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if 
$_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $svc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "lb-%s" $podname) "namespace" $dot.Release.Namespace "labels" $labels "annotations" $annotations )) "spec" 
(mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "loadBalancerSourceRanges" $values.external.sourceRanges "ports" $ports "publishNotReadyAddresses" true "selector" $podSelector "sessionAffinity" "None" "type" "LoadBalancer" )) )) -}} +{{- $services = (concat (default (list ) $services) (list $svc)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $services) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_service.nodeport.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_service.nodeport.go.tpl new file mode 100644 index 0000000000..bc199951d7 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_service.nodeport.go.tpl 
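Review bot: The label key set on every per-pod LoadBalancer Service is spelled `repdanda.com/type`, which looks like a typo for `redpanda.com/type`. A NetworkPolicy, admission rule or inventory query that selects externally exposed Services by the intended key would not match these objects. The template is generated from `service.loadbalancer.go`, so the correction `(set $labels "redpanda.com/type" "loadbalancer")` belongs in that source, and it should be checked against anything that already depends on the misspelled key. Separately, `loadBalancerSourceRanges` is taken directly from `$values.external.sourceRanges`, and when that value is unset Kubernetes applies no source restriction, which here would cover the `admin-*` ports as well as kafka, http and schema registry. A values comment such as `# restrict external.sourceRanges to known client CIDRs when external.type is LoadBalancer` would make that default visible.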
@@ -0,0 +1,80 @@ +{{- /* Generated from "service.nodeport.go" */ -}} + +{{- define "redpanda.NodePortService" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "NodePort") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "port" 
($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $annotations := $values.external.annotations -}} +{{- if (eq (toJson $annotations) "null") -}} +{{- $annotations = (dict ) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict 
"apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-external" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "ports" $ports "publishNotReadyAddresses" true "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "NodePort" )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_serviceaccount.go.tpl new file mode 100644 index 0000000000..82ec5be757 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_serviceaccount.go.tpl 
@@ -0,0 +1,18 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "redpanda.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_servicemonitor.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_servicemonitor.go.tpl new file mode 100644 index 0000000000..7f5a621309 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_servicemonitor.go.tpl 
@@ -0,0 +1,26 @@ +{{- /* Generated from "servicemonitor.go" */ -}} + +{{- define "redpanda.ServiceMonitor" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.monitoring.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $endpoint := (mustMergeOverwrite (dict ) (dict "interval" $values.monitoring.scrapeInterval "path" "/public_metrics" "port" "admin" "enableHttp2" $values.monitoring.enableHttp2 "scheme" "http" )) -}} +{{- if (or (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") (ne (toJson $values.monitoring.tlsConfig) "null")) -}} +{{- $_ := (set $endpoint "scheme" "https") -}} +{{- $_ := (set $endpoint "tlsConfig" $values.monitoring.tlsConfig) -}} +{{- if (eq (toJson $endpoint.tlsConfig) "null") -}} +{{- $_ := (set $endpoint "tlsConfig" (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (dict "insecureSkipVerify" true )) (dict ))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "ServiceMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $values.monitoring.labels) )) "spec" (mustMergeOverwrite (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "endpoints" (list $endpoint) "selector" 
(mustMergeOverwrite (dict ) (dict "matchLabels" (dict "monitoring.redpanda.com/enabled" "true" "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name ) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.19/templates/_shims.tpl new file mode 100644 index 0000000000..7fdd55a9e5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_shims.tpl 
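Review bot: When admin-listener TLS is enabled and `$values.monitoring.tlsConfig` is null, the endpoint falls back to a `tlsConfig` containing `"insecureSkipVerify" true`, so Prometheus scrapes `/public_metrics` over https without verifying the broker's certificate. The scrape is then encrypted but unauthenticated, and nothing in the rendered ServiceMonitor signals that verification is off. The file is generated from `servicemonitor.go`, so the change belongs there: either build the fallback from the chart's own CA (a `ca` reference plus `serverName`) or at least document it, for example `# monitoring.tlsConfig: set ca/serverName to verify the admin certificate; if unset, scrapes use insecureSkipVerify`. Whether a CA secret is available at this point cannot be seen from this hunk, so the first option needs confirming against the chart's TLS values.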
@@ -0,0 +1,338 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $ptr) "null") -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $m) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len 
$m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $ptr) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq (toJson $a) "null") (eq (toJson $b) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.get" -}} +{{- $dict := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (hasKey $dict $key)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (get $dict $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- 
$_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" 
(list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $_184_scale_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (float64 0)) ))) "r") -}} +{{- $scale := ((index $_184_scale_ok 0) | float64) -}} +{{- $ok := (index $_184_scale_ok 1) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_207_numeric_scale := (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r") -}} +{{- $numeric := ((index $_207_numeric_scale 0) | float64) -}} +{{- $scale := ((index $_207_numeric_scale 1) | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_234_numeric_scale := (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r") -}} +{{- $numeric := ((index $_234_numeric_scale 0) | float64) -}} +{{- $scale := ((index $_234_numeric_scale 1) | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_239_numeric_scale := (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r") -}} +{{- $numeric := ((index $_239_numeric_scale 0) | float64) -}} +{{- $scale := ((index $_239_numeric_scale 1) | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.time_ParseDuration" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $unitMap := (dict "s" ((1000000000 | int64) | int64) "m" ((60000000000 | int64) | int64) "h" ((3600000000000 | int64) | int64) ) -}} +{{- $original := $repr -}} +{{- $value := ((0 | int64) | int64) -}} +{{- if (eq $repr "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- if (eq $repr "0") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $_, $_ := (list (0 | int) (0 | int) (0 | int)) -}} +{{- if (eq $repr "") -}} +{{- break -}} +{{- end -}} +{{- $n := (regexFind `^\d+` $repr) -}} +{{- if (eq $n "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- $repr = (substr ((get (fromJson (include "_shims.len" (dict "a" (list $n) ))) "r") | int) -1 $repr) 
-}} +{{- $unit := (regexFind `^(h|m|s)` $repr) -}} +{{- if (eq $unit "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- $repr = (substr ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int) -1 $repr) -}} +{{- $value = ((add $value (((mul (int64 $n) (ternary (index $unitMap $unit) 0 (hasKey $unitMap $unit))) | int64))) | int64) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.time_Duration_String" -}} +{{- $dur := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (duration ((div $dur ((1000000000 | int64) | int64)) | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne (toJson $manifest) "null" }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.19/templates/_statefulset.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_statefulset.go.tpl new file mode 100644 index 0000000000..d7649a1019 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_statefulset.go.tpl 
@@ -0,0 +1,773 @@ +{{- /* Generated from "statefulset.go" */ -}} + +{{- define "redpanda.statefulSetRedpandaEnv" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "POD_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.podIP" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.hostIP" )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodLabelsSelector" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $_86_existing_1_ok_2 := (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r") -}} +{{- $existing_1 := (index $_86_existing_1_ok_2 0) -}} +{{- $ok_2 := (index $_86_existing_1_ok_2 1) -}} +{{- if (and $ok_2 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_1.spec.selector.matchLabels) ))) "r") | int) (0 | int))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_1.spec.selector.matchLabels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $additionalSelectorLabels := (dict ) -}} +{{- if (ne (toJson $values.statefulset.additionalSelectorLabels) "null") -}} +{{- $additionalSelectorLabels = $values.statefulset.additionalSelectorLabels -}} +{{- end -}} +{{- $component := (printf 
"%s-statefulset" (trimSuffix "-" (trunc (51 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")))) -}} +{{- $defaults := (dict "app.kubernetes.io/component" $component "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $additionalSelectorLabels $defaults)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $_117_existing_3_ok_4 := (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r") -}} +{{- $existing_3 := (index $_117_existing_3_ok_4 0) -}} +{{- $ok_4 := (index $_117_existing_3_ok_4 1) -}} +{{- if (and $ok_4 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_3.spec.template.metadata.labels) ))) "r") | int) (0 | int))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_3.spec.template.metadata.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $statefulSetLabels := (dict ) -}} +{{- if (ne (toJson $values.statefulset.podTemplate.labels) "null") -}} +{{- $statefulSetLabels = $values.statefulset.podTemplate.labels -}} +{{- end -}} +{{- $defaults := (dict "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $statefulSetLabels (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") $defaults (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.StatefulSetPodAnnotations" -}} +{{- $dot := (index .a 0) -}} +{{- $configMapChecksum := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $configMapChecksumAnnotation := (dict "config.redpanda.com/checksum" $configMapChecksum ) -}} +{{- if (ne (toJson $values.statefulset.podTemplate.annotations) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.statefulset.podTemplate.annotations $configMapChecksumAnnotation)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.statefulset.annotations $configMapChecksumAnnotation)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $volumes := (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.50s-sts-lifecycle" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" "lifecycle-scripts" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $fullname )) (dict )) )) (dict "name" "base-config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.51s-configurator" $fullname) "defaultMode" (0o775 | int) )) )) 
(dict "name" (printf "%.51s-configurator" $fullname) )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%s-config-watcher" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%s-config-watcher" $fullname) ))))) -}} +{{- if $values.statefulset.initContainers.fsValidator.enabled -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.49s-fs-validator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.49s-fs-validator" $fullname) )))) -}} +{{- end -}} +{{- $vol_5 := (get (fromJson (include "redpanda.Listeners.TrustStoreVolume" (dict "a" (list $values.listeners $values.tls) ))) "r") -}} +{{- if (ne (toJson $vol_5) "null") -}} +{{- $volumes = (concat (default (list ) $volumes) (list $vol_5)) -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (get (fromJson (include "redpanda.templateToVolumes" (dict "a" (list $dot $values.statefulset.extraVolumes) ))) "r"))) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (get (fromJson (include "redpanda.statefulSetVolumeDataDir" (dict "a" (list $dot) ))) "r"))) -}} +{{- $v_6 := (get (fromJson (include "redpanda.statefulSetVolumeTieredStorageDir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $v_6) "null") -}} +{{- $volumes = (concat (default (list ) $volumes) (list $v_6)) -}} +{{- end -}} +{{- if (and (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r")) ((or ((and (and $values.rbac.enabled $values.statefulset.sideCars.controllers.enabled) $values.statefulset.sideCars.controllers.createRBAC)) $values.rackAwareness.enabled))) -}} +{{- $foundK8STokenVolume := false -}} +{{- range $_, $v := $volumes -}} +{{- if (hasPrefix $v.name (printf "%s%s" 
"kube-api-access" "-")) -}} +{{- $foundK8STokenVolume = true -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (not $foundK8STokenVolume) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (get (fromJson (include "redpanda.kubeTokenAPIVolume" (dict "a" (list "kube-api-access") ))) "r"))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.kubeTokenAPIVolume" -}} +{{- $name := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "projected" (mustMergeOverwrite (dict "sources" (coalesce nil) ) (dict "defaultMode" (420 | int) "sources" (list (mustMergeOverwrite (dict ) (dict "serviceAccountToken" (mustMergeOverwrite (dict "path" "" ) (dict "path" "token" "expirationSeconds" ((3607 | int) | int64) )) )) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" "kube-root-ca.crt" )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" "ca.crt" "path" "ca.crt" ))) )) )) (mustMergeOverwrite (dict ) (dict "downwardAPI" (mustMergeOverwrite (dict ) (dict "items" (list (mustMergeOverwrite (dict "path" "" ) (dict "path" "namespace" "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "apiVersion" "v1" "fieldPath" "metadata.namespace" )) ))) )) ))) )) )) (dict "name" $name ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetVolumeDataDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $datadirSource := (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) -}} +{{- if $values.storage.persistentVolume.enabled -}} +{{- 
$datadirSource = (mustMergeOverwrite (dict ) (dict "persistentVolumeClaim" (mustMergeOverwrite (dict "claimName" "" ) (dict "claimName" "datadir" )) )) -}} +{{- else -}}{{- if (ne $values.storage.hostPath "") -}} +{{- $datadirSource = (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" $values.storage.hostPath )) )) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) $datadirSource (dict "name" "datadir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetVolumeTieredStorageDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredType := (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") -}} +{{- if (or (eq $tieredType "none") (eq $tieredType "persistentVolume")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq $tieredType "hostPath") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" (get (fromJson (include "redpanda.Storage.GetTieredStorageHostPath" (dict "a" (list $values.storage) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict "sizeLimit" (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy (get 
(fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r"))) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "lifecycle-scripts" "mountPath" "/var/lifecycle" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" ))))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $values.listeners $values.tls) ))) "r")) ))) "r") | int) (0 | int)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststores" "mountPath" "/etc/truststores" "readOnly" true )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetInitContainers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $containers := (coalesce nil) -}} +{{- $c_7 := (get (fromJson (include "redpanda.statefulSetInitContainerTuning" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_7) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_7)) 
-}} +{{- end -}} +{{- $c_8 := (get (fromJson (include "redpanda.statefulSetInitContainerSetDataDirOwnership" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_8) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_8)) -}} +{{- end -}} +{{- $c_9 := (get (fromJson (include "redpanda.statefulSetInitContainerFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_9) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_9)) -}} +{{- end -}} +{{- $c_10 := (get (fromJson (include "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_10) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_10)) -}} +{{- end -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetInitContainerConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.bootstrapYamlTemplater" (dict "a" (list $dot) ))) "r"))) -}} +{{- $containers = (concat (default (list ) $containers) (default (list ) (get (fromJson (include "redpanda.templateToContainers" (dict "a" (list $dot $values.statefulset.initContainers.extraInitContainers) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $containers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerTuning" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.tuning.tune_aio_events) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "tuning" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include 
"redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict ) (dict "capabilities" (mustMergeOverwrite (dict ) (dict "add" (list `SYS_RESOURCE`) )) "privileged" true "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64) )) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.tuning.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/etc/redpanda" )))) "resources" $values.statefulset.initContainers.tuning.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerSetDataDirOwnership" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.setDataDirOwnership.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_453_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-datadir-ownership") ))) "r") -}} +{{- $uid := ((index $_453_uid_gid 0) | int64) -}} +{{- $gid := ((index $_453_uid_gid 1) | int64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "set-datadir-ownership" "image" (printf "%s:%s" $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `chown %d:%d -R /var/lib/redpanda/data` $uid $gid)) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) 
"r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setDataDirOwnership.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.setDataDirOwnership.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.securityContextUidGid" -}} +{{- $dot := (index .a 0) -}} +{{- $containerName := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $uid := $values.statefulset.securityContext.runAsUser -}} +{{- if (and (ne (toJson $values.statefulset.podSecurityContext) "null") (ne (toJson $values.statefulset.podSecurityContext.runAsUser) "null")) -}} +{{- $uid = $values.statefulset.podSecurityContext.runAsUser -}} +{{- end -}} +{{- if (eq (toJson $uid) "null") -}} +{{- $_ := (fail (printf `%s container requires runAsUser to be specified` $containerName)) -}} +{{- end -}} +{{- $gid := $values.statefulset.securityContext.fsGroup -}} +{{- if (and (ne (toJson $values.statefulset.podSecurityContext) "null") (ne (toJson $values.statefulset.podSecurityContext.fsGroup) "null")) -}} +{{- $gid = $values.statefulset.podSecurityContext.fsGroup -}} +{{- end -}} +{{- if (eq (toJson $gid) "null") -}} +{{- $_ := (fail (printf `%s container requires fsGroup to be specified` $containerName)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $uid $gid)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- 
break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "fs-validator" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` (printf `trap "exit 0" TERM; exec /etc/secrets/fs-validator/scripts/fsValidator.sh %s & wait $!` $values.statefulset.initContainers.fsValidator.expectedFS)) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.fsValidator.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.49s-fs-validator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" `/etc/secrets/fs-validator/scripts/` )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.fsValidator.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_535_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-tiered-storage-cache-dir-ownership") ))) "r") -}} +{{- $uid := 
((index $_535_uid_gid 0) | int64) -}} +{{- $gid := ((index $_535_uid_gid 1) | int64) -}} +{{- $cacheDir := (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" )))) -}} +{{- if (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none") -}} +{{- $name := "tiered-storage-dir" -}} +{{- if (and (ne (toJson $values.storage.persistentVolume) "null") (ne $values.storage.persistentVolume.nameOverwrite "")) -}} +{{- $name = $values.storage.persistentVolume.nameOverwrite -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" $cacheDir )))) -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" `set-tiered-storage-cache-dir-ownership` "image" (printf `%s:%s` $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `mkdir -p %s; chown %d:%d -R %s` $cacheDir $uid $gid $cacheDir)) "volumeMounts" $mounts "resources" $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} 
+{{- $values := $dot.Values.AsMap -}} +{{- $volMounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $volMounts = (concat (default (list ) $volMounts) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.configurator.extraVolumeMounts) ))) "r"))) -}} +{{- $volMounts = (concat (default (list ) $volMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/configurator/scripts/" )))) -}} +{{- if (and (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r")) $values.rackAwareness.enabled) -}} +{{- $mountName := "kube-api-access" -}} +{{- range $_, $vol := (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") -}} +{{- if (hasPrefix $vol.name (printf "%s%s" "kube-api-access" "-")) -}} +{{- $mountName = $vol.name -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $volMounts = (concat (default (list ) $volMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mountName "readOnly" true "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list 
`/bin/bash` `-c` `trap "exit 0" TERM; exec $CONFIGURATOR_SCRIPT "${SERVICE_NAME}" "${KUBERNETES_NODE_NAME}" & wait $!`) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONFIGURATOR_SCRIPT" "value" "/etc/secrets/configurator/scripts/configurator.sh" )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) "resourceFieldRef" (coalesce nil) "configMapKeyRef" (coalesce nil) "secretKeyRef" (coalesce nil) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "KUBERNETES_NODE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "spec.nodeName" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP_ADDRESS" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "apiVersion" "v1" "fieldPath" "status.hostIP" )) )) )))) ))) "r") "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" $volMounts "resources" $values.statefulset.initContainers.configurator.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetContainers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $containers := (coalesce nil) -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetContainerRedpanda" (dict "a" (list $dot) ))) "r"))) -}} +{{- $c_11 := (get (fromJson (include "redpanda.statefulSetContainerConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_11) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_11)) -}} +{{- end -}} +{{- $c_12 := (get (fromJson (include 
"redpanda.statefulSetContainerControllers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_12) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_12)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $containers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.wrapLifecycleHook" -}} +{{- $hook := (index .a 0) -}} +{{- $timeoutSeconds := (index .a 1) -}} +{{- $cmd := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $wrapped := (join " " $cmd) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list "bash" "-c" (printf "timeout -v %d %s 2>&1 | sed \"s/^/lifecycle-hook %s $(date): /\" | tee /proc/1/fd/1; true" $timeoutSeconds $wrapped $hook))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerRedpanda" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "$(SERVICE_NAME)" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $container := (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.bootstrapEnvVars" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetRedpandaEnv" (dict "a" (list ) ))) "r")) ))) "r") "lifecycle" (mustMergeOverwrite (dict ) (dict "postStart" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (get (fromJson (include "redpanda.wrapLifecycleHook" (dict "a" (list "post-start" ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64) (list "bash" "-x" "/var/lifecycle/postStart.sh")) ))) "r") )) )) 
"preStop" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (get (fromJson (include "redpanda.wrapLifecycleHook" (dict "a" (list "pre-stop" ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64) (list "bash" "-x" "/var/lifecycle/preStop.sh")) ))) "r") )) )) )) "startupProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -e` (printf `RESULT=$(curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready")` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r")) `echo $RESULT` `echo $RESULT | grep ready` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.startupProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.startupProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.startupProbe.failureThreshold | int) )) "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (printf `curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready"` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r"))) )) )) (dict "initialDelaySeconds" ($values.statefulset.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.livenessProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.livenessProbe.failureThreshold | int) )) "command" (list `rpk` `redpanda` `start` (printf `--advertise-rpc-addr=%s:%d` $internalAdvertiseAddress ($values.listeners.rpc.port | int))) 
"volumeMounts" (concat (default (list ) (get (fromJson (include "redpanda.StatefulSetVolumeMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.extraVolumeMounts) ))) "r"))) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "resources" (get (fromJson (include "redpanda.RedpandaResources.GetResourceRequirements" (dict "a" (list $values.resources) ))) "r") )) -}} +{{- if (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig `recovery_mode_enabled` false $values.config.node)) ))) "r")) -}} +{{- $_ := (set $container "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -x` `RESULT=$(rpk cluster health)` `echo $RESULT` `echo $RESULT | grep 'Healthy:.*true'` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.statefulset.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.statefulset.readinessProbe.periodSeconds | int) "successThreshold" ($values.statefulset.readinessProbe.successThreshold | int) "failureThreshold" ($values.statefulset.readinessProbe.failureThreshold | int) ))) -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "admin" "containerPort" ($values.listeners.admin.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.admin.external -}} +{{- if (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "admin-%.8s" (lower $externalName)) "containerPort" 
($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ($values.listeners.http.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.http.external -}} +{{- if (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "http-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "kafka" "containerPort" ($values.listeners.kafka.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.kafka.external -}} +{{- if (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "kafka-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "rpc" "containerPort" ($values.listeners.rpc.port | int) ))))) -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "schemaregistry" "containerPort" ($values.listeners.schemaRegistry.port | int) ))))) -}} +{{- range 
$externalName, $external := $values.listeners.schemaRegistry.external -}} +{{- if (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "schema-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none")) -}} +{{- $name := "tiered-storage-dir" -}} +{{- if (and (ne (toJson $values.storage.persistentVolume) "null") (ne $values.storage.persistentVolume.nameOverwrite "")) -}} +{{- $name = $values.storage.persistentVolume.nameOverwrite -}} +{{- end -}} +{{- $_ := (set $container "volumeMounts" (concat (default (list ) $container.volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") ))))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $container) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminApiURLs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `${SERVICE_NAME}.%s:%d` (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} 
+{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "config-watcher" "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` `trap "exit 0" TERM; exec /etc/secrets/config-watcher/scripts/sasl-user.sh & wait $!`) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (coalesce nil)) ))) "r") "resources" $values.statefulset.sideCars.configWatcher.resources "securityContext" $values.statefulset.sideCars.configWatcher.securityContext "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%s-config-watcher` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/config-watcher/scripts" ))))) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.sideCars.configWatcher.extraVolumeMounts) ))) "r"))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerControllers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.rbac.enabled) (not $values.statefulset.sideCars.controllers.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $volumeMounts := (list ) -}} +{{- if (and (and (and 
$values.rbac.enabled $values.statefulset.sideCars.controllers.enabled) $values.statefulset.sideCars.controllers.createRBAC) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r"))) -}} +{{- $mountName := "kube-api-access" -}} +{{- range $_, $vol := (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") -}} +{{- if (hasPrefix $vol.name (printf "%s%s" "kube-api-access" "-")) -}} +{{- $mountName = $vol.name -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mountName "readOnly" true "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "redpanda-controllers" "image" (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) "command" (list `/manager`) "args" (list `--operator-mode=false` (printf `--namespace=%s` $dot.Release.Namespace) (printf `--health-probe-bind-address=%s` $values.statefulset.sideCars.controllers.healthProbeAddress) (printf `--metrics-bind-address=%s` $values.statefulset.sideCars.controllers.metricsAddress) (printf `--pprof-bind-address=%s` $values.statefulset.sideCars.controllers.pprofAddress) (printf `--additional-controllers=%s` (join "," $values.statefulset.sideCars.controllers.run))) "env" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_HELM_RELEASE_NAME" "value" $dot.Release.Name ))) "resources" $values.statefulset.sideCars.controllers.resources "securityContext" $values.statefulset.sideCars.controllers.securityContext "volumeMounts" $volumeMounts ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkEnvVars" -}} 
+{{- $dot := (index .a 0) -}} +{{- $envVars := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne (toJson $values.auth.sasl) "null") $values.auth.sasl.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $envVars) (default (list ) (get (fromJson (include "redpanda.BootstrapUser.RpkEnvironment" (dict "a" (list $values.auth.sasl.bootstrapUser (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envVars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.bootstrapEnvVars" -}} +{{- $dot := (index .a 0) -}} +{{- $envVars := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne (toJson $values.auth.sasl) "null") $values.auth.sasl.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $envVars) (default (list ) (get (fromJson (include "redpanda.BootstrapUser.BootstrapEnvironment" (dict "a" (list $values.auth.sasl.bootstrapUser (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envVars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template 
$dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToContainers" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSet" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list $dot) ))) "r")) (not $values.force)) -}} +{{- $sv := (get (fromJson (include "redpanda.semver" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (fail (printf "Error: The Redpanda version (%s) is no longer supported \nTo accept this risk, run the upgrade again adding `--force=true`\n" $sv)) -}} +{{- end -}} +{{- $ss := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) "status" (dict "replicas" 0 "availableReplicas" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "StatefulSet" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) (dict 
"selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) "serviceName" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "replicas" ($values.statefulset.replicas | int) "updateStrategy" $values.statefulset.updateStrategy "podManagementPolicy" "Parallel" "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.statefulset.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "labels" (get (fromJson (include "redpanda.StatefulSetPodLabels" (dict "a" (list $dot) ))) "r") "annotations" (get (fromJson (include "redpanda.StatefulSetPodAnnotations" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetChecksumAnnotation" (dict "a" (list $dot) ))) "r")) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "automountServiceAccountToken" false "terminationGracePeriodSeconds" ($values.statefulset.terminationGracePeriodSeconds | int64) "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "initContainers" (get (fromJson (include "redpanda.StatefulSetInitContainers" (dict "a" (list $dot) ))) "r") "containers" (get (fromJson (include "redpanda.StatefulSetContainers" (dict "a" (list $dot) ))) "r") "volumes" (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") "topologySpreadConstraints" (get (fromJson (include "redpanda.statefulSetTopologySpreadConstraints" (dict "a" (list $dot) ))) "r") "nodeSelector" (get (fromJson (include "redpanda.statefulSetNodeSelectors" 
(dict "a" (list $dot) ))) "r") "affinity" (get (fromJson (include "redpanda.statefulSetAffinity" (dict "a" (list $dot) ))) "r") "priorityClassName" $values.statefulset.priorityClassName "tolerations" (get (fromJson (include "redpanda.statefulSetTolerations" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") "volumeClaimTemplates" (coalesce nil) )) )) -}} +{{- if (or $values.storage.persistentVolume.enabled ((and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (eq (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")))) -}} +{{- $t_13 := (get (fromJson (include "redpanda.volumeClaimTemplateDatadir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $t_13) "null") -}} +{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_13))) -}} +{{- end -}} +{{- $t_14 := (get (fromJson (include "redpanda.volumeClaimTemplateTieredStorageDir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $t_14) "null") -}} +{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_14))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.semver" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetChecksumAnnotation" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $dependencies := (coalesce nil) -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include 
"redpanda.RedpandaConfigFile" (dict "a" (list $dot false) ))) "r"))) -}} +{{- if $values.external.enabled -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r"))) -}} +{{- if (empty $values.external.addresses) -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list "")) -}} +{{- else -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list $values.external.addresses)) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (sha256sum (toJson $dependencies))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetTolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default $values.tolerations $values.statefulset.tolerations)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetNodeSelectors" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default $values.statefulset.nodeSelector $values.nodeSelector)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $affinity := (mustMergeOverwrite (dict ) (dict )) -}} +{{- if (not (empty $values.statefulset.nodeAffinity)) -}} +{{- $_ := (set $affinity "nodeAffinity" $values.statefulset.nodeAffinity) -}} +{{- else -}}{{- if (not (empty $values.affinity.nodeAffinity)) -}} +{{- $_ := (set $affinity "nodeAffinity" $values.affinity.nodeAffinity) -}} +{{- end -}} +{{- end -}} +{{- if (not (empty $values.statefulset.podAffinity)) -}} +{{- $_ := (set 
$affinity "podAffinity" $values.statefulset.podAffinity) -}} +{{- else -}}{{- if (not (empty $values.affinity.podAffinity)) -}} +{{- $_ := (set $affinity "podAffinity" $values.affinity.podAffinity) -}} +{{- end -}} +{{- end -}} +{{- if (not (empty $values.statefulset.podAntiAffinity)) -}} +{{- $_ := (set $affinity "podAntiAffinity" (mustMergeOverwrite (dict ) (dict ))) -}} +{{- if (eq $values.statefulset.podAntiAffinity.type "hard") -}} +{{- $_ := (set $affinity.podAntiAffinity "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )))) -}} +{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "soft") -}} +{{- $_ := (set $affinity.podAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" ($values.statefulset.podAntiAffinity.weight | int) "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )) )))) -}} +{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "custom") -}} +{{- $_ := (set $affinity "podAntiAffinity" $values.statefulset.podAntiAffinity.custom) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- else -}}{{- if (not (empty $values.affinity.podAntiAffinity)) -}} +{{- $_ := (set $affinity "podAntiAffinity" $values.affinity.podAntiAffinity) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.volumeClaimTemplateDatadir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.storage.persistentVolume.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" "datadir" "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) $values.storage.persistentVolume.labels $values.commonLabels) "annotations" (default (coalesce nil) $values.storage.persistentVolume.annotations) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" $values.storage.persistentVolume.size ) )) )) )) -}} +{{- if (not (empty $values.storage.persistentVolume.storageClass)) -}} +{{- if (eq $values.storage.persistentVolume.storageClass "-") -}} +{{- $_ := (set $pvc.spec "storageClassName" "") -}} +{{- else -}} +{{- $_ := (set $pvc.spec "storageClassName" $values.storage.persistentVolume.storageClass) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pvc) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.volumeClaimTemplateTieredStorageDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) (ne (get 
(fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (default "tiered-storage-dir" $values.storage.persistentVolume.nameOverwrite) "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeLabels" (dict "a" (list $values.storage) ))) "r") $values.commonLabels) "annotations" (default (coalesce nil) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeAnnotations" (dict "a" (list $values.storage) ))) "r")) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" (index (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") `cloud_storage_cache_size`) ) )) )) )) -}} +{{- $sc_15 := (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeStorageClass" (dict "a" (list $values.storage) ))) "r") -}} +{{- if (eq $sc_15 "-") -}} +{{- $_ := (set $pvc.spec "storageClassName" "") -}} +{{- else -}}{{- if (not (empty $sc_15)) -}} +{{- $_ := (set $pvc.spec "storageClassName" $sc_15) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pvc) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetTopologySpreadConstraints" -}} +{{- $dot := (index .a 0) -}} +{{- 
range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- $labelSelector := (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) -}} +{{- range $_, $v := $values.statefulset.topologySpreadConstraints -}} +{{- $result = (concat (default (list ) $result) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "maxSkew" ($v.maxSkew | int) "topologyKey" $v.topologyKey "whenUnsatisfiable" $v.whenUnsatisfiable "labelSelector" $labelSelector )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StorageTieredConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.19/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.19/templates/_values.go.tpl new file mode 100644 index 0000000000..7cd62c909e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/_values.go.tpl 
@@ -0,0 +1,1559 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "redpanda.AuditLogging.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- $isSASLEnabled := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $enabled := (and $a.enabled $isSASLEnabled) -}} +{{- $_ := (set $result "audit_enabled" $enabled) -}} +{{- if (not $enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne (($a.clientMaxBufferSize | int) | int) (16777216 | int)) -}} +{{- $_ := (set $result "audit_client_max_buffer_size" ($a.clientMaxBufferSize | int)) -}} +{{- end -}} +{{- if (ne (($a.queueDrainIntervalMs | int) | int) (500 | int)) -}} +{{- $_ := (set $result "audit_queue_drain_interval_ms" ($a.queueDrainIntervalMs | int)) -}} +{{- end -}} +{{- if (ne (($a.queueMaxBufferSizePerShard | int) | int) (1048576 | int)) -}} +{{- $_ := (set $result "audit_queue_max_buffer_size_per_shard" ($a.queueMaxBufferSizePerShard | int)) -}} +{{- end -}} +{{- if (ne (($a.partitions | int) | int) (12 | int)) -}} +{{- $_ := (set $result "audit_log_num_partitions" ($a.partitions | int)) -}} +{{- end -}} +{{- if (ne ($a.replicationFactor | int) (0 | int)) -}} +{{- $_ := (set $result "audit_log_replication_factor" ($a.replicationFactor | int)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.enabledEventTypes) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_enabled_event_types" $a.enabledEventTypes) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedTopics) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_topics" $a.excludedTopics) -}} +{{- end 
-}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedPrincipals) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_principals" $a.excludedPrincipals) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.IsSASLEnabled" -}} +{{- $a := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $a.sasl) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $a.sasl.enabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $isSASLEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not $isSASLEnabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $users := (list (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $a.sasl.bootstrapUser) ))) "r")) -}} +{{- range $_, $u := $a.sasl.users -}} +{{- $users = (concat (default (list ) $users) (list $u.name)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "superusers" $users )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Logging.Translate" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- $clusterID_1 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.usageStats.clusterId "") ))) "r") -}} +{{- if (ne $clusterID_1 "") -}} +{{- $_ := (set $result "cluster_id" $clusterID_1) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.RedpandaResources.GetResourceRequirements" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "limits" $rr.limits "requests" $rr.requests ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $reqs := (mustMergeOverwrite (dict ) (dict "limits" (dict "cpu" $rr.cpu.cores "memory" $rr.memory.container.max ) )) -}} +{{- if (ne (toJson $rr.memory.container.min) "null") -}} +{{- $_ := (set $reqs "requests" (dict "cpu" $rr.cpu.cores "memory" $rr.memory.container.min )) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $reqs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaResources.GetRedpandaFlags" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $flags := (dict "--reserve-memory" (printf "%dM" ((get (fromJson (include "redpanda.RedpandaResources.reserveMemory" (dict "a" (list $rr) ))) "r") | int64)) ) -}} +{{- $smp_2 := (get (fromJson (include "redpanda.RedpandaResources.smp" (dict "a" (list $rr) ))) "r") -}} +{{- if (ne (toJson $smp_2) "null") -}} +{{- $_ := (set $flags "--smp" (printf "%d" ($smp_2 | int64))) -}} +{{- end -}} +{{- $memory_3 := (get (fromJson (include "redpanda.RedpandaResources.memory" (dict "a" (list $rr) ))) "r") -}} +{{- if (ne (toJson $memory_3) "null") -}} +{{- $_ := (set $flags "--memory" (printf "%dM" ($memory_3 | int64))) -}} +{{- end -}} +{{- if (and (eq (toJson $rr.limits) "null") (eq (toJson $rr.requests) "null")) -}} +{{- $_ := (set $flags "--lock-memory" (printf "%v" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $rr.memory.enable_memory_locking false) ))) "r"))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.RedpandaResources.GetOverProvisionValue" (dict "a" (list $rr) ))) "r") -}} +{{- $_ := (set 
$flags "--overprovisioned" "") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $flags) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaResources.GetOverProvisionValue" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} +{{- $_449_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "cpu" "0") ))) "r") -}} +{{- $cpuReq := (index $_449_cpuReq_ok 0) -}} +{{- $ok := (index $_449_cpuReq_ok 1) -}} +{{- if (not $ok) -}} +{{- $_451_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "cpu" "0") ))) "r") -}} +{{- $cpuReq = (index $_451_cpuReq_ok 0) -}} +{{- $ok = (index $_451_cpuReq_ok 1) -}} +{{- end -}} +{{- if (and $ok (lt ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $cpuReq) ))) "r") | int64) (1000 | int64))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (lt ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $rr.cpu.cores) ))) "r") | int64) (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $rr.cpu.overprovisioned false) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaResources.smp" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} +{{- $_475_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "cpu" "0") ))) "r") -}} +{{- $cpuReq := (index $_475_cpuReq_ok 0) -}} 
+{{- $ok := (index $_475_cpuReq_ok 1) -}} +{{- if (not $ok) -}} +{{- $_477_cpuReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "cpu" "0") ))) "r") -}} +{{- $cpuReq = (index $_477_cpuReq_ok 0) -}} +{{- $ok = (index $_477_cpuReq_ok 1) -}} +{{- end -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $smp := ((div ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $cpuReq) ))) "r") | int64) (1000 | int64)) | int64) -}} +{{- if (lt $smp (1 | int64)) -}} +{{- $smp = (1 | int64) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $smp) | toJson -}} +{{- break -}} +{{- end -}} +{{- $coresInMillies_4 := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $rr.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillies_4 (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((1 | int64) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rr.cpu.cores) ))) "r") | int64) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaResources.memory" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} +{{- $_534_memReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.requests) "memory" "0") ))) "r") -}} +{{- $memReq := (index $_534_memReq_ok 0) -}} +{{- $ok := (index $_534_memReq_ok 1) -}} +{{- if (not $ok) -}} +{{- $_536_memReq_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list ($rr.limits) "memory" "0") ))) "r") -}} +{{- $memReq = (index $_536_memReq_ok 0) -}} +{{- $ok = (index $_536_memReq_ok 1) -}} +{{- end -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson 
-}} +{{- break -}} +{{- end -}} +{{- $memory := (((mulf (((get (fromJson (include "_shims.resource_Value" (dict "a" (list $memReq) ))) "r") | int64) | float64) 0.90) | float64) | int64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div $memory ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $memory := ((0 | int64) | int64) -}} +{{- $containerMemory := ((get (fromJson (include "redpanda.RedpandaResources.containerMemory" (dict "a" (list $rr) ))) "r") | int64) -}} +{{- $rpMem_5 := $rr.memory.redpanda -}} +{{- if (and (ne (toJson $rpMem_5) "null") (ne (toJson $rpMem_5.memory) "null")) -}} +{{- $memory = ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_5.memory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64) -}} +{{- else -}} +{{- $memory = (((mulf ($containerMemory | float64) 0.8) | float64) | int64) -}} +{{- end -}} +{{- if (eq $memory (0 | int64)) -}} +{{- $_ := (fail "unable to get memory value redpanda-memory") -}} +{{- end -}} +{{- if (lt $memory (256 | int64)) -}} +{{- $_ := (fail (printf "%d is below the minimum value for Redpanda" $memory)) -}} +{{- end -}} +{{- if (gt ((add $memory (((get (fromJson (include "redpanda.RedpandaResources.reserveMemory" (dict "a" (list $rr) ))) "r") | int64) | int64)) | int64) $containerMemory) -}} +{{- $_ := (fail (printf "Not enough container memory for Redpanda memory values where Redpanda: %d, reserve: %d, container: %d" $memory ((get (fromJson (include "redpanda.RedpandaResources.reserveMemory" (dict "a" (list $rr) ))) "r") | int64) $containerMemory)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $memory) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaResources.reserveMemory" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $rr.limits) "null") (ne (toJson $rr.requests) "null")) -}} +{{- $_is_returning = true 
-}} +{{- (dict "r" (0 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpMem_6 := $rr.memory.redpanda -}} +{{- if (and (ne (toJson $rpMem_6) "null") (ne (toJson $rpMem_6.reserveMemory) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_6.reserveMemory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((add (((mulf (((get (fromJson (include "redpanda.RedpandaResources.containerMemory" (dict "a" (list $rr) ))) "r") | int64) | float64) 0.002) | float64) | int64) (200 | int64)) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaResources.containerMemory" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $rr.memory.container.min) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rr.memory.container.min) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rr.memory.container.max) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.IsTieredStorageEnabled" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $conf := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}} +{{- $_654_b_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil)) ))) "r") -}} +{{- $b := (index $_654_b_ok 0) -}} +{{- $ok := (index $_654_b_ok 1) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and $ok (get 
(fromJson (include "_shims.typeassertion" (dict "a" (list "bool" $b) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageConfig" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $s.tieredConfig) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredConfig) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.config) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageHostPath" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $hp := $s.tieredStorageHostPath -}} +{{- if (empty $hp) -}} +{{- $hp = $s.tiered.hostPath -}} +{{- end -}} +{{- if (empty $hp) -}} +{{- $_ := (fail (printf `storage.tiered.mountType is "%s" but storage.tiered.hostPath is empty` $s.tiered.mountType)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $hp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredCacheDirectory" -}} +{{- $s := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_683_dir_7_ok_8 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $values.config.node "cloud_storage_cache_directory") "") ))) "r") -}} +{{- $dir_7 := (index $_683_dir_7_ok_8 0) -}} +{{- $ok_8 := (index $_683_dir_7_ok_8 1) -}} +{{- if $ok_8 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $dir_7) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") -}} +{{- $_692_dir_9_ok_10 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $tieredConfig 
"cloud_storage_cache_directory") "") ))) "r") -}} +{{- $dir_9 := (index $_692_dir_9_ok_10 0) -}} +{{- $ok_10 := (index $_692_dir_9_ok_10 1) -}} +{{- if $ok_10 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $dir_9) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/var/lib/redpanda/data/cloud_storage_cache") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredMountType" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $s.tieredStoragePersistentVolume) "null") $s.tieredStoragePersistentVolume.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "persistentVolume") | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (empty $s.tieredStorageHostPath)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "hostPath") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.mountType) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeLabels" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeAnnotations" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.annotations) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.annotations) | toJson -}} +{{- break -}} 
+{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeStorageClass" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.storageClass) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.storageClass) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.StorageMinFreeBytes" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $s.persistentVolume) "null") (not $s.persistentVolume.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (5368709120 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $minimumFreeBytes := ((mulf (((get (fromJson (include "_shims.resource_Value" (dict "a" (list $s.persistentVolume.size) ))) "r") | int64) | float64) 0.05) | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (min (5368709120 | int) ($minimumFreeBytes | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tuning.Translate" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- $s := (toJson $t) -}} +{{- $tune := (fromJson $s) -}} +{{- $_918_m_ok := (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil)) ))) "r") -}} +{{- $m := (index $_918_m_ok 0) -}} +{{- $ok := (index $_918_m_ok 1) -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $k, $v := $m -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- 
end -}} +{{- end -}} + +{{- define "redpanda.Listeners.CreateSeedServers" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (dict "host" (dict "address" (printf "%s-%d.%s" $fullname $i $internalDomain) "port" ($l.rpc.port | int) ) ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.AdminList" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.ServerList" (dict "a" (list $replicas "" $fullname $internalDomain ($l.admin.port | int)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.SchemaRegistryList" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.ServerList" (dict "a" (list $replicas "" $fullname $internalDomain ($l.schemaRegistry.port | int)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServerList" -}} +{{- $replicas := (index .a 0) -}} +{{- $prefix := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- $port := (index .a 4) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning 
:= false -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (printf "%s%s-%d.%s:%d" $prefix $fullname $i $internalDomain ($port | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStoreVolume" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cmSources := (dict ) -}} +{{- $secretSources := (dict ) -}} +{{- range $_, $ts := (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $l $tls) ))) "r") -}} +{{- $projection := (get (fromJson (include "redpanda.TrustStore.VolumeProjection" (dict "a" (list $ts) ))) "r") -}} +{{- if (ne (toJson $projection.secret) "null") -}} +{{- $_ := (set $secretSources $projection.secret.name (concat (default (list ) (index $secretSources $projection.secret.name)) (default (list ) $projection.secret.items))) -}} +{{- else -}} +{{- $_ := (set $cmSources $projection.configMap.name (concat (default (list ) (index $cmSources $projection.configMap.name)) (default (list ) $projection.configMap.items))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $sources := (coalesce nil) -}} +{{- range $_, $name := (sortAlpha (keys $cmSources)) -}} +{{- $keys := (index $cmSources $name) -}} +{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $name := (sortAlpha (keys $secretSources)) -}} +{{- $keys := 
(index $secretSources $name) -}} +{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (lt ((get (fromJson (include "_shims.len" (dict "a" (list $sources) ))) "r") | int) (1 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "projected" (mustMergeOverwrite (dict "sources" (coalesce nil) ) (dict "sources" $sources )) )) (dict "name" "truststores" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.dedupKeyToPaths" -}} +{{- $items := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $seen := (dict ) -}} +{{- $deduped := (coalesce nil) -}} +{{- range $_, $item := $items -}} +{{- $_1035___ok_11 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $seen $item.key false) ))) "r") -}} +{{- $_ := (index $_1035___ok_11 0) -}} +{{- $ok_11 := (index $_1035___ok_11 1) -}} +{{- if $ok_11 -}} +{{- continue -}} +{{- end -}} +{{- $deduped = (concat (default (list ) $deduped) (list $item)) -}} +{{- $_ := (set $seen $item.key true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $deduped) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (get (fromJson (include "redpanda.KafkaListeners.TrustStores" (dict "a" (list $l.kafka $tls) ))) "r") -}} +{{- $tss = (concat (default (list 
) $tss) (default (list ) (get (fromJson (include "redpanda.AdminListeners.TrustStores" (dict "a" (list $l.admin $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.HTTPListeners.TrustStores" (dict "a" (list $l.http $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.SchemaRegistryListeners.TrustStores" (dict "a" (list $l.schemaRegistry $tls) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Config.CreateRPKConfiguration" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c.rpk -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCertMap.MustGet" -}} +{{- $m := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_1126_cert_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $m $name (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil) )) ))) "r") -}} +{{- $cert := (index $_1126_cert_ok 0) -}} +{{- $ok := (index $_1126_cert_ok 1) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced, but not found in the tls.certs map" $name)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cert) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.BootstrapEnvironment" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- 
$_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (get (fromJson (include "redpanda.BootstrapUser.RpkEnvironment" (dict "a" (list $b $fullname) ))) "r")) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RP_BOOTSTRAP_USER" "value" "$(RPK_USER):$(RPK_PASS):$(RPK_SASL_MECHANISM)" ))))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.Username" -}} +{{- $b := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $b.name) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "kubernetes-controller") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.RpkEnvironment" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_PASS" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (get (fromJson (include "redpanda.BootstrapUser.SecretKeySelector" (dict "a" (list $b $fullname) ))) "r") )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_USER" "value" (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $b) ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_SASL_MECHANISM" "value" (get (fromJson (include "redpanda.BootstrapUser.GetMechanism" (dict "a" (list $b) ))) "r") )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.GetMechanism" -}} +{{- $b := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $b.mechanism "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" "SCRAM-SHA-256") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.mechanism) | toJson -}} +{{- break 
-}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.SecretKeySelector" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $b.secretKeyRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.secretKeyRef) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (printf "%s-bootstrap-user" $fullname) )) (dict "key" "password" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s" "/etc/truststores" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.RelativePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.configMapKeyRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "configmaps/%s-%s" $t.configMapKeyRef.name $t.configMapKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "secrets/%s-%s" $t.secretKeyRef.name $t.secretKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.VolumeProjection" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.configMapKeyRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.configMapKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" 
$t.configMapKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.secretKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.secretKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled $tls.enabled) ))) "r") (ne $t.cert ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.trustStore) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.ServerCAPath" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false 
-}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s/tls.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCert" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r")) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCertName" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.cert $i.cert) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.trustStore) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list 
$t $i) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $t) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (ne (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r") "") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $i $tls) ))) "r")) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.ConsoleTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $adminAPIPrefix := (printf "%s/%s" "/etc/tls/certs" $l.tls.cert) -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $l.tls.cert) ))) "r").caEnabled -}} +{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $adminAPIPrefix)) -}} +{{- else -}} +{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $adminAPIPrefix)) -}} +{{- end -}} +{{- if (not $l.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t 
"certFilepath" (printf "%s/tls.crt" $adminAPIPrefix)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $adminAPIPrefix)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $admin := (list (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r")) -}} +{{- range $k, $lis := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "port" ($lis.port | int) "address" "0.0.0.0" ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $admin := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $admin = (concat (default (list ) $admin) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k 
"enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (list ) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (ternary (index $l.external $key) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "tls" (coalesce nil) ) (hasKey $l.external $key)) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true 
-}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_12 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_12 "") -}} +{{- $_ := (set $internal "authentication_method" $am_12) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_13 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_13 "") -}} +{{- $_ := (set $listener "authentication_method" $am_13) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $pp := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls 
$l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $pp = (concat (default (list ) $pp) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $pp = (concat (default (list ) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (ternary (index $l.external $key) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "prefixTemplate" (coalesce nil) "tls" (coalesce 
nil) ) (hasKey $l.external $key)) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $auth := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $internal "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_14 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_14 "") -}} +{{- $_ := (set $internal "authentication_method" $am_14) -}} +{{- end -}} +{{- $kafka := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" 
(dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $listener "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_15 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_15 "") -}} +{{- $_ := (set $listener "authentication_method" $am_15) -}} +{{- end -}} +{{- $kafka = (concat (default (list ) $kafka) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $kafka := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $kafka = (concat (default (list ) $kafka) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $kafka = (concat (default (list ) $kafka) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- 
if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (ternary (index $l.external $key) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "prefixTemplate" (coalesce nil) "tls" (coalesce nil) ) (hasKey $l.external $key)) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ConsoleTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson 
-}} +{{- break -}} +{{- end -}} +{{- $kafkaPathPrefix := (printf "%s/%s" "/etc/tls/certs" $l.tls.cert) -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $l.tls.cert) ))) "r").caEnabled -}} +{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $kafkaPathPrefix)) -}} +{{- else -}} +{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $kafkaPathPrefix)) -}} +{{- end -}} +{{- if (not $l.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" $kafkaPathPrefix)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $kafkaPathPrefix)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ConnectorsTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- $fullName := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "ca" (dict "secretRef" "" "secretNameOverwrite" "" ) "cert" (dict "secretRef" "" "secretNameOverwrite" "" ) "key" (dict "secretRef" "" "secretNameOverwrite" "" ) ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "ca" (mustMergeOverwrite (dict "secretRef" "" "secretNameOverwrite" "" ) (dict "secretRef" (printf "%s-default-cert" $fullName) ))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list 
$l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_16 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_16 "") -}} +{{- $_ := (set $internal "authentication_method" $am_16) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_17 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_17 "") -}} +{{- $_ := (set $listener "authentication_method" $am_17) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson 
(include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $listeners = (concat (default (list ) $listeners) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $listeners = (concat (default (list ) $listeners) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $listeners) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (ternary (index $l.external $key) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "tls" (coalesce nil) ) (hasKey $l.external 
$key)) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ConsoleTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $schemaRegistryPrefix := (printf "%s/%s" "/etc/tls/certs" $l.tls.cert) -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $l.tls.cert) ))) "r").caEnabled -}} +{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $schemaRegistryPrefix)) -}} +{{- else -}} +{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $schemaRegistryPrefix)) -}} +{{- end -}} +{{- if (not $l.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" $schemaRegistryPrefix)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $schemaRegistryPrefix)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryExternal.IsEnabled" -}} 
+{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TunableConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $c) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.NodeConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $_1960___ok_18 := (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r") -}} +{{- $_ := ((index $_1960___ok_18 0) | float64) -}} +{{- $ok_18 := (index $_1960___ok_18 1) -}} +{{- if $ok_18 -}} +{{- $_ := (set $result $k $v) -}} +{{- else -}}{{- if (kindIs "bool" $v) -}} +{{- $_ := (set $result $k $v) -}} +{{- else -}} +{{- $_ := (set $result $k (toYaml $v)) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- $_1980_b_19_ok_20 := (get (fromJson (include 
"_shims.typetest" (dict "a" (list "bool" $v false) ))) "r") -}} +{{- $b_19 := (index $_1980_b_19_ok_20 0) -}} +{{- $ok_20 := (index $_1980_b_19_ok_20 1) -}} +{{- if $ok_20 -}} +{{- $_ := (set $result $k $b_19) -}} +{{- continue -}} +{{- end -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretRef.AsSource" -}} +{{- $sr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sr.name )) (dict "key" $sr.key )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretRef.IsValid" -}} +{{- $sr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (and (ne (toJson $sr) "null") (not (empty $sr.key))) (not (empty $sr.name)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageCredentials.AsEnvVars" -}} +{{- $tsc := (index .a 0) -}} +{{- $config := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_2025___hasAccessKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_access_key" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_2025___hasAccessKey 0) -}} +{{- $hasAccessKey := (index $_2025___hasAccessKey 1) -}} +{{- $_2026___hasSecretKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_secret_key" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_2026___hasSecretKey 0) -}} +{{- $hasSecretKey := (index $_2026___hasSecretKey 1) -}} +{{- $_2027___hasSharedKey := (get (fromJson (include 
"_shims.dicttest" (dict "a" (list $config "cloud_storage_azure_shared_key" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_2027___hasSharedKey 0) -}} +{{- $hasSharedKey := (index $_2027___hasSharedKey 1) -}} +{{- $envvars := (coalesce nil) -}} +{{- if (and (not $hasAccessKey) (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.accessKey) ))) "r")) -}} +{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_ACCESS_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.accessKey) ))) "r") )))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.secretKey) ))) "r") -}} +{{- if (and (not $hasSecretKey) (not (get (fromJson (include "redpanda.TieredStorageConfig.HasAzureCanaries" (dict "a" (list (deepCopy $config)) ))) "r"))) -}} +{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_SECRET_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.secretKey) ))) "r") )))) -}} +{{- else -}}{{- if (and (not $hasSharedKey) (get (fromJson (include "redpanda.TieredStorageConfig.HasAzureCanaries" (dict "a" (list (deepCopy $config)) ))) "r")) -}} +{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_AZURE_SHARED_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.secretKey) ))) "r") )))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envvars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageConfig.HasAzureCanaries" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_2063___containerExists := (get (fromJson (include "_shims.dicttest" (dict 
"a" (list $c "cloud_storage_azure_container" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_2063___containerExists 0) -}} +{{- $containerExists := (index $_2063___containerExists 1) -}} +{{- $_2064___accountExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_storage_account" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_2064___accountExists 0) -}} +{{- $accountExists := (index $_2064___accountExists 1) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and $containerExists $accountExists)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageConfig.CloudStorageCacheSize" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_2069_value_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c `cloud_storage_cache_size` (coalesce nil)) ))) "r") -}} +{{- $value := (index $_2069_value_ok 0) -}} +{{- $ok := (index $_2069_value_ok 1) -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- $creds := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $config := (merge (dict ) (dict ) $c) -}} +{{- range $_, $envvar := (get (fromJson (include "redpanda.TieredStorageCredentials.AsEnvVars" (dict "a" (list $creds $c) ))) "r") -}} +{{- $key := (lower (substr ((get (fromJson (include "_shims.len" (dict "a" (list "REDPANDA_") ))) "r") | int) -1 $envvar.name)) -}} +{{- $_ := (set $config $key (printf "$%s" $envvar.name)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $size_21 := (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy $c)) ))) "r") -}} +{{- if (ne 
(toJson $size_21) "null") -}} +{{- $_ := (set $config "cloud_storage_cache_size" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $size_21) ))) "r") | int64)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $config) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +
diff --git a/charts/redpanda/redpanda/5.9.19/templates/entry-point.yaml b/charts/redpanda/redpanda/5.9.19/templates/entry-point.yaml
new file mode 100644
index 0000000000..6cdf646ad6
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/entry-point.yaml
@@ -0,0 +1,17 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- include "_shims.render-manifest" (list "redpanda.render" .) -}}
diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-api-status.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-api-status.yaml
new file mode 100644
index 0000000000..330a2c4a4d
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-api-status.yaml
@@ -0,0 +1,52 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled (not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool)) -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-api-status"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command:
+ - /usr/bin/timeout
+ - "120"
+ - bash
+ - -c
+ - |
+ until rpk cluster info \
+ --brokers {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }}
+ do sleep 2
+ done
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-auditLogging.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-auditLogging.yaml
new file mode 100644
index 0000000000..fea34776fc
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-auditLogging.yaml
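Review bot: The gate on the first template line of test-api-status.yaml, `not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool)`, renders this pod only for clusters with neither TLS nor SASL, and nothing in the file says so. The `rpk cluster info` call passes only `--brokers`, so the restriction looks deliberate. I would record it above the `if`, for example `{{/* Plaintext, unauthenticated clusters only: rpk is called without TLS or SASL settings, so this test is skipped when either is enabled. */}}`. Without that, a passing `helm test` on a secured cluster can be read as having exercised this check.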
@@ -0,0 +1,86 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/}}
+{{/*
+ This feature is gated by having a license, and it must have sasl enabled, we assume these conditions are met
+ as part of setting auditLogging being enabled.
+*/}}
+{{- if and .Values.tests.enabled .Values.auditLogging.enabled (include "redpanda-atleast-23-3-0" . | fromJson).bool }}
+{{- $sasl := .Values.auth.sasl }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-audit-logging"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: { { - toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command:
+ - /usr/bin/timeout
+ - "120"
+ - bash
+ - -c
+ - |
+ set -xe
+ old_setting=${-//[^x]/}
+ audit_topic_name="_redpanda.audit_log"
+ expected_partitions={{ .Values.auditLogging.partitions }}
+
+ # sasl configurations
+ set +x
+ IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print))
+ {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }}
+ RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- else }}
+ REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- end }}
+ export {{ include "rpk-sasl-environment-variables" . }}
+ if [[ -n "$old_setting" ]]; then set -x; fi
+
+ # now run the to determine if we have the right results
+ # should describe topic without error
+ rpk topic describe ${audit_topic_name}
+ # should get the expected values
+ result=$(rpk topic list | grep ${audit_topic_name})
+ name=$(echo $result | awk '{print $1}')
+ partitions=$(echo $result | awk '{print $2}')
+ if [ "${name}" != "${audit_topic_name}" ]; then
+ echo "expected topic name does not match"
+ exit 1
+ fi
+ if [ ${partitions} != ${expected_partitions} ]; then
+ echo "expected partition size did not match"
+ exit 1
+ fi
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ resources:
+{{- toYaml .Values.statefulset.resources | nindent 12 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-connector-via-console.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-connector-via-console.yaml
new file mode 100644
index 0000000000..67619a829b
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-connector-via-console.yaml
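Review bot: The `imagePullSecrets` line in test-auditLogging.yaml is not a template action: `imagePullSecrets: { { - toYaml . | nindent 4 }}` opens with `{ { -` instead of `{{-`. When `.Values.imagePullSecrets` is set, that text is emitted literally and is not a valid `imagePullSecrets` list, so the audit-logging test pod presumably fails to render or cannot pull from a private registry. The intended form is the one test-api-status.yaml uses in this same commit, `imagePullSecrets: {{- toYaml . | nindent 4 }}`. If this chart is imported unchanged from upstream, the fix likely belongs in the upstream template as well.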
@@ -0,0 +1,166 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled .Values.connectors.enabled .Values.console.enabled }} +{{- $sasl := .Values.auth.sasl }} +{{- $values := .Values }} +{{- $consoleValues := (merge (dict) .Values.console .Subcharts.console.Values) -}} +{{- $consoleDot := dict "Values" (dict "AsMap" $consoleValues) "Release" .Release "Chart" .Subcharts.console.Chart -}} +{{- $connectorsDot := dict "Values" (merge (dict) .Values.connectors .Subcharts.connectors.Values) "Release" .Release "Chart" .Subcharts.connectors.Chart -}} +{{/* brokers */}} +{{- $kafkaBrokers := list }} +{{- range (include "seed-server-list" . | mustFromJson) }} + {{- $kafkaBrokers = append $kafkaBrokers (printf "%s:%s" . ($values.listeners.kafka.port | toString)) }} +{{- end }} +{{- $brokersString := join "," $kafkaBrokers}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . | trunc 54 }}-test-connectors-via-console + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . 
| nindent 4 }} + {{- end }} + test-name: test-connectors-via-console + annotations: + test-name: test-connectors-via-console + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: TLS_ENABLED + value: {{ (include "kafka-internal-tls-enabled" . | fromJson).bool | quote }} + command: + - /bin/bash + - -c + - | + set -xe + + trap connectorsState ERR + + connectorsState () { + echo check connectors expand status + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=status + echo check connectors expand info + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=info + echo check connector configuration + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME + echo check connector topics + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics + } + + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + echo "SASL enabled: reading credentials from $(find /etc/secrets/users/* -print)" + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + RPK_USER="${REDPANDA_SASL_USERNAME}" + RPK_PASS="${REDPANDA_SASL_PASSWORD}" + RPK_SASL_MECHANISM="${REDPANDA_SASL_MECHANISM}" + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," + set -x + set +e + {{- end }} + + {{- $testTopic := printf "test-topic-%s" (randNumeric 3) }} + rpk topic create {{ $testTopic }} + rpk topic list + echo "Test message!" | rpk topic produce {{ $testTopic }} + + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$RPK_SASL_MECHANISM" && $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$RPK_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "connectorName": "CONNECTOR_NAME", + "config": { + "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "{{ $testTopic }}", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.alias": "test-only-redpanda", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": 
"true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + "target.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + "source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM" + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$RPK_SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + URL=http://{{ get ((include "console.Fullname" (dict "a" (list $consoleDot))) | fromJson) "r" }}:{{ get (fromJson (include "console.ContainerPort" (dict "a" (list $consoleDot) ))) "r" }}/api/kafka-connect/clusters/connectors/connectors + {{/* outputting to /dev/null because the output contains the user password */}} + echo "Creating mm2 connector" + curl {{ template "curl-options" . }} -H 'Content-Type: application/json' "${URL}" -d @/tmp/mm2-conf.json + + rpk topic consume source.{{ $testTopic }} -n 1 + + echo "Destroying mm2 connector" + curl {{ template "curl-options" . }} -X DELETE "${URL}/${CONNECTOR_NAME}" + + rpk topic list + rpk topic delete {{ $testTopic }} source.{{ $testTopic }} mm2-offset-syncs.test-only-redpanda.internal + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} 
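Review bot: The template comment above the "Creating mm2 connector" call says the output goes to /dev/null because it contains the user password, but the `curl ... -d @/tmp/mm2-conf.json` line has no redirection and runs after `set -x` has been restored. The response body is therefore written to the test pod's log. Add the redirect the comment describes, e.g. `curl {{ template "curl-options" . }} -H 'Content-Type: application/json' "${URL}" -d @/tmp/mm2-conf.json > /dev/null`. The `connectorsState` ERR trap also fetches `/connectors/$CONNECTOR_NAME`, which presumably returns the same JAAS settings on failure, so that is worth confirming and filtering. Separately, the `sed` substitutions of `$JAAS_CONFIG_SOURCE` and `$JAAS_CONFIG_TARGET` will break on passwords containing `/` or `&`.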
diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-console.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-console.yaml
new file mode 100644
index 0000000000..aeef1117ac
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-console.yaml
@@ -0,0 +1,49 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled .Values.console.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-console" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + curl {{ template "curl-options" . }} http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }}/api/cluster + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . 
| nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-internal-external-tls-secrets.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-internal-external-tls-secrets.yaml new file mode 100644 index 0000000000..53d75bb1ba --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-internal-external-tls-secrets.yaml 
@@ -0,0 +1,122 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "tls-enabled" . | fromJson).bool ( eq .Values.external.type "NodePort" ) }} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-internal-externals-cert-secrets + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - bash + - -c + - | + set -x + + retry() { + local retries="$1" + local command="$2" + + # Run the command, and save the exit code + bash -c $command + local exit_code=$? + + # If the exit code is non-zero (i.e. 
command failed), and we have not + # reached the maximum number of retries, run the command again + if [[ $exit_code -ne 0 && $retries -gt 0 ]]; then + retry $(($retries - 1)) "$command" + else + # Return the exit code from the command + return $exit_code + fi + } + + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + echo testing cert: {{ $name | quote }} + + {{- if eq $cert.secretRef.name "internal-tls-secret" }} + echo "---> testing internal tls" + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ include "admin-api-urls" $ }}' + {{- end }} + + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- if and (eq $values.listeners.schemaRegistry.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- if and (eq $values.listeners.http.external.default.tls.cert $name) (include 
"redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- end }} + echo "----" + + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-internal-tls-status.yaml new file mode 100644 index 0000000000..dcfc02cbdc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-internal-tls-status.yaml 
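Review bot: In `retry`, `bash -c $command` is unquoted, so the string is word-split and bash receives only `openssl` as the command, with `s_client` and every option becoming positional parameters. As written, the `openssl s_client -verify_return_error` handshake probably never runs, so this test can report success without checking any certificate. Quoting alone is not enough because the argument spans several lines; flatten it first, e.g. `bash -c "${command//$'\n'/ }"`. What a bare `openssl` does depends on the OpenSSL version in the image, so confirm by running the rendered script.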
@@ -0,0 +1,62 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "kafka-internal-tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}} + {{- $service := .Values.listeners.kafka -}} + {{- $cert := get .Values.tls.certs $service.tls.cert -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-internal-tls-status + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + until rpk cluster info \ + --brokers {{ include "redpanda.fullname" .}}-0.{{ include "redpanda.internal.domain" . 
}}:{{ $service.port }} \ + --tls-enabled \ + {{- if $cert.caEnabled }} + --tls-truststore /etc/tls/certs/{{ $service.tls.cert }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + --tls-truststore /etc/ssl/certs/ca-certificates.crt + {{- end }} + do sleep 2 + done + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-nodelete.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-nodelete.yaml new file mode 100644 index 0000000000..9b5fe4237e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-nodelete.yaml 
@@ -0,0 +1,100 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (dig "kafka_nodelete_topics" "[]" $.Values.config.cluster) }} +{{- $noDeleteTopics := .Values.config.cluster.kafka_nodelete_topics }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-nodelete + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." 
}}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + + exists=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$exists" != "my_sample_topic" ]]; then + until rpk topic create my_sample_topic {{ $cloudStorageFlags }} + do sleep 2 + done + fi + + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce my_sample_topic + {{- end }} + sleep 2 + rpk topic consume my_sample_topic -n 1 | grep "Pandas are awesome!" + + # now check if we can delete the topic (we should not) + rpk topic delete my_sample_topic + + {{- if has "my_sample_topic" $noDeleteTopics }} + result=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$result" != "my_sample_topic" ]]; then + echo "topic should not have been deleted" + exit 1 + fi + {{- end }} + + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . 
| nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-produce-consume.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-produce-consume.yaml new file mode 100644 index 0000000000..d8f0ee7518 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-produce-consume.yaml 
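Review bot: The guard `(dig "kafka_nodelete_topics" "[]" $.Values.config.cluster)` uses the string `"[]"` as its default, and a non-empty string is truthy in Go templates, so this pod is rendered whenever `tests.enabled` is true, even when no no-delete topics are configured. In that case the `has "my_sample_topic" $noDeleteTopics` block is skipped and the test only creates and deletes a topic, so it passes without exercising the protection it is named for. Use an empty list as the default, `(dig "kafka_nodelete_topics" (list) $.Values.config.cluster)`, so the test is gated on the setting being present. Also, `rpk topic delete my_sample_topic` runs under `set -e`; if rpk exits non-zero when the delete is refused, the script stops before the check, so confirm its exit status.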
@@ -0,0 +1,83 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-produce-consume + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." 
}}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + until rpk topic create produce.consume.test.$POD_NAME {{ $cloudStorageFlags }} + do sleep 2 + done + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce produce.consume.test.$POD_NAME + {{- end }} + sleep 2 + rpk topic consume produce.consume.test.$POD_NAME -n 1 | grep "Pandas are awesome!" + rpk topic delete produce.consume.test.$POD_NAME + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-sasl-status.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-sasl-status.yaml new file mode 100644 index 0000000000..0519c44bba --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-kafka-sasl-status.yaml 
@@ -0,0 +1,79 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-kafka-sasl-status" + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -xe + +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + + until rpk acl user delete myuser + do sleep 2 + done + sleep 3 + + {{ include "rpk-cluster-info" $ }} + {{ include "rpk-acl-user-create" $ }} + {{ include "rpk-acl-create" $ }} + sleep 3 + {{ include "rpk-topic-create" $ }} + {{ include "rpk-topic-describe" $ }} + {{ include "rpk-topic-delete" $ }} + rpk acl user delete myuser + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-license-with-console.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-license-with-console.yaml new file mode 100644 index 0000000000..1edf7a3507 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-license-with-console.yaml 
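Review bot: This test hard-codes the SASL principal `myuser` and runs `rpk acl user delete myuser` both before and after the checks, so on a cluster where an operator already has an account with that name, `helm test` removes it. The helpers that create the user and its ACLs (`rpk-acl-user-create`, `rpk-acl-create`) are outside this hunk, so the name would have to change there too. Consider a name that cannot collide with real accounts, for example one derived from the release or pod name, as test-kafka-produce-consume.yaml does for its topic (`produce.consume.test.$POD_NAME`). The initial `until rpk acl user delete myuser` loop also has no exit of its own and relies on the outer `timeout 120`.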
@@ -0,0 +1,61 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "is-licensed" . | fromJson).bool .Values.console.enabled }} +{{- $consolePort := (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-license-with-console" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: [ "/bin/bash", "-c" ] + args: + - | + echo "testing that we do NOT have an open source license" + set -xe + + max_iteration=10 + curl -vm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . 
+ type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) + while [[ $max_iteration -gt 0 && ("$type" == "open_source" || "$type" == "") ]]; do + max_iteration=$(( max_iteration - 1 )) + type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) + done + if [[ "$type" == "open_source" || "$type" == "" ]]; then + curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . + exit 1 + fi + set +x + echo "license test passed." +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-lifecycle-scripts.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-lifecycle-scripts.yaml new file mode 100644 index 0000000000..5c72e1d9fb --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-lifecycle-scripts.yaml 
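Review bot: The container image is `mintel/docker-alpine-bash-curl-jq:latest`, a third-party image on a mutable tag, while the other test pods in this part of the patch use `{{ .Values.image.repository }}:{{ template "redpanda.tag" . }}`. With `latest`, the content that runs inside the release namespace can change without any chart change, and the image cannot be redirected to a mirror or private registry through chart values. Pin it by digest, e.g. `image: mintel/docker-alpine-bash-curl-jq@sha256:<DIGEST_PLACEHOLDER>`, or expose it as a chart value. This pod also sets only `runAsUser`/`runAsGroup` and omits the `container-security-context` include that the sibling tests use.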
@@ -0,0 +1,66 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-lifecycle" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: SERVICE_NAME + value: {{ include "redpanda.fullname" . 
}}-0 + command: + - /bin/timeout + - "{{ mul .Values.statefulset.terminationGracePeriodSeconds 2 }}" + - bash + - -xec + - | + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/preStop.sh + ls -l /tmp/preStop* + test -f /tmp/preStopHookStarted + test -f /tmp/preStopHookFinished + + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/postStart.sh + ls -l /tmp/postStart* + test -f /tmp/postStartHookStarted + test -f /tmp/postStartHookFinished + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: lifecycle-scripts + mountPath: /var/lifecycle + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} + - name: lifecycle-scripts + secret: + secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle + defaultMode: 0o775 + {{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-loadbalancer-tls.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-loadbalancer-tls.yaml new file mode 100644 index 0000000000..4db3523d2b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-loadbalancer-tls.yaml 
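Review bot: In test-lifecycle-scripts.yaml the `lifecycle-scripts` Secret volume is mounted with `defaultMode: 0o775`, which makes every file projected from that Secret world-readable inside the test container. The test only runs the scripts as `bash -x /var/lifecycle/preStop.sh` and `bash -x /var/lifecycle/postStart.sh`, so no execute bit is needed. A tighter mode such as `defaultMode: 0o440` should be enough if the pod security context supplies an fsGroup; that helper is not visible here, so confirm before changing. Note also that `bash -x` traces each script line into the pod log, which would expose any credentials the scripts handle; their contents are not part of this hunk.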
@@ -0,0 +1,173 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "LoadBalancer" ) -}} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-loadbalancer-tls + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + serviceAccountName: test-loadbalancer-tls-redpanda + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . 
}} + image: mintel/docker-alpine-bash-curl-jq:latest + command: + - bash + - -c + - | + set -x + export APISERVER=https://kubernetes.default.svc + export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) + export TOKEN=$(cat ${SERVICEACCOUNT}/token) + export CACERT=${SERVICEACCOUNT}/ca.crt + + ip_list="" + + replicas={{ .Values.statefulset.replicas }} + if [ "${replicas}" -lt "1" ]; then + echo "replicas cannot be less than 1" + exit 1 + fi + + range=$(expr $replicas - 1) + ordinal_list=$(seq 0 $range) + + set -e + + for i in $ordinal_list + do + POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/services/lb-{{ template "redpanda.fullname" . }}-$i) + ip=$(echo $POD_DESC | jq -r .status.loadBalancer.ingress[0].ip ) + ip_list="$ip $ip_list" + done + + echo test will be run against $ip_list + echo testing LoadBalancer connectivity + + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + + {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client 
-verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + + {{- if eq $values.listeners.http.external.default.tls.cert $name }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + {{- end }} + + {{- end }} + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-loadbalancer-tls-redpanda +subjects: + - kind: ServiceAccount + name: test-loadbalancer-tls-redpanda + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +rules: + - apiGroups: + - "" + resources: + - pods + - services + verbs: + - get + +{{- end -}} 
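Review bot: In test-loadbalancer-tls.yaml the script enables `set -x` on its first line, before `export TOKEN=$(cat ${SERVICEACCOUNT}/token)` and the `curl --header "Authorization: Bearer ${TOKEN}"` loop, so xtrace writes the service-account token to the pod log. Remove the leading `set -x` and enable tracing only after the `done` that closes the `for i in $ordinal_list` loop; test-nodeport-tls.yaml has the same ordering. Separately, `jq -r .status.loadBalancer.ingress[0].ip` prints the literal `null` when the Service has no ingress IP yet, and the later `openssl s_client` loops would then connect to `null:<port>`. Using `ip=$(echo $POD_DESC | jq -er .status.loadBalancer.ingress[0].ip)` would abort under the existing `set -e` instead.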
diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-nodeport-tls.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-nodeport-tls.yaml
new file mode 100644
index 0000000000..4310eaf3a9
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-nodeport-tls.yaml
@@ -0,0 +1,173 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "NodePort" ) -}} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-nodeport-tls + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + serviceAccountName: test-nodeport-tls-redpanda-no-a-test + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . 
}} + image: mintel/docker-alpine-bash-curl-jq:latest + command: + - bash + - -c + - | + set -x + export APISERVER=https://kubernetes.default.svc + export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) + export TOKEN=$(cat ${SERVICEACCOUNT}/token) + export CACERT=${SERVICEACCOUNT}/ca.crt + + ip_list="" + + replicas={{ .Values.statefulset.replicas }} + if [ "${replicas}" -lt "1" ]; then + echo "replicas cannot be less than 1" + exit 1 + fi + + range=$(expr $replicas - 1) + ordinal_list=$(seq 0 $range) + + set -e + + for i in $ordinal_list + do + POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/pods/{{ template "redpanda.fullname" . }}-$i) + ip=$(echo $POD_DESC | jq -r .status.hostIP ) + ip_list="$ip $ip_list" + done + + echo test will be run against $ip_list + echo testing NodePort connectivity + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + + {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ 
+ {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + + {{- if eq $values.listeners.http.external.default.tls.cert $name }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + {{- end }} + + {{- end }} + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-nodeport-tls-redpanda-no-a-test +subjects: + - kind: ServiceAccount + name: test-nodeport-tls-redpanda-no-a-test + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +rules: + - apiGroups: + - "" + resources: + - pods + - services + verbs: + - get +{{- end -}} 
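Review bot: The Role `test-nodeport-tls-redpanda-no-a-test` grants `get` on both `pods` and `services`, but the script in test-nodeport-tls.yaml only reads `pods/<fullname>-$i`, so `- services` can be dropped. Likewise the Role in test-loadbalancer-tls.yaml only needs `services`. The ServiceAccount, Role and RoleBinding also use fixed names rather than names derived from `redpanda.fullname`, and none of them sets `metadata.namespace` even though the RoleBinding subject is pinned to `{{ .Release.Namespace }}`. With `before-hook-creation`, two releases tested in the same namespace would presumably replace each other's hook objects; a release-scoped name such as `name: {{ include "redpanda.fullname" . }}-test-nodeport-tls` avoids that.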
diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-pandaproxy-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-pandaproxy-internal-tls-status.yaml
new file mode 100644
index 0000000000..4cb6aaa0f6
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-pandaproxy-internal-tls-status.yaml
@@ -0,0 +1,81 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "http-internal-tls-enabled" . | fromJson).bool .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} + {{- $service := .Values.listeners.http -}} + {{- $cert := get .Values.tls.certs $service.tls.cert -}} + {{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-pandaproxy-internal-tls-status + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: [ "/bin/bash", "-c" ] + args: + - | + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . 
}} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" + RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + {{- if $cert.caEnabled }} + --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/brokers + + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + {{- if $cert.caEnabled }} + --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/topics + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-pandaproxy-status.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-pandaproxy-status.yaml new file mode 100644 index 0000000000..4f5ee6bb71 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-pandaproxy-status.yaml 
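Review bot: Both curl calls in test-pandaproxy-internal-tls-status.yaml pass `-u ${RPK_USER}:${RPK_PASS}` together with `-svm3`, and the `-v` in that option group makes curl print the request headers, including `Authorization: Basic …`, to the pod log. That undoes the `set +x` precaution taken a few lines earlier when the credentials are read. Use `-sm3` instead, or send the verbose output somewhere other than the log. The `-u` argument is also unquoted, so a password containing whitespace or glob characters is word-split; write `-u "${RPK_USER}:${RPK_PASS}"`, which test-pandaproxy-status.yaml needs as well. `$sasl` is assigned at the top of the template but never used in the visible body.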
@@ -0,0 +1,72 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (not (include "http-internal-tls-enabled" . | fromJson).bool) .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} + {{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-pandaproxy-status" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: [ "/bin/bash", "-c" ] + args: + - | + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" + RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + + curl {{ template "curl-options" . }} \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/brokers + + curl {{ template "curl-options" . }} \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/topics + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-prometheus-targets.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-prometheus-targets.yaml new file mode 100644 index 0000000000..81f83a34e2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-prometheus-targets.yaml 
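Review bot: The two curl calls in test-pandaproxy-status.yaml send `-u ${RPK_USER}:${RPK_PASS}` to an `http://` URL, so the credentials cross the pod network as base64 Basic auth without encryption whenever SASL or `listeners.http.authenticationMethod` is set. This follows from the guard `not (include "http-internal-tls-enabled" . | fromJson).bool`, but nothing in the template says so. Add a comment above the first curl such as `{{/* Basic auth is sent without TLS here: this test only renders when the internal HTTP listener has TLS disabled. */}}` so the exposure reads as a known property of the tested configuration. The options behind `curl-options` are defined outside this hunk; if they include `-v`, the header would also reach the pod log.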
@@ -0,0 +1,84 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} + +{{- if and .Values.tests.enabled .Values.monitoring.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-prometheus-targets" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: registry.gitlab.com/gitlab-ci-utils/curl-jq:latest + command: [ "/bin/bash", "-c" ] + args: + - | + set -xe + + HEALTHY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/healthy) + if [ $HEALTHY != 200 ]; then + echo "prometheus is not healthy, exiting" + exit 1 + fi + + echo "prometheus is healthy, checking if ready..." + + READY=$( curl {{ template "curl-options" . 
}} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/ready) + if [ $READY != 200 ]; then + echo "prometheus is not ready, exiting" + exit 1 + fi + + echo "prometheus is ready, requesting target information..." + + + curl_prometheus() { + + # Run the command, and save the exit code + # from: https://prometheus.io/docs/prometheus/latest/querying/api/ + local RESULT=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq '.data.activeTargets[].health | select(. == "up")' | wc -l ) + + echo $RESULT + } + for d in $(seq 1 30); do + RESULT=$(curl_prometheus) + if [ $RESULT == {{ .Values.statefulset.replicas }} ]; then + break + fi + sleep 15 + done + + set +x + if [ $RESULT != {{ .Values.statefulset.replicas }} ]; then + curl --fail http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq . + echo "the number of targets unexpected; got ${RESULT} targets 'up', but was expecting {{ .Values.statefulset.replicas }}" + exit 1 + fi +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-rack-awareness.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-rack-awareness.yaml new file mode 100644 index 0000000000..82a31937f5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-rack-awareness.yaml 
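Review bot: The checks `if [ $HEALTHY != 200 ]` and `if [ $READY != 200 ]` in test-prometheus-targets.yaml expand their variables unquoted, so an empty or multi-word curl result makes `[` fail with a usage error. Inside an `if` that counts as false, which skips the `exit 1` and lets the test continue as if Prometheus were healthy. Quote both sides, e.g. `if [ "$HEALTHY" != "200" ]; then` and `if [ "$READY" != "200" ]; then`, and quote `$RESULT` in the two later comparisons too. Whether curl yields a status code rather than the response body depends on the `curl-options` helper, which is not in this hunk. The Prometheus address `prometheus-operated.prometheus.svc.cluster.local:9090` is hard-coded, so the test presumably only works where the operator runs in a `prometheus` namespace.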
@@ -0,0 +1,61 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-rack-awareness + namespace: {{ .Release.Namespace | quote }} +{{- with include "full.labels" . }} + labels: {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} +{{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /bin/bash + - -c + - | + set -e +{{- if and .Values.rackAwareness.enabled (include "redpanda-atleast-22-3-0" . | fromJson).bool }} + curl {{ template "curl-options" . }} \ + {{- if (include "tls-enabled" . | fromJson).bool }} + {{- if (dig "default" "caEnabled" false .Values.tls.certs) }} + --cacert "/etc/tls/certs/default/ca.crt" \ + {{- end }} + https://{{ include "redpanda.internal.domain" . 
}}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' + {{- else }} + http://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' + {{- end }} +{{- end }} + + rpk redpanda admin config print --host {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }} | grep '"enable_rack_awareness": {{ .Values.rackAwareness.enabled }}' + + rpk cluster config get enable_rack_awareness + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-rpk-debug-bundle.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-rpk-debug-bundle.yaml new file mode 100644 index 0000000000..3230f08817 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-rpk-debug-bundle.yaml 
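Review bot: The `--cacert "/etc/tls/certs/default/ca.crt"` argument and the `dig "default" "caEnabled" false .Values.tls.certs` lookup in test-rack-awareness.yaml hard-code the certificate named `default`, although the request goes to the admin listener on `.Values.listeners.admin.port`. If that listener is configured with a different certificate, curl verifies the server against the wrong CA, or against the system trust store, and the test fails for reasons unrelated to rack awareness. The pandaproxy TLS test resolves the name from the listener (`get .Values.tls.certs $service.tls.cert`); the same pattern fits here, e.g. `{{- $cert := get .Values.tls.certs .Values.listeners.admin.tls.cert }}` and `--cacert "/etc/tls/certs/{{ .Values.listeners.admin.tls.cert }}/ca.crt"`. This assumes the admin listener has the same `tls.cert` field as the http listener.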
@@ -0,0 +1,104 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* + +This test currently fails because of a bug where when multiple containers exist +The api returns an error. We should be requesting logs from each container. + + +{{- if and .Values.tests.enabled .Values.rbac.enabled (include "redpanda-atleast-23-1-1" .|fromJson).bool -}} + {{- $sasl := .Values.auth.sasl }} + {{- $useSaslSecret := and $sasl.enabled (not (empty $sasl.secretRef )) }} + + +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-rpk-debug-bundle + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + statefulset.kubernetes.io/pod-name: {{ include "redpanda.fullname" . }}-0 + topologyKey: kubernetes.io/hostname + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . 
| nindent 4 }} + {{- end }} + initContainers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: shared-data + mountPath: /usr/share/redpanda/test + - name: datadir + mountPath: /var/lib/redpanda/data + command: + - /bin/bash + - -c + - | + set -e + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + rpk debug bundle -o /usr/share/redpanda/test/debug-test.zip -n {{ .Release.Namespace }} + containers: + - name: {{ template "redpanda.name" . }}-tester + image: busybox:latest + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: shared-data + mountPath: /test + command: + - /bin/ash + - -c + - | + set -e + unzip /test/debug-test.zip -d /tmp/bundle + + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-0.txt + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-1.txt + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-2.txt + + test -d /tmp/bundle/controller + + test -f /tmp/bundle/k8s/pods.json + test -f /tmp/bundle/k8s/configmaps.json + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end -}} +*/}} \ No newline at end of file 
diff --git a/charts/redpanda/redpanda/5.9.19/templates/tests/test-sasl-updated.yaml b/charts/redpanda/redpanda/5.9.19/templates/tests/test-sasl-updated.yaml
new file mode 100644
index 0000000000..5f61be552e
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/templates/tests/test-sasl-updated.yaml
@@ -0,0 +1,71 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool (eq .Values.auth.sasl.secretRef "some-users") -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-update-sasl-users" + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + + set -x + + # check that the users list did update + ready_result_exit_code=1 + while [[ ${ready_result_exit_code} -ne 0 ]]; do + ready_result=$(rpk acl user list | grep anotheranotherme 2>&1) && ready_result_exit_code=$? + sleep 2 + done + + # check that sasl is not broken + {{ include "rpk-cluster-info" $ }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.19/values.schema.json b/charts/redpanda/redpanda/5.9.19/values.schema.json new file mode 100644 index 0000000000..233361d29d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.19/values.schema.json 
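Review bot: In templates/tests/test-sasl-updated.yaml, `set -x` is enabled immediately after the SASL credentials are exported and stays on for the rest of the script, including the `{{ include "rpk-cluster-info" $ }}` line, so every later command is traced into the test pod's log. That helper is defined outside this hunk; if it expands any of the exported credential variables on the rpk command line, the password would be written to the log in clear text, where anyone with log access in the namespace can read it. I would limit tracing to the polling loop by adding `set +x` before `# check that sasl is not broken`, or drop `set -x` and `echo` progress explicitly. Separately, the `while` loop has no bound of its own and relies on the outer `/usr/bin/timeout` of `"120"`, so a user list that never updates shows up only as a timeout exit; a comment such as `# bounded by the outer timeout; a timeout exit means the user list never updated` would make that explicit.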
@@ -0,0 +1,20037 @@ +{ + "$id": "https://github.com/redpanda-data/redpanda-operator/charts/redpanda/values", + "$schema": "https://json-schema.org/draft/2020-12/schema", + "description": "DO NOT EDIT!. This file was generated by ./cmd/genschema/genschema.go", + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + 
"preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": 
"string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "auditLogging": { + "properties": { + "clientMaxBufferSize": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + }, + "enabledEventTypes": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "excludedPrincipals": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] 
+ }, + "excludedTopics": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "listener": { + "type": "string" + }, + "partitions": { + "type": "integer" + }, + "queueDrainIntervalMs": { + "type": "integer" + }, + "queueMaxBufferSizePerShard": { + "type": "integer" + }, + "replicationFactor": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "auth": { + "properties": { + "sasl": { + "properties": { + "bootstrapUser": { + "properties": { + "mechanism": { + "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$", + "type": "string" + }, + "name": { + "type": "string" + }, + "password": { + "type": "string" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "mechanism": { + "type": "string" + }, + "secretRef": { + "type": "string" + }, + "users": { + "oneOf": [ + { + "items": { + "properties": { + "mechanism": { + "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$", + "type": "string" + }, + "name": { + "type": "string" + }, + "password": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "sasl" + ], + "type": "object" + }, + "clusterDomain": { + "type": "string" + }, + "commonLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "config": { + "properties": { + "cluster": { + "type": "object" + }, + "node": { + "type": "object" + }, + "pandaproxy_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + 
"type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "rpk": { + "type": "object" + }, + "schema_registry_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + "type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tunable": { + "additionalProperties": true, + "properties": { + "group_initial_rebalance_delay": { + "type": "integer" + }, + "log_retention_ms": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "cluster", + "node", + "tunable" + ], + "type": "object" + }, + "connectors": { + "properties": { + "auth": { + "properties": { + "sasl": { + "properties": { + "enabled": { + "type": "boolean" + }, + "mechanism": { + "type": "string" + }, + "secretRef": { + "type": "string" + }, + "userName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "commonLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "connectors": { + "properties": { + "additionalConfiguration": { + "type": "string" + }, + "bootstrapServers": { + "type": "string" + }, + "brokerTLS": { + "properties": { + "ca": { + "properties": { + "secretNameOverwrite": { + "type": 
"string" + }, + "secretRef": { + "type": "string" + } + }, + "type": "object" + }, + "cert": { + "properties": { + "secretNameOverwrite": { + "type": "string" + }, + "secretRef": { + "type": "string" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "key": { + "properties": { + "secretNameOverwrite": { + "type": "string" + }, + "secretRef": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "groupID": { + "type": "string" + }, + "producerBatchSize": { + "type": "integer" + }, + "producerLingerMS": { + "type": "integer" + }, + "restPort": { + "type": "integer" + }, + "schemaRegistryURL": { + "type": "string" + }, + "secretManager": { + "properties": { + "connectorsPrefix": { + "type": "string" + }, + "consolePrefix": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "region": { + "type": "string" + } + }, + "type": "object" + }, + "storage": { + "properties": { + "remote": { + "properties": { + "read": { + "properties": { + "config": { + "type": "boolean" + }, + "offset": { + "type": "boolean" + }, + "status": { + "type": "boolean" + } + }, + "type": "object" + }, + "write": { + "properties": { + "config": { + "type": "boolean" + }, + "offset": { + "type": "boolean" + }, + "status": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "replicationFactor": { + "properties": { + "config": { + "type": "integer" + }, + "offset": { + "type": "integer" + }, + "status": { + "type": "integer" + } + }, + "type": "object" + }, + "topic": { + "properties": { + "config": { + "type": "string" + }, + "offset": { + "type": "string" + }, + "status": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "container": { + "properties": { + "javaGCLogEnabled": { + "type": "string" + }, + "resources": { + "properties": { + "javaMaxHeapSize": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": 
"^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "request": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } 
+ }, + "type": "object" + } + }, + "type": "object" + }, + "deployment": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "budget": { + "properties": { + "maxUnavailable": { + "type": "integer" + } + }, + "type": "object" + }, + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "create": { + "type": "boolean" + }, + "extraEnv": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraEnvFrom": { + "oneOf": [ + { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": 
"array" + }, + { + "type": "null" + } + ] + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + 
"type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + 
"key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "custom": { + 
"properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + 
"type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "topologyKey": { + "type": "string" + }, + "type": { + "type": "string" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "priorityClassName": { + "type": "string" + }, + "progressDeadlineSeconds": { + "type": "integer" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": 
{ + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "replicas": { + "type": "integer" + }, + "restartPolicy": { + "type": "string" + }, + "revisionHistoryLimit": { + "type": "integer" + }, + "schedulerName": { + "type": "string" + }, + "securityContext": { + "properties": { + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" 
+ } + }, + "type": "object" + } + }, + "type": "object" + }, + "strategy": { + "properties": { + "rollingUpdate": { + "properties": { + "maxSurge": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "maxUnavailable": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "maxSkew": { + "type": "integer" + }, + "minDomains": { + "type": "integer" + }, + "nodeAffinityPolicy": { + "type": "string" + }, + "nodeTaintsPolicy": { + "type": "string" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + 
}, + "tag": { + "type": "string" + } + }, + "type": "object" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "logging": { + "properties": { + "level": { + "type": "string" + } + }, + "type": "object" + }, + "monitoring": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "namespaceSelector": { + "properties": { + "any": { + "type": "boolean" + }, + "matchNames": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "scrapeInterval": { + "type": "string" + } + }, + "type": "object" + }, + "nameOverride": { + "type": "string" + }, + "service": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "serviceAccount": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "storage": { + "properties": { + "volume": { + "oneOf": [ + { + "items": { + "properties": { + "awsElasticBlockStore": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": 
"object" + }, + "azureDisk": { + "properties": { + "cachingMode": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "diskURI": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "azureFile": { + "properties": { + "readOnly": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "shareName": { + "type": "string" + } + }, + "type": "object" + }, + "cephfs": { + "properties": { + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretFile": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "cinder": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "csi": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "nodePublishSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "volumeAttributes": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "defaultMode": { + 
"type": "integer" + }, + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "emptyDir": { + "properties": { + "medium": { + "type": "string" + }, + "sizeLimit": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + }, + "ephemeral": { + "properties": { + "volumeClaimTemplate": { + "properties": { + "metadata": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "creationTimestamp": { + "properties": {}, + "type": "object" + }, + "deletionGracePeriodSeconds": { + "type": "integer" + }, + "deletionTimestamp": { + "properties": {}, + "type": "object" + }, + "finalizers": { + "items": { + "type": "string" + }, + "type": "array" + }, + "generateName": { + "type": "string" + }, + "generation": { + "type": "integer" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "managedFields": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldsType": { + "type": "string" + }, + "fieldsV1": { + "properties": {}, + "type": "object" + }, + "manager": { + "type": "string" + }, + "operation": { + "type": "string" + }, + "subresource": { + "type": "string" + }, + "time": { + "properties": {}, + "type": "object" + } + }, + "type": 
"object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "ownerReferences": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "blockOwnerDeletion": { + "type": "boolean" + }, + "controller": { + "type": "boolean" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resourceVersion": { + "type": "string" + }, + "selfLink": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "spec": { + "properties": { + "accessModes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "dataSource": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "dataSourceRef": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "properties": { + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "selector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + 
"type": "object" + }, + "storageClassName": { + "type": "string" + }, + "volumeAttributesClassName": { + "type": "string" + }, + "volumeMode": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "fc": { + "properties": { + "fsType": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "targetWWNs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "wwids": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "flexVolume": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "options": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "flocker": { + "properties": { + "datasetName": { + "type": "string" + }, + "datasetUUID": { + "type": "string" + } + }, + "type": "object" + }, + "gcePersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "pdName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "gitRepo": { + "properties": { + "directory": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "revision": { + "type": "string" + } + }, + "type": "object" + }, + "glusterfs": { + "properties": { + "endpoints": { + "type": "string" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "hostPath": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "iscsi": { + "properties": { + "chapAuthDiscovery": { + "type": "boolean" + }, + "chapAuthSession": { + "type": "boolean" + }, + 
"fsType": { + "type": "string" + }, + "initiatorName": { + "type": "string" + }, + "iqn": { + "type": "string" + }, + "iscsiInterface": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "portals": { + "items": { + "type": "string" + }, + "type": "array" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "targetPortal": { + "type": "string" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "nfs": { + "properties": { + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "server": { + "type": "string" + } + }, + "type": "object" + }, + "persistentVolumeClaim": { + "properties": { + "claimName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "photonPersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "pdID": { + "type": "string" + } + }, + "type": "object" + }, + "portworxVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "projected": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "sources": { + "items": { + "properties": { + "clusterTrustBundle": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "path": { + "type": "string" + }, + "signerName": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "items": 
{ + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serviceAccountToken": { + "properties": { + "audience": { + "type": "string" + }, + "expirationSeconds": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "quobyte": { + "properties": { + "group": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "registry": { + "type": "string" + }, + "tenant": { + "type": "string" + }, + "user": { + "type": "string" + }, + "volume": { + "type": "string" + } + }, + "type": "object" + }, + "rbd": { + "properties": { + "fsType": { + "type": "string" + }, + "image": { + "type": "string" 
+ }, + "keyring": { + "type": "string" + }, + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pool": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "scaleIO": { + "properties": { + "fsType": { + "type": "string" + }, + "gateway": { + "type": "string" + }, + "protectionDomain": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "sslEnabled": { + "type": "boolean" + }, + "storageMode": { + "type": "string" + }, + "storagePool": { + "type": "string" + }, + "system": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "optional": { + "type": "boolean" + }, + "secretName": { + "type": "string" + } + }, + "type": "object" + }, + "storageos": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeName": { + "type": "string" + }, + "volumeNamespace": { + "type": "string" + } + }, + "type": "object" + }, + "vsphereVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "storagePolicyID": { + "type": "string" + }, + "storagePolicyName": { + "type": "string" + }, + "volumePath": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "volumeMounts": { + "oneOf": [ + { + "items": { + 
"properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "test": { + "properties": { + "create": { + "type": "boolean" + } + }, + "type": "object" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "console": { + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + 
"properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": 
"object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": 
"object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { 
+ "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "autoscaling": { + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + }, + "targetMemoryUtilizationPercentage": { + "type": "integer" + } + }, + "type": "object" + }, + "commonLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "configmap": { + "properties": { + "create": { + "type": "boolean" + } + }, + "type": "object" + }, + "console": { + "properties": { + "config": { + "type": "object" + }, + "roleBindings": { + "oneOf": [ + { + "items": { + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "roles": { + "oneOf": [ + { + "items": { + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "deployment": { + "properties": { + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "create": { + "type": "boolean" + }, + "extraArgs": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "enterprise": { + "properties": { + "licenseSecretRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "extraContainers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": 
"string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + 
"items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + 
"periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": 
"integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": 
"boolean" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraEnv": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraEnvFrom": { + 
"oneOf": [ + { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraVolumeMounts": { + "oneOf": [ + { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraVolumes": { + "oneOf": [ + { + "items": { + "properties": { + "awsElasticBlockStore": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "azureDisk": { + "properties": { + "cachingMode": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "diskURI": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "azureFile": { + "properties": { + "readOnly": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "shareName": { + "type": "string" + } + }, + "type": "object" + }, + "cephfs": { + "properties": { + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretFile": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, 
+ "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "cinder": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "csi": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "nodePublishSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "volumeAttributes": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "emptyDir": { + "properties": { + "medium": { + "type": "string" + }, + "sizeLimit": { + "oneOf": [ + { + "type": 
"integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + }, + "ephemeral": { + "properties": { + "volumeClaimTemplate": { + "properties": { + "metadata": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "creationTimestamp": { + "properties": {}, + "type": "object" + }, + "deletionGracePeriodSeconds": { + "type": "integer" + }, + "deletionTimestamp": { + "properties": {}, + "type": "object" + }, + "finalizers": { + "items": { + "type": "string" + }, + "type": "array" + }, + "generateName": { + "type": "string" + }, + "generation": { + "type": "integer" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "managedFields": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldsType": { + "type": "string" + }, + "fieldsV1": { + "properties": {}, + "type": "object" + }, + "manager": { + "type": "string" + }, + "operation": { + "type": "string" + }, + "subresource": { + "type": "string" + }, + "time": { + "properties": {}, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "ownerReferences": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "blockOwnerDeletion": { + "type": "boolean" + }, + "controller": { + "type": "boolean" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resourceVersion": { + "type": "string" + }, + "selfLink": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "spec": { + "properties": { + "accessModes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "dataSource": { + "properties": { + "apiGroup": { + "type": "string" + }, + 
"kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "dataSourceRef": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "properties": { + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "selector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "storageClassName": { + "type": "string" + }, + "volumeAttributesClassName": { + "type": "string" + }, + "volumeMode": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "fc": { + "properties": { + "fsType": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "targetWWNs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "wwids": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "flexVolume": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "options": { + "additionalProperties": { + "type": "string" + }, + 
"type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "flocker": { + "properties": { + "datasetName": { + "type": "string" + }, + "datasetUUID": { + "type": "string" + } + }, + "type": "object" + }, + "gcePersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "pdName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "gitRepo": { + "properties": { + "directory": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "revision": { + "type": "string" + } + }, + "type": "object" + }, + "glusterfs": { + "properties": { + "endpoints": { + "type": "string" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "hostPath": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "iscsi": { + "properties": { + "chapAuthDiscovery": { + "type": "boolean" + }, + "chapAuthSession": { + "type": "boolean" + }, + "fsType": { + "type": "string" + }, + "initiatorName": { + "type": "string" + }, + "iqn": { + "type": "string" + }, + "iscsiInterface": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "portals": { + "items": { + "type": "string" + }, + "type": "array" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "targetPortal": { + "type": "string" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "nfs": { + "properties": { + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "server": { + "type": "string" + } + }, + "type": "object" + }, + "persistentVolumeClaim": { + "properties": { + "claimName": { + "type": "string" + }, + "readOnly": { + 
"type": "boolean" + } + }, + "type": "object" + }, + "photonPersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "pdID": { + "type": "string" + } + }, + "type": "object" + }, + "portworxVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "projected": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "sources": { + "items": { + "properties": { + "clusterTrustBundle": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "path": { + "type": "string" + }, + "signerName": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": 
"^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serviceAccountToken": { + "properties": { + "audience": { + "type": "string" + }, + "expirationSeconds": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "quobyte": { + "properties": { + "group": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "registry": { + "type": "string" + }, + "tenant": { + "type": "string" + }, + "user": { + "type": "string" + }, + "volume": { + "type": "string" + } + }, + "type": "object" + }, + "rbd": { + "properties": { + "fsType": { + "type": "string" + }, + "image": { + "type": "string" + }, + "keyring": { + "type": "string" + }, + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pool": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "scaleIO": { + "properties": { + "fsType": { + "type": "string" + }, + "gateway": { + "type": "string" + }, + "protectionDomain": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "sslEnabled": { + "type": "boolean" + }, + "storageMode": { + "type": "string" + }, + 
"storagePool": { + "type": "string" + }, + "system": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "optional": { + "type": "boolean" + }, + "secretName": { + "type": "string" + } + }, + "type": "object" + }, + "storageos": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeName": { + "type": "string" + }, + "volumeNamespace": { + "type": "string" + } + }, + "type": "object" + }, + "vsphereVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "storagePolicyID": { + "type": "string" + }, + "storagePolicyName": { + "type": "string" + }, + "volumePath": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "properties": { + "pullPolicy": { + "type": "string" + }, + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "type": "object" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "ingress": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "className": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "hosts": { + "oneOf": [ + { + "items": { + "properties": { + "host": { + "type": "string" + }, + "paths": { + "items": { + 
"properties": { + "path": { + "type": "string" + }, + "pathType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "tls": { + "oneOf": [ + { + "items": { + "properties": { + "hosts": { + "items": { + "type": "string" + }, + "type": "array" + }, + "secretName": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "initContainers": { + "properties": { + "extraInitContainers": { + "type": "string" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + 
"nameOverride": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podAnnotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podSecurityContext": { + "properties": { + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + 
"type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "properties": { + "claims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "create": { + "type": 
"boolean" + }, + "enterprise": { + "properties": { + "license": { + "type": "string" + } + }, + "type": "object" + }, + "kafka": { + "properties": { + "awsMskIamSecretKey": { + "type": "string" + }, + "protobufGitBasicAuthPassword": { + "type": "string" + }, + "saslPassword": { + "type": "string" + }, + "schemaRegistryPassword": { + "type": "string" + }, + "schemaRegistryTlsCa": { + "type": "string" + }, + "schemaRegistryTlsCert": { + "type": "string" + }, + "schemaRegistryTlsKey": { + "type": "string" + }, + "tlsCa": { + "type": "string" + }, + "tlsCert": { + "type": "string" + }, + "tlsKey": { + "type": "string" + }, + "tlsPassphrase": { + "type": "string" + } + }, + "type": "object" + }, + "login": { + "properties": { + "github": { + "properties": { + "clientSecret": { + "type": "string" + }, + "personalAccessToken": { + "type": "string" + } + }, + "type": "object" + }, + "google": { + "properties": { + "clientSecret": { + "type": "string" + }, + "groupsServiceAccount": { + "type": "string" + } + }, + "type": "object" + }, + "jwtSecret": { + "type": "string" + }, + "oidc": { + "properties": { + "clientSecret": { + "type": "string" + } + }, + "type": "object" + }, + "okta": { + "properties": { + "clientSecret": { + "type": "string" + }, + "directoryApiToken": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "redpanda": { + "properties": { + "adminApi": { + "properties": { + "password": { + "type": "string" + }, + "tlsCa": { + "type": "string" + }, + "tlsCert": { + "type": "string" + }, + "tlsKey": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "secretMounts": { + "oneOf": [ + { + "items": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "path": { + "type": "string" + }, + "secretName": { + "type": "string" + }, + "subPath": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": 
"null" + } + ] + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "service": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "targetPort": { + "type": "integer" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "serviceAccount": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": 
"boolean" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "strategy": { + "properties": { + "rollingUpdate": { + "properties": { + "maxSurge": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "maxUnavailable": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "tests": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "maxSkew": { + "type": "integer" + }, + "minDomains": { + "type": "integer" + }, + "nodeAffinityPolicy": { + "type": "string" + }, + "nodeTaintsPolicy": { + "type": "string" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "enterprise": { + "properties": { + "license": { + "type": "string" + }, + "licenseSecretRef": { + 
"properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "external": { + "properties": { + "addresses": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "domain": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "externalDns": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "prefixTemplate": { + "type": "string" + }, + "service": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "sourceRanges": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "type": { + "pattern": "^(LoadBalancer|NodePort)$", + "type": "string" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "force": { + "type": "boolean" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "description": "Values used to define the container image to be used for Redpanda", + "properties": { + "pullPolicy": { + "description": "The Kubernetes Pod image pull policy.", + "pattern": "^(Always|Never|IfNotPresent)$", + "type": "string" + }, + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda", + "description": "container image repository", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "description": "The container image tag. Use the Redpanda release version. 
Must be a valid semver prefixed with a 'v'.", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "repository", + "pullPolicy" + ], + "type": "object" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "license_key": { + "deprecated": true, + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\\.(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$|^$", + "type": "string" + }, + "license_secret_ref": { + "deprecated": true, + "properties": { + "secret_key": { + "type": "string" + }, + "secret_name": { + "type": "string" + } + }, + "type": "object" + }, + "listeners": { + "properties": { + "admin": { + "properties": { + "appProtocol": { + "type": "string" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": 
"object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "http": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "tls", + "kafkaEndpoint", + "port" + ], + "type": "object" + }, + "kafka": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "sasl", + "none", + "mtls_identity" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "sasl", + "none", + "mtls_identity" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + 
"type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "tls", + "port" + ], + "type": "object" + }, + "rpc": { + "properties": { + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": 
{ + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "schemaRegistry": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + 
"properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "kafkaEndpoint", + "port", + "tls" + ], + "type": "object" + } + }, + "required": [ + "admin", + "http", + "kafka", + "schemaRegistry", + "rpc" + ], + "type": "object" + }, + "logging": { + "properties": { + "logLevel": { + "pattern": "^(error|warn|info|debug|trace)$", + "type": "string" + }, + "usageStats": { + "properties": { + "clusterId": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "logLevel", + "usageStats" + ], + "type": "object" + }, + "monitoring": { + "properties": { + "enableHttp2": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "scrapeInterval": { + "type": "string" + }, + "tlsConfig": { + "properties": { + "ca": { + "properties": { + "configMap": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "caFile": { + "type": 
"string" + }, + "cert": { + "properties": { + "configMap": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "certFile": { + "type": "string" + }, + "insecureSkipVerify": { + "type": "boolean" + }, + "keyFile": { + "type": "string" + }, + "keySecret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "maxVersion": { + "type": "string" + }, + "minVersion": { + "type": "string" + }, + "serverName": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "enabled", + "scrapeInterval" + ], + "type": "object" + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "post_install_job": { + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } 
+ ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + 
"namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + 
"type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": 
"array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "activeDeadlineSeconds": { + "type": "integer" + }, + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + 
"matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + 
"type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, 
+ "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + 
"type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "containers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + 
}, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" 
+ }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { 
+ "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + 
"properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + 
"successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "dnsConfig": { + "properties": { + "nameservers": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "options": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "searches": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "dnsPolicy": { + "type": "string" + }, + "enableServiceLinks": { + "type": "boolean" + }, + "ephemeralContainers": { + "oneOf": [ + { + "items": { + 
"properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + 
"httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + 
"properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": 
"object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + 
"runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, 
+ "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "targetContainerName": { + "type": "string" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "hostAliases": { + "oneOf": [ + { + "items": { + "properties": { + "hostnames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "ip": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "hostIPC": { + "type": "boolean" + }, + "hostNetwork": { + "type": "boolean" + }, + "hostPID": { + "type": "boolean" + }, + "hostUsers": { + "type": "boolean" + }, + "hostname": { + "type": "string" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "initContainers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + 
"properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + 
"scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": 
"string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": 
"number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + 
"seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + 
"type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "nodeName": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "os": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "overhead": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "preemptionPolicy": { + "type": "string" + }, + "priority": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "readinessGates": { + "oneOf": [ + { + "items": { + "properties": { + "conditionType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "resourceClaims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "source": { + "properties": { + "resourceClaimName": { + "type": "string" + }, + "resourceClaimTemplateName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "restartPolicy": { + "type": "string" + }, + "runtimeClassName": { + "type": "string" + }, + "schedulerName": { + "type": "string" + }, + "schedulingGates": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + 
"type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "serviceAccount": { + "type": "string" + }, + "serviceAccountName": { + "type": "string" + }, + "setHostnameAsFQDN": { + "type": "boolean" + }, + "shareProcessNamespace": { + "type": "boolean" + }, + "subdomain": { + "type": "string" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": 
{ + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "maxSkew": { + "type": "integer" + }, + "minDomains": { + "type": "integer" + }, + "nodeAffinityPolicy": { + "type": "string" + }, + "nodeTaintsPolicy": { + "type": "string" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "volumes": { + "oneOf": [ + { + "items": { + "properties": { + "awsElasticBlockStore": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "azureDisk": { + "properties": { + "cachingMode": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "diskURI": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "azureFile": { + "properties": { + "readOnly": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "shareName": { + "type": "string" + } + }, + "type": "object" + }, + "cephfs": { + "properties": { + 
"monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretFile": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "cinder": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "csi": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "nodePublishSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "volumeAttributes": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + 
"resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "emptyDir": { + "properties": { + "medium": { + "type": "string" + }, + "sizeLimit": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + }, + "ephemeral": { + "properties": { + "volumeClaimTemplate": { + "properties": { + "metadata": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "creationTimestamp": { + "properties": {}, + "type": "object" + }, + "deletionGracePeriodSeconds": { + "type": "integer" + }, + "deletionTimestamp": { + "properties": {}, + "type": "object" + }, + "finalizers": { + "items": { + "type": "string" + }, + "type": "array" + }, + "generateName": { + "type": "string" + }, + "generation": { + "type": "integer" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "ownerReferences": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "blockOwnerDeletion": { + "type": "boolean" + }, + "controller": { + "type": "boolean" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resourceVersion": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "spec": { + "properties": { + "accessModes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "dataSource": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "dataSourceRef": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" 
+ }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "properties": { + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "selector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "storageClassName": { + "type": "string" + }, + "volumeAttributesClassName": { + "type": "string" + }, + "volumeMode": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "fc": { + "properties": { + "fsType": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "targetWWNs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "wwids": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "flexVolume": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "options": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "flocker": { + 
"properties": { + "datasetName": { + "type": "string" + }, + "datasetUUID": { + "type": "string" + } + }, + "type": "object" + }, + "gcePersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "pdName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "gitRepo": { + "properties": { + "directory": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "revision": { + "type": "string" + } + }, + "type": "object" + }, + "glusterfs": { + "properties": { + "endpoints": { + "type": "string" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "hostPath": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "iscsi": { + "properties": { + "chapAuthDiscovery": { + "type": "boolean" + }, + "chapAuthSession": { + "type": "boolean" + }, + "fsType": { + "type": "string" + }, + "initiatorName": { + "type": "string" + }, + "iqn": { + "type": "string" + }, + "iscsiInterface": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "portals": { + "items": { + "type": "string" + }, + "type": "array" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "targetPortal": { + "type": "string" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "nfs": { + "properties": { + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "server": { + "type": "string" + } + }, + "type": "object" + }, + "persistentVolumeClaim": { + "properties": { + "claimName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "photonPersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "pdID": { + "type": "string" + } + }, + "type": "object" + }, + 
"portworxVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "projected": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "sources": { + "items": { + "properties": { + "clusterTrustBundle": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "path": { + "type": "string" + }, + "signerName": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + 
"secret": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serviceAccountToken": { + "properties": { + "audience": { + "type": "string" + }, + "expirationSeconds": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "quobyte": { + "properties": { + "group": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "registry": { + "type": "string" + }, + "tenant": { + "type": "string" + }, + "user": { + "type": "string" + }, + "volume": { + "type": "string" + } + }, + "type": "object" + }, + "rbd": { + "properties": { + "fsType": { + "type": "string" + }, + "image": { + "type": "string" + }, + "keyring": { + "type": "string" + }, + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pool": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "scaleIO": { + "properties": { + "fsType": { + "type": "string" + }, + "gateway": { + "type": "string" + }, + "protectionDomain": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "sslEnabled": { + "type": "boolean" + }, + "storageMode": { + "type": "string" + }, + "storagePool": { + "type": "string" + }, + "system": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + 
"items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "optional": { + "type": "boolean" + }, + "secretName": { + "type": "string" + } + }, + "type": "object" + }, + "storageos": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeName": { + "type": "string" + }, + "volumeNamespace": { + "type": "string" + } + }, + "type": "object" + }, + "vsphereVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "storagePolicyID": { + "type": "string" + }, + "storagePolicyName": { + "type": "string" + }, + "volumePath": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "required": [ + "labels", + "annotations" + ], + "type": "object" + }, + "resources": { + "properties": { + "claims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + 
"capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "rackAwareness": { + "properties": { + "enabled": { + "type": "boolean" + }, + "nodeAnnotation": { + "type": "string" + } + }, + "required": [ + "enabled", + "nodeAnnotation" + ], + "type": "object" + }, + "rbac": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "annotations" + ], + "type": "object" + }, + "resources": { + "properties": { + "cpu": { + "properties": { + "cores": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "overprovisioned": { + "type": "boolean" + } + }, + "required": 
[ + "cores" + ], + "type": "object" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "memory": { + "properties": { + "container": { + "properties": { + "max": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "min": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "required": [ + "max" + ], + "type": "object" + }, + "enable_memory_locking": { + "type": "boolean" + }, + "redpanda": { + "properties": { + "memory": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "reserveMemory": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + } + }, + "required": [ + "container" + ], + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "required": [ + "cpu", + "memory" + ], + "type": "object" + }, + "service": { + "properties": { + "internal": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "serviceAccount": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": 
"string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "type": "object" + }, + "statefulset": { + "properties": { + "additionalRedpandaCmdFlags": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "additionalSelectorLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "budget": { + "properties": { + "maxUnavailable": { + "type": "integer" + } + }, + "required": [ + "maxUnavailable" + ], + "type": "object" + }, + "extraVolumeMounts": { + "type": "string" + }, + "extraVolumes": { + "type": "string" + }, + "initContainerImage": { + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "type": "object" + }, + "initContainers": { + "properties": { + "configurator": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "extraInitContainers": { + "type": "string" + }, + "fsValidator": { + "properties": { + "enabled": { + "type": "boolean" + }, + "expectedFS": { + "type": "string" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "setDataDirOwnership": { + "properties": { + "enabled": { + "type": "boolean" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "setTieredStorageCacheDirOwnership": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "tuning": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" 
+ }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "nodeAffinity": { + "type": "object" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podAffinity": { + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "custom": { + "type": "object" + }, + "topologyKey": { + "type": "string" + }, + "type": { + "pattern": "^(hard|soft|custom)$", + "type": "string" + }, + "weight": { + "type": "integer" + } + }, + "required": [ + "topologyKey", + "type", + "weight" + ], + "type": "object" + }, + "podSecurityContext": { + "deprecated": true, + "properties": { + "allowPriviledgeEscalation": { + "type": "boolean" + }, + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "activeDeadlineSeconds": { + "type": "integer" + }, + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + 
"items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + 
"matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + 
"podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": 
{ + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "containers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": 
"string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + 
}, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": 
{ + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + 
"requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, 
+ "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "dnsConfig": { + "properties": { + "nameservers": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + 
"type": "null" + } + ] + }, + "options": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "searches": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "dnsPolicy": { + "type": "string" + }, + "enableServiceLinks": { + "type": "boolean" + }, + "ephemeralContainers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + 
"secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + 
"port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + 
"properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + 
"appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] 
+ }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "targetContainerName": { + "type": "string" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "hostAliases": { + "oneOf": [ + { + "items": { + "properties": { + "hostnames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "ip": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "hostIPC": { + "type": "boolean" + }, + "hostNetwork": { + "type": "boolean" + }, + "hostPID": { + "type": "boolean" + }, + "hostUsers": { + "type": "boolean" + }, + "hostname": { + "type": "string" + }, + 
"imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "initContainers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + 
"postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + 
} + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } 
+ }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": 
"array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { 
+ "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "nodeName": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "os": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "overhead": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "preemptionPolicy": { + "type": "string" + }, + "priority": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "readinessGates": { + "oneOf": [ + { + "items": { + "properties": { + "conditionType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "resourceClaims": { + "oneOf": [ + { + "items": { + 
"properties": { + "name": { + "type": "string" + }, + "source": { + "properties": { + "resourceClaimName": { + "type": "string" + }, + "resourceClaimTemplateName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "restartPolicy": { + "type": "string" + }, + "runtimeClassName": { + "type": "string" + }, + "schedulerName": { + "type": "string" + }, + "schedulingGates": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": 
"boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "serviceAccount": { + "type": "string" + }, + "serviceAccountName": { + "type": "string" + }, + "setHostnameAsFQDN": { + "type": "boolean" + }, + "shareProcessNamespace": { + "type": "boolean" + }, + "subdomain": { + "type": "string" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "maxSkew": { + "type": "integer" + }, + "minDomains": { + "type": "integer" + }, + "nodeAffinityPolicy": { + "type": "string" + }, + "nodeTaintsPolicy": { + "type": "string" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "volumes": { + "oneOf": [ + { + "items": { + "properties": { + "awsElasticBlockStore": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": 
"object" + }, + "azureDisk": { + "properties": { + "cachingMode": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "diskURI": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "azureFile": { + "properties": { + "readOnly": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "shareName": { + "type": "string" + } + }, + "type": "object" + }, + "cephfs": { + "properties": { + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretFile": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "cinder": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "csi": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "nodePublishSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "volumeAttributes": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "defaultMode": { + 
"type": "integer" + }, + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "emptyDir": { + "properties": { + "medium": { + "type": "string" + }, + "sizeLimit": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + }, + "ephemeral": { + "properties": { + "volumeClaimTemplate": { + "properties": { + "metadata": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "creationTimestamp": { + "properties": {}, + "type": "object" + }, + "deletionGracePeriodSeconds": { + "type": "integer" + }, + "deletionTimestamp": { + "properties": {}, + "type": "object" + }, + "finalizers": { + "items": { + "type": "string" + }, + "type": "array" + }, + "generateName": { + "type": "string" + }, + "generation": { + "type": "integer" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "ownerReferences": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "blockOwnerDeletion": { + "type": "boolean" + }, + "controller": { + "type": "boolean" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": 
"object" + }, + "type": "array" + }, + "resourceVersion": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "spec": { + "properties": { + "accessModes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "dataSource": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "dataSourceRef": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "properties": { + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "selector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "storageClassName": { + "type": "string" + }, + "volumeAttributesClassName": { + "type": "string" + }, + "volumeMode": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "fc": { + "properties": { + "fsType": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "targetWWNs": { + "items": 
{ + "type": "string" + }, + "type": "array" + }, + "wwids": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "flexVolume": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "options": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "flocker": { + "properties": { + "datasetName": { + "type": "string" + }, + "datasetUUID": { + "type": "string" + } + }, + "type": "object" + }, + "gcePersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "pdName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "gitRepo": { + "properties": { + "directory": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "revision": { + "type": "string" + } + }, + "type": "object" + }, + "glusterfs": { + "properties": { + "endpoints": { + "type": "string" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "hostPath": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "iscsi": { + "properties": { + "chapAuthDiscovery": { + "type": "boolean" + }, + "chapAuthSession": { + "type": "boolean" + }, + "fsType": { + "type": "string" + }, + "initiatorName": { + "type": "string" + }, + "iqn": { + "type": "string" + }, + "iscsiInterface": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "portals": { + "items": { + "type": "string" + }, + "type": "array" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "targetPortal": { + "type": "string" + } + }, + "type": 
"object" + }, + "name": { + "type": "string" + }, + "nfs": { + "properties": { + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "server": { + "type": "string" + } + }, + "type": "object" + }, + "persistentVolumeClaim": { + "properties": { + "claimName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "photonPersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "pdID": { + "type": "string" + } + }, + "type": "object" + }, + "portworxVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "projected": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "sources": { + "items": { + "properties": { + "clusterTrustBundle": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "path": { + "type": "string" + }, + "signerName": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { 
+ "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serviceAccountToken": { + "properties": { + "audience": { + "type": "string" + }, + "expirationSeconds": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "quobyte": { + "properties": { + "group": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "registry": { + "type": "string" + }, + "tenant": { + "type": "string" + }, + "user": { + "type": "string" + }, + "volume": { + "type": "string" + } + }, + "type": "object" + }, + "rbd": { + "properties": { + "fsType": { + "type": "string" + }, + "image": { + "type": "string" + }, + "keyring": { + "type": "string" + }, + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pool": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "scaleIO": { + "properties": { + "fsType": { + "type": "string" + }, + "gateway": { + "type": "string" + }, 
+ "protectionDomain": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "sslEnabled": { + "type": "boolean" + }, + "storageMode": { + "type": "string" + }, + "storagePool": { + "type": "string" + }, + "system": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "optional": { + "type": "boolean" + }, + "secretName": { + "type": "string" + } + }, + "type": "object" + }, + "storageos": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeName": { + "type": "string" + }, + "volumeNamespace": { + "type": "string" + } + }, + "type": "object" + }, + "vsphereVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "storagePolicyID": { + "type": "string" + }, + "storagePolicyName": { + "type": "string" + }, + "volumePath": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "required": [ + "labels", + "annotations" + ], + "type": "object" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], 
+ "type": "object" + }, + "replicas": { + "type": "integer" + }, + "securityContext": { + "deprecated": true, + "properties": { + "allowPriviledgeEscalation": { + "type": "boolean" + }, + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + }, + "type": "object" + }, + "sideCars": { + "properties": { + "configWatcher": { + "properties": { + "enabled": { + "type": "boolean" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + 
"gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "controllers": { + "properties": { + "createRBAC": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "healthProbeAddress": { + "type": "string" + }, + "image": { + "properties": { + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda-operator", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "tag", + "repository" + ], + "type": "object" + }, + "metricsAddress": { + "type": "string" + }, + "pprofAddress": { + "type": "string" + }, + "resources": true, + "run": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + 
}, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "maxSkew": { + "type": "integer" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "pattern": "^(ScheduleAnyway|DoNotSchedule)$", + "type": "string" + } + }, + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "updateStrategy": { + "properties": { + "type": { + "pattern": "^(RollingUpdate|OnDelete)$", + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object" + } + }, + "required": [ + 
"additionalSelectorLabels", + "replicas", + "updateStrategy", + "podTemplate", + "budget", + "startupProbe", + "livenessProbe", + "readinessProbe", + "podAffinity", + "podAntiAffinity", + "nodeSelector", + "priorityClassName", + "topologySpreadConstraints", + "tolerations", + "securityContext", + "sideCars" + ], + "type": "object" + }, + "storage": { + "properties": { + "hostPath": { + "type": "string" + }, + "persistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { + "type": "string" + }, + "size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "size", + "storageClass" + ], + "type": "object" + }, + "tiered": { + "properties": { + "config": { + "properties": { + "cloud_storage_access_key": { + "type": "string" + }, + "cloud_storage_api_endpoint": { + "type": "string" + }, + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { + "type": "string" + }, + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + 
"cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_enabled": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + "cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_secret_key": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" + } + }, + "required": [ + "cloud_storage_enabled" + ], + "type": "object" + }, + "credentialsSecretRef": { + "properties": { + "accessKey": { + "properties": { + "configurationKey": { + "type": "string" + }, + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "secretKey": { + "properties": { + "configurationKey": { + "type": "string" + }, + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "hostPath": { + "type": "string" + }, + "mountType": { + "pattern": "^(none|hostPath|emptyDir|persistentVolume)$", + "type": "string" + }, + "persistentVolume": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + 
"type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "labels", + "storageClass" + ], + "type": "object" + } + }, + "required": [ + "mountType" + ], + "type": "object" + }, + "tieredConfig": { + "deprecated": true, + "properties": { + "cloud_storage_access_key": { + "type": "string" + }, + "cloud_storage_api_endpoint": { + "type": "string" + }, + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { + "type": "string" + }, + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_enabled": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + "cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_secret_key": { + "type": "string" + }, + 
"cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tieredStorageHostPath": { + "deprecated": true, + "type": "string" + }, + "tieredStoragePersistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "storageClass" + ], + "type": "object" + } + }, + "required": [ + "hostPath", + "tiered", + "persistentVolume" + ], + "type": "object" + }, + "tests": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "tls": { + "properties": { + "certs": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "applyInternalDNSNames": { + "type": "boolean" + }, + "caEnabled": { + "type": "boolean" + }, + "clientSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "duration": { + "pattern": ".*[smh]$", + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "issuerRef": { + "properties": { + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + 
"type": "object" + } + }, + "required": [ + "caEnabled" + ], + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "certs" + ], + "type": "object" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "tuning": { + "properties": { + "ballast_file_path": { + "type": "string" + }, + "ballast_file_size": { + "type": "string" + }, + "tune_aio_events": { + "type": "boolean" + }, + "tune_ballast_file": { + "type": "boolean" + }, + "tune_clocksource": { + "type": "boolean" + }, + "well_known_io": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "affinity", + "image" + ], + "type": "object" +}
diff --git a/charts/redpanda/redpanda/5.9.19/values.yaml b/charts/redpanda/redpanda/5.9.19/values.yaml
new file mode 100644
index 0000000000..8c0c35d658
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.19/values.yaml
@@ -0,0 +1,1157 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file contains values for variables referenced from yaml files in the templates directory.
+#
+# For further information on Helm templating see the documentation at:
+# https://helm.sh/docs/chart_template_guide/values_files/
+
+#
+# >>> This chart requires Helm version 3.6.0 or greater <<<
+#
+
+# Common settings
+#
+# -- Override `redpanda.name` template.
+nameOverride: ""
+# -- Override `redpanda.fullname` template.
+fullnameOverride: ""
+# -- Default Kubernetes cluster domain.
+clusterDomain: cluster.local
+# -- Additional labels to add to all Kubernetes objects.
+# For example, `my.k8s.service: redpanda`.
+commonLabels: {}
+# -- Node selection constraints for scheduling Pods, can override this for StatefulSets.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+nodeSelector: {}
+# -- Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
+affinity: {}
+# -- Taints to be tolerated by Pods, can override this for StatefulSets.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+tolerations: []
+
+# -- Redpanda Docker image settings.
+image:
+ # -- Docker repository from which to pull the Redpanda Docker image.
+ repository: docker.redpanda.com/redpandadata/redpanda
+ # -- The Redpanda version.
+ # See DockerHub for:
+ # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags)
+ # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags).
+ # @default -- `Chart.appVersion`.
+ tag: ""
+ # -- The imagePullPolicy.
+ # If `image.tag` is 'latest', the default is `Always`.
+ pullPolicy: IfNotPresent
+
+# -- Redpanda Service settings.
+# service:
+# -- set service.name to override the default service name
+# name: redpanda
+# -- internal Service
+# internal:
+# -- add annotations to the internal Service
+# annotations: {}
+#
+# -- eg. for a bare metal install using external-dns
+# annotations:
+# "external-dns.alpha.kubernetes.io/hostname": redpanda.domain.dom
+# "external-dns.alpha.kubernetes.io/endpoints-type": HostIP
+
+# -- Pull secrets may be used to provide credentials to image repositories
+# See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
+imagePullSecrets: []
+
+# -- DEPRECATED Enterprise license key (optional).
+# For details,
+# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+license_key: ""
+# -- DEPRECATED Secret name and secret key where the license key is stored.
+license_secret_ref: {}
+ # secret_name: my-secret
+ # secret_key: key-where-license-is-stored
+
+# -- Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication
+# for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0.
+auditLogging:
+ # -- Enable or disable audit logging, for production clusters we suggest you enable,
+ # however, this will only work if you also enable sasl and a listener with sasl enabled.
+ enabled: false
+ # -- Kafka listener name, note that it must have `authenticationMethod` set to `sasl`.
+ # For external listeners, use the external listener name, such as `default`.
+ listener: internal
+ # -- Integer value defining the number of partitions used by a newly created audit topic.
+ partitions: 12
+ # -- Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`].
+ enabledEventTypes:
+ # -- List of topics to exclude from auditing, default is null.
+ excludedTopics:
+ # -- List of principals to exclude from auditing, default is null.
+ excludedPrincipals:
+ # -- Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages.
+ clientMaxBufferSize: 16777216
+ # -- In ms, frequency in which per shard audit logs are batched to client for write to audit log.
+ queueDrainIntervalMs: 500
+ # -- Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard.
+ queueMaxBufferSizePerShard: 1048576
+ # -- Defines the replication factor for a newly created audit log topic. This configuration applies
+ # only to the audit log topic and may be different from the cluster or other topic configurations.
+ # This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided,
+ # Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null`
+ replicationFactor:
+
+# -- Enterprise (optional)
+# For details,
+# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+enterprise:
+ # -- license (optional).
+ license: ""
+ # -- Secret name and key where the license key is stored.
+ licenseSecretRef: {}
+ # name: my-secret
+ # key: key-where-license-is-stored
+
+# -- Rack Awareness settings.
+# For details,
+# see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/).
+rackAwareness:
+ # -- When running in multiple racks or availability zones, use a Kubernetes Node
+ # annotation value as the Redpanda rack value.
+ # Enabling this requires running with a service account with "get" Node permissions.
+ # To have the Helm chart configure these permissions,
+ # set `serviceAccount.create=true` and `rbac.enabled=true`.
+ enabled: false
+ # -- The common well-known annotation to use as the rack ID.
+ # Override this only if you use a custom Node annotation.
+ nodeAnnotation: topology.kubernetes.io/zone
+
+#
+# -- Redpanda Console settings.
+# For a reference of configuration settings,
+# see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/).
+console:
+ enabled: true
+ configmap:
+ create: false
+ secret:
+ create: false
+ deployment:
+ create: false
+ config: {}
+
+#
+# -- Redpanda Managed Connectors settings
+# For a reference of configuration settings,
+# see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/).
+connectors:
+ enabled: false
+ deployment:
+ create: false
+ test:
+ create: false
+
+# -- Authentication settings.
+# For details,
+# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/).
+auth:
+ sasl:
+ # -- Enable SASL authentication.
+ # If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`.
+ enabled: false
+ # -- The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`.
+ mechanism: SCRAM-SHA-512
+ # -- A Secret that contains your superuser credentials.
+ # For details,
+ # see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets).
+ secretRef: "redpanda-users"
+ # -- Optional list of superusers.
+ # These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`.
+ # If this list is empty,
+ # the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart.
+ # Uncomment the sample list if you wish to try adding sample sasl users or override to use your own.
+ users: []
+ # - name: admin
+ # password: change-me
+ # mechanism: SCRAM-SHA-512
+ # -- Details about how to create the bootstrap user for the cluster.
+ # The secretKeyRef is optionally specified. If it is specified, the
+ # chart will use a password written to that secret when creating the
+ # "kubernetes-controller" bootstrap user. If it is unspecified, then
+ # the secret will be generated and stored in the secret
+ # "releasename"-bootstrap-user, with the key "password".
+ bootstrapUser:
+ # -- The name used to override the name of the bootstrap user. If unspecified the bootstrap user is named
+ # "kubernetes-controller". This should only be specified when SASL authentication is enabled (usually installation)
+ # and should not be changed afterward.
+ # name: my-user
+ # -- The authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`.
+ mechanism: SCRAM-SHA-256
+ # secretKeyRef:
+ # name: my-password
+ # key: my-key
+
+# -- TLS settings.
+# For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/).
+tls:
+ # -- Enable TLS globally for all listeners.
+ # Each listener must include a Certificate name in its `.tls` object.
+ # To allow you to enable TLS for individual listeners,
+ # Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`.
+ # See `listeners..tls.enabled`.
+ enabled: true
+ # -- List all Certificates here,
+ # then you can reference a specific Certificate's name
+ # in each listener's `listeners..tls.cert` setting.
+ certs:
+ # -- This key is the Certificate name.
+ # To apply the Certificate to a specific listener,
+ # reference the Certificate's name in `listeners..tls.cert`.
+ default:
+ # -- To use a custom pre-installed Issuer,
+ # add its name and kind to the `issuerRef` object.
+ # issuerRef:
+ # name: redpanda-default-root-issuer
+ # kind: Issuer # Can be Issuer or ClusterIssuer
+ # -- To use a secret with custom tls files,
+ # secretRef:
+ # name: my-tls-secret
+ # -- Indicates whether or not the Secret holding this certificate
+ # includes a `ca.crt` key. When `true`, chart managed clients, such as
+ # rpk, will use `ca.crt` for certificate verification and listeners with
+ # `require_client_auth` and no explicit `truststore` will use `ca.crt` as
+ # their `truststore_file` for verification of client certificates. When
+ # `false`, chart managed clients will use `tls.crt` for certificate
+ # verification and listeners with `require_client_auth` and no explicit
+ # `truststore` will use the container's CA certificates.
+ caEnabled: true
+ # duration: 43800h
+ # if you wish to have Kubernetes internal dns names (IE the headless service of the redpanda StatefulSet) included in `dnsNames` of the certificate even, when supplying an issuer.
+ # applyInternalDNSNames: false
+ # -- Example external tls configuration
+ # uncomment and set the right key to the listeners that require them
+ # also enable the tls setting for those listeners.
+ external:
+ # -- To use a custom pre-installed Issuer,
+ # add its name and kind to the `issuerRef` object.
+ # issuerRef:
+ # name: redpanda-default-root-issuer
+ # kind: Issuer # Can be Issuer or ClusterIssuer
+ # -- To use a secret with custom tls files,
+ # secretRef:
+ # name: my-tls-secret
+ # -- Indicates whether or not the Secret holding this certificate
+ # includes a `ca.crt` key. When `true`, chart managed clients, such as
+ # rpk, will use `ca.crt` for certificate verification and listeners with
+ # `require_client_auth` and no explicit `truststore` will use `ca.crt` as
+ # their `truststore_file` for verification of client certificates. When
+ # `false`, chart managed clients will use `tls.crt` for certificate
+ # verification and listeners with `require_client_auth` and no explicit
+ # `truststore` will use the container's CA certificates.
+ caEnabled: true
+ # duration: 43800h
+ # if you wish to for apply internal dns names to the certificate even when supplying an issuer
+ # applyInternalDNSNames: false
+
+# -- External access settings.
+# For details,
+# see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/).
+external:
+ # -- Service allows you to manage the creation of an external kubernetes service object
+ service:
+ # -- Enabled if set to false will not create the external service type
+ # You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander).
+ # Set this to false if you rather manage your own service.
+ enabled: true
+ # -- Enable external access for each Service.
+ # You can toggle external access for each listener in
+ # `listeners..external..enabled`.
+ enabled: true
+ # -- External access type. Only `NodePort` and `LoadBalancer` are supported.
+ # If undefined, then advertised listeners will be configured in Redpanda,
+ # but the helm chart will not create a Service.
+ # You must create a Service manually.
+ # Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss.
+ # NodePort is recommended in cases where latency is a priority.
+ type: NodePort
+ # Optional source range for external access. Only applicable when external.type is LoadBalancer
+ # sourceRanges: []
+ # -- Optional domain advertised to external clients
+ # If specified, then it will be appended to the `external.addresses` values as each broker's advertised address
+ # domain: local
+ # Optional list of addresses that the Redpanda brokers advertise.
+ # Provide one entry for each broker in order of StatefulSet replicas.
+ # The number of brokers is defined in statefulset.replicas.
+ # The values can be IP addresses or DNS names.
+ # If external.domain is set, the domain is appended to these values.
+ # There is an option to define a single external address for all brokers and leverage
+ # prefixTemplate as it will be calculated during initContainer execution.
+ # addresses:
+ # - redpanda-0
+ # - redpanda-1
+ # - redpanda-2
+ #
+ # annotations:
+ # For example:
+ # cloud.google.com/load-balancer-type: "Internal"
+ # service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ # If you enable externalDns, each LoadBalancer service instance
+ # will be annotated with external-dns hostname
+ # matching external.addresses + external.domain
+ # externalDns:
+ # enabled: true
+ # prefixTemplate: ""
+
+# -- Log-level settings.
+logging:
+ # -- Log level
+ # Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`.
+ logLevel: info
+ # -- Send usage statistics back to Redpanda Data.
+ # For details,
+ # see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting).
+ usageStats:
+ # Enable the `rpk.enable_usage_stats` property.
+ enabled: true
+ # Your cluster ID (optional)
+ # clusterId: your-helm-cluster
+
+# -- Monitoring.
+# This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics.
+monitoring:
+ enabled: false
+ scrapeInterval: 30s
+ labels: {}
+ # Enables http2 for scraping metrics for prometheus. Used when Istio's mTLS is enabled and using tlsConfig.
+ # enableHttp2: true
+ # tlsConfig:
+ # caFile: /etc/prom-certs/root-cert.pem
+ # certFile: /etc/prom-certs/cert-chain.pem
+ # insecureSkipVerify: true
+ # keyFile: /etc/prom-certs/key.pem
+
+# -- Pod resource management.
+# @raw
+# This section simplifies resource allocation for the redpanda container by
+# providing a single location where resources are defined.
+#
+# Resources may be specified by either setting `resources.cpu` and
+# `resources.memory` (the default) or by setting `resources.requests` and
+# `resources.limits`.
+#
+# For details on `resources.cpu` and `resources.memory`, see their respective
+# documentation below.
+#
+# When `resources.limits` and `resources.requests` are set, the redpanda
+# container's resources will be set to exactly the provided values. This allows
+# users to granularly control limits and requests to best suit their use case.
+# For example: `resources.requests.cpu` may be set without setting
+# `resources.limits.cpu` to avoid the potential of CPU throttling.
+#
+# Redpanda's resource related CLI flags will then be calculated as follows:
+# * `--smp max(1, floor(coalesce(resources.requests.cpu, resources.limits.cpu)))`
+# * `--memory coalesce(resources.requests.memory, resources.limits.memory) * 90%`
+# * `--reserve-memory 0`
+# * `--overprovisioned coalesce(resources.requests.cpu, resources.limits.cpu) < 1000m`
+#
+# If neither a request nor a limit is provided for cpu or memory, the
+# corresponding flag will be omitted. As a result, setting `resources.limits`
+# and `resources.requests` to `{}` will result in redpanda being run without
+# `--smp` or `--memory`. (This is not recommended).
+#
+# If the computed CLI flags are undesirable, they may be overridden by
+# specifying the desired value through `statefulset.additionalRedpandaCmdFlags`.
+#
+# The default values are for a development environment.
+# Production-level values and other considerations are documented,
+# where those values are different from the default.
+# For details,
+# see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/).
+resources:
+ # limits: null
+ # requests: null
+ #
+ # -- CPU resources.
+ # For details,
+ # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources).
+ cpu:
+ # -- Redpanda makes use of a thread per core model.
+ # For details, see this [blog](https://redpanda.com/blog/tpc-buffers).
+ # For this reason, Redpanda should only be given full cores.
+ #
+ # Note: You can increase cores, but decreasing cores is supported only from
+ # 24.3 Redpanda version.
+ #
+ # This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`.
+ # For production, use `4` or greater.
+ #
+ # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for
+ # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers
+ # access to exclusive CPUs on the node. See
+ # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy.
+ cores: 1
+ #
+ # -- Overprovisioned means Redpanda won't assume it has all of the provisioned CPU.
+ # This should be true unless the container has CPU affinity.
+ # Equivalent to: `--idle-poll-time-us 0 --thread-affinity 0 --poll-aio 0`
+ #
+ # If the value of full cores in `resources.cpu.cores` is less than `1`, this
+ # setting is set to `true`.
+ # overprovisioned: false
+ #
+ # -- Memory resources
+ # For details,
+ # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources).
+ memory:
+ # -- Enables memory locking.
+ # For production, set to `true`.
+ # enable_memory_locking: false
+ #
+ # It is recommended to have at least 2Gi of memory per core for the Redpanda binary.
+ # This memory is taken from the total memory given to each container.
+ # The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for
+ # other container processes.
+ # So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi.
+ #
+ # These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory
+ # requests/limits in the StatefulSet.
+ # Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi
+ # To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container.
+ # For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a memory limit and a memory request.
+ # * For every container in the Pod, the memory limit must equal the memory request.
+ #
+ container:
+ # Minimum memory count for each Redpanda broker.
+ # If omitted, the `min` value is equal to the `max` value (requested resources defaults to limits).
+ # This setting is equivalent to `resources.requests.memory`.
+ # For production, use 10Gi or greater.
+ # min: 2.5Gi
+ #
+ # -- Maximum memory count for each Redpanda broker.
+ # Equivalent to `resources.limits.memory`.
+ # For production, use `10Gi` or greater.
+ max: 2.5Gi
+ #
+ # This optional `redpanda` object allows you to specify the memory size for both the Redpanda
+ # process and the Seastar subsystem.
+ # This section is omitted by default, and memory sizes are calculated automatically
+ # based on container memory.
+ # Uncommenting this section and setting memory and reserveMemory values will disable
+ # automatic calculation.
+ #
+ # If you are setting these values manually, follow these guidelines carefully. Incorrect settings can lead to performance degradation, instability, or even data loss. The total memory allocated to a container is determined as the sum of the following two areas:
+ #
+ #- Redpanda (including Seastar): Defined by the `--memory` parameter. Includes the memory used by the Redpanda process and the reserved memory allocated for Seastar. A minimum of 2Gi per core is required, and this value typically accounts for ~80% of the container’s total memory. For production, allocate at least 8Gi.
+ #
+ # - Operating system (OS): Defined by the `--reserve-memory` parameter. Represents the memory available for the operating system and other processes within the container.
+ # redpanda:
+ # Memory for the Redpanda process.
+ # This must be lower than the container's memory (resources.memory.container.min if provided, otherwise
+ # resources.memory.container.max).
+ # Equivalent to --memory.
+ # For production, use 8Gi or greater.
+ # memory: 2Gi
+ #
+ # Memory reserved for the OS.
+ # Equivalent to --reserve-memory.
+ # reserveMemory: 200Mi
+
+# -- Persistence settings.
+# For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/).
+storage:
+ # -- Absolute path on the host to store Redpanda's data.
+ # If unspecified, then an `emptyDir` volume is used.
+ # If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect.
+ hostPath: ""
+ # -- If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and
+ # used to store Redpanda's data. Otherwise, `storage.hostPath` is used.
+ persistentVolume:
+ enabled: true
+ size: 20Gi
+ # -- To disable dynamic provisioning, set to `-`.
+ # If undefined or empty (default), then no storageClassName spec is set,
+ # and the default dynamic provisioner is chosen (gp2 on AWS, standard on
+ # GKE, AWS & OpenStack).
+ storageClass: ""
+ # -- Additional labels to apply to the created PersistentVolumeClaims.
+ labels: {}
+ # -- Additional annotations to apply to the created PersistentVolumeClaims.
+ annotations: {}
+ # -- Option to change volume claim template name for tiered storage persistent volume
+ # if tiered.mountType is set to `persistentVolume`
+ nameOverwrite: ""
+ #
+ # Settings for the Tiered Storage cache.
+ # For details,
+ # see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/#caching).
+
+ tiered:
+ # mountType can be one of:
+ # - none: does not mount a volume. Tiered storage will use the data directory.
+ # - hostPath: will allow you to chose a path on the Node the pod is running on
+ # - emptyDir: will mount a fresh empty directory every time the pod starts
+ # - persistentVolume: creates and mounts a PersistentVolumeClaim
+ mountType: none
+
+ # For the maximum size of the disk cache, see `tieredConfig.cloud_storage_cache_size`.
+ #
+ # -- Absolute path on the host to store Redpanda's Tiered Storage cache.
+ hostPath: ""
+ # PersistentVolumeClaim to be created for the Tiered Storage cache and
+ # used to store data retrieved from cloud storage, such as S3).
+ persistentVolume:
+ # -- To disable dynamic provisioning, set to "-".
+ # If undefined or empty (default), then no storageClassName spec is set,
+ # and the default dynamic provisioner is chosen (gp2 on AWS, standard on
+ # GKE, AWS & OpenStack).
+ storageClass: ""
+ # -- Additional labels to apply to the created PersistentVolumeClaims.
+ labels: {}
+ # -- Additional annotations to apply to the created PersistentVolumeClaims.
+ annotations: {}
+
+ # credentialsSecretRef can be used to set `cloud_storage_secret_key` and/or `cloud_storage_access_key` from
+ # referenced Kubernetes Secret
+ credentialsSecretRef:
+ accessKey:
+ # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_access_key
+ configurationKey: cloud_storage_access_key
+ # name:
+ # key:
+ secretKey:
+ # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_secret_key
+ # or
+ # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_azure_shared_key
+ configurationKey: cloud_storage_secret_key
+ # name:
+ # key
+ # -- DEPRECATED `configurationKey`, `name` and `key`. Please use `accessKey` and `secretKey`
+ # configurationKey: cloud_storage_secret_key
+ # name:
+ # key:
+ #
+ # -- Tiered Storage settings
+ # Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef`
+ # For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/).
+ # For a list of properties, see [Object Storage Properties](https://docs.redpanda.com/current/reference/properties/object-storage-properties/).
+ config:
+ # -- Global flag that enables Tiered Storage if a license key is provided.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enabled).
+ cloud_storage_enabled: false
+ # -- Cluster level default remote write configuration for new topics.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_write).
+ cloud_storage_enable_remote_write: true
+ # -- Cluster level default remote read configuration for new topics.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_read).
+ cloud_storage_enable_remote_read: true
+ # -- Maximum size of the disk cache used by Tiered Storage.
+ # Default is 20 GiB.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_cache_size).
+ cloud_storage_cache_size: 5368709120
+
+post_install_job:
+ enabled: true
+ # Resource requests and limits for the post-install batch job
+ # resources:
+ # requests:
+ # cpu: 1
+ # memory: 512Mi
+ # limits:
+ # cpu: 2
+ # memory: 1024Mi
+ # labels: {}
+ # annotations: {}
+ affinity: {}
+
+ podTemplate:
+ # -- Labels to apply (or overwrite the default) to the Pods of this Job.
+ labels: {}
+ # -- Annotations to apply (or overwrite the default) to the Pods of this Job.
+ annotations: {}
+ # -- A subset of Kubernetes' PodSpec type that will be merged into the
+ # final PodSpec. See [Merge Semantics](#merging-semantics) for details.
+ spec:
+ securityContext: {}
+ containers:
+ - name: post-install
+ securityContext: {}
+ env: []
+
+statefulset:
+ # -- Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster)
+ replicas: 3
+ updateStrategy:
+ type: RollingUpdate
+ budget:
+ maxUnavailable: 1
+ # -- DEPRECATED Please use statefulset.podTemplate.annotations.
+ # Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have
+ # any dedicated annotation.
+ annotations: {}
+ # -- Additional labels to be added to statefulset label selector.
+ # For example, `my.k8s.service: redpanda`.
+ additionalSelectorLabels: {}
+ podTemplate:
+ # -- Additional labels to apply to the Pods of the StatefulSet.
+ labels: {}
+ # -- Additional annotations to apply to the Pods of the StatefulSet.
+ annotations: {}
+ # -- A subset of Kubernetes' PodSpec type that will be merged into the
+ # final PodSpec. See [Merge Semantics](#merging-semantics) for details.
+ spec:
+ securityContext: {}
+ containers: []
+ # -- Adjust the period for your probes to meet your needs.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
+ startupProbe:
+ initialDelaySeconds: 1
+ failureThreshold: 120
+ periodSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 10
+ failureThreshold: 3
+ periodSeconds: 10
+ readinessProbe:
+ initialDelaySeconds: 1
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ #
+ # StatefulSet resources:
+ # Resources are set through the top-level resources section above.
+ # It is recommended to set resource values in that section rather than here, as this will guarantee
+ # memory is allocated across containers, Redpanda, and the Seastar subsystem correctly.
+ # This automatic memory allocation is in place because Repanda and the Seastar subsystem require flags
+ # at startup that set the amount of memory available to each process.
+ # Kubernetes (mainly statefulset), Redpanda, and Seastar memory values are tightly coupled.
+ # Adding a resource section here will be ignored.
+ #
+ # -- Inter-Pod Affinity rules for scheduling Pods of this StatefulSet.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+ podAffinity: {}
+ # -- Anti-affinity rules for scheduling Pods of this StatefulSet.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+ # You may either edit the default settings for anti-affinity rules,
+ # or specify new anti-affinity rules to use instead of the defaults.
+ podAntiAffinity:
+ # -- The topologyKey to be used.
+ # Can be used to spread across different nodes, AZs, regions etc.
+ topologyKey: kubernetes.io/hostname
+ # -- Valid anti-affinity types are `soft`, `hard`, or `custom`.
+ # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object.
+ type: hard
+ # -- Weight for `soft` anti-affinity rules.
+ # Does not apply to other anti-affinity types.
+ weight: 100
+ # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here.
+ custom: {}
+ # -- Node selection constraints for scheduling Pods of this StatefulSet.
+ # These constraints override the global `nodeSelector` value.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+ nodeSelector: {}
+ # -- PriorityClassName given to Pods of this StatefulSet.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+ priorityClassName: ""
+ # -- Taints to be tolerated by Pods of this StatefulSet.
+ # These tolerations override the global tolerations value.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+ tolerations: []
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/).
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ # -- DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext.
+ securityContext:
+ fsGroup: 101
+ runAsUser: 101
+ fsGroupChangePolicy: OnRootMismatch
+ sideCars:
+ configWatcher:
+ enabled: true
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a memory limit and a memory request.
+ # * For every container in the Pod, the memory limit must equal the memory request.
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ #
+ # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for
+ # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers
+ # access to exclusive CPUs on the node. For details, see
+ # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy
+ resources: {}
+ securityContext: {}
+ extraVolumeMounts: |-
+ # Configure extra controllers to run as sidecars inside the Pods running Redpanda brokers.
+ # Available controllers:
+ # - Decommission Controller: The Decommission Controller ensures smooth scaling down operations.
+ # This controller is responsible for monitoring changes in the number of StatefulSet replicas and orchestrating
+ # the decommissioning of brokers when necessary. It also sets the reclaim policy for the decommissioned
+ # broker's PersistentVolume to `Retain` and deletes the corresponding PersistentVolumeClaim.
+ # - Node-PVC Controller: The Node-PVC Controller handles the PVCs of deleted brokers.
+ # By setting the PV Retain policy to retain, it facilitates the rescheduling of brokers to new, healthy nodes when
+ # an existing node is removed.
+ controllers:
+ image:
+ tag: v2.3.6-24.3.3
+ repository: docker.redpanda.com/redpandadata/redpanda-operator
+ # You must also enable RBAC, `rbac.enabled=true`, to deploy this sidecar
+ enabled: false
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ #
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ #
+ # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for
+ # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers
+ # access to exclusive CPUs on the node. For details, see
+ # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy
+ resources: {}
+ securityContext: {}
+ healthProbeAddress: ":8085"
+ metricsAddress: ":9082"
+ pprofAddress: ":9083"
+ run:
+ - all
+ createRBAC: true
+ initContainers:
+ fsValidator:
+ enabled: false
+ expectedFS: xfs
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ resources: {}
+ extraVolumeMounts: |-
+ tuning:
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ resources: {}
+ extraVolumeMounts: |-
+ setDataDirOwnership:
+ # -- In environments where root is not allowed, you cannot change the ownership of files and directories.
+ # Enable `setDataDirOwnership` when using default minikube cluster configuration.
+ enabled: false
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ resources: {}
+ extraVolumeMounts: |-
+ setTieredStorageCacheDirOwnership:
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ resources: {}
+ extraVolumeMounts: |-
+ configurator:
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ resources: {}
+ extraVolumeMounts: |-
+ ## Additional init containers
+ extraInitContainers: |-
+# - name: "test-init-container"
+# image: "mintel/docker-alpine-bash-curl-jq:latest"
+# command: [ "/bin/bash", "-c" ]
+# args:
+# - |
+# set -xe
+# echo "Hello World!"
+ initContainerImage:
+ repository: busybox
+ tag: latest
+ # -- Additional flags to pass to redpanda,
+ additionalRedpandaCmdFlags: []
+# - --unsafe-bypass-fsync
+ # -- Termination grace period in seconds is time required to execute preStop hook
+ # which puts particular Redpanda Pod (process/container) into maintenance mode.
+ # Before settle down on particular value please put Redpanda under load and perform
+ # rolling upgrade or rolling restart. That value needs to accommodate two processes:
+ # * preStop hook needs to put Redpanda into maintenance mode
+ # * after preStop hook Redpanda needs to handle gracefully SIGTERM signal
+ #
+ # Both processes are executed sequentially where preStop hook has hard deadline in the
+ # middle of terminationGracePeriodSeconds.
+ #
+ # REF:
+ # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
+ # https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination
+ terminationGracePeriodSeconds: 90
+ ## Additional Volumes that you mount
+ extraVolumes: |-
+ ## Additional Volume mounts for redpanda container
+ extraVolumeMounts: |-
+
+# -- Service account management.
+serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: false
+ # -- Specifies whether a service account should automount API-Credentials. The token is used in sidecars.controllers
+ automountServiceAccountToken: false
+ # -- Annotations to add to the service account.
+ annotations: {}
+ # -- The name of the service account to use.
+ # If not set and `serviceAccount.create` is `true`,
+ # a name is generated using the `redpanda.fullname` template.
+ name: ""
+
+# -- Role Based Access Control.
+rbac:
+ # -- Enable for features that need extra privileges.
+ # If you use the Redpanda Operator,
+ # you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag
+ # to give it the required ClusterRoles.
+ enabled: false
+ # -- Annotations to add to the `rbac` resources.
+ annotations: {}
+
+# -- Redpanda tuning settings.
+# Each is set to their default values in Redpanda.
+tuning:
+ # -- Increase the maximum number of outstanding asynchronous IO operations if the
+ # current value is below a certain threshold. This allows Redpanda to make as many
+ # simultaneous IO requests as possible, increasing throughput.
+ #
+ # When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`.
+ # For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/).
+ tune_aio_events: true
+ #
+ # Syncs NTP
+ # tune_clocksource: false
+ #
+ # Creates a "ballast" file so that, if a Redpanda node runs out of space,
+ # you can delete the ballast file to allow the node to resume operations and then
+ # delete a topic or records to reduce the space used by Redpanda.
+ # tune_ballast_file: false
+ #
+ # The path where the ballast file will be created.
+ # ballast_file_path: "/var/lib/redpanda/data/ballast"
+ #
+ # The ballast file size.
+ # ballast_file_size: "1GiB"
+ #
+ # (Optional) The vendor, VM type and storage device type that redpanda will run on, in
+ # the format ::. This hints to rpk which configuration values it
+ # should use for the redpanda IO scheduler.
+ # Some valid values are "gcp:c2-standard-16:nvme", "aws:i3.xlarge:default"
+ # well_known_io: ""
+ #
+ # The following tuning parameters must be false in container environments and will be ignored:
+ # tune_network
+ # tune_disk_scheduler
+ # tune_disk_nomerges
+ # tune_disk_irq
+ # tune_fstrim
+ # tune_cpu
+ # tune_swappiness
+ # tune_transparent_hugepages
+ # tune_coredump
+
+
+# -- Listener settings.
+#
+# Override global settings configured above for individual
+# listeners.
+# For details,
+# see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/).
+listeners:
+ # -- Admin API listener (only one).
+ admin:
+ # -- The port for both internal and external connections to the Admin API.
+ port: 9644
+ # -- Optional instrumentation hint - https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
+ # appProtocol:
+ # -- Optional external access settings.
+ external:
+ # -- Name of the external listener.
+ default:
+ port: 9645
+ # Override the global `external.enabled` for only this listener.
+ # enabled: true
+ # -- The port advertised to this listener's external clients.
+ # List one port if you want to use the same port for each broker (would be the case when using NodePort service).
+ # Otherwise, list the port you want to use for each broker in order of StatefulSet replicas.
+ # If undefined, `listeners.admin.port` is used.
+ tls:
+ # enabled: true
+ cert: external
+ advertisedPorts:
+ - 31644
+ # -- Optional TLS section (required if global TLS is enabled)
+ tls:
+ # Optional flag to override the global TLS enabled flag.
+ # enabled: true
+ # -- Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs).
+ cert: default
+ # -- If true, the truststore file for this listener is included in the ConfigMap.
+ requireClientAuth: false
+ # -- Kafka API listeners.
+ kafka:
+ # -- The port for internal client connections.
+ port: 9093
+ # default is "sasl"
+ authenticationMethod:
+ tls:
+ # Optional flag to override the global TLS enabled flag.
+ # enabled: true
+ cert: default
+ requireClientAuth: false
+ external:
+ default:
+ # enabled: true
+ # -- The port used for external client connections.
+ port: 9094
+ # prefixTemplate: ""
+ # -- If undefined, `listeners.kafka.external.default.port` is used.
+ advertisedPorts:
+ - 31092
+ tls:
+ # enabled: true
+ cert: external
+ # default is "sasl"
+ authenticationMethod:
+ # -- RPC listener (this is never externally accessible).
+ rpc:
+ port: 33145
+ tls:
+ # Optional flag to override the global TLS enabled flag.
+ # enabled: true
+ cert: default
+ requireClientAuth: false
+ # -- Schema registry listeners.
+ schemaRegistry:
+ enabled: true
+ port: 8081
+ kafkaEndpoint: default
+ # default is "http_basic"
+ authenticationMethod:
+ tls:
+ # Optional flag to override the global TLS enabled flag.
+ # enabled: true
+ cert: default
+ requireClientAuth: false
+ external:
+ default:
+ # enabled: true
+ port: 8084
+ advertisedPorts:
+ - 30081
+ tls:
+ # enabled: true
+ cert: external
+ requireClientAuth: false
+ # default is "http_basic"
+ authenticationMethod:
+ # -- HTTP API listeners (aka PandaProxy).
+ http:
+ enabled: true
+ port: 8082
+ kafkaEndpoint: default
+ # default is "http_basic"
+ authenticationMethod:
+ tls:
+ # Optional flag to override the global TLS enabled flag.
+ # enabled: true
+ cert: default
+ requireClientAuth: false
+ external:
+ default:
+ # enabled: true
+ port: 8083
+ # prefixTemplate: ""
+ advertisedPorts:
+ - 30082
+ tls:
+ # enabled: true
+ cert: external
+ requireClientAuth: false
+ # default is "http_basic"
+ authenticationMethod:
+
+# Expert Config
+# Here be dragons!
+#
+# -- This section contains various settings supported by Redpanda that may not work
+# correctly in a Kubernetes cluster. Changing these settings comes with some risk.
+#
+# Use these settings to customize various Redpanda configurations that are not covered in other sections.
+# These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm,
+# and therefore should not be modified for the purpose of configuring those objects.
+# Instead, these settings get passed directly to the Redpanda binary at startup.
+# For descriptions of these properties,
+# see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/).
+config:
+ rpk: {}
+ # additional_start_flags: # List of flags to pass to rpk, e.g., ` "--idle-poll-time-us=0"`
+ # -- [Cluster Configuration Properties](https://docs.redpanda.com/current/reference/properties/cluster-properties/)
+ cluster: {}
+
+ # -- Tunable cluster properties.
+ # Deprecated: all settings here may be specified via `config.cluster`.
+ tunable:
+ # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_min).
+ log_segment_size_min: 16777216 # 16 mb
+ # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_max).
+ log_segment_size_max: 268435456 # 256 mb
+ # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#compacted_log_segment_size).
+ compacted_log_segment_size: 67108864 # 64 mb
+ # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#max_compacted_log_segment_size).
+ max_compacted_log_segment_size: 536870912 # 512 mb
+ # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit).
+ kafka_connection_rate_limit: 1000
+
+ # -- [Broker (node) Configuration Properties](https://docs.redpanda.com/docs/reference/broker-properties/).
+ node:
+ # -- Crash loop limit
+ # A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset.
+ # This limit prevents a broker from getting stuck in an infinite cycle of crashes.
+ # User can disable this crash loop limit check by the following action:
+ #
+ # * One hour elapses since the last crash
+ # * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects
+ # * The startup_log file in the node’s data_directory is manually deleted
+ #
+ # Default to 5
+ # REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit
+ crash_loop_limit: 5
+
+ # Reference schema registry client https://docs.redpanda.com/current/reference/node-configuration-sample/
+ schema_registry_client: {}
+ # # Number of times to retry a request to a broker
+ # # Default: 5
+ # retries: 5
+ #
+ # # Delay (in milliseconds) for initial retry backoff
+ # # Default: 100ms
+ # retry_base_backoff_ms: 100
+ #
+ # # Number of records to batch before sending to broker
+ # # Default: 1000
+ # produce_batch_record_count: 1000
+ #
+ # # Number of bytes to batch before sending to broker
+ # # Defautl 1MiB
+ # produce_batch_size_bytes: 1048576
+ #
+ # # Delay (in milliseconds) to wait before sending batch
+ # # Default: 100ms
+ # produce_batch_delay_ms: 100
+ #
+ # # Interval (in milliseconds) for consumer request timeout
+ # # Default: 100ms
+ # consumer_request_timeout_ms: 100
+ #
+ # # Max bytes to fetch per request
+ # # Default: 1MiB
+ # consumer_request_max_bytes: 1048576
+ #
+ # # Timeout (in milliseconds) for consumer session
+ # # Default: 10s
+ # consumer_session_timeout_ms: 10000
+ #
+ # # Timeout (in milliseconds) for consumer rebalance
+ # # Default: 2s
+ # consumer_rebalance_timeout_ms: 2000
+ #
+ # # Interval (in milliseconds) for consumer heartbeats
+ # # Default: 500ms
+ # consumer_heartbeat_interval_ms: 500
+
+ # Reference panda proxy client https://docs.redpanda.com/current/reference/node-configuration-sample/
+ pandaproxy_client: {}
+ # # Number of times to retry a request to a broker
+ # # Default: 5
+ # retries: 5
+ #
+ # # Delay (in milliseconds) for initial retry backoff
+ # # Default: 100ms
+ # retry_base_backoff_ms: 100
+ #
+ # # Number of records to batch before sending to broker
+ # # Default: 1000
+ # produce_batch_record_count: 1000
+ #
+ # # Number of bytes to batch before sending to broker
+ # # Defautl 1MiB
+ # produce_batch_size_bytes: 1048576
+ #
+ # # Delay (in milliseconds) to wait before sending batch
+ # # Default: 100ms
+ # produce_batch_delay_ms: 100
+ #
+ # # Interval (in milliseconds) for consumer request timeout
+ # # Default: 100ms
+ # consumer_request_timeout_ms: 100
+ #
+ # # Max bytes to fetch per request
+ # # Default: 1MiB
+ # consumer_request_max_bytes: 1048576
+ #
+ # # Timeout (in milliseconds) for consumer session
+ # # Default: 10s
+ # consumer_session_timeout_ms: 10000
+ #
+ # # Timeout (in milliseconds) for consumer rebalance
+ # # Default: 2s
+ # consumer_rebalance_timeout_ms: 2000
+ #
+ # # Interval (in milliseconds) for consumer heartbeats
+ # # Default: 500ms
+ # consumer_heartbeat_interval_ms: 500
+
+ # Invalid properties
+ # Any of these properties will be ignored. These otherwise valid properties are not allowed
+ # to be used in this section since they impact deploying Redpanda in Kubernetes.
+ # Make use of the above sections to modify these values instead (see comments below).
+ # admin: "127.0.0.1:9644" # Address and port of admin server: use listeners.admin
+ # admin_api_tls: validate_many # TLS configuration for admin HTTP server: use listeners.admin.tls
+ # advertised_kafka_api: None # Address of Kafka API published to the clients
+ # advertised_pandaproxy_api: None # Rest API address and port to publish to client
+ # advertised_rpc_api: None # Address of RPC endpoint published to other cluster members
+ # enable_admin_api: true # Enable the admin API
+ # enable_sasl: false # Enable SASL authentication for Kafka connections
+ # kafka_api: "127.0.0.1:9092" # Address and port of an interface to listen for Kafka API requests
+ # kafka_api_tls: None # TLS configuration for Kafka API endpoint
+ # pandaproxy_api: "0.0.0.0:8082" # Rest API listen address and port
+ # pandaproxy_api_tls: validate_many # TLS configuration for Pandaproxy api
+ # rpc_server: "127.0.0.1:33145" # IP address and port for RPC server
+ # rpc_server_tls: validate # TLS configuration for RPC server
+ # superusers: None # List of superuser usernames
+
+tests:
+ enabled: true
diff --git a/index.yaml b/index.yaml
index 994135c7ae..b094954627 100644
--- a/index.yaml
+++ b/index.yaml
@@ -14962,6 +14962,112 @@ entries: - assets/inaccel/fpga-operator-2.8.2.tgz version: 2.8.2 gluu: + - annotations: + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.3.0-1 + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.3.0-1 + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.3.0-1 + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.3.0-1 + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.3.0-1 + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.3.0-1 + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.3.0-1 + - name: casa + image: ghcr.io/janssenproject/jans/casa:1.3.0-1 + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:5.3.0-1 + - name: link + image: ghcr.io/janssenproject/jans/link:1.3.0-1 + - name: saml + image: ghcr.io/janssenproject/jans/saml:1.3.0-1 + - name: kc-scheduler + image: ghcr.io/janssenproject/jans/kc-scheduler:1.3.0-1 + artifacthub.io/license: Apache-2.0 + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu + apiVersion: v2 + appVersion: 5.3.0 + created: "2025-01-23T00:03:45.292298194Z" + dependencies: + - condition: global.config.enabled + name: config + repository: "" + version: 1.3.0 + - condition: global.config-api.enabled + name: config-api + repository: "" + version: 1.3.0 + - condition: global.auth-server.enabled + name: auth-server + repository: "" + version: 1.3.0 + - condition: global.admin-ui.enabled + name: admin-ui + repository: "" + version: 5.3.0 + - condition: global.fido2.enabled + name: fido2 + repository: "" + version: 1.3.0 + - condition: global.scim.enabled + name: scim + repository: "" + version: 1.3.0 + - condition: 
global.nginx-ingress.enabled + name: nginx-ingress + repository: "" + version: 1.3.0 + - condition: global.casa.enabled + name: casa + repository: "" + version: 1.3.0 + - condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: "" + version: 1.3.0 + - condition: global.persistence.enabled + name: persistence + repository: "" + version: 1.3.0 + - condition: global.istio.ingress + name: cn-istio-ingress + repository: "" + version: 1.3.0 + - condition: global.link.enabled + name: link + repository: "" + version: 1.3.0 + - condition: global.saml.enabled + name: saml + repository: "" + version: 1.3.0 + - condition: global.kc-scheduler.enabled + name: kc-scheduler + repository: "" + version: 1.3.0 + description: Gluu Access and Identity Management + digest: cba6f2b167a95b044576edeb8d22d446f0996882050c137d2b7a8df63f38ad0e + home: https://www.gluu.org + icon: file://assets/icons/gluu.ico + kubeVersion: '>=v1.21.0-0' + maintainers: + - email: team@gluu.org + name: moabu + name: gluu + sources: + - https://docs.gluu.org + urls: + - assets/gluu/gluu-5.3.0.tgz + version: 5.3.0 - annotations: artifacthub.io/containsSecurityUpdates: "true" artifacthub.io/images: | 
@@ -27868,6 +27974,33 @@ entries: - assets/airlock/microgateway-cni-4.2.3.tgz version: 4.2.3 minio-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Minio Operator + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: operator + apiVersion: v2 + appVersion: v7.0.0 + created: "2025-01-23T00:03:47.902194519Z" + description: A Helm chart for MinIO Operator + digest: 5d48fa2cef114a156eb15c62b481d9e00727af741afbc6fcc8428f102f0446e5 + home: https://min.io + icon: file://assets/icons/minio-operator.png + keywords: + - storage + - object-storage + - S3 + kubeVersion: '>=1.19-0' + maintainers: + - email: dev@minio.io + name: MinIO, Inc + name: minio-operator + sources: + - https://github.com/minio/operator + type: application + urls: + - assets/minio/minio-operator-7.0.0.tgz + version: 7.0.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Minio Operator 
@@ -36613,6 +36746,48 @@ entries: - assets/quobyte/quobyte-cluster-0.1.8.tgz version: 0.1.8 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v24.3.3 + - name: busybox + image: busybox:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.10.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v24.3.3 + created: "2025-01-23T00:03:49.536040979Z" + dependencies: + - condition: console.enabled + name: console + repository: https://charts.redpanda.com + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: https://charts.redpanda.com + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: 0e50e2fbe32f2f609600f5d7ba7bf53bc4d31b27b1ab6fb114e2a44545efa42b + icon: file://assets/icons/redpanda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/redpanda-operator/tree/main/charts/redpanda + type: application + urls: + - assets/redpanda/redpanda-5.9.19.tgz + version: 5.9.19 - annotations: artifacthub.io/images: | - name: redpanda @@ -48175,4 +48350,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2025-01-22T17:51:04.776244721Z" +generated: "2025-01-23T00:03:43.913976787Z"