
initial commit

Alex Wong 1 year ago
commit
e501aaaf87
100 changed files with 4630 additions and 0 deletions
  1. 2 0
      .gitignore
  2. 13 0
      .jenkins/Jenkinsfile-helm-build-ceph-provisioners
  3. 13 0
      .jenkins/Jenkinsfile-helm-build-chartmuseum
  4. 13 0
      .jenkins/Jenkinsfile-helm-build-dubbo-admin
  5. 13 0
      .jenkins/Jenkinsfile-helm-build-elasticsearch
  6. 13 0
      .jenkins/Jenkinsfile-helm-build-fluentd
  7. 13 0
      .jenkins/Jenkinsfile-helm-build-grafana
  8. 13 0
      .jenkins/Jenkinsfile-helm-build-jenkins
  9. 13 0
      .jenkins/Jenkinsfile-helm-build-kubernetes-dashboard
  10. 13 0
      .jenkins/Jenkinsfile-helm-build-monocular
  11. 13 0
      .jenkins/Jenkinsfile-helm-build-mysqlha
  12. 13 0
      .jenkins/Jenkinsfile-helm-build-nginx
  13. 13 0
      .jenkins/Jenkinsfile-helm-build-nginx-ingress
  14. 13 0
      .jenkins/Jenkinsfile-helm-build-prometheus
  15. 13 0
      .jenkins/Jenkinsfile-helm-build-rabbitmq-ha
  16. 13 0
      .jenkins/Jenkinsfile-helm-build-zookeeper
  17. 8 0
      ceph-provisioners/Chart.yaml
  18. 0 0
      ceph-provisioners/overrides/dang.yaml
  19. 1 0
      ceph-provisioners/overrides/gmem.yaml
  20. 21 0
      ceph-provisioners/templates/_helpers.tpl
  21. 19 0
      ceph-provisioners/templates/ceph-bin.yaml
  22. 107 0
      ceph-provisioners/templates/cephfs-provisioner.yaml
  23. 29 0
      ceph-provisioners/templates/clusterrole.yaml
  24. 17 0
      ceph-provisioners/templates/clusterrolebinding.yaml
  25. 112 0
      ceph-provisioners/templates/rbd-provisioner.yaml
  26. 13 0
      ceph-provisioners/templates/role.yaml
  27. 17 0
      ceph-provisioners/templates/rolebinding.yaml
  28. 4 0
      ceph-provisioners/templates/serviceaccount.yaml
  29. 54 0
      ceph-provisioners/values.yaml
  30. 23 0
      chartmuseum/.helmignore
  31. 18 0
      chartmuseum/Chart.yaml
  32. 6 0
      chartmuseum/OWNERS
  33. 411 0
      chartmuseum/README.md
  34. 44 0
      chartmuseum/overrides/dang.yaml
  35. 37 0
      chartmuseum/overrides/gmem.yaml
  36. 30 0
      chartmuseum/templates/NOTES.txt
  37. 85 0
      chartmuseum/templates/_helpers.tpl
  38. 130 0
      chartmuseum/templates/deployment.yaml
  39. 33 0
      chartmuseum/templates/ingress.yaml
  40. 23 0
      chartmuseum/templates/pvc.yaml
  41. 17 0
      chartmuseum/templates/secret.yaml
  42. 27 0
      chartmuseum/templates/service.yaml
  43. 175 0
      chartmuseum/values.yaml
  44. 10 0
      dubbo-admin/Chart.yaml
  45. 0 0
      dubbo-admin/overrides/dang.yaml
  46. 8 0
      dubbo-admin/overrides/gmem.yaml
  47. 15 0
      dubbo-admin/templates/_helpers.tpl
  48. 56 0
      dubbo-admin/templates/deployment.yaml
  49. 30 0
      dubbo-admin/templates/ingress.yaml
  50. 19 0
      dubbo-admin/templates/service.yaml
  51. 1 0
      dubbo-admin/values.yaml
  52. 15 0
      elasticsearch/Chart.yaml
  53. 49 0
      elasticsearch/overrides/dang.yaml
  54. 35 0
      elasticsearch/overrides/gmem.yaml
  55. 0 0
      elasticsearch/templates/NOTES.txt
  56. 22 0
      elasticsearch/templates/_helpers.tpl
  57. 33 0
      elasticsearch/templates/elastichq-ingress.yaml
  58. 25 0
      elasticsearch/templates/elastichq-svc.yaml
  59. 51 0
      elasticsearch/templates/elastichq.yaml
  60. 146 0
      elasticsearch/templates/es-client.yaml
  61. 259 0
      elasticsearch/templates/es-config.yaml
  62. 64 0
      elasticsearch/templates/es-curator-config.yaml
  63. 49 0
      elasticsearch/templates/es-curator.yaml
  64. 24 0
      elasticsearch/templates/es-data-svc.yaml
  65. 157 0
      elasticsearch/templates/es-data.yaml
  66. 21 0
      elasticsearch/templates/es-discovery-svc.yaml
  67. 156 0
      elasticsearch/templates/es-master.yaml
  68. 27 0
      elasticsearch/templates/es-svc.yaml
  69. 19 0
      elasticsearch/templates/kibana-config.yaml
  70. 33 0
      elasticsearch/templates/kibana-ingress.yaml
  71. 25 0
      elasticsearch/templates/kibana-svc.yaml
  72. 78 0
      elasticsearch/templates/kibana.yaml
  73. 209 0
      elasticsearch/values.yaml
  74. 11 0
      fluentd/Chart.yaml
  75. 3 0
      fluentd/overrides/gmem.yaml
  76. 15 0
      fluentd/templates/_helpers.tpl
  77. 179 0
      fluentd/templates/fluentd-config.yaml
  78. 65 0
      fluentd/templates/fluentd-ds.yaml
  79. 43 0
      fluentd/templates/fluentd-rbac.yaml
  80. 20 0
      fluentd/values.yaml
  81. 14 0
      grafana/Chart.yaml
  82. 62 0
      grafana/README.md
  83. 25 0
      grafana/overrides/dang.yaml
  84. 1 0
      grafana/overrides/gmem.yaml
  85. 37 0
      grafana/templates/NOTES.txt
  86. 32 0
      grafana/templates/_helpers.tpl
  87. 53 0
      grafana/templates/configmap.yaml
  88. 19 0
      grafana/templates/dashboards-json-configmap.yaml
  89. 178 0
      grafana/templates/deployment.yaml
  90. 40 0
      grafana/templates/ingress.yaml
  91. 25 0
      grafana/templates/pvc.yaml
  92. 18 0
      grafana/templates/secret.yaml
  93. 48 0
      grafana/templates/service.yaml
  94. 156 0
      grafana/values.yaml
  95. 21 0
      jenkins/.helmignore
  96. 16 0
      jenkins/Chart.yaml
  97. 6 0
      jenkins/OWNERS
  98. 234 0
      jenkins/README.md
  99. 15 0
      jenkins/overrides/dang.yaml
  100. 0 0
      jenkins/overrides/gmem.yaml

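--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.tgz
+.idea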

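--- a/.jenkins/Jenkinsfile-helm-build-ceph-provisioners
+++ b/.jenkins/Jenkinsfile-helm-build-ceph-provisioners
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'ceph-provisioners'
+            }
+        }
+    }
+}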
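Review bot: The fifteen Jenkinsfiles in this commit are identical apart from the `helmBuild chart: '…'` argument, so any later change to the pipeline (an extra lint or test stage, a different agent label) must be repeated fifteen times and will drift. One parameterised pipeline, or a chart name derived from the Jenkinsfile's own filename, would keep a single copy. The `helmBuild` step itself comes from a shared library that is not part of this repository, so what it does with the packaged chart — where it pushes it and whether it signs it — cannot be reviewed from this commit.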

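--- a/.jenkins/Jenkinsfile-helm-build-chartmuseum
+++ b/.jenkins/Jenkinsfile-helm-build-chartmuseum
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'chartmuseum'
+            }
+        }
+    }
+}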

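--- a/.jenkins/Jenkinsfile-helm-build-dubbo-admin
+++ b/.jenkins/Jenkinsfile-helm-build-dubbo-admin
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'dubbo-admin'
+            }
+        }
+    }
+}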

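--- a/.jenkins/Jenkinsfile-helm-build-elasticsearch
+++ b/.jenkins/Jenkinsfile-helm-build-elasticsearch
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'elasticsearch'
+            }
+        }
+    }
+}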

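--- a/.jenkins/Jenkinsfile-helm-build-fluentd
+++ b/.jenkins/Jenkinsfile-helm-build-fluentd
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'fluentd'
+            }
+        }
+    }
+}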

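--- a/.jenkins/Jenkinsfile-helm-build-grafana
+++ b/.jenkins/Jenkinsfile-helm-build-grafana
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'grafana'
+            }
+        }
+    }
+}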

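--- a/.jenkins/Jenkinsfile-helm-build-jenkins
+++ b/.jenkins/Jenkinsfile-helm-build-jenkins
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'jenkins'
+            }
+        }
+    }
+}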

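--- a/.jenkins/Jenkinsfile-helm-build-kubernetes-dashboard
+++ b/.jenkins/Jenkinsfile-helm-build-kubernetes-dashboard
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'kubernetes-dashboard'
+            }
+        }
+    }
+}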

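--- a/.jenkins/Jenkinsfile-helm-build-monocular
+++ b/.jenkins/Jenkinsfile-helm-build-monocular
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'monocular'
+            }
+        }
+    }
+}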

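--- a/.jenkins/Jenkinsfile-helm-build-mysqlha
+++ b/.jenkins/Jenkinsfile-helm-build-mysqlha
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'mysqlha'
+            }
+        }
+    }
+}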

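--- a/.jenkins/Jenkinsfile-helm-build-nginx
+++ b/.jenkins/Jenkinsfile-helm-build-nginx
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'nginx'
+            }
+        }
+    }
+}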

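--- a/.jenkins/Jenkinsfile-helm-build-nginx-ingress
+++ b/.jenkins/Jenkinsfile-helm-build-nginx-ingress
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'nginx-ingress'
+            }
+        }
+    }
+}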

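--- a/.jenkins/Jenkinsfile-helm-build-prometheus
+++ b/.jenkins/Jenkinsfile-helm-build-prometheus
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'prometheus'
+            }
+        }
+    }
+}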

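--- a/.jenkins/Jenkinsfile-helm-build-rabbitmq-ha
+++ b/.jenkins/Jenkinsfile-helm-build-rabbitmq-ha
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'rabbitmq-ha'
+            }
+        }
+    }
+}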

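--- a/.jenkins/Jenkinsfile-helm-build-zookeeper
+++ b/.jenkins/Jenkinsfile-helm-build-zookeeper
@@ -0,0 +1,13 @@
+pipeline {
+    agent none
+    options { skipDefaultCheckout() }
+    stages {
+        stage( 'helm build' ) {
+            agent { label 'helm' }
+            steps {
+                checkout scm
+                helmBuild chart: 'zookeeper'
+            }
+        }
+    }
+}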

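--- a/ceph-provisioners/Chart.yaml
+++ b/ceph-provisioners/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+description: Ceph provisioners
+icon: https://cdn.gmem.site/images/k8s/ceph-provisioners.png
+name: ceph-provisioners
+version: 1.0.0
+maintainers:
+- name: alex
+  email: alex@gmem.cc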

+ 0 - 0
ceph-provisioners/overrides/dang.yaml View File


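--- a/ceph-provisioners/overrides/gmem.yaml
+++ b/ceph-provisioners/overrides/gmem.yaml
@@ -0,0 +1 @@
+fullnameOverride: ceph-provisioners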

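--- a/ceph-provisioners/templates/_helpers.tpl
+++ b/ceph-provisioners/templates/_helpers.tpl
@@ -0,0 +1,21 @@
+
+{{- define "cp.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "cp.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cp.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}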

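--- a/ceph-provisioners/templates/ceph-bin.yaml
+++ b/ceph-provisioners/templates/ceph-bin.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "cp.fullname" . }}-bin
+  labels:
+    tier: infrastructure
+    application: ceph-provisioners
+    component: ceph-bin
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  rbd-provisioner.sh: |
+    #!/bin/bash
+    set -ex
+    exec /usr/local/bin/rbd-provisioner -id ${POD_NAME}
+  cephfs-provisioner.sh: |
+    #!/bin/bash
+    set -ex
+    exec /usr/local/bin/cephfs-provisioner -id ${POD_NAME}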
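Review bot: `${POD_NAME}` is unquoted on both `exec` lines and neither script sets `-u`, so if the variable is ever missing the word is dropped entirely and the provisioner is started with a bare `-id` flag rather than failing with a clear message. Quoting it and enabling `-u` makes the failure mode explicit: `set -eux` and `exec /usr/local/bin/rbd-provisioner -id "${POD_NAME}"` (likewise for the cephfs script). Both StatefulSets in this commit do set `POD_NAME` from `metadata.name`, so today the value is a DNS label and the risk is only the silent failure, not injection.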

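--- a/ceph-provisioners/templates/cephfs-provisioner.yaml
+++ b/ceph-provisioners/templates/cephfs-provisioner.yaml
@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ template "cp.fullname" . }}-cephfs
+  labels:
+    tier: infrastructure
+    application: ceph-provisioners
+    component: cephfs-provisioner
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.cephfs.replicas }}
+  selector:
+    matchLabels:
+      tier: infrastructure
+      application: ceph-provisioners
+      component: cephfs-provisioner
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        tier: infrastructure
+        application: ceph-provisioners
+        component: cephfs-provisioner
+        release: {{ .Release.Name }}
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  tier: infrastructure
+                  application: ceph-provisioners
+                  component: cephfs-provisioner
+                  release: {{ .Release.Name }}
+              topologyKey: kubernetes.io/hostname
+            weight: 1
+      containers:
+      - name: cephfs-provisioner
+        command:
+          - /cephfs-provisioner.sh
+        image: {{ .Values.cephfs.image.repository }}:{{ .Values.cephfs.image.tag }}
+        imagePullPolicy: Always
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: PROVISIONER_NAME
+          value: ceph.com/cephfs
+        - name: LC_ALL
+          value: en_US.UTF-8
+        - name: LANG
+          value: en_US.UTF-8
+        - name: LANGUAGE
+          value: en_US.UTF-8
+        volumeMounts:
+        - mountPath: /etc/localtime
+          name: lt-config
+        - mountPath: /etc/timezone
+          name: tz-config
+        - mountPath: /etc/ceph
+          name: ceph-config
+        - mountPath: /cephfs-provisioner.sh
+          name: ceph-bin
+          readOnly: true
+          subPath: cephfs-provisioner.sh
+      serviceAccount: {{ template "cp.fullname" . }}
+      volumes:
+      - hostPath:
+          path: /usr/share/zoneinfo/Asia/Shanghai
+        name: lt-config
+      - hostPath:
+          path: /etc/timezone
+        name: tz-config
+      - hostPath:
+          path: /etc/ceph
+        name: ceph-config
+      - configMap:
+          defaultMode: 365
+          name: {{ template "cp.fullname" . }}-bin
+        name: ceph-bin
+
+
+{{- range .Values.cephfs.scs }}
+
+---
+
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: {{ .name }}
+{{- if .default }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+parameters:
+  adminId: {{ .adminId }}
+  adminSecretNamespace: {{ .adminSecretNamespace }}
+  adminSecretName: {{ .adminSecretName }}
+  monitors: {{ .monitors }}
+provisioner: ceph.com/cephfs
+reclaimPolicy: {{ .reclaimPolicy }}
+volumeBindingMode: {{ .volumeBindingMode }}
+
+{{- end }}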
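Review bot: The `ceph-config` hostPath volume exposes the node's `/etc/ceph` (its `ceph.conf` and whatever keyrings live there) to the provisioner container read-write, and the `lt-config`/`tz-config` hostPath mounts are read-write as well, so a compromised provisioner can alter the node's Ceph configuration and credentials. Those three `volumeMounts` entries should carry `readOnly: true`, as the `ceph-bin` mount already does. The container also runs with `imagePullPolicy: Always` on a tag that values.yaml in this commit sets to `latest`, so each restart runs whatever the registry serves at that moment; pinning a version tag or digest is what makes the deployed code reviewable. There is no `securityContext` or `resources` block on the pod, and `serviceAccount` is the deprecated spelling of `serviceAccountName`.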

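--- a/ceph-provisioners/templates/clusterrole.yaml
+++ b/ceph-provisioners/templates/clusterrole.yaml
@@ -0,0 +1,29 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "cp.fullname" . }}
+  labels:
+    tier: infrastructure
+    application: ceph-provisioners
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["services"]
+    resourceNames: ["kube-dns"]
+    verbs: ["list", "get"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "delete"]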
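Review bot: The last rule grants `get`, `create` and `delete` on `secrets` in every namespace with no `resourceNames`, so the provisioner service account can read any Secret in the cluster, not only the Ceph admin key named by `adminSecretName` in `adminSecretNamespace`. Judging from the StorageClass parameters in this chart, the secrets the provisioner has to touch are that admin secret plus whatever user secrets it manages for claims, so the cluster-wide `get` could be narrowed with `resourceNames` to the admin secret, or moved into a Role in the `ceph` namespace, leaving create/delete scoped to the namespaces where volumes are provisioned. The namespaced Role added in `role.yaml` already grants exactly these secrets verbs in the release namespace, which this cluster-wide rule makes redundant. Note too that `services` is restricted to `kube-dns` by name, so the same technique is already in use in this file.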

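--- a/ceph-provisioners/templates/clusterrolebinding.yaml
+++ b/ceph-provisioners/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "cp.fullname" . }}
+  labels:
+    tier: infrastructure
+    application: ceph-provisioners
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "cp.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "cp.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io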

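--- a/ceph-provisioners/templates/rbd-provisioner.yaml
+++ b/ceph-provisioners/templates/rbd-provisioner.yaml
@@ -0,0 +1,112 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ template "cp.fullname" . }}-rbd
+  labels:
+    tier: infrastructure
+    application: ceph-provisioners
+    component: rbd-provisioner
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.rbd.replicas }}
+  selector:
+    matchLabels:
+      tier: infrastructure
+      application: ceph-provisioners
+      component: rbd-provisioner
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        tier: infrastructure
+        application: ceph-provisioners
+        component: rbd-provisioner
+        release: {{ .Release.Name }}
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  tier: infrastructure
+                  application: ceph-provisioners
+                  component: rbd-provisioner
+                  release: {{ .Release.Name }}
+              topologyKey: kubernetes.io/hostname
+            weight: 1
+      containers:
+      - name: rbd-provisioner
+        command:
+          - /rbd-provisioner.sh
+        image: {{ .Values.rbd.image.repository }}:{{ .Values.rbd.image.tag }}
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: PROVISIONER_NAME
+          value: ceph.com/rbd
+        - name: LC_ALL
+          value: en_US.UTF-8
+        - name: LANG
+          value: en_US.UTF-8
+        - name: LANGUAGE
+          value: en_US.UTF-8
+        volumeMounts:
+        - mountPath: /etc/localtime
+          name: lt-config
+        - mountPath: /etc/timezone
+          name: tz-config
+        - mountPath: /etc/ceph
+          name: ceph-config
+        - mountPath: /rbd-provisioner.sh
+          name: ceph-bin
+          readOnly: true
+          subPath: rbd-provisioner.sh
+      serviceAccount: {{ template "cp.fullname" . }}
+      volumes:
+      - hostPath:
+          path: /usr/share/zoneinfo/Asia/Shanghai
+        name: lt-config
+      - hostPath:
+          path: /etc/timezone
+        name: tz-config
+      - hostPath:
+          path: /etc/ceph
+        name: ceph-config
+      - configMap:
+          defaultMode: 365
+          name: {{ template "cp.fullname" . }}-bin
+        name: ceph-bin
+
+
+{{- range .Values.rbd.scs }}
+
+---
+
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: {{ .name }}
+{{- if .default }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+parameters:
+  adminId: {{ .adminId }}
+  adminSecretNamespace: {{ .adminSecretNamespace }}
+  adminSecretName: {{ .adminSecretName }}
+  fsType: {{ .fsType }}
+  imageFeatures: layering
+  imageFormat: "2"
+  monitors: {{ .monitors }}
+  pool: {{ .pool }}
+  userId: {{ .userId }}
+  userSecretName: {{ .userSecretName }}
+provisioner: ceph.com/rbd
+reclaimPolicy: {{ .reclaimPolicy }}
+volumeBindingMode: {{ .volumeBindingMode }}
+
+{{- end }}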
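Review bot: As in the cephfs StatefulSet, `/etc/ceph`, `/etc/localtime` and `/etc/timezone` are hostPath volumes mounted without `readOnly: true`, so the provisioner can modify the node's Ceph keyring and config; add `readOnly: true` to those three `volumeMounts`. The `range` over `.Values.rbd.scs` does nothing to stop two entries from both setting `default: true`, which would render two StorageClasses annotated as the cluster default — how the API server resolves that differs between Kubernetes versions, so a `{{ fail }}` in the loop, or at least a comment in values.yaml, should state the one-default constraint. Unlike the cephfs pod this one sets no `imagePullPolicy`, and like it there is no `securityContext` or `resources` block.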

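--- a/ceph-provisioners/templates/role.yaml
+++ b/ceph-provisioners/templates/role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "cp.fullname" . }}
+  labels:
+    tier: infrastructure
+    application: ceph-provisioners
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "create", "delete"]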

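--- a/ceph-provisioners/templates/rolebinding.yaml
+++ b/ceph-provisioners/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "cp.fullname" . }}
+  labels:
+    tier: infrastructure
+    application: ceph-provisioners
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "cp.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "cp.fullname" . }}
+  namespace: {{ .Release.Namespace }}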

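--- a/ceph-provisioners/templates/serviceaccount.yaml
+++ b/ceph-provisioners/templates/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "cp.fullname" . }}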

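--- a/ceph-provisioners/values.yaml
+++ b/ceph-provisioners/values.yaml
@@ -0,0 +1,54 @@
+rbd:
+  image:
+    repository: docker.gmem.cc/external_storage/rbd-provisioner
+    tag: v0.1.2
+  replicas: 2
+  scs:
+    - monitors: Carbon,Radon,Neon
+      pool: rbd
+      name: ceph-rbd
+      default: true
+      userId: admin
+      userSecretName: pvc-ceph-key
+      adminId: admin
+      adminSecretNamespace: ceph
+      adminSecretName: pvc-ceph-key
+      fsType: xfs
+      reclaimPolicy: Delete
+      volumeBindingMode: Immediate
+    - monitors: Carbon,Radon,Neon
+      pool: rbd-ssd
+      name: ceph-rbd-ssd
+      default: false
+      userId: admin
+      userSecretName: pvc-ceph-key
+      adminId: admin
+      adminSecretNamespace: ceph
+      adminSecretName: pvc-ceph-key
+      fsType: xfs
+      reclaimPolicy: Delete
+      volumeBindingMode: Immediate
+    - monitors: Carbon,Radon,Neon
+      pool: rbd-hdd
+      name: ceph-rbd-hdd
+      default: false
+      userId: admin
+      userSecretName: pvc-ceph-key
+      adminId: admin
+      adminSecretNamespace: ceph
+      adminSecretName: pvc-ceph-key
+      fsType: xfs
+      reclaimPolicy: Delete
+      volumeBindingMode: Immediate
+
+cephfs:
+  image:
+    repository: docker.gmem.cc/external_storage/cephfs-provisioner
+    tag: latest
+  replicas: 2
+  scs:
+    - monitors: Carbon,Radon,Neon
+      name: ceph-fs
+      adminId: admin
+      adminSecretNamespace: ceph
+      adminSecretName: pvc-ceph-key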
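Review bot: Every RBD StorageClass sets `userId: admin` with `userSecretName: pvc-ceph-key`, the same secret used as `adminSecretName`, so the user credential — which, if this follows the in-tree rbd plugin's model, is the one each node's kubelet uses to map images — is the Ceph admin keyring and is therefore distributed to every node that mounts a volume; a dedicated Ceph user whose caps are limited to the `rbd`, `rbd-ssd` and `rbd-hdd` pools would confine a node compromise to those pools. The single `cephfs.scs` entry omits `reclaimPolicy` and `volumeBindingMode` even though `cephfs-provisioner.yaml` renders both fields, so they come out empty and the cluster falls back to the API server's defaults; set them explicitly (`reclaimPolicy: Delete`, `volumeBindingMode: Immediate`) or give them a `default` in the template. `cephfs.image.tag: latest` combined with the StatefulSet's `imagePullPolicy: Always` leaves the cephfs provisioner unpinned, unlike the rbd image at `v0.1.2`.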

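--- a/chartmuseum/.helmignore
+++ b/chartmuseum/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# OWNERS file for Kubernetes
+OWNERS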

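--- a/chartmuseum/Chart.yaml
+++ b/chartmuseum/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+description: Helm Chart Repository with support for Amazon S3 and Google Cloud Storage
+name: chartmuseum
+version: 1.3.1
+appVersion: 0.5.2
+home: https://github.com/chartmuseum/chartmuseum
+icon: https://raw.githubusercontent.com/chartmuseum/chartmuseum/master/logo.png
+keywords:
+- chartmuseum
+- helm
+- charts repo
+maintainers:
+- name: codefresh-io
+  email: opensource@codefresh.io
+- name: cloudposse
+  email: hello@cloudposse.com
+- name: chartmuseum
+  email: chartmuseum@gmail.com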

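--- a/chartmuseum/OWNERS
+++ b/chartmuseum/OWNERS
@@ -0,0 +1,6 @@
+approvers:
+- jdolitsky
+- goruha
+reviewers:
+- jdolitsky
+- goruha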

+ 411 - 0
chartmuseum/README.md View File

@@ -0,0 +1,411 @@
1
+# ChartMuseum Helm Chart
2
+
3
+Deploy your own private ChartMuseum.   
4
+
5
+Please also see https://github.com/kubernetes-helm/chartmuseum
6
+
7
+## Table of Content
8
+
9
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
10
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
11
+
12
+
13
+- [Prerequisites](#prerequisites)
14
+- [Configuration](#configuration)
15
+- [Installation](#installation)
16
+  - [Using with Amazon S3](#using-with-amazon-s3)
17
+    - [permissions grant with access keys](#permissions-grant-with-access-keys)
18
+    - [permissions grant with IAM instance profile](#permissions-grant-with-iam-instance-profile)
19
+    - [permissions grant with IAM assumed role](#permissions-grant-with-iam-assumed-role)
20
+  - [Using with Google Cloud Storage](#using-with-google-cloud-storage)
21
+  - [Using with Microsoft Azure Blob Storage](#using-with-microsoft-azure-blob-storage)
22
+  - [Using with Alibaba Cloud OSS Storage](#using-with-alibaba-cloud-oss-storage)
23
+  - [Using with local filesystem storage](#using-with-local-filesystem-storage)
24
+    - [Example storage class](#example-storage-class)
25
+- [Uninstall](#uninstall)
26
+
27
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
28
+ 
29
+
30
+## Prerequisites
31
+
32
+* Kubernetes with extensions/v1beta1 available
33
+* [If enabled] A persistent storage resource and RW access to it
34
+* [If enabled] Kubernetes StorageClass for dynamic provisioning
35
+
36
+## Configuration
37
+
38
+By default this chart will not have persistent storage, and the API service
39
+will be *DISABLED*.  This protects against unauthorized access to the API
40
+with default configuration values.
41
+
42
+For a more robust solution supply helm install with a custom values.yaml   
43
+You are also required to create the StorageClass resource ahead of time:   
44
+```
45
+kubectl create -f /path/to/storage_class.yaml
46
+```
47
+
48
+The following table lists common configurable parameters of the chart and
49
+their default values. See values.yaml for all available options. 
50
+
51
+|       Parameter                        |           Description                       |                         Default                     |
52
+|----------------------------------------|---------------------------------------------|-----------------------------------------------------|
53
+| `image.pullPolicy`                     | Container pull policy                       | `IfNotPresent`                                      |
54
+| `image.repository`                     | Container image to use                      | `chartmuseum/chartmuseum`                           |
55
+| `image.tag`                            | Container image tag to deploy               | `v0.5.2`                                            |
56
+| `persistence.accessMode`               | Access mode to use for PVC                  | `ReadWriteOnce`                                     |
57
+| `persistence.enabled`                  | Whether to use a PVC for persistent storage | `false`                                             |
58
+| `persistence.size`                     | Amount of space to claim for PVC            | `8Gi`                                               |
59
+| `persistence.storageClass`             | Storage Class to use for PVC                | `-`                                                 |
60
+| `replicaCount`                         | k8s replicas                                | `1`                                                 |
61
+| `resources.limits.cpu`                 | Container maximum CPU                       | `100m`                                              |
62
+| `resources.limits.memory`              | Container maximum memory                    | `128Mi`                                             |
63
+| `resources.requests.cpu`               | Container requested CPU                     | `80m`                                               |
64
+| `resources.requests.memory`            | Container requested memory                  | `64Mi`                                              |
65
+| `nodeSelector`                         | Map of node labels for pod assignment       | `{}`                                                |
66
+| `tolerations`                          | List of node taints to tolerate             | `[]`                                                |
67
+| `affinity`                             | Map of node/pod affinities                  | `{}`                                                |
68
+| `env.open.STORAGE`                     | Storage Backend to use                      | `local`                                             |
69
+| `env.open.ALIBABA_BUCKET`              | Bucket to store charts in for Alibaba       | ``                                                  |
70
+| `env.open.ALIBABA_PREFIX`              | Prefix to store charts under for Alibaba    | ``                                                  |
71
+| `env.open.ALIBABA_ENDPOINT`            | Alternative Alibaba endpoint                | ``                                                  |
72
+| `env.open.ALIBABA_SSE`                 | Server side encryption algorithm to use     | ``                                                  |
73
+| `env.open.AMAZON_BUCKET`               | Bucket to store charts in for AWS           | ``                                                  |
74
+| `env.open.AMAZON_ENDPOINT`             | Alternative AWS endpoint                    | ``                                                  |
75
+| `env.open.AMAZON_PREFIX`               | Prefix to store charts under for AWS        | ``                                                  |
76
+| `env.open.AMAZON_REGION`               | Region to use for bucket access for AWS     | ``                                                  |
77
+| `env.open.AMAZON_SSE`                  | Server side encryption algorithm to use     | ``                                                  |
78
+| `env.open.GOOGLE_BUCKET`               | Bucket to store charts in for GCP           | ``                                                  |
79
+| `env.open.GOOGLE_PREFIX`               | Prefix to store charts under for GCP        | ``                                                  |
80
+| `env.open.STORAGE_MICROSOFT_CONTAINER` | Container to store charts under for MS      | ``                                                  |
81
+| `env.open.STORAGE_MICROSOFT_PREFIX`    | Prefix to store charts under for MS         | ``                                                  |
82
+| `env.open.CHART_POST_FORM_FIELD_NAME`  | Form field to query for chart file content  | ``                                                  |
83
+| `env.open.PROV_POST_FORM_FIELD_NAME`   | Form field to query for chart provenance    | ``                                                  |
84
+| `env.open.DEPTH`                       | levels of nested repos for multitenancy.    | `0`                                                 |
85
+| `env.open.DEBUG`                       | Show debug messages                         | `false`                                             |
86
+| `env.open.LOG_JSON`                    | Output structured logs in JSON              | `true`                                              |
87
+| `env.open.DISABLE_METRICS`             | Disable Prometheus metrics                  | `true`                                              |
88
+| `env.open.DISABLE_API`                 | Disable all routes prefixed with /api       | `true`                                              |
89
+| `env.open.ALLOW_OVERWRITE`             | Allow chart versions to be re-uploaded      | `false`                                             |
90
+| `env.open.CHART_URL`                   | Absolute url for .tgzs in index.yaml        | ``                                                  |
91
+| `env.open.AUTH_ANONYMOUS_GET`          | Allow anon GET operations when auth is used | `false`                                             |
92
+| `env.open.CONTEXT_PATH`                | Set the base context path                   | ``                                                  |
93
+| `env.open.INDEX_LIMIT`                 | Parallel scan limit for the repo indexer    | ``                                                  |
94
+| `env.secret.BASIC_AUTH_USER`           | Username for basic HTTP authentication      | ``                                                  |
95
+| `env.secret.BASIC_AUTH_PASS`           | Password for basic HTTP authentication      | ``                                                  |
96
+| `gcp.secret.enabled`                   | Flag for the GCP service account            | `false`                                             |
97
+| `gcp.secret.name`                      | Secret name for the GCP json file           | ``                                                  |
98
+| `gcp.secret.key`                       | Secret key for te GCP json file             | `credentials.json`                                  |
99
+
100
+Specify each parameter using the `--set key=value[,key=value]` argument to
101
+`helm install`.
102
+
103
+## Installation
104
+
105
+```shell
106
+helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
107
+```
108
+
109
+### Using with Amazon S3
110
+Make sure your environment is properly setup to access `my-s3-bucket`
111
+
112
+You need at least the following permissions inside your IAM Policy
113
+```yaml
114
+{
115
+  "Version": "2012-10-17",
116
+  "Statement": [
117
+    {
118
+      "Sid": "AllowListObjects",
119
+      "Effect": "Allow",
120
+      "Action": [
121
+        "s3:ListBucket"
122
+      ],
123
+      "Resource": "arn:aws:s3:::my-s3-bucket"
124
+    },
125
+    {
126
+      "Sid": "AllowObjectsCRUD",
127
+      "Effect": "Allow",
128
+      "Action": [
129
+        "s3:DeleteObject",
130
+        "s3:GetObject",
131
+        "s3:PutObject"
132
+      ],
133
+      "Resource": "arn:aws:s3:::my-s3-bucket/*"
134
+    }
135
+  ]
136
+}
137
+```
138
+
139
+You can grant it to `chartmuseum` by several ways:
140
+
141
+#### permissions grant with access keys
142
+
143
+Grant permissions to `special user` and us it's access keys for auth on aws
144
+
145
+Specify `custom.yaml` with such values
146
+
147
+```yaml
148
+env:
149
+  open:
150
+    STORAGE: amazon
151
+    STORAGE_AMAZON_BUCKET: my-s3-bucket
152
+    STORAGE_AMAZON_PREFIX:
153
+    STORAGE_AMAZON_REGION: us-east-1
154
+  secret:
155
+    AWS_ACCESS_KEY_ID: "********" ## aws access key id value
156
+    AWS_SECRET_ACCESS_KEY: "********" ## aws access key secret value 
157
+```
158
+
159
+Run command to install
160
+
161
+```shell
162
+helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
163
+```
164
+
165
+#### permissions grant with IAM instance profile
166
+
167
+You can grant permissions to k8s node IAM instance profile.
168
+For more information read this [article](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)
169
+
170
+Specify `custom.yaml` with such values
171
+
172
+```yaml
173
+env:
174
+  open:
175
+    STORAGE: amazon
176
+    STORAGE_AMAZON_BUCKET: my-s3-bucket
177
+    STORAGE_AMAZON_PREFIX:
178
+    STORAGE_AMAZON_REGION: us-east-1
179
+```
180
+
181
+Run command to install
182
+
183
+```shell
184
+helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
185
+```
186
+
187
+#### permissions grant with IAM assumed role
188
+
189
+To provide access with assumed role you need to install [kube2iam](https://github.com/kubernetes/charts/tree/master/stable/kube2iam)
190
+and create role with granded permissions.
191
+
192
+Specify `custom.yaml` with such values
193
+
194
+```yaml
195
+env:
196
+  open:
197
+    STORAGE: amazon
198
+    STORAGE_AMAZON_BUCKET: my-s3-bucket
199
+    STORAGE_AMAZON_PREFIX:
200
+    STORAGE_AMAZON_REGION: us-east-1
201
+replica:
202
+  annotations:
203
+    iam.amazonaws.com/role: "{assumed role name}"
204
+```
205
+
206
+Run command to install
207
+
208
+```shell
209
+helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
210
+```
211
+
212
+### Using with Google Cloud Storage
213
+Make sure your environment is properly setup to access `my-gcs-bucket`
214
+
215
+Specify `custom.yaml` with such values
216
+
217
+```yaml
218
+env:
219
+  open:
220
+    STORAGE: google
221
+    STORAGE_GOOGLE_BUCKET: my-gcs-bucket
222
+    STORAGE_GOOGLE_PREFIX:    
223
+```
224
+
225
+### Using with Google Cloud Storage and a Google Service Account
226
+
227
+A Google service account credentials are stored in a json file. There are two approaches here. Ideally you don't want to send your secrets to tiller. In that case, before installing this chart, you should create a secret with those credentials:
228
+
229
+```shell
230
+kubectl create secret generic chartmuseum-secret --from-file=credentials.json="my-project-45e35d85a593.json"
231
+```
232
+
233
+Then you can either use a `VALUES` yaml with your values or set those values in the command line:
234
+
235
+```shell
236
+helm install stable/chartmuseum --debug  --set gcp.secret.enabled=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum,gcp.secret.name=chartmuseum-secret
237
+```
238
+
239
+If you prefer to use a yaml file:
240
+
241
+```yaml
242
+env:
243
+  open:
244
+    STORAGE: google
245
+    STORAGE_GOOGLE_BUCKET: my-gcs-bucket
246
+    STORAGE_GOOGLE_PREFIX:
247
+
248
+gcp:
249
+  secret:
250
+    enabled: true
251
+    name: chartmuseum-secret
252
+    key: credentials.json
253
+```
254
+
255
+Run command to install
256
+
257
+```shell
258
+helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
259
+```
260
+
261
+In case that you don't mind adding your secret to tiller (you shouldn't do it), this are the commands
262
+
263
+```yaml
264
+env:
265
+  open:
266
+    STORAGE: google
267
+    STORAGE_GOOGLE_BUCKET: my-gcs-bucket
268
+    STORAGE_GOOGLE_PREFIX:
269
+  secret:
270
+    GOOGLE_CREDENTIALS_JSON: my-json-file-base64-encoded
271
+gcp:
272
+  secret:
273
+    enabled: true
274
+
275
+```
276
+
277
+Run command to install
278
+
279
+```shell
280
+helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
281
+```
282
+
283
+To set the values directly in the command line, use the follosing command. Note that we have to base64 encode the json file because we cannot pass a multi-line text as a value.
284
+
285
+```shell
286
+export JSONKEY=$(cat my-project-77e35d85a593.json | base64)
287
+helm install stable/chartmuseum --debug  --set gcp.secret.enabled=true,env.secret.GOOGLE_CREDENTIALS_JSON=${JSONKEY},env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum
288
+```
289
+
290
+### Using with Microsoft Azure Blob Storage
291
+
292
+Make sure your environment is properly setup to access `mycontainer`.
293
+
294
+To do so, you must set the following env vars:
295
+- `AZURE_STORAGE_ACCOUNT`
296
+- `AZURE_STORAGE_ACCESS_KEY`
297
+
298
+Specify `custom.yaml` with such values
299
+
300
+```yaml
301
+env:
302
+  open:
303
+    STORAGE: microsoft
304
+    STORAGE_MICROSOFT_CONTAINER: mycontainer
305
+    # prefix to store charts for microsoft storage backend
306
+    STORAGE_MICROSOFT_PREFIX:    
307
+  secret:
308
+    AZURE_STORAGE_ACCOUNT: "********" ## azure storage account
309
+    AZURE_STORAGE_ACCESS_KEY: "********" ## azure storage account access key 
310
+```
311
+
312
+Run command to install
313
+
314
+```shell
315
+helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
316
+```
317
+
318
+### Using with Alibaba Cloud OSS Storage
319
+
320
+Make sure your environment is properly setup to access `my-oss-bucket`.
321
+
322
+To do so, you must set the following env vars:
323
+- `ALIBABA_CLOUD_ACCESS_KEY_ID`
324
+- `ALIBABA_CLOUD_ACCESS_KEY_SECRET`
325
+
326
+Specify `custom.yaml` with such values
327
+
328
+```yaml
329
+env:
330
+  open:
331
+    STORAGE: alibaba
332
+    STORAGE_ALIBABA_BUCKET: my-oss-bucket
333
+    STORAGE_ALIBABA_PREFIX:
334
+    STORAGE_ALIBABA_ENDPOINT: oss-cn-beijing.aliyuncs.com
335
+  secret:
336
+    ALIBABA_CLOUD_ACCESS_KEY_ID: "********" ## alibaba OSS access key id
337
+    ALIBABA_CLOUD_ACCESS_KEY_SECRET: "********" ## alibaba OSS access key secret 
338
+```
339
+
340
+Run command to install
341
+
342
+```shell
343
+helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
344
+```
345
+
346
+### Using with local filesystem storage
347
+By default chartmuseum uses local filesystem storage. 
348
+But on pod recreation it will lose all charts, to prevent that enable persistent storage. 
349
+
350
+```yaml
351
+env:
352
+  open:
353
+    STORAGE: local
354
+persistence:
355
+  enabled: true
356
+  accessMode: ReadWriteOnce
357
+  size: 8Gi
358
+  ## A manually managed Persistent Volume and Claim
359
+  ## Requires persistence.enabled: true
360
+  ## If defined, PVC must be created manually before volume will be bound
361
+  # existingClaim:
362
+
363
+  ## Chartmuseum data Persistent Volume Storage Class
364
+  ## If defined, storageClassName: <storageClass>
365
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
366
+  ## If undefined (the default) or set to null, no storageClassName spec is
367
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
368
+  ##   GKE, AWS & OpenStack)
369
+  ##
370
+  # storageClass: "-"
371
+```
372
+
373
+Run command to install
374
+
375
+```shell
376
+helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
377
+```
378
+
379
+#### Example storage class
380
+
381
+Example storage-class.yaml provided here for use with a Ceph cluster.   
382
+
383
+```
384
+kind: StorageClass
385
+apiVersion: storage.k8s.io/v1
386
+metadata:
387
+  name: storage-volume
388
+provisioner: kubernetes.io/rbd
389
+parameters:
390
+  monitors: "10.11.12.13:4567,10.11.12.14:4567"
391
+  adminId: admin
392
+  adminSecretName: thesecret
393
+  adminSecretNamespace: default
394
+  pool: chartstore
395
+  userId: user
396
+  userSecretName: thesecret 
397
+```
398
+
399
+## Uninstall 
400
+
401
+By default, a deliberate uninstall will result in the persistent volume 
402
+claim being deleted.   
403
+
404
+```shell
405
+helm delete my-chartmuseum
406
+```
407
+
408
+To delete the deployment and its history:
409
+```shell
410
+helm delete --purge my-chartmuseum
411
+```

+ 44 - 0
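--- a/chartmuseum/overrides/dang.yaml
+++ b/chartmuseum/overrides/dang.yaml
@@ -0,0 +1,44 @@
+fullnameOverride: chartmuseum
+image:
+  repository: registry.k8s.eb.mid/chart/chartmuseum
+  tag: v0.5.2
+  pullPolicy: IfNotPresent
+env:
+  open:
+    STORAGE: local
+    AUTH_ANONYMOUS_GET: true
+  secret:
+    BASIC_AUTH_USER: admin
+    BASIC_AUTH_PASS: k8s.eb.mid
+
+service:
+  type: ClusterIP
+  externalPort: 8080
+  nodePort:
+  annotations: {}
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 80m
+    memory: 64Mi
+
+persistence:
+  enabled: true
+  accessMode: ReadWriteOnce
+  size: 64Gi
+
+ingress:
+  enabled: true
+  hosts:
+    chart.k8s.eb.dapp.com:
+        - /
+    chart.k8s.eb.mid:
+        - /
+  tls:
+  - secretName: dangk8scert
+    hosts:
+    - chart.k8s.eb.dapp.com
+    - chart.k8s.eb.mid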
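Review bot: `BASIC_AUTH_PASS: k8s.eb.mid` on line 12 commits a live basic-auth password in cleartext; secret.yaml only base64-encodes it, so the credential sits in repository history and in every rendered manifest. The same applies to overrides/gmem.yaml, where line 8 sets `BASIC_AUTH_PASS: admin`, a default-style credential. Leave the key empty in the override (`BASIC_AUTH_PASS:`; both secret.yaml and deployment.yaml skip empty secret values) and supply it at install time, e.g. `--set env.secret.BASIC_AUTH_PASS=<value from the CI secret store>`. Since `AUTH_ANONYMOUS_GET: true` on line 9 leaves reads open, this password is the only thing gating chart uploads whenever the API is enabled, which makes its exposure the more costly.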

+ 37 - 0
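--- a/chartmuseum/overrides/gmem.yaml
+++ b/chartmuseum/overrides/gmem.yaml
@@ -0,0 +1,37 @@
+fullnameOverride: chartmuseum
+env:
+  open:
+    STORAGE: local
+    AUTH_ANONYMOUS_GET: true
+  secret:
+    BASIC_AUTH_USER: admin
+    BASIC_AUTH_PASS: admin
+
+service:
+  type: ClusterIP
+  externalPort: 8080
+  nodePort:
+  annotations: {}
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 64Mi
+
+persistence:
+  enabled: true
+  accessMode: ReadWriteOnce
+  size: 16Gi
+
+ingress:
+  enabled: true
+  hosts:
+    chartmuseum.k8s.gmem.cc:
+        - /
+  tls:
+  - secretName: gmemk8scert-chartmuseum
+    hosts:
+    - chartmuseum.k8s.gmem.cc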

+ 30 - 0
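--- a/chartmuseum/templates/NOTES.txt
+++ b/chartmuseum/templates/NOTES.txt
@@ -0,0 +1,30 @@
+** Please be patient while the chart is being deployed **
+
+Get the ChartMuseum URL by running:
+
+{{- if contains "NodePort" .Values.service.type }}
+
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "chartmuseum.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT{{ .Values.env.open.CONTEXT_PATH }}/
+
+{{- else if contains "LoadBalancer" .Values.service.type }}
+
+** Please ensure an external IP is associated to the {{ template "chartmuseum.fullname" . }} service before proceeding **
+** Watch the status using: kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "chartmuseum.fullname" . }} **
+
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "chartmuseum.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  echo http://$SERVICE_IP:{{ .Values.service.externalPort }}{{ .Values.env.open.CONTEXT_PATH }}/
+
+OR
+
+  export SERVICE_HOST=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "chartmuseum.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+  echo http://$SERVICE_HOST:{{ .Values.service.externalPort }}{{ .Values.env.open.CONTEXT_PATH }}/
+
+{{- else if contains "ClusterIP"  .Values.service.type }}
+
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "chartmuseum.name" . }}" -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo http://127.0.0.1:8080{{ .Values.env.open.CONTEXT_PATH }}/
+  kubectl port-forward $POD_NAME 8080:8080
+
+{{- end }}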

+ 85 - 0
chartmuseum/templates/_helpers.tpl View File

@@ -0,0 +1,85 @@
1
+{{- /*
2
+name defines a template for the name of the chartmuseum chart.
3
+
4
+The prevailing wisdom is that names should only contain a-z, 0-9 plus dot (.) and dash (-), and should
5
+not exceed 63 characters.
6
+
7
+Parameters:
8
+
9
+- .Values.nameOverride: Replaces the computed name with this given name
10
+- .Values.namePrefix: Prefix
11
+- .Values.global.namePrefix: Global prefix
12
+- .Values.nameSuffix: Suffix
13
+- .Values.global.nameSuffix: Global suffix
14
+
15
+The applied order is: "global prefix + prefix + name + suffix + global suffix"
16
+
17
+Usage: 'name: "{{- template "chartmuseum.name" . -}}"'
18
+*/ -}}
19
+{{- define "chartmuseum.name"}}
20
+{{- $global := default (dict) .Values.global -}}
21
+{{- $base := default .Chart.Name .Values.nameOverride -}}
22
+{{- $gpre := default "" $global.namePrefix -}}
23
+{{- $pre := default "" .Values.namePrefix -}}
24
+{{- $suf := default "" .Values.nameSuffix -}}
25
+{{- $gsuf := default "" $global.nameSuffix -}}
26
+{{- $name := print $gpre $pre $base $suf $gsuf -}}
27
+{{- $name | lower | trunc 54 | trimSuffix "-" -}}
28
+{{- end -}}
29
+
30
+{{- /*
31
+fullname defines a suitably unique name for a resource by combining
32
+the release name and the chartmuseum chart name.
33
+
34
+The prevailing wisdom is that names should only contain a-z, 0-9 plus dot (.) and dash (-), and should
35
+not exceed 63 characters.
36
+
37
+Parameters:
38
+
39
+- .Values.fullnameOverride: Replaces the computed name with this given name
40
+- .Values.fullnamePrefix: Prefix
41
+- .Values.global.fullnamePrefix: Global prefix
42
+- .Values.fullnameSuffix: Suffix
43
+- .Values.global.fullnameSuffix: Global suffix
44
+
45
+The applied order is: "global prefix + prefix + name + suffix + global suffix"
46
+
47
+Usage: 'name: "{{- template "chartmuseum.fullname" . -}}"'
48
+*/ -}}
49
+{{- define "chartmuseum.fullname"}}
50
+{{- $global := default (dict) .Values.global -}}
51
+{{- $base := default (printf "%s-%s" .Release.Name .Chart.Name) .Values.fullnameOverride -}}
52
+{{- $gpre := default "" $global.fullnamePrefix -}}
53
+{{- $pre := default "" .Values.fullnamePrefix -}}
54
+{{- $suf := default "" .Values.fullnameSuffix -}}
55
+{{- $gsuf := default "" $global.fullnameSuffix -}}
56
+{{- $name := print $gpre $pre $base $suf $gsuf -}}
57
+{{- $name | lower | trunc 54 | trimSuffix "-" -}}
58
+{{- end -}}
59
+
60
+
61
+{{- /*
62
+chartmuseum.labels.standard prints the standard chartmuseum Helm labels.
63
+
64
+The standard labels are frequently used in metadata.
65
+*/ -}}
66
+{{- define "chartmuseum.labels.standard" -}}
67
+tier: devops
68
+application: {{ template "chartmuseum.name" . }}
69
+chart: {{ template "chartmuseum.chartref" . }}
70
+heritage: {{ .Release.Service | quote }}
71
+release: {{ .Release.Name | quote }}
72
+{{- end -}}
73
+
74
+{{- /*
75
+chartmuseum.chartref prints a chart name and version.
76
+
77
+It does minimal escaping for use in Kubernetes labels.
78
+
79
+Example output:
80
+
81
+chartmuseum-0.4.5
82
+*/ -}}
83
+{{- define "chartmuseum.chartref" -}}
84
+{{- replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name -}}
85
+{{- end -}}
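Review bot: The header comments on lines 4-5 and 34-35 state that names should not exceed 63 characters, but both `chartmuseum.name` and `chartmuseum.fullname` truncate at `trunc 54` (lines 27 and 57), and nothing explains the gap. Presumably the 9 characters of headroom are for suffixes that callers append (deployment.yaml builds a `{{ fullname }}-gcp` volume name), but a reader cannot tell whether 54 is deliberate or a typo. Add `{{- /* 54 rather than 63 leaves room for short suffixes callers append (e.g. "-gcp") */ -}}` beside each `trunc 54`, or change the comment to name the 54-character limit if no headroom is intended.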

+ 130 - 0
chartmuseum/templates/deployment.yaml View File

@@ -0,0 +1,130 @@
1
+apiVersion: extensions/v1beta1
2
+kind: Deployment
3
+metadata:
4
+  name: {{ include "chartmuseum.fullname" . }}
5
+  annotations:
6
+{{ toYaml .Values.deployment.annotations | indent 4 }}
7
+  labels:
8
+{{ include "chartmuseum.labels.standard" . | indent 4 }}
9
+spec:
10
+  replicas: {{ .Values.replicaCount }}
11
+  strategy:
12
+{{ toYaml .Values.strategy | indent 4 }}
13
+  revisionHistoryLimit: 10
14
+  template:
15
+    metadata:
16
+      name: {{ include "chartmuseum.fullname" . }}
17
+      annotations:
18
+{{ toYaml .Values.replica.annotations | indent 8 }}
19
+      labels:
20
+        tier: devops
21
+        application: {{ template "chartmuseum.name" . }}
22
+        release: {{ .Release.Name | quote }}
23
+    spec:
24
+      containers:
25
+      - name: {{ .Chart.Name }}
26
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
27
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
28
+        env:
29
+{{- range $name, $value := .Values.env.open }}
30
+{{- if not (empty $value) }}
31
+        - name: {{ $name | quote }}
32
+          value: {{ $value | quote }}
33
+{{- end }}
34
+{{- end }}
35
+{{- if .Values.gcp.secret.enabled }}
36
+        - name: GOOGLE_APPLICATION_CREDENTIALS
37
+          value: "/etc/secrets/google/credentials.json"
38
+{{- end }}
39
+{{- $secret_name := include "chartmuseum.fullname" . }}
40
+{{- range $name, $value := .Values.env.secret }}
41
+{{- if not ( empty $value) }}
42
+        - name: {{ $name | quote }}
43
+          valueFrom:
44
+            secretKeyRef:
45
+              name: {{ $secret_name }}
46
+              key: {{ $name | quote }}
47
+{{- end }}
48
+{{- end }}
49
+        args:
50
+        - --port=8080
51
+{{- if eq .Values.env.open.STORAGE "local" }}
52
+        - --storage-local-rootdir=/storage
53
+{{- end }}
54
+        ports:
55
+        - name: http
56
+          containerPort: 8080
57
+        livenessProbe:
58
+          httpGet:
59
+            path: {{ .Values.env.open.CONTEXT_PATH }}/health
60
+            port: http
61
+{{ toYaml .Values.probes.liveness | indent 10 }}
62
+        readinessProbe:
63
+          httpGet:
64
+            path: {{ .Values.env.open.CONTEXT_PATH }}/health
65
+            port: http
66
+{{ toYaml .Values.probes.readiness | indent 10 }}
67
+{{- if eq .Values.env.open.STORAGE "local" }}
68
+        volumeMounts:
69
+        - mountPath: /etc/localtime
70
+          name: lt-config
71
+        - mountPath: /etc/timezone
72
+          name: tz-config
73
+        - mountPath: /storage
74
+          name: storage-volume
75
+{{- end }}
76
+{{- if  .Values.gcp.secret.enabled }}
77
+        volumeMounts:
78
+        - mountPath: /etc/localtime
79
+          name: lt-config
80
+        - mountPath: /etc/timezone
81
+          name: tz-config
82
+        - mountPath: /etc/secrets/google
83
+          name: {{ include "chartmuseum.fullname" . }}-gcp
84
+{{- end }}
85
+      {{- with .Values.resources }}
86
+        resources:
87
+{{ toYaml . | indent 10 }}
88
+      {{- end }}
89
+    {{- with .Values.nodeSelector }}
90
+      nodeSelector:
91
+{{ toYaml . | indent 8 }}
92
+    {{- end }}
93
+    {{- with .Values.affinity }}
94
+      affinity:
95
+{{ toYaml . | indent 8 }}
96
+    {{- end }}
97
+    {{- with .Values.tolerations }}
98
+      tolerations:
99
+{{ toYaml . | indent 8 }}
100
+    {{- end }}
101
+
102
+      volumes:
103
+      - hostPath:
104
+          path: /usr/share/zoneinfo/Asia/Shanghai
105
+        name: lt-config
106
+      - hostPath:
107
+          path: /etc/timezone
108
+        name: tz-config
109
+      - name: storage-volume
110
+      {{- if .Values.persistence.enabled }}
111
+        persistentVolumeClaim:
112
+          claimName: {{ .Values.persistence.existingClaim | default (include "chartmuseum.fullname" .) }}
113
+      {{- else }}
114
+        emptyDir: {}
115
+      {{- end -}}
116
+      {{ if .Values.gcp.secret.enabled }}
117
+      - name: {{ include "chartmuseum.fullname" . }}-gcp
118
+        secret:
119
+      {{ if .Values.env.secret.GOOGLE_CREDENTIALS_JSON }}
120
+          secretName: {{ include "chartmuseum.fullname" . }}
121
+          items:
122
+          - key: GOOGLE_CREDENTIALS_JSON
123
+            path: credentials.json
124
+      {{ else }}
125
+          secretName: {{ .Values.gcp.secret.name }}
126
+          items:
127
+          - key: {{ .Values.gcp.secret.key }}
128
+            path: credentials.json
129
+      {{ end }}
130
+      {{ end }}
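Review bot: The hostPath volumes on lines 103-108 are mounted at /etc/localtime and /etc/timezone (lines 69-72 and 78-81) without `readOnly: true`, so the container holds a writable handle on two host files; hostPath mounts should be read-only unless writing to the node is the intent. Lines 67-84 also emit `volumeMounts:` twice under the same container when STORAGE is local and gcp.secret.enabled is also true, which is a duplicate mapping key that the parser either rejects or silently collapses rather than a merge. Merging both blocks into one list with per-entry conditionals and marking the host and secret mounts read-only addresses both; the NOTE comment in the sketch below records why the host mounts exist.
```yaml
        # … unchanged: readinessProbe …
        volumeMounts:
        # NOTE: host clock/zone files are shared with the node; never writable
        - mountPath: /etc/localtime
          name: lt-config
          readOnly: true
        - mountPath: /etc/timezone
          name: tz-config
          readOnly: true
{{- if eq .Values.env.open.STORAGE "local" }}
        - mountPath: /storage
          name: storage-volume
{{- end }}
{{- if .Values.gcp.secret.enabled }}
        - mountPath: /etc/secrets/google
          name: {{ include "chartmuseum.fullname" . }}-gcp
          readOnly: true
{{- end }}
        # … unchanged: resources, nodeSelector, affinity, tolerations, volumes …
```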

+ 33 - 0
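--- a/chartmuseum/templates/ingress.yaml
+++ b/chartmuseum/templates/ingress.yaml
@@ -0,0 +1,33 @@
+{{- $servicePort := .Values.service.externalPort -}}
+{{- $serviceName := include "chartmuseum.fullname" . -}}
+{{- if .Values.ingress.enabled }}
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ include "chartmuseum.fullname" . }}
+  annotations:
+{{ toYaml .Values.ingress.annotations | indent 4 }}
+  labels:
+{{- if .Values.ingress.labels }}
+{{ toYaml .Values.ingress.labels | indent 4 }}
+{{- end }}
+{{ include "chartmuseum.labels.standard" . | indent 4 }}
+spec:
+  rules:
+  {{- range $host, $paths := .Values.ingress.hosts }}
+  - host: {{ $host }}
+    http:
+      paths:
+      {{- range $paths }}
+      - path: {{ . }}
+        backend:
+          serviceName: {{ $serviceName }}
+          servicePort: {{ $servicePort }}
+      {{- end -}}
+  {{- end -}}
+  {{- if .Values.ingress.tls }}
+  tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+  {{- end -}}
+{{- end -}}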

+ 23 - 0
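--- a/chartmuseum/templates/pvc.yaml
+++ b/chartmuseum/templates/pvc.yaml
@@ -0,0 +1,23 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ include "chartmuseum.fullname" . }}
+  labels:
+    tier: devops
+    application: {{ include "chartmuseum.fullname" . }}
+    release: {{ .Release.Name | quote }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}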
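Review bot: The label block on lines 7-9 is hand-written and sets `application` from `chartmuseum.fullname`, whereas deployment.yaml, service.yaml and the `chartmuseum.labels.standard` helper derive it from `chartmuseum.name`. With `fullnameOverride: chartmuseum` and no `nameOverride`, as both override files set, the two happen to coincide, but any release-name prefix or suffix makes the PVC's labels diverge from the rest of the release. Replace lines 6-9 with `  labels:` followed by `{{ include "chartmuseum.labels.standard" . | indent 4 }}`, as the other templates do.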

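--- a/chartmuseum/templates/secret.yaml
+++ b/chartmuseum/templates/secret.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chartmuseum.fullname" . }}
+  labels:
+{{ include "chartmuseum.labels.standard" . | indent 4 }}
+type: Opaque
+data:
+{{- range $name, $value := .Values.env.secret }}
+{{- if not (empty $value) }}
+{{- if eq $name "GOOGLE_CREDENTIALS_JSON" }}
+  {{ $name }}: {{ $value }}
+  {{- else }}
+  {{ $name }}: {{ $value | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}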
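Review bot: `GOOGLE_CREDENTIALS_JSON` is written under `data:` without `b64enc`, so the value supplied in values must already be base64-encoded, but neither this template nor values.yaml (which only says "GCP service account json file") states that; a raw JSON document here produces a Secret the API server rejects. Either document it in values.yaml, e.g. `# GCP service account json, supplied base64-encoded (copied into the Secret verbatim)`, or emit that key under `stringData:` so plain JSON can be given. Every entry in `env.secret` (basic-auth password, GCP key) travels through Helm values and is therefore kept in the release's stored values; the values.yaml comment about tiller acknowledges that for the GCP key and offers the `gcp.secret` existing-secret path, but `BASIC_AUTH_PASS` has no equivalent.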

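--- a/chartmuseum/templates/service.yaml
+++ b/chartmuseum/templates/service.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "chartmuseum.fullname" . }}
+  annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+  labels:
+{{ include "chartmuseum.labels.standard" . | indent 4 }}
+{{- if .Values.service.annotations }}
+  annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+  - port: {{ .Values.service.externalPort }}
+{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
+    nodePort: {{.Values.service.nodePort}}
+{{- else }}
+    targetPort: http
+{{- end }}
+    protocol: TCP
+    name: http
+  selector:
+    tier: devops
+    application: {{ template "chartmuseum.name" . }}
+    release: {{ .Release.Name | quote }}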
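Review bot: `annotations:` appears twice under `metadata`: once unconditionally right after `name` (`{{ toYaml .Values.service.annotations | indent 4 }}`) and again inside `{{- if .Values.service.annotations }}` after `labels`. When annotations are set this is a duplicate mapping key, which YAML parsers handle inconsistently (error or last-one-wins), and when unset the first copy renders `annotations:` with `null`; dropping the unconditional block and keeping only the guarded one fixes both. The `NodePort` branch also omits `targetPort: http`, so that branch forwards to the container port numbered `externalPort` rather than the named `http` port; moving `targetPort: http` out of the `else` so it is always emitted makes both branches target the same port.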

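--- a/chartmuseum/values.yaml
+++ b/chartmuseum/values.yaml
@@ -0,0 +1,175 @@
+replicaCount: 1
+strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxUnavailable: 0
+image:
+  repository: docker.gmem.cc/chartmuseum
+  tag: v0.5.2
+  pullPolicy: IfNotPresent
+env:
+  open:
+    LC_ALL: en_US.UTF-8
+    LANG: en_US.UTF-8
+    LANGUAGE: en_US.UTF-8
+    # storage backend, can be one of: local, alibaba, amazon, google, microsoft
+    STORAGE: local
+    # oss bucket to store charts for alibaba storage backend
+    STORAGE_ALIBABA_BUCKET:
+    # prefix to store charts for alibaba storage backend
+    STORAGE_ALIBABA_PREFIX:
+    # oss endpoint to store charts for alibaba storage backend
+    STORAGE_ALIBABA_ENDPOINT:
+    # server side encryption algorithm for alibaba storage backend, can be one
+    # of: AES256 or KMS
+    STORAGE_ALIBABA_SSE:
+    # s3 bucket to store charts for amazon storage backend
+    STORAGE_AMAZON_BUCKET:
+    # prefix to store charts for amazon storage backend
+    STORAGE_AMAZON_PREFIX:
+    # region of s3 bucket to store charts
+    STORAGE_AMAZON_REGION:
+    # alternative s3 endpoint
+    STORAGE_AMAZON_ENDPOINT:
+    # server side encryption algorithm
+    STORAGE_AMAZON_SSE:
+    # gcs bucket to store charts for google storage backend
+    STORAGE_GOOGLE_BUCKET:
+    # prefix to store charts for google storage backend
+    STORAGE_GOOGLE_PREFIX:
+    # container to store charts for microsoft storage backend
+    STORAGE_MICROSOFT_CONTAINER:
+    # prefix to store charts for microsoft storage backend
+    STORAGE_MICROSOFT_PREFIX:
+    # form field which will be queried for the chart file content
+    CHART_POST_FORM_FIELD_NAME: chart
+    # form field which will be queried for the provenance file content
+    PROV_POST_FORM_FIELD_NAME: prov
+    # levels of nested repos for multitenancy. The default depth is 0 (singletenant server)
+    DEPTH: 0
+    # show debug messages
+    DEBUG: false
+    # output structured logs as json
+    LOG_JSON: true
+    # disable Prometheus metrics
+    DISABLE_METRICS: true
+    # disable all routes prefixed with /api
+    DISABLE_API: false
+    # allow chart versions to be re-uploaded
+    ALLOW_OVERWRITE: false
+    # absolute url for .tgzs in index.yaml
+    CHART_URL:
+    # allow anonymous GET operations when auth is used
+    AUTH_ANONYMOUS_GET: false
+    # sets the base context path
+    CONTEXT_PATH:
+    # parallel scan limit for the repo indexer
+    INDEX_LIMIT: 0
+  secret:
+    # username for basic http authentication
+    BASIC_AUTH_USER:
+    # password for basic http authentication
+    BASIC_AUTH_PASS:
+    # GCP service account json file
+    GOOGLE_CREDENTIALS_JSON:
+deployment:
+  ## Chartmuseum Deployment annotations
+  annotations: {}
+  #   name: value
+replica:
+  ## Chartmuseum Replicas annotations
+  annotations: {}
+  ## Read more about kube2iam to provide access to s3 https://github.com/jtblin/kube2iam
+  #   iam.amazonaws.com/role: role-arn
+service:
+  type: ClusterIP
+  externalPort: 8080
+  nodePort:
+  annotations: {}
+
+resources: {}
+#  limits:
+#    cpu: 100m
+#    memory: 128Mi
+#  requests:
+#    cpu: 80m
+#    memory: 64Mi
+
+probes:
+  liveness:
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+  readiness:
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+persistence:
+  enabled: false
+  accessMode: ReadWriteOnce
+  size: 8Gi
+  ## A manually managed Persistent Volume and Claim
+  ## Requires persistence.enabled: true
+  ## If defined, PVC must be created manually before volume will be bound
+  # existingClaim:
+
+  ## Chartmuseum data Persistent Volume Storage Class
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+  # storageClass: "-"
+
+## Ingress for load balancer
+ingress:
+  enabled: false
+## Chartmuseum Ingress labels
+##
+#   labels:
+#     dns: "route53"
+
+## Chartmuseum Ingress annotations
+##
+#   annotations:
+#     kubernetes.io/ingress.class: nginx
+#     kubernetes.io/tls-acme: "true"
+
+## Chartmuseum Ingress hostnames
+## Must be provided if Ingress is enabled
+##
+#   hosts:
+#     chartmuseum.domain.com:
+#         - /charts
+#         - /index.yaml
+
+## Chartmuseum Ingress TLS configuration
+## Secrets must be manually created in the namespace
+##
+#   tls:
+#   - secretName: chartmuseum-server-tls
+#     hosts:
+#     - chartmuseum.domain.com
+
+# Adding secrets to tiller is not a great option, so If you want to use an existing
+# secret that contains the json file, you can use the following entries
+gcp:
+  secret:
+    enabled: false
+    # Name of the secret that contains the encoded json
+    name:
+    # Secret key that holds the json value.
+    key: credentials.json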
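Review bot: With `BASIC_AUTH_USER` and `BASIC_AUTH_PASS` left empty and `DISABLE_API: false`, the default rendering is a chart repository whose upload and delete API accepts requests without any authentication, so any client that can reach the Service (or the Ingress, if enabled) can publish, delete or re-publish charts that other deployments will later install; that is a supply-chain exposure worth stating next to the defaults rather than leaving implicit. A comment above `BASIC_AUTH_USER` such as `# With no basic-auth credentials set, /api (chart upload/delete) is open to anyone who can reach the service; set both values, or use DISABLE_API: true for a read-only mirror` would make the trade-off visible. `GOOGLE_CREDENTIALS_JSON` should likewise say the value must be supplied already base64-encoded, since templates/secret.yaml copies it into `data:` without `b64enc`. `ALLOW_OVERWRITE: false` and `AUTH_ANONYMOUS_GET: false` are sound defaults and worth keeping.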

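--- a/dubbo-admin/Chart.yaml
+++ b/dubbo-admin/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+name: dubbo-admin
+version: 1.0.0
+appVersion: 0.0.1
+description: WebUI for Dubbo
+icon: https://cdn.gmem.site/images/k8s/dubbo.png
+maintainers:
+  - name: Alex Wong
+    email: alex@gmem.cc
+engine: gotpl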

+ 0 - 0
dubbo-admin/overrides/dang.yaml


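--- a/dubbo-admin/overrides/gmem.yaml
+++ b/dubbo-admin/overrides/gmem.yaml
@@ -0,0 +1,8 @@
+image: docker.gmem.cc/dubbo-admin:0.0.1
+ingress:
+  hosts:
+    - dbadm.k8s.gmem.cc
+  tls:
+  - secretName: gmemk8scert-dbadm
+    hosts:
+      - dbadm.k8s.gmem.cc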

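--- a/dubbo-admin/templates/_helpers.tpl
+++ b/dubbo-admin/templates/_helpers.tpl
@@ -0,0 +1,15 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 53 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 53 chars (63 - len("-discovery")) because some Kubernetes name fields are limited to 63 (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- default (printf "%s-%s" .Release.Name .Chart.Name) .Values.fullnameOverride | trunc 53 | trimSuffix "-" -}}
+{{- end -}}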
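Review bot: Neither `name` nor `fullname` defined here is referenced by this chart's templates — deployment.yaml, ingress.yaml and service.yaml all use `.Chart.Name` directly — so the helpers are dead code, and the comment `We truncate at 53 chars (63 - len("-discovery"))` is carried over from the elasticsearch chart, which has a `-discovery` suffix that dubbo-admin does not. Either use the helpers (so `nameOverride`/`fullnameOverride` work as the comment implies) or drop the file. The defines are also unprefixed; Helm named templates share one namespace across a release, so the elasticsearch chart's identically named `name`/`fullname` would collide if both charts were ever dependencies of one parent. Prefixing them `dubbo-admin.name` / `dubbo-admin.fullname`, as the chartmuseum chart does with `chartmuseum.fullname`, avoids that.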

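--- a/dubbo-admin/templates/deployment.yaml
+++ b/dubbo-admin/templates/deployment.yaml
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    tier: middleware
+    application: {{ .Chart.Name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      tier: middleware
+      application: {{ .Chart.Name }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        tier: middleware
+        application: {{ .Chart.Name }}
+        release: {{ .Release.Name }}
+    spec:
+      containers:
+      - name: runtime
+        image: {{ .Values.image }}
+        imagePullPolicy: Always
+        resources:
+          requests:
+            cpu: 50m
+            memory: 256Mi
+        env:
+          - name: LANG
+            value: en_US.UTF-8
+          - name: LANGUAGE
+            value: en_US.UTF-8
+          - name: LC_ALL
+            value: en_US.UTF-8
+          - name: SERVER_PORT
+            value: "80"
+          - name: ZK_HOST
+            value: zk
+          - name: ZK_PORT
+            value: "2181"
+        volumeMounts:
+        - mountPath: /etc/localtime
+          name: lt-config
+        - mountPath: /etc/timezone
+          name: tz-config
+      volumes:
+      - hostPath:
+          path: /usr/share/zoneinfo/Asia/Shanghai
+        name: lt-config
+      - hostPath:
+          path: /etc/timezone
+        name: tz-config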
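Review bot: The two `hostPath` volumes (`/usr/share/zoneinfo/Asia/Shanghai` and `/etc/timezone`) are mounted without `readOnly: true`, so the container holds a writable handle on node files it only needs to read; adding `readOnly: true` to both entries under `volumeMounts` limits the mount to what the workload uses. The same pattern appears in elasticsearch/templates/es-client.yaml. `image: {{ .Values.image }}` has no default in dubbo-admin/values.yaml (which sets only `replicas: 1`), so the chart does not render a usable image unless an overrides file is supplied; a default or a `required` call would make that explicit. The container also has no `securityContext` and only resource `requests`; a `limits:` block, and `runAsNonRoot: true` if the image supports it, would be the usual hardening.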

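--- a/dubbo-admin/templates/ingress.yaml
+++ b/dubbo-admin/templates/ingress.yaml
@@ -0,0 +1,30 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    tier: middleware
+    application: {{ .Chart.Name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+{{- if .Values.ingress.tls }}
+  tls:
+  {{- range .Values.ingress.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+  {{- range .Values.ingress.hosts }}
+    - host: {{ . }}
+      http:
+        paths:
+          - path: /
+            backend:
+              serviceName: {{ $.Chart.Name }}
+              servicePort: 80
+  {{- end }}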
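Review bot: This template reads `.Values.ingress.tls` and `.Values.ingress.hosts`, but dubbo-admin/values.yaml declares no `ingress` key at all, so rendering without an overrides file fails on `.Values.ingress.tls` with a nil-pointer evaluation error rather than producing an empty Ingress. Declaring `ingress: {hosts: [], tls: []}` in values.yaml, or guarding the whole file with `{{- if .Values.ingress }}`, makes the chart installable on its own. As noted on chartmuseum's ingress, `extensions/v1beta1` is the deprecated Ingress API group.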

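--- a/dubbo-admin/templates/service.yaml
+++ b/dubbo-admin/templates/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    tier: middleware
+    application: {{ .Chart.Name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 80
+    protocol: TCP
+  selector:
+    tier: middleware
+    application: {{ .Chart.Name }}
+    release: {{ .Release.Name }}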

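--- a/dubbo-admin/values.yaml
+++ b/dubbo-admin/values.yaml
@@ -0,0 +1 @@
+replicas: 1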

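--- a/elasticsearch/Chart.yaml
+++ b/elasticsearch/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+name: elasticsearch
+home: https://www.elastic.co/products/elasticsearch
+version: 0.2.4
+appVersion: 6.2.4
+description: Elasticsearch is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases.
+icon: https://static-www.elastic.co/assets/blteb1c97719574938d/logo-elastic-elasticsearch-lt.svg
+sources:
+  - https://www.elastic.co/products/elasticsearch
+maintainers:
+  - name: Matt Titmus
+    email: matthew.titmus@gmail.com
+  - name: Alex Wong
+    email: alex@gmem.cc
+engine: gotpl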

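--- a/elasticsearch/overrides/dang.yaml
+++ b/elasticsearch/overrides/dang.yaml
@@ -0,0 +1,49 @@
+tier: devops
+fullnameOverride: es
+image:
+  es:
+    repository: registry.k8s.eb.mid/efk/docker-elasticsearch-kubernetes
+    tag: 6.2.4
+  init:
+    repository: registry.k8s.eb.mid/efk/busybox
+    tag: 1.27.2
+  curator:
+    repository: registry.k8s.eb.mid/efk/curator
+    tag: 5.5.1
+common:
+  env:
+    CLUSTER_NAME: "es"
+
+client:
+  heapMemory: 1024m
+  resources:
+    requests:
+      memory: 1024Mi
+
+data:
+  replicas: 6
+  heapMemory: 2048m
+  resources:
+    requests:
+      memory: 2048Mi
+  stateful:
+    size: 256Gi
+master:
+  heapMemory: 1024m
+  resources:
+    requests:
+      memory: 1024Mi
+  stateful:
+    size: 128Gi
+
+kibana:
+  image:
+    repository: registry.k8s.eb.mid/efk/kibana-oss
+    tag: 6.2.4
+  ingress:
+    hosts:
+    - efk.k8s.eb.dapp.com
+    tls:
+    - secretName: dangk8scert
+      hosts:
+        - efk.k8s.eb.dapp.com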

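--- a/elasticsearch/overrides/gmem.yaml
+++ b/elasticsearch/overrides/gmem.yaml
@@ -0,0 +1,35 @@
+tier: devops
+fullnameOverride: es
+common:
+  stateful:
+    storageClass: ceph-rbd-hdd
+  env:
+    CLUSTER_NAME: "es"
+
+client:
+  replicas: 3
+  heapMemory: 1024m
+  data:
+    antiAffinity: none
+  resources:
+    requests:
+      memory: 1536Mi
+
+data:
+  replicas: 4
+  heapMemory: 2048m
+  data:
+    antiAffinity: none
+  resources:
+    requests:
+      memory: 3072Mi
+  stateful:
+    size: 64Gi
+
+master:
+  heapMemory: 256m
+  resources:
+    requests:
+      memory: 512Mi
+  stateful:
+    size: 8Gi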
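Review bot: `client.data.antiAffinity: none` is nested one level too deep: elasticsearch/templates/es-client.yaml reads `.Values.client.antiAffinity` (its `{{- if eq .Values.client.antiAffinity "hard" }}` branch), so this override is silently ignored and whatever default the chart's values.yaml carries stays in effect. The same shape is used under `data:` (`data.data.antiAffinity`); the es-data template is not in this chunk, so that one may or may not be intended. Lifting the key, `client:` / `  antiAffinity: none`, makes the override effective.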

+ 0 - 0
elasticsearch/templates/NOTES.txt


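--- a/elasticsearch/templates/_helpers.tpl
+++ b/elasticsearch/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 53 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 53 chars (63 - len("-discovery")) because some Kubernetes name fields are limited to 63 (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- default (printf "%s-%s" .Release.Name .Chart.Name) .Values.fullnameOverride | trunc 53 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for Curactor cron job.
+*/}}
+{{- define "curator.cronJob.apiVersion" -}}
+"batch/v1beta1"
+{{- end -}}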
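Review bot: The comment above `curator.cronJob.apiVersion` reads `Curactor cron job`; it should be `Return the appropriate apiVersion for the Curator cron job.` The define also returns the literal `"batch/v1beta1"` with its quote characters, which works as a YAML scalar but differs from the bare-string style of `name` and `fullname` and stops callers from composing it with `printf` without stripping the quotes; returning `batch/v1beta1` unquoted is simpler and consistent.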

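--- a/elasticsearch/templates/elastichq-ingress.yaml
+++ b/elasticsearch/templates/elastichq-ingress.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.elastichq.ingress.enabled -}}
+{{- $serviceName := printf "%s-elastichq" (include "fullname" .) -}}
+{{- $servicePort := .Values.elastichq.httpPort -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ template "fullname" . }}-elastichq
+  labels:
+    tier: {{ .Values.tier }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    application: {{ template "name" . }}
+    component: elastichq
+  annotations:
+    {{- range $key, $value := .Values.elastichq.ingress.annotations }}
+      {{ $key }}: {{ $value | quote }}
+    {{- end }}
+spec:
+  rules:
+    {{- range $host := .Values.elastichq.ingress.hosts }}
+    - host: {{ $host }}
+      http:
+        paths:
+          - backend:
+              serviceName: {{ $serviceName }}
+              servicePort: {{ $servicePort }}
+    {{- end -}}
+  {{- if .Values.elastichq.ingress.tls }}
+  tls:
+{{ toYaml .Values.elastichq.ingress.tls | indent 4 }}
+  {{- end -}}
+{{- end -}}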

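--- a/elasticsearch/templates/elastichq-svc.yaml
+++ b/elasticsearch/templates/elastichq-svc.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.elastichq.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "fullname" . }}-elastichq
+  labels:
+    tier: {{ .Values.tier }}
+    app: {{ template "fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+    application: {{ template "name" . }}
+    component: elastichq
+spec:
+  type: {{ .Values.common.serviceType }}
+  ports:
+  - port: {{ .Values.elastichq.httpPort }}
+    targetPort: 5000
+    protocol: TCP
+  selector:
+    tier: {{ .Values.tier }}
+    application: {{ template "name" . }}
+    component: elastichq
+    release: "{{ .Release.Name }}"
+{{- end }}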

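--- a/elasticsearch/templates/elastichq.yaml
+++ b/elasticsearch/templates/elastichq.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.elastichq.enabled }}
+{{- $elasticsearchServiceName := printf "%s-%s" (include "fullname" .) "elasticsearch" | trunc 63 -}}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: {{ template "fullname" . }}-elastichq
+  labels:
+    tier: {{ .Values.tier }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+    application: {{ template "name" . }}
+    component: elastichq
+spec:
+  replicas: {{ .Values.elastichq.replicas }}
+  selector:
+    matchLabels:
+     tier: {{ .Values.tier }}
+     application: {{ template "name" . }}
+     component: elastichq
+     release: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        tier: {{ .Values.tier }}
+        application: {{ template "name" . }}
+        component: elastichq
+        release: "{{ .Release.Name }}"
+    spec:
+      containers:
+      - name: elastichq
+        image: "{{ .Values.elastichq.image.repository }}:{{ .Values.elastichq.image.tag }}"
+        imagePullPolicy: {{ .Values.elastichq.image.pullPolicy }}
+        env:
+        - name: LC_ALL
+          value: en_US.UTF-8
+        - name: LANG
+          value: en_US.UTF-8
+        - name: LANGUAGE
+          value: en_US.UTF-8
+        - name: CLUSTER_NAME
+          value: {{ .Values.common.env.CLUSTER_NAME }}
+        - name: HQ_DEFAULT_URL
+          value: http://{{ $elasticsearchServiceName }}:{{ .Values.service.httpPort }}
+        resources:
+{{ toYaml .Values.elastichq.resources | indent 12 }}
+        ports:
+        - containerPort: 5000
+          name: elastichq
+          protocol: TCP
+{{- end }}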
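Review bot: `apiVersion: extensions/v1beta1` for a Deployment was removed in Kubernetes 1.16; `apps/v1` is the supported version, and since this manifest already carries the `spec.selector.matchLabels` that `apps/v1` requires, the migration is the one line `apiVersion: apps/v1`. `HQ_DEFAULT_URL` points ElasticHQ at a plain `http://` URL on the Elasticsearch HTTP port while es-config.yaml in the same commit sets `xpack.security.enabled: true`; if HTTP-layer authentication is actually enforced by that configuration, HQ will need credentials that this template has no way to supply. The `matchLabels` entries are indented five spaces (`     tier:`) rather than six — valid YAML, but out of step with the rest of the file.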

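--- a/elasticsearch/templates/es-client.yaml
+++ b/elasticsearch/templates/es-client.yaml
@@ -0,0 +1,146 @@
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: {{ template "fullname" . }}-client
+  labels:
+    tier: {{ .Values.tier }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    heritage: "{{ .Release.Service }}"
+    application: {{ template "name" . }}
+    component: client
+    release: "{{ .Release.Name }}"
+spec:
+  replicas: {{ .Values.client.replicas }}
+  template:
+    metadata:
+      labels:
+        tier: {{ .Values.tier }}
+        application: {{ template "name" . }}
+        component: client
+        release: "{{ .Release.Name }}"
+    spec:
+      {{- if eq .Values.client.antiAffinity "hard" }}
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - topologyKey: "kubernetes.io/hostname"
+              labelSelector:
+                matchLabels:
+                  application: {{ template "name" . }}
+                  component: client
+                  release: "{{ .Release.Name }}"
+      {{- else if eq .Values.client.antiAffinity "soft" }}
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            podAffinityTerm:
+              topologyKey: "kubernetes.io/hostname"
+              labelSelector:
+                matchLabels:
+                  application: {{ template "name" . }}
+                  component: client
+                  release: "{{ .Release.Name }}"
+      {{- end }}
+      initContainers:
+      - name: init-sysctl
+        image: "{{ .Values.image.init.repository }}:{{ .Values.image.init.tag }}"
+        imagePullPolicy: {{ .Values.image.init.pullPolicy }}
+        command: ["sysctl", "-w", "vm.max_map_count=262144"]
+        securityContext:
+          privileged: true
+      containers:
+      - name: es-client
+        securityContext:
+          privileged: false
+          capabilities:
+            add:
+              - IPC_LOCK
+              - SYS_RESOURCE
+        image: "{{ .Values.image.es.repository }}:{{ .Values.image.es.tag }}"
+        imagePullPolicy: {{ .Values.image.es.pullPolicy }}
+        env:
+        - name: LC_ALL
+          value: en_US.UTF-8
+        - name: LANG
+          value: en_US.UTF-8
+        - name: LANGUAGE
+          value: en_US.UTF-8
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: DISCOVERY_SERVICE
+          value: {{ template "fullname" . }}-discovery
+        {{- range $key, $value :=  .Values.common.env }}
+        - name: {{ $key | upper | replace "-" "_" }}
+          value: {{ $value | quote }}
+        {{- end }}
+        {{- range $key, $value :=  .Values.client.env }}
+        - name: {{ $key | upper | replace "-" "_" }}
+          value: {{ $value | quote }}
+        {{- end }}
+        - name: "ES_JAVA_OPTS"
+          value: "-Xms{{ .Values.client.heapMemory }} -Xmx{{ .Values.client.heapMemory }} -Xss{{ .Values.data.stackSize }}"
+        resources:
+{{ toYaml .Values.client.resources | indent 10 }}
+        ports:
+        - containerPort: 9200
+          name: http
+          protocol: TCP
+        - containerPort: 9300
+          name: transport
+          protocol: TCP
+        livenessProbe:
+          tcpSocket:
+            port: 9300
+          initialDelaySeconds: 60
+        readinessProbe:
+          httpGet:
+            path: /_cluster/state/version
+            port: 9200
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+        volumeMounts:
+        - mountPath: /etc/localtime
+          name: lt-config
+        - mountPath: /etc/timezone
+          name: tz-config
+        - name: storage
+          mountPath: /data
+        - name: config
+          mountPath: /elasticsearch/config/log4j2.properties
+          subPath: log4j2.properties
+        - name: config
+          mountPath: /elasticsearch/config/elasticsearch.yml
+          subPath: elasticsearch.yml
+        - name: config
+          mountPath: /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/java.security
+          subPath: java.security
+        - name: config
+          mountPath: /usr/lib/jvm/java-1.8-openjdk/lib/security/java.security
+          subPath: java.security
+        - name: config
+          mountPath: /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/java.policy
+          subPath: java.policy
+        - name: config
+          mountPath: /usr/lib/jvm/java-1.8-openjdk/lib/security/java.policy
+          subPath: java.policy
+
+      volumes:
+        - name: config
+          configMap:
+            name: {{ template "fullname" . }}-config
+        - hostPath:
+            path: /usr/share/zoneinfo/Asia/Shanghai
+          name: lt-config
+        - hostPath:
+            path: /etc/timezone
+          name: tz-config
+        - emptyDir:
+            medium: ""
+          name: "storage"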
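Review bot: The `ES_JAVA_OPTS` line sizes the thread stack from `.Values.data.stackSize` inside the client Deployment while heap comes from `.Values.client.heapMemory`; this looks copied from the data template, and `-Xss{{ .Values.client.stackSize }}` (with a matching default in values.yaml) is the likely intent. `apiVersion: apps/v1beta1` was removed in Kubernetes 1.16, and this Deployment has no `spec.selector`, which `apps/v1` requires, so migrating needs both the apiVersion line and a `selector.matchLabels` block mirroring the pod labels. The readiness probe is an unauthenticated `httpGet` on `/_cluster/state/version`; es-config.yaml in the same commit turns on `xpack.security.enabled: true`, and if that is enforced on the HTTP layer the probe will be answered with 401 and the pods never become ready — an `exec` probe that reads credentials from a Secret avoids that. The `init-sysctl` container runs `privileged: true` to set `vm.max_map_count`, which is the common approach for Elasticsearch; a short comment noting it is the only privileged step, and that setting the sysctl at node provisioning time would let it be dropped, helps whoever reviews the pod security posture later.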

+ 259 - 0
elasticsearch/templates/es-config.yaml

@@ -0,0 +1,259 @@
1
+apiVersion: v1
2
+kind: ConfigMap
3
+metadata:
4
+  name: {{ template "fullname" . }}-config
5
+  labels:
6
+    tier: {{ .Values.tier }}
7
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
8
+    heritage: "{{ .Release.Service }}"
9
+    application: {{ template "name" . }}
10
+    release: "{{ .Release.Name }}"
11
+data:
12
+  log4j2.properties: |
13
+    status = error
14
+
15
+    appender.console.type = Console
16
+    appender.console.name = console
17
+    appender.console.layout.type = JsonLayout
18
+    appender.console.layout.charset = UTF-8
19
+    appender.console.layout.compact = true
20
+    appender.console.layout.eventEol = true
21
+    appender.console.layout.locationInfo = false
22
+    appender.console.layout.stacktraceAsString = true
23
+
24
+    rootLogger.level = info
25
+    rootLogger.appenderRef.console.ref = console
26
+  elasticsearch.yml: |
27
+    cluster:
28
+      name: ${CLUSTER_NAME}
29
+
30
+    node:
31
+      master: ${NODE_MASTER}
32
+      data: ${NODE_DATA}
33
+      name: ${NODE_NAME}
34
+      ingest: ${NODE_INGEST}
35
+      max_local_storage_nodes: ${MAX_LOCAL_STORAGE_NODES}
36
+
37
+    network.host: 0.0.0.0
38
+
39
+    path:
40
+      data: /data/data
41
+      logs: /data/log
42
+      repo: ${REPO_LOCATIONS}
43
+
44
+    bootstrap:
45
+      memory_lock: ${MEMORY_LOCK}
46
+
47
+    http:
48
+      enabled: ${HTTP_ENABLE}
49
+      compression: true
50
+      cors:
51
+        enabled: ${HTTP_CORS_ENABLE}
52
+        allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}
53
+
54
+    discovery:
55
+      zen:
56
+        ping.unicast.hosts: ${DISCOVERY_SERVICE}
57
+        minimum_master_nodes: ${NUMBER_OF_MASTERS}
58
+
59
+    xpack.monitoring.enabled: true
60
+    xpack.graph.enabled: true
61
+    xpack.security.enabled: true
62
+    xpack.security.transport.ssl.enabled: true
63
+    xpack.security.transport.ssl.verification_mode: certificate
64
+    xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
65
+    xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
66
+    xpack.security.authc:
67
+      anonymous:
68
+        username: anonymous
69
+        roles: transport_client
70
+        authz_exception: true
71
+  java.policy: |
72
+    grant codeBase "file:${{java.ext.dirs}}/*" {
73
+            permission java.security.AllPermission;
74
+    };
75
+
76
+    grant {
77
+            permission java.lang.RuntimePermission "stopThread";
78
+            permission java.net.SocketPermission "localhost:0", "listen";
79
+            permission java.util.PropertyPermission "java.version", "read";
80
+            permission java.util.PropertyPermission "java.vendor", "read";
81
+            permission java.util.PropertyPermission "java.vendor.url", "read";
82
+            permission java.util.PropertyPermission "java.class.version", "read";
83
+            permission java.util.PropertyPermission "os.name", "read";
84
+            permission java.util.PropertyPermission "os.version", "read";
85
+            permission java.util.PropertyPermission "os.arch", "read";
86
+            permission java.util.PropertyPermission "file.separator", "read";
87
+            permission java.util.PropertyPermission "path.separator", "read";
88
+            permission java.util.PropertyPermission "line.separator", "read";
89
+            permission java.util.PropertyPermission "java.specification.version", "read";
90
+            permission java.util.PropertyPermission "java.specification.vendor", "read";
91
+            permission java.util.PropertyPermission "java.specification.name", "read";
92
+            permission java.util.PropertyPermission "java.vm.specification.version", "read";
93
+            permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
94
+            permission java.util.PropertyPermission "java.vm.specification.name", "read";
95
+            permission java.util.PropertyPermission "java.vm.version", "read";
96
+            permission java.util.PropertyPermission "java.vm.vendor", "read";
97
+            permission java.util.PropertyPermission "java.vm.name", "read";
98
+            permission java.lang.RuntimePermission "accessDeclaredMembers";
99
+            permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
100
+    };
101
+  java.security: |
102
+    security.provider.1=sun.security.provider.Sun
103
+    security.provider.2=sun.security.rsa.SunRsaSign
104
+    security.provider.3=sun.security.ec.SunEC
105
+    security.provider.4=com.sun.net.ssl.internal.ssl.Provider
106
+    security.provider.5=com.sun.crypto.provider.SunJCE
107
+    security.provider.6=sun.security.jgss.SunProvider
108
+    security.provider.7=com.sun.security.sasl.Provider
109
+    security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
110
+    security.provider.9=sun.security.smartcardio.SunPCSC
111
+    security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
112
+
113
+    securerandom.source=file:/dev/random
114
+
115
+    securerandom.strongAlgorithms=NativePRNGBlocking:SUN
116
+
117
+    login.configuration.provider=sun.security.provider.ConfigFile
118
+
119
+    policy.provider=sun.security.provider.PolicyFile
120
+
121
+
122
+    policy.url.1=file:${java.home}/lib/security/java.policy
123
+    policy.url.2=file:${user.home}/.java.policy
124
+
125
+
126
+    policy.expandProperties=true
127
+
128
+    policy.allowSystemProperty=true
129
+
130
+    policy.ignoreIdentityScope=false
131
+
132
+    keystore.type=jks
133
+
134
+    keystore.type.compat=true
135
+
136
+    package.access=sun.,\
137
+                   com.sun.xml.internal.,\
138
+                   com.sun.imageio.,\
139
+                   com.sun.istack.internal.,\
140
+                   com.sun.jmx.,\
141
+                   com.sun.media.sound.,\
142
+                   com.sun.naming.internal.,\
143
+                   com.sun.proxy.,\
144
+                   com.sun.corba.se.,\
145
+                   com.sun.org.apache.bcel.internal.,\
146
+                   com.sun.org.apache.regexp.internal.,\
147
+                   com.sun.org.apache.xerces.internal.,\
148
+                   com.sun.org.apache.xpath.internal.,\
149
+                   com.sun.org.apache.xalan.internal.extensions.,\
150
+                   com.sun.org.apache.xalan.internal.lib.,\
151
+                   com.sun.org.apache.xalan.internal.res.,\
152
+                   com.sun.org.apache.xalan.internal.templates.,\
153
+                   com.sun.org.apache.xalan.internal.utils.,\
154
+                   com.sun.org.apache.xalan.internal.xslt.,\
155
+                   com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
156
+                   com.sun.org.apache.xalan.internal.xsltc.compiler.,\
157
+                   com.sun.org.apache.xalan.internal.xsltc.trax.,\
158
+                   com.sun.org.apache.xalan.internal.xsltc.util.,\
159
+                   com.sun.org.apache.xml.internal.res.,\
160
+                   com.sun.org.apache.xml.internal.resolver.helpers.,\
161
+                   com.sun.org.apache.xml.internal.resolver.readers.,\
162
+                   com.sun.org.apache.xml.internal.security.,\
163
+                   com.sun.org.apache.xml.internal.serializer.utils.,\
164
+                   com.sun.org.apache.xml.internal.utils.,\
165
+                   com.sun.org.glassfish.,\
166
+                   com.oracle.xmlns.internal.,\
167
+                   com.oracle.webservices.internal.,\
168
+                   oracle.jrockit.jfr.,\
169
+                   org.jcp.xml.dsig.internal.,\
170
+                   jdk.internal.,\
171
+                   jdk.nashorn.internal.,\
172
+                   jdk.nashorn.tools.,\
173
+                   com.sun.activation.registries.
174
+
175
+    package.definition=sun.,\
176
+                       com.sun.xml.internal.,\
177
+                       com.sun.imageio.,\
178
+                       com.sun.istack.internal.,\
179
+                       com.sun.jmx.,\
180
+                       com.sun.media.sound.,\
181
+                       com.sun.naming.internal.,\
182
+                       com.sun.proxy.,\
183
+                       com.sun.corba.se.,\
184
+                       com.sun.org.apache.bcel.internal.,\
185
+                       com.sun.org.apache.regexp.internal.,\
186
+                       com.sun.org.apache.xerces.internal.,\
187
+                       com.sun.org.apache.xpath.internal.,\
188
+                       com.sun.org.apache.xalan.internal.extensions.,\
189
+                       com.sun.org.apache.xalan.internal.lib.,\
190
+                       com.sun.org.apache.xalan.internal.res.,\
191
+                       com.sun.org.apache.xalan.internal.templates.,\
192
+                       com.sun.org.apache.xalan.internal.utils.,\
193
+                       com.sun.org.apache.xalan.internal.xslt.,\
194
+                       com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
195
+                       com.sun.org.apache.xalan.internal.xsltc.compiler.,\
196
+                       com.sun.org.apache.xalan.internal.xsltc.trax.,\
197
+                       com.sun.org.apache.xalan.internal.xsltc.util.,\
198
+                       com.sun.org.apache.xml.internal.res.,\
199
+                       com.sun.org.apache.xml.internal.resolver.helpers.,\
200
+                       com.sun.org.apache.xml.internal.resolver.readers.,\
201
+                       com.sun.org.apache.xml.internal.security.,\
202
+                       com.sun.org.apache.xml.internal.serializer.utils.,\
203
+                       com.sun.org.apache.xml.internal.utils.,\
204
+                       com.sun.org.glassfish.,\
205
+                       com.oracle.xmlns.internal.,\
206
+                       com.oracle.webservices.internal.,\
207
+                       oracle.jrockit.jfr.,\
208
+                       org.jcp.xml.dsig.internal.,\
209
+                       jdk.internal.,\
210
+                       jdk.nashorn.internal.,\
211
+                       jdk.nashorn.tools.,\
212
+                       com.sun.activation.registries.
213
+
214
+    security.overridePropertiesFile=true
215
+
216
+    security.useSystemPropertiesFile=true
217
+
218
+
219
+    ssl.KeyManagerFactory.algorithm=SunX509
220
+    ssl.TrustManagerFactory.algorithm=PKIX
221
+
222
+    krb5.kdc.bad.policy = tryLast
223
+
224
+
225
+    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
226
+        RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
227
+
228
+    jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
229
+
230
+
231
+    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
232
+        EC keySize < 224
233
+
234
+    jdk.tls.legacyAlgorithms= \
235
+            K_NULL, C_NULL, M_NULL, \
236
+            DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
237
+            DH_RSA_EXPORT, RSA_EXPORT, \
238
+            DH_anon, ECDH_anon, \
239
+            RC4_128, RC4_40, DES_CBC, DES40_CBC, \
240
+            3DES_EDE_CBC
241
+
242
+    crypto.policy=unlimited
243
+
244
+    jdk.xml.dsig.secureValidationPolicy=\
245
+        disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
246
+        disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
247
+        disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
248
+        disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
249
+        maxTransforms 5,\
250
+        maxReferences 30,\
251
+        disallowReferenceUriSchemes file http https,\
252
+        minKeySize RSA 1024,\
253
+        minKeySize DSA 1024,\
254
+        noDuplicateIds,\