diff --git a/assets/airlock/microgateway-4.4.2.tgz b/assets/airlock/microgateway-4.4.2.tgz
new file mode 100644
index 0000000000..a36112ce65
Binary files /dev/null and b/assets/airlock/microgateway-4.4.2.tgz differ
diff --git a/assets/airlock/microgateway-cni-4.4.2.tgz b/assets/airlock/microgateway-cni-4.4.2.tgz
new file mode 100644
index 0000000000..0c5398b10b
Binary files /dev/null and b/assets/airlock/microgateway-cni-4.4.2.tgz differ
diff --git a/assets/cockroach-labs/cockroachdb-15.0.2.tgz b/assets/cockroach-labs/cockroachdb-15.0.2.tgz
new file mode 100644
index 0000000000..f2392be65c
Binary files /dev/null and b/assets/cockroach-labs/cockroachdb-15.0.2.tgz differ
diff --git a/assets/redpanda/redpanda-5.9.18.tgz b/assets/redpanda/redpanda-5.9.18.tgz
new file mode 100644
index 0000000000..d39a788b50
Binary files /dev/null and b/assets/redpanda/redpanda-5.9.18.tgz differ
diff --git a/assets/speedscale/speedscale-operator-2.3.45.tgz b/assets/speedscale/speedscale-operator-2.3.45.tgz
new file mode 100644
index 0000000000..82a24ee4d0
Binary files /dev/null and b/assets/speedscale/speedscale-operator-2.3.45.tgz differ
diff --git a/charts/airlock/microgateway-cni/4.4.2/.helmignore b/charts/airlock/microgateway-cni/4.4.2/.helmignore
new file mode 100644
index 0000000000..8561d28926
--- /dev/null
+++ b/charts/airlock/microgateway-cni/4.4.2/.helmignore
@@ -0,0 +1,27 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+# Helm unit tests
+/tests
+/validation
diff --git a/charts/airlock/microgateway-cni/4.4.2/Chart.yaml b/charts/airlock/microgateway-cni/4.4.2/Chart.yaml
new file mode 100644
index 0000000000..e4b34e0c15
--- /dev/null
+++ b/charts/airlock/microgateway-cni/4.4.2/Chart.yaml @@ -0,0 +1,43 @@ +annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.4/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway CNI + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: "" + charts.openshift.io/name: Airlock Microgateway CNI +apiVersion: v2 +appVersion: 4.4.2 +description: A Helm chart for deploying the Airlock Microgateway CNI plugin +home: https://www.airlock.com/en/microgateway +icon: file://assets/icons/microgateway-cni.svg +keywords: +- WAF +- Web Application Firewall +- WAAP +- Web Application and API protection +- OWASP +- Airlock +- Microgateway +- Security +- Filtering +- DevSecOps +- shift left +- CNI +kubeVersion: '>=1.25.0-0' +maintainers: +- email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ +name: microgateway-cni +sources: +- https://github.com/airlock/microgateway +type: application +version: 4.4.2 diff --git a/charts/airlock/microgateway-cni/4.4.2/README.md b/charts/airlock/microgateway-cni/4.4.2/README.md new file mode 100644 index 0000000000..ef42515c5c --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/README.md 
@@ -0,0 +1,138 @@ +# Airlock Microgateway CNI + +![Version: 4.4.2](https://img.shields.io/badge/Version-4.4.2-informational?style=flat-square) ![AppVersion: 4.4.2](https://img.shields.io/badge/AppVersion-4.4.2-informational?style=flat-square) + +*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* + + + + + Microgateway + + +Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability. +__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.4.2).__ + +### Features +* Kubernetes native integration with sidecar injection and Gateway API support +* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction +* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication +* Content security filters for protecting against known attacks (OWASP Top 10) +* Access control using OpenID Connect to allow only authenticated users to access the protected services +* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation + +For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. + +## Documentation and links + +Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. 
The links below point out the most interesting documentation sites when starting with Airlock Microgateway. + +* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) +* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) +* [Installation](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000138) +* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) +* [GitHub](https://github.com/airlock/microgateway) + +# Quick start guide + +The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. + +## Prerequisites +* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) + +## Deploy Airlock Microgateway CNI +1. Install the CNI Plugin with Helm. + > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni). 
+ ```bash + # Standard setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # GKE setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.2/deploy/charts/airlock-microgateway-cni/gke-values.yaml + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # OpenShift setup + helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.2/deploy/charts/airlock-microgateway-cni/openshift-values.yaml + kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + > **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details). + +2. (Recommended) You can verify the correctness of the installation with `helm test`. 
+ ```bash + # Standard and GKE setup + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' + helm test airlock-microgateway-cni -n kube-system --logs + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' + ``` + ```bash + # OpenShift setup + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' + helm test airlock-microgateway-cni -n openshift-operators --logs + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.2' + ``` + + Consult our [documentation](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000139) in case of any installation error. + +## Support + +### Premium support +If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process). + +### Community support +For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question. +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. | +| commonAnnotations | object | `{}` | Annotations to add to all resources. | +| commonLabels | object | `{}` | Labels to add to all resources. | +| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. 
It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. | +| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. | +| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. | +| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. | +| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. | +| config.repairMode | string | `"none"` | Specifies the repair mode There is a race condition regarding the installation of the CNI Plugin and creation of Pods when starting a Node. This would cause Pods to be unprotected, because the CNI did not reconfigure the Pod's network. The Airlock Microgateway Network Validator prevents this and causes the Pod to fail on purpose. Pods can be repaired by choosing the appropriate repair mode. Available options are: `deletePods` will delete failing Pods, such that the CNI Plugin can correctly configure them `none` will not perform any action for failing Pods | +| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| image.digest | string | `"sha256:160407ca4790555afc8ea706f51bc0729c1a79862c295ad9df68999692b932a5"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. 
| +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. | +| image.tag | string | `"4.4.2"` | Image tag to pull. | +| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | +| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. | +| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. | +| podAnnotations | object | `{}` | Annotations to add to all Pods. | +| podLabels | object | `{}` | Labels to add to all Pods. | +| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). | +| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. | +| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. | +| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. 
| +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | +| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | + +## License +View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image. +* Decompiling or reverse engineering is not permitted. +* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted. + +Airlock® is a security innovation by [ergon](https://www.ergon.ch/en) + + + + + + + Airlock Secure Access Hub + + diff --git a/charts/airlock/microgateway-cni/4.4.2/gke-values.yaml b/charts/airlock/microgateway-cni/4.4.2/gke-values.yaml new file mode 100644 index 0000000000..d6d5c21d14 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/gke-values.yaml @@ -0,0 +1,4 @@ +# values for deploying on GKE + +config: + cniBinDir: "/home/kubernetes/bin" diff --git a/charts/airlock/microgateway-cni/4.4.2/openshift-values.yaml b/charts/airlock/microgateway-cni/4.4.2/openshift-values.yaml new file mode 100644 index 0000000000..3b1d6cccde --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/openshift-values.yaml @@ -0,0 +1,15 @@ +# values for deploying on OpenShift + +rbac: + createSCCRole: true + +privileged: true + +multusNetworkAttachmentDefinition: + create: true + namespace: default + +config: + installMode: "standalone" + cniNetDir: "/etc/cni/multus/net.d" + cniBinDir: "/var/lib/cni/bin" 
diff --git a/charts/airlock/microgateway-cni/4.4.2/questions.yml b/charts/airlock/microgateway-cni/4.4.2/questions.yml new file mode 100644 index 0000000000..73ed44d646 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/questions.yml @@ -0,0 +1,18 @@ +questions: + - variable: config.cniNetDir + required: true + type: string + label: CNI Network Configuration Directory + group: "CNI Settings" + description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host." + - variable: config.cniBinDir + required: true + type: string + label: CNI Plugin Binaries Directory + group: "CNI Settings" + description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host." + - variable: config.installMode + required: true + label: CNI Plugin Installation Mode + group: "CNI Settings" + description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment." diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/NOTES.txt b/charts/airlock/microgateway-cni/4.4.2/templates/NOTES.txt new file mode 100644 index 0000000000..bb94ff521e --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/templates/NOTES.txt 
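Review bot: The `config.installMode` question declares neither `type` nor `options`, so the Rancher form accepts free text for a value whose description limits it to `chained`, `standalone` or `manual` and which the DaemonSet passes straight through as the unquoted env value `INSTALL_MODE`. The two directory questions are correctly typed as `string`; this one should be an enum so a typo is rejected in the form rather than surfacing as an installer failure on every node. Declaring the README default (`chained`) there as well keeps the UI consistent with `values.yaml`.
```yaml
  - variable: config.installMode
    required: true
    type: enum
    default: chained
    options:
      - chained
      - standalone
      - manual
    label: CNI Plugin Installation Mode
    # … unchanged: group, description …
```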
@@ -0,0 +1,15 @@ +Thank you for installing Airlock Microgateway CNI. + +Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution. +For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}. +The chapter 'Setup > Installation' describes how to set those settings correctly. + +Further information: +* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }} +* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm + +Next steps: +* Install Airlock Microgateway (if not done already) + https://artifacthub.io/packages/helm/airlock-microgateway/microgateway + +Your release version is {{ .Chart.Version }}. \ No newline at end of file diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/_helpers.tpl b/charts/airlock/microgateway-cni/4.4.2/templates/_helpers.tpl new file mode 100644 index 0000000000..996491a873 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/templates/_helpers.tpl 
@@ -0,0 +1,101 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "airlock-microgateway-cni.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Convert an image configuration object into an image ref string. +*/}} +{{- define "airlock-microgateway-cni.image" -}} + {{- if .digest -}} + {{- printf "%s@%s" .repository .digest -}} + {{- else if .tag -}} + {{- printf "%s:%s" .repository .tag -}} + {{- else -}} + {{- printf "%s" .repository -}} + {{- end -}} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest suffix is 13 characters. +If release name contains chart name it will be used as a full name. +*/}} +{{- define "airlock-microgateway-cni.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 50 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "airlock-microgateway-cni.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "airlock-microgateway-cni.labels" -}} +helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }} +{{ include "airlock-microgateway-cni.selectorLabels" . 
}} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.commonLabels }} +{{ toYaml .}} +{{- end }} +{{- end }} + +{{/* +Common labels without component +*/}} +{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}} +{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}} +{{ unset $labels "app.kubernetes.io/component" | toYaml }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "airlock-microgateway-cni.selectorLabels" -}} +app.kubernetes.io/component: cni-plugin-installer +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }} +{{- end }} + +{{/* +Create the name of the service account to use for the CNI Plugin +*/}} +{{- define "airlock-microgateway-cni.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "airlock-microgateway-cni.isSemver" -}} +{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} +{{- end -}} + +{{- define "airlock-microgateway-cni.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} + {{- $version := (semver .Chart.AppVersion) -}} + {{- $version.Major }}.{{ $version.Minor -}} +{{- else -}} + {{- print "latest" -}} +{{- end -}} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/clusterrole.yaml b/charts/airlock/microgateway-cni/4.4.2/templates/clusterrole.yaml new file mode 100644 index 0000000000..7412ab5135 --- /dev/null 
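Review bot: `airlock-microgateway-cni.serviceAccountName` falls back to the literal `default` when `serviceAccount.create` is false and `serviceAccount.name` is empty, and that name is exactly what the ClusterRoleBinding and the SCC RoleBinding elsewhere in this chart bind to, so disabling SA creation without naming an account silently grants cluster-wide `pods` patch (plus `delete` under `repairMode: deletePods`) and, on OpenShift, use of the `privileged` SCC to the namespace's default ServiceAccount — the identity every pod in that namespace without an explicit `serviceAccountName` runs as. Failing the render is safer than the silent fallback: `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`. If the fallback is kept for compatibility, the README row for `serviceAccount.name` should at least state that leaving it empty binds these roles to `default`.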
+++ b/charts/airlock/microgateway-cni/4.4.2/templates/clusterrole.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - patch + {{- if eq .Values.config.repairMode "deletePods" }} + - delete + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/clusterrolebinding.yaml b/charts/airlock/microgateway-cni/4.4.2/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..04f87cb0fa --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "airlock-microgateway-cni.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/configmap.yaml b/charts/airlock/microgateway-cni/4.4.2/templates/configmap.yaml new file mode 100644 index 0000000000..b880116ef9 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/templates/configmap.yaml 
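Review bot: The ClusterRole grants `pods` `get/list/watch/patch` across the whole cluster, while `config.excludeNamespaces` (default `["kube-system"]`) is only read by the plugin from `plugin-conf.json`; it is an application-side filter, not an authorization boundary, so a compromised installer or a leaked CNI kubeconfig can still patch pods in the excluded namespaces. A ClusterRole cannot carve out namespaces, so this is a documentation point rather than a template change: the README description of `config.excludeNamespaces` should say `Note: this only controls which Pods the plugin modifies; it does not narrow the plugin's RBAC permissions, which are cluster-wide.` Gating the `delete` verb on `repairMode` is the right call and keeps the default grant to what the chart actually uses.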
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + plugin-conf.json: |- + { + "type": "{{ include "airlock-microgateway-cni.fullname" . }}", + "debug": {{ eq .Values.config.logLevel "debug" }}, + "logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log", + "kubernetes": { + "kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig", + "excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }} + } + } diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/daemonset.yaml b/charts/airlock/microgateway-cni/4.4.2/templates/daemonset.yaml new file mode 100644 index 0000000000..fcb5846ca8 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/templates/daemonset.yaml 
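Review bot: The `kubeconfig` entry in `plugin-conf.json` interpolates `.Values.config.cniNetDir` raw inside a JSON string, whereas `excludeNamespaces` on the next line goes through `toJson`; a directory value containing `"` or `\` renders successfully but leaves the CNI plugin with unparsable configuration on every node instead of a Helm-time error. Building the full path and encoding it keeps the file well-formed for any value: `"kubeconfig": {{ printf "%s/%s-kubeconfig" .Values.config.cniNetDir (include "airlock-microgateway-cni.fullname" .) | toJson }},`. The `type` field is fine as written, since the same `fullname` is also this ConfigMap's `metadata.name` and the API server rejects names containing JSON-significant characters before the plugin ever sees them.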
@@ -0,0 +1,138 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: cni-installer + {{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - args: + - --log-level + - "{{ .Values.config.logLevel }}" + env: + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + key: plugin-conf.json + name: {{ include "airlock-microgateway-cni.fullname" . }} + - name: CNI_BIN_DIR + value: /host/opt/cni/bin + - name: CNI_NET_DIR + value: /host/etc/cni/net.d + - name: KUBECONFIG_FILE_NAME + value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" + - name: INSTALL_MODE + value: {{ .Values.config.installMode }} + - name: REPAIR_MODE + value: {{ .Values.config.repairMode }} + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: {{ include "airlock-microgateway-cni.image" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cni-installer + {{- with .Values.resources }} + resources: + {{- toYaml . 
| nindent 12 }} + {{- end }} + startupProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 5 + initialDelaySeconds: 3 + periodSeconds: 3 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 1 + periodSeconds: 60 + timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /run/cni-installer + name: cni-installer-status + hostNetwork: true + priorityClassName: system-node-critical + restartPolicy: Always + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + terminationGracePeriodSeconds: 5 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir + - emptyDir: {} + name: cni-installer-status diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/network-attachment-definition.yaml b/charts/airlock/microgateway-cni/4.4.2/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..5d657e309c --- /dev/null 
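Review bot: The installer mounts both host directories writable and, per `KUBECONFIG_FILE_NAME` and the `kubernetes.kubeconfig` path in the ConfigMap (the `helm test` pod checks that the file exists), writes a `<fullname>-kubeconfig` into `cniNetDir` on every node; that file presumably carries the DaemonSet ServiceAccount's credential, meaning the cluster-wide `pods` patch (and optional delete) permission ends up on each node's filesystem, readable by anyone with host or `hostPath` access. This is the usual CNI design rather than a defect in the template, but operators should be told so they can account for it: the README description of `config.cniNetDir` could add `Note: the installer writes a kubeconfig for the CNI plugin's ServiceAccount into this directory on each node; protect node filesystem access accordingly.` The `type: Directory` hostPath volumes and `readOnlyRootFilesystem: true` are good — a mis-set path fails fast instead of being created, and writes are confined to the two host mounts and the emptyDir.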
+++ b/charts/airlock/microgateway-cni/4.4.2/templates/network-attachment-definition.yaml @@ -0,0 +1,13 @@ +{{- if .Values.multusNetworkAttachmentDefinition.create -}} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/scc-role.yaml b/charts/airlock/microgateway-cni/4.4.2/templates/scc-role.yaml new file mode 100644 index 0000000000..8627486928 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/templates/scc-role.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/scc-rolebinding.yaml b/charts/airlock/microgateway-cni/4.4.2/templates/scc-rolebinding.yaml new file mode 100644 index 0000000000..ebd02982c0 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/templates/scc-rolebinding.yaml 
@@ -0,0 +1,20 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged +subjects: +- kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/serviceaccount.yaml b/charts/airlock/microgateway-cni/4.4.2/templates/serviceaccount.yaml new file mode 100644 index 0000000000..3dc8d58eae --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/tests/rbac.yaml b/charts/airlock/microgateway-cni/4.4.2/templates/tests/rbac.yaml new file mode 100644 index 0000000000..744799333f --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/templates/tests/rbac.yaml 
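Review bot: The ServiceAccount subject carries no `namespace:`; the RBAC authorizer resolves an empty subject namespace on a RoleBinding to the binding's own namespace, so this does bind the intended account, but the `ClusterRoleBinding` in this chart spells it out, and the two should match: add `namespace: {{ .Release.Namespace }}` under the subject. Since this Role hands out `use` of the `privileged` SCC, the reader should not need to know that resolution rule to see which account receives it.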
@@ -0,0 +1,64 @@
+{{- if .Values.tests.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
+ app.kubernetes.io/component: tests
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
+ app.kubernetes.io/component: tests
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
+subjects:
+- kind: ServiceAccount
+ name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
+ app.kubernetes.io/component: tests
+rules:
+- apiGroups:
+ - "apps"
+ resources:
+ - daemonsets
+ resourceNames:
+ - {{ include "airlock-microgateway-cni.fullname" . }}
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - get
+ - list
+{{- if .Values.rbac.createSCCRole }}
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+{{- end -}}
+{{- end -}}
diff --git a/charts/airlock/microgateway-cni/4.4.2/templates/tests/test-install.yaml b/charts/airlock/microgateway-cni/4.4.2/templates/tests/test-install.yaml
new file mode 100644
index 0000000000..12d8c8de78
--- /dev/null
+++ b/charts/airlock/microgateway-cni/4.4.2/templates/tests/test-install.yaml
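Review bot: The test Role's second rule grants `get`/`list` on all `pods` and `pods/log` in the release namespace, and the conditional third rule hands the `privileged` SCC to the test ServiceAccount, but neither rule says why it exists, which is what a later reviewer of this RBAC will ask. Both are consumed by test-install.yaml: its `fail()` helper runs `kubectl logs` against the installer DaemonSet's `cni-installer` container, and the test Pod sets `privileged: {{ .Values.privileged }}`, so on OpenShift it presumably needs the same SCC that scc-role.yaml grants the chart ServiceAccount. Suggested comments above the rules: `# pods/log: test-install fetches the cni-installer container logs when a check fails` and `# OpenShift: the test Pod mirrors .Values.privileged and must be admitted under the same SCC as the installer`. The pods/log grant cannot be narrowed with `resourceNames` because DaemonSet Pod names are generated, so the namespace scope is the effective bound here and is fine.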
@@ -0,0 +1,103 @@ +{{- if .Values.tests.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install" + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: test-install + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + containers: + - name: test + image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + readOnly: true + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: true + command: + - sh + - -c + - | + set -eu + + fail() { + echo "Error: ${1}" + echo "" + echo 'CNI installer logs:' + kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer + exit 1 + } + + containsMGWCNIConf() { + cat "${1}" | grep -qe '"type":.*"{{ include "airlock-microgateway-cni.fullname" . }}"' + } + + if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then + fail 'CNI DaemonSet rollout did not complete within timeout' + fi + + echo "Checking whether CNI binary was installed" + if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then + fail 'CNI binary was not installed' + fi + + echo "Checking whether CNI kubeconfig was installed" + if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . 
}}-kubeconfig" ]; then + fail 'CNI kubeconfig was not created' + fi + + echo "Checking whether CNI configuration was written" + case {{ .Values.config.installMode }} in + "chained") + for file in "/host/etc/cni/net.d/"*.conflist; do + if containsMGWCNIConf "${file}"; then + echo "Success" + exit 0 + fi + done + ;; + "standalone") + if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then + echo "Success" + exit 0 + fi + ;; + "manual") + echo "- Skipping because we are in 'manual' install mode" + echo "Success" + exit 0 + ;; + esac + + fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found' + serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.2/values.schema.json b/charts/airlock/microgateway-cni/4.4.2/values.schema.json new file mode 100644 index 0000000000..c2cf207348 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/values.schema.json 
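Review bot: The test container image `bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}` is pulled from Docker Hub by a floating tag, whereas the chart's own image in values.yaml is pinned by `digest`; a `helm test` Pod that runs as root (`runAsUser: 0`, `runAsNonRoot: false`), inherits `privileged: {{ .Values.privileged }}` and mounts the host CNI directories deserves the same pinning and mirroring discipline. Some distributions also report the minor version with a `+` suffix, which would produce an unpullable tag (constructed example: `1.28+`); if such platforms are supported, `{{ .Capabilities.KubeVersion.Minor | trimSuffix "+" }}` avoids it. Consider moving the test image into a values entry shaped like the schema's `Image` definition so `repository`, `tag` and `digest` can be set per environment. The `case {{ .Values.config.installMode }} in` line is safe only because the schema restricts the value to an enum; a short comment noting that dependency would keep the two files from drifting apart.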
@@ -0,0 +1,233 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "type": "object", + "properties": { + "nameOverride": { + "type": "string" + }, + "fullnameOverride": { + "type": "string" + }, + "commonLabels": { + "$ref": "#/definitions/StringMap" + }, + "commonAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "name" + ], + "additionalProperties": true + } + }, + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "affinity": { + "type": "object" + }, + "rbac": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "createSCCRole": { + "type": "boolean" + } + }, + "required": [ + "create", + "createSCCRole" + ], + "additionalProperties": false + }, + "privileged": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "$ref": "#/definitions/StringMap" + }, + "name": { + "type": "string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "additionalProperties": false + }, + "multusNetworkAttachmentDefinition": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "namespace": { + "type": "string" + } + }, + "required": [ + "create", + "namespace" + ], + "additionalProperties": false + }, + "config": { + "type": "object", + "properties": { + "installMode": { + "type": "string", + "enum": [ + "chained", + "standalone", + "manual" + ] + }, + "repairMode": { + "type": "string", + "enum": [ + "deletePods", + "none" + ] + }, + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + 
"warn", + "error" + ] + }, + "cniNetDir": { + "type": "string", + "minLength": 1 + }, + "cniBinDir": { + "type": "string", + "minLength": 1 + }, + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "cniBinDir", + "cniNetDir", + "excludeNamespaces", + "installMode", + "repairMode", + "logLevel" + ], + "additionalProperties": false + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "additionalProperties": false + }, + "global": { + "type": "object" + } + }, + "required": [ + "affinity", + "commonAnnotations", + "commonLabels", + "config", + "fullnameOverride", + "image", + "imagePullSecrets", + "multusNetworkAttachmentDefinition", + "nameOverride", + "nodeSelector", + "podAnnotations", + "podLabels", + "privileged", + "rbac", + "resources", + "serviceAccount", + "tests" + ], + "additionalProperties": false, + "definitions": { + "StringMap": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "Image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "minLength": 1 + }, + "tag": { + "type": "string" + }, + "digest": { + "type": "string", + "pattern": "^$|^sha256:[a-f0-9]{64}$" + }, + "pullPolicy": { + "type": "string", + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "required": [ + "digest", + "pullPolicy", + "repository", + "tag" + ], + "additionalProperties": false + } + } +} diff --git a/charts/airlock/microgateway-cni/4.4.2/values.yaml b/charts/airlock/microgateway-cni/4.4.2/values.yaml new file mode 100644 index 0000000000..90fd2cd74f --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.2/values.yaml 
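Review bot: `multusNetworkAttachmentDefinition.namespace` is declared as a bare `"type": "string"` while `cniNetDir` and `cniBinDir` carry `"minLength": 1`; an empty string therefore passes validation and renders `namespace:` with no value in network-attachment-definition.yaml, leaving the NAD's placement to whatever the install defaults instead of failing early. Adding `"minLength": 1` to that property makes the schema reject the misconfiguration at `helm install` time. The `digest` pattern `^$|^sha256:[a-f0-9]{64}$` in the `Image` definition is a good guard and would be worth reusing if the `helm test` image is ever made configurable.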
@@ -0,0 +1,94 @@ +# -- Allows overriding the name to use instead of "microgateway-cni". +nameOverride: "" +# -- Allows overriding the name to use as full name of resources. +fullnameOverride: "" +# -- Labels to add to all resources. +commonLabels: {} +# -- Annotations to add to all resources. +commonAnnotations: {} +# -- ImagePullSecrets to use when pulling images. +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# Specifies the Airlock Microgateway CNI image. +image: + # -- Image repository from which to pull the Airlock Microgateway CNI image. + repository: "quay.io/airlock/microgateway-cni" + # -- Image tag to pull. + tag: "4.4.2" + # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). + # Overrides tag when specified. + digest: "sha256:160407ca4790555afc8ea706f51bc0729c1a79862c295ad9df68999692b932a5" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +# -- Annotations to add to all Pods. +podAnnotations: {} +# -- Labels to add to all Pods. +podLabels: {} +# -- Resource restrictions to apply to the CNI installer container. +resources: + requests: + cpu: 10m + memory: 100Mi +# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. +nodeSelector: + kubernetes.io/os: linux +# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. +affinity: {} +# Configures the generation of RBAC Roles and RoleBindings. +rbac: + # -- Whether to create RBAC resources which are required for the CNI plugin to function. + create: true + # -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. + createSCCRole: false +# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). +privileged: false +# Configures the generation of the ServiceAccount. 
+serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" +# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift) +multusNetworkAttachmentDefinition: + # -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. + create: false + # -- Namespace in which the NetworkAttachmentDefinition is deployed. + # Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces + # may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation + namespace: default +# Parameters for the CNI installer configuration. +config: + # -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), + # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) + # or in `manual` mode, where no CNI network configuration is written. + installMode: "chained" + # -- Specifies the repair mode + # There is a race condition regarding the installation of the CNI Plugin and creation of Pods when starting a Node. + # This would cause Pods to be unprotected, because the CNI did not reconfigure the Pod's network. + # The Airlock Microgateway Network Validator prevents this and causes the Pod to fail on purpose. + # Pods can be repaired by choosing the appropriate repair mode. + # Available options are: + # `deletePods` will delete failing Pods, such that the CNI Plugin can correctly configure them + # `none` will not perform any action for failing Pods + repairMode: "none" + # -- Log level for the CNI installer and plugin. 
+ logLevel: info + # -- Directory where the CNI config files reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. + cniNetDir: "/etc/cni/net.d" + # -- Directory where the CNI plugin binaries reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. + cniBinDir: "/opt/cni/bin" + # -- Namespaces for which this CNI plugin should not apply any modifications. + excludeNamespaces: + - kube-system +tests: + # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). + # If set to false, `helm test` will not run any tests. + enabled: false diff --git a/charts/airlock/microgateway/4.3.2/.helmignore b/charts/airlock/microgateway/4.3.2/.helmignore index 101ff5ac56..8561d28926 100644 --- a/charts/airlock/microgateway/4.3.2/.helmignore +++ b/charts/airlock/microgateway/4.3.2/.helmignore @@ -21,8 +21,7 @@ .idea/ *.tmproj .vscode/ -# CRDs kustomization.yaml -/crds/kustomization.yaml + # Helm unit tests /tests /validation diff --git a/charts/airlock/microgateway/4.3.2/Chart.yaml b/charts/airlock/microgateway/4.3.2/Chart.yaml index 63e5bc58d6..ea724bec37 100644 --- a/charts/airlock/microgateway/4.3.2/Chart.yaml +++ b/charts/airlock/microgateway/4.3.2/Chart.yaml 
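Review bot: `logLevel: info`, `pullPolicy: IfNotPresent` and `namespace: default` are the only string values in values.yaml left unquoted, while `installMode`, `repairMode`, `tag`, `digest` and both directory paths are quoted; quoting these three as well (`logLevel: "info"`) keeps the file uniformly protected against YAML retyping and matches the README table, which prints them as strings. The `.helmignore` hunk sharing this line is a trivial change and needs no comment.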
@@ -9,15 +9,15 @@ annotations: - name: Airlock Microgateway Forum url: https://forum.airlock.com/ catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/display-name: Airlock Microgateway CNI catalog.cattle.io/kube-version: '>=1.25.0-0' - catalog.cattle.io/release-name: microgateway - charts.openshift.io/name: Airlock Microgateway + catalog.cattle.io/release-name: microgateway-cni + charts.openshift.io/name: Airlock Microgateway CNI apiVersion: v2 appVersion: 4.3.2 -description: A Helm chart for deploying the Airlock Microgateway +description: A Helm chart for deploying the Airlock Microgateway CNI plugin home: https://www.airlock.com/en/microgateway -icon: file://assets/icons/microgateway.svg +icon: file://assets/icons/microgateway-cni.svg keywords: - WAF - Web Application Firewall @@ -30,14 +30,13 @@ keywords: - Filtering - DevSecOps - shift left -- control plane -- Operator +- CNI kubeVersion: '>=1.25.0-0' maintainers: - email: support@airlock.com name: Airlock url: https://www.airlock.com/ -name: microgateway +name: microgateway-cni sources: - https://github.com/airlock/microgateway type: application diff --git a/charts/airlock/microgateway/4.3.2/README.md b/charts/airlock/microgateway/4.3.2/README.md index ddb26273cf..583f3efa88 100644 --- a/charts/airlock/microgateway/4.3.2/README.md +++ b/charts/airlock/microgateway/4.3.2/README.md @@ -1,4 +1,4 @@ -# Airlock Microgateway +# Airlock Microgateway CNI ![Version: 4.3.2](https://img.shields.io/badge/Version-4.3.2-informational?style=flat-square) ![AppVersion: 4.3.2](https://img.shields.io/badge/AppVersion-4.3.2-informational?style=flat-square) 
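Review bot: Both Chart.yaml hunks rewrite the already-published operator chart at `charts/airlock/microgateway/4.3.2/` into the CNI chart (`name: microgateway` → `name: microgateway-cni`, with display name, release name, icon, description and keywords following), and the `.helmignore`, README and `crds/` deletions on the same path do likewise; this looks like the CNI 4.3.2 chart being packaged over the operator chart's directory rather than under `charts/airlock/microgateway-cni/4.3.2/`, where the 4.4.2 release in this same diff lives. If so, the directory name no longer matches the chart `name`, and a version consumers may already have installed changes content and loses its CRDs, which chart repositories normally treat as immutable. Suggest restoring `microgateway/4.3.2` untouched and adding the CNI chart under its own path, or dropping these hunks if 4.3.2 of the CNI chart is not meant to be republished.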
@@ -40,58 +40,43 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. ## Prerequisites -* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) -* [Airlock Microgateway License](#obtain-airlock-microgateway-license) -* [cert-manager](https://cert-manager.io/) * [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) -In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. -For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. -### Obtain Airlock Microgateway License -1. Either request a community or premium license - * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community) - * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium) -2. Check your inbox and save the license file microgateway-license.txt locally. - -> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. -### Deploy cert-manager -```bash -helm repo add jetstack https://charts.jetstack.io -helm install cert-manager jetstack/cert-manager --version '1.15.1' -n cert-manager --create-namespace --set crds.enabled=true --wait -``` - -## Deploy Airlock Microgateway Operator - -> This guide assumes a microgateway-license.txt file is present in the working directory. - -1. Install CRDs and Operator. +## Deploy Airlock Microgateway CNI +1. Install the CNI Plugin with Helm. + > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. 
For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni). ```bash - # Create namespace - kubectl create namespace airlock-microgateway-system - - # Install License - kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt - - # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) - helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.2' --wait + # Standard setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # GKE setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.2/deploy/charts/airlock-microgateway-cni/gke-values.yaml + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # OpenShift setup + helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.2/deploy/charts/airlock-microgateway-cni/openshift-values.yaml + kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni ``` + **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details). 2. 
(Recommended) You can verify the correctness of the installation with `helm test`. ```bash - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.2' - helm test airlock-microgateway -n airlock-microgateway-system --logs - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.2' + # Standard and GKE setup + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' + helm test airlock-microgateway-cni -n kube-system --logs + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' + ``` + ```bash + # OpenShift setup + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' + helm test airlock-microgateway-cni -n openshift-operators --logs + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' ``` -### Upgrading CRDs - -The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. -CRDs should instead be manually upgraded before upgrading the Operator itself via the following command: -```bash -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.2 --server-side --force-conflicts -``` - -**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts. 
+ Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error. ## Support 
@@ -104,61 +89,33 @@ For the community edition, check our **[Airlock community forum](https://forum.a | Key | Type | Default | Description | |-----|------|---------|-------------| +| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. | | commonAnnotations | object | `{}` | Annotations to add to all resources. | | commonLabels | object | `{}` | Labels to add to all resources. | -| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". | -| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. | -| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. | -| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. | -| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. | -| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. | -| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. | -| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. 
| -| engine.image.digest | string | `"sha256:8d42759d999e6b69efa9ef1ecfdc84dc1f8f6f1ca822c8d2d3ef8ff1e335b9c9"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. | -| engine.image.tag | string | `"4.3.2"` | Image tag to pull. | -| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. | -| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. | -| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. | +| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. | +| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. | +| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. | +| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. 
on OpenShift) or in `manual` mode, where no CNI network configuration is written. | +| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. | | fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| image.digest | string | `"sha256:ed5ec546a65f0ae0bc3e058aafc1d2aa4848996b9f415fe6232486934443b460"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. | +| image.tag | string | `"4.3.2"` | Image tag to pull. | | imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | -| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. | -| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". | -| networkValidator.image.digest | string | `"sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd"` | SHA256 image digest to pull (in the format "sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd"). Overrides tag when specified. | -| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| networkValidator.image.repository | string | `"cgr.dev/chainguard/netcat"` | Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. | -| networkValidator.image.tag | string | `""` | Image tag to pull. | -| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. | -| operator.config.logLevel | string | `"info"` | Operator application log level. 
| -| operator.image.digest | string | `"sha256:d22f2ca35603b805caa67dd07aba524c3e4d68c3b59f7ddfc0e22e7fc09a200c"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. | -| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. | -| operator.image.tag | string | `"4.3.2"` | Image tag to pull. | -| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. | -| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. | -| operator.podLabels | object | `{}` | Labels to add to all Pods. | -| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. | -| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. | -| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. | -| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | -| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | -| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | -| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. | -| operator.serviceLabels | object | `{}` | Labels to add to the Service. | -| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. | -| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. 
| -| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. | -| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. | -| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. | -| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. 
| -| sessionAgent.image.digest | string | `"sha256:d487f4099c267310debffe5d5cac168deeddf6082dafbee352550f2792b9609c"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. | -| sessionAgent.image.tag | string | `"4.3.2"` | Image tag to pull. | -| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. | +| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. | +| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. | +| podAnnotations | object | `{}` | Annotations to add to all Pods. | +| podLabels | object | `{}` | Labels to add to all Pods. | +| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). 
| +| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. | +| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. | +| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | | tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | ## License diff --git a/charts/airlock/microgateway/4.3.2/crds/accesscontrols.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/accesscontrols.microgateway.airlock.com.yaml deleted file mode 100644 index 056dd32d95..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/accesscontrols.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,124 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: accesscontrols.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: AccessControl - listKind: AccessControlList - plural: accesscontrols - singular: accesscontrol - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: AccessControl specifies the options to perform access control with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies how the Airlock Microgateway Engine performs access control. - properties: - policies: - description: Policies configures access control policies. - items: - properties: - authorization: - description: Authorization configures how requests are authorized. An empty object value {} disables authorization. - properties: - authentication: - description: Authentication specifies that clients need to be authenticated with the provided method. 
- properties: - oidc: - description: OIDC configures client authentication using OpenID Connect. - properties: - oidcRelyingPartyRef: - description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - oidcRelyingPartyRef - type: object - type: object - type: object - identityPropagation: - description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application. - properties: - actions: - description: Actions specifies the propagation actions. - items: - properties: - identityPropagationRef: - description: IdentityPropagationRef selects an IdentityPropagation to apply. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - identityPropagationRef - type: object - type: array - onFailure: - description: |- - OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values: - _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations. - enum: - - Pass - type: string - required: - - actions - - onFailure - type: object - required: - - authorization - type: object - maxItems: 1 - minItems: 1 - type: array - required: - - policies - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/contentsecurities.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/contentsecurities.microgateway.airlock.com.yaml deleted file mode 100644 index 6d6092e381..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/contentsecurities.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: contentsecurities.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: ContentSecurity - listKind: ContentSecurityList - plural: contentsecurities - singular: contentsecurity - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies the options to secure an upstream web application with a Microgateway Engine container. - properties: - apiProtection: - description: |- - APIProtection defines the relevant configurations to protect APIs. - If undefined, default settings are applied, designed to work with most upstream web application services. 
- properties: - graphQLRef: - description: |- - GraphQLRef selects the relevant GraphQL configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - openAPIRef: - description: |- - OpenAPIRef selects the relevant OpenAPI configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - filter: - description: |- - Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests - to protect against various attack patterns. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - denyRulesRef: - description: |- - DenyRulesRef selects the relevant DenyRules configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - headerRewritesRef: - description: |- - HeaderRewritesRef selects the relevant HeaderRewrites. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - limitsRef: - description: |- - LimitsRef selects the relevant Limits configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. 
- properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - parserRef: - description: |- - ParserRef selects the relevant Parser configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/denyrules.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/denyrules.microgateway.airlock.com.yaml deleted file mode 100644 index e54df2ee24..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/denyrules.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,1804 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: denyrules.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: DenyRules - listKind: DenyRulesList - plural: denyrules - singular: denyrules - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - DenyRules configures request filtering using Airlock built-in and custom deny rules. - Deny rules establish a negative security model. They define prohibited patterns which, when a match is found in a request, lead to it being blocked from reaching the upstream web application. - To handle possible false positives, lower the security level or define fine-granular deny rule exceptions - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired deny rules behavior. 
- properties: - request: - description: Request configures deny rules for downstream requests. - properties: - builtIn: - description: BuiltIn configures the built-in deny rules. - properties: - exceptions: - description: Exceptions allows to define exceptions for specific requests and deny rules. - items: - description: |- - DenyRulesException defines an exception for deny rules. Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked). - At least one of blockedData and requestConditions must be set. - properties: - blockedData: - description: BlockedData defines an exception based on the request data causing the block. - properties: - graphQL: - description: |- - GraphQL defines an exception based on a blocked GraphQL query. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - argument: - description: |- - Argument defines an argument of a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. 
- type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field defines a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of an argument of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - header: - description: |- - Header defines an exception based on a blocked header. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. 
Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: |- - JSON defines an exception based on a blocked JSON property. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - jsonPath: - description: |- - JSONPath defines the JSONPath pattern to match the path within the JSON. - Expressions in JSONPath i.e. `?(expr)` are not supported. - minLength: 1 - type: string - key: - description: |- - Key defines the key of the JSON property. - At most one of key and value can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. 
Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of the JSON property. - At most one of key and value can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". 
To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - parameter: - description: |- - Parameter defines an exception based on a blocked parameter. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - name: - description: Name defines the name of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". 
To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - source: - default: Any - description: Source defines the source of the parameter. - enum: - - Query - - Post - - Any - type: string - value: - description: Value defines the value of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - path: - description: |- - Path defines an exception based on the blocked path. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - pathSegment: - description: |- - PathSegment defines an exception based on a blocked path segment. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - segments: - description: Segments defines the position of a segment within the path. - properties: - index: - description: Index specifies an exact path segment position by index (0-based). - minimum: 0 - type: integer - type: object - value: - description: Value defines the value of a path segment. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. 
Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - type: object - requestConditions: - description: RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. 
Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - ruleKeys: - description: RuleKeys restricts the exception to a set of deny rules. - items: - description: |- - A deny rule name can be any of the following values: - ENCODING | - EXPLOIT | - HPP | - HTML | - IDOR | - LDAP | - NOSQL | - OGNL | - PHP | - PROTOCOL | - SANITY | - SCANNING | - SQL | - TEMPLATE | - UNIXCMD | - WINCMD | - XSS - enum: - - ENCODING - - EXPLOIT - - HPP - - HTML - - IDOR - - LDAP - - NOSQL - - OGNL - - PHP - - PROTOCOL - - SANITY - - SCANNING - - SQL - - TEMPLATE - - UNIXCMD - - WINCMD - - XSS - type: string - minItems: 1 - type: array - type: object - type: array - overrides: - description: Overrides allows to override the builtIn settings for specific deny rules. - items: - description: DenyRulesOverride allows to override the builtIn settings for specific deny rules. - properties: - conditions: - description: Conditions select which built-in deny rules' settings will be adjusted. - properties: - ruleKeys: - description: RuleKeys is a list of built-in deny rule names. 
- items: - description: |- - A deny rule name can be any of the following values: - ENCODING | - EXPLOIT | - HPP | - HTML | - IDOR | - LDAP | - NOSQL | - OGNL | - PHP | - PROTOCOL | - SANITY | - SCANNING | - SQL | - TEMPLATE | - UNIXCMD | - WINCMD | - XSS - enum: - - ENCODING - - EXPLOIT - - HPP - - HTML - - IDOR - - LDAP - - NOSQL - - OGNL - - PHP - - PROTOCOL - - SANITY - - SCANNING - - SQL - - TEMPLATE - - UNIXCMD - - WINCMD - - XSS - type: string - minItems: 1 - type: array - types: - description: Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules. - items: - description: |- - A deny rule override type name can be any of the following values: - Header | - Parameter | - Path | - JSON | - GraphQL - enum: - - Header - - Parameter - - Path - - PathSegment - - JSON - - GraphQL - type: string - minItems: 0 - type: array - type: object - settings: - description: Settings override the corresponding properties for the selected rules. - properties: - level: - description: Level specifies the filter strength. - enum: - - Unfiltered - - Basic - - Standard - - Strict - type: string - threatHandlingMode: - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: array - settings: - description: Settings contains the keys which will be adjusted. - properties: - level: - default: Standard - description: Level represents a set of deny rules with different filter strengths. - enum: - - Unfiltered - - Basic - - Standard - - Strict - type: string - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. - enum: - - Block - - LogOnly - type: string - type: object - type: object - custom: - description: Custom allows configuring additional deny rules. 
- properties: - rules: - description: Rules defines list of additional deny rules. - items: - properties: - blockData: - description: BlockData specifies the request data which should cause a block. - properties: - graphQL: - description: |- - GraphQL specifies to block requests containing a matching GraphQL property. - At least one of field, argument and value must be set. - properties: - argument: - description: |- - Argument defines an argument of a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field defines a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of an argument of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - header: - description: |- - Header specifies to block requests containing a matching header. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: |- - JSON specifies to block requests containing a matching JSON property in the body. 
- Only one of parameter, header, path, pathSegment or json can be set. - properties: - key: - description: Key defines the key of a JSON object. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a JSON object. - properties: - matcher: - description: StringMatcher defines the way to match a string. 
- properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - parameter: - description: |- - Parameter specifies to block requests containing a matching parameter. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. 
- properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - path: - description: |- - Path specifies to block requests with a matching path. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - matcher: - description: Matcher specifies which path to block. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - pathSegment: - description: |- - PathSegment specifies to block requests containing a matching path segment. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - segments: - description: |- - Segments restricts which path segments are filtered by this rule. - If not specified, all segments of a path are filtered. - properties: - index: - description: Index restricts the rule to the path segment at this index (0-based). - minimum: 0 - type: integer - type: object - value: - description: Value specifies which path segment values to block. 
- properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - required: - - value - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. - properties: - header: - description: Header defines the matching headers of a request. 
- properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. 
- properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. 
- type: boolean - required: - - cidrRanges - type: object - type: object - ruleKey: - description: RuleKey defines a technical key for the deny rule. Must be unique. - minLength: 1 - pattern: ^[A-Z][A-Z0-9_]*$ - type: string - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. - enum: - - Block - - LogOnly - type: string - required: - - blockData - - ruleKey - type: object - type: array - x-kubernetes-list-map-keys: - - ruleKey - x-kubernetes-list-type: map - type: object - type: object - type: object - type: object - served: true - storage: true - subresources: {}
diff --git a/charts/airlock/microgateway/4.3.2/crds/envoyclusters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/envoyclusters.microgateway.airlock.com.yaml
deleted file mode 100644
index f5f2572644..0000000000
--- a/charts/airlock/microgateway/4.3.2/crds/envoyclusters.microgateway.airlock.com.yaml
+++ /dev/null
@@ -1,58 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: envoyclusters.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyCluster - listKind: EnvoyClusterList - plural: envoyclusters - singular: envoycluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired additional Envoy cluster. - properties: - value: - description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: {} 
diff --git a/charts/airlock/microgateway/4.3.2/crds/envoyconfigurations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/envoyconfigurations.microgateway.airlock.com.yaml
deleted file mode 100644
index 9a26a34f4e..0000000000
--- a/charts/airlock/microgateway/4.3.2/crds/envoyconfigurations.microgateway.airlock.com.yaml
+++ /dev/null
@@ -1,185 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: envoyconfigurations.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyConfiguration - listKind: EnvoyConfigurationList - plural: envoyconfigurations - singular: envoyconfiguration - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - EnvoyConfiguration is the Schema for the envoyconfigurations API - {{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration - properties: - envoyResources: - properties: - clusters: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - endpoints: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - extensions: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - listeners: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - routes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - runtimes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - scopedRoutes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - secrets: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - envoyResourcesRaw: - description: |- - EnvoyResourcesRaw defines the desired state for each resource type. The resources are stored as zstd compressed JSON bytes. - For debugging purposes, the resources can be inspected with the following command: `kubectl get envoyconfiguration -ojsonpath='{.spec.envoyResourcesRaw}' | base64 -d | zstd -d | jq` - format: byte - type: string - nodeID: - description: '**Deprecated:** This field is now ignored as NodeID is always derived from the resource name.' - type: string - type: object - status: - description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration - properties: - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: A human-readable message indicating details about the transition. 
- type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of EnvoyConfiguration condition. - type: string - required: - - status - - type - type: object - type: array - status: - type: string - xds: - properties: - resourceTypes: - additionalProperties: - description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type - properties: - errorMessage: - description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client. - type: string - resources: - additionalProperties: - description: XdsResourceStatus defines the status of xDS for a specific resource - properties: - version: - description: Version defines the version which is currently served for this resource. - type: string - required: - - version - type: object - description: Resources defines the resources which are currently served for this resource type. - type: object - status: - description: Status defines the current sync status of this resource type. - type: string - version: - description: Version defines the version which is currently served for this resource type. - type: string - required: - - resources - - status - - version - type: object - description: ResourceTypes defines the sync statuses for each resource type. - type: object - version: - description: Version defines the version of the underlying xDS snapshot. - type: integer - required: - - version - type: object - required: - - status - - xds - type: object - type: object - served: true - storage: true - subresources: - status: {}
diff --git a/charts/airlock/microgateway/4.3.2/crds/envoyhttpfilters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/envoyhttpfilters.microgateway.airlock.com.yaml
deleted file mode 100644
index 0b963eeccd..0000000000
--- a/charts/airlock/microgateway/4.3.2/crds/envoyhttpfilters.microgateway.airlock.com.yaml
+++ /dev/null
@@ -1,58 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: envoyhttpfilters.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyHTTPFilter - listKind: EnvoyHTTPFilterList - plural: envoyhttpfilters - singular: envoyhttpfilter - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired additional Envoy HTTP filter. - properties: - value: - description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: {} 
diff --git a/charts/airlock/microgateway/4.3.2/crds/graphqls.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/graphqls.microgateway.airlock.com.yaml
deleted file mode 100644
index 5029d7e16a..0000000000
--- a/charts/airlock/microgateway/4.3.2/crds/graphqls.microgateway.airlock.com.yaml
+++ /dev/null
@@ -1,88 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: graphqls.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: GraphQL - listKind: GraphQLList - plural: graphqls - singular: graphql - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GraphQL contains the configuration for the GraphQL specification. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired GraphQL specification. - properties: - settings: - description: Settings defines the settings to configure GraphQL. - properties: - allowIntrospection: - default: true - description: AllowIntrospection specifies if the introspection system is exposed. - type: boolean - allowMutations: - default: true - description: AllowMutations specifies if mutations are allowed. - type: boolean - schema: - description: Specifies the GraphQL schema. - properties: - source: - description: Source specifies the GraphQL schema to be enforced. 
- properties: - configMapRef: - description: ConfigMapRef references the configmap by its name containing the well-known key 'schema.graphql'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - required: - - source - type: object - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: object - served: true - storage: true
diff --git a/charts/airlock/microgateway/4.3.2/crds/headerrewrites.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/headerrewrites.microgateway.airlock.com.yaml
deleted file mode 100644
index 166db49b7e..0000000000
--- a/charts/airlock/microgateway/4.3.2/crds/headerrewrites.microgateway.airlock.com.yaml
+++ /dev/null
@@ -1,759 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: headerrewrites.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: HeaderRewrites - listKind: HeaderRewritesList - plural: headerrewrites - singular: headerrewrites - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: HeaderRewrites is the Schema for the headerrewrites API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired header rewriting behavior. - properties: - request: - description: Request defines manipulations on upstream request headers. - properties: - add: - description: Add defines which request headers will be added before forwarding to the upstream. - properties: - custom: - description: |- - Custom allows configuring additional upstream request headers. - Add selected headers. - items: - properties: - headers: - description: Headers to add. 
- items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which request headers will be forwarded to the upstream. - This can either be allHeaders or matchingHeaders. - Default: matchingHeaders: {...} - properties: - allHeaders: - description: AllHeaders specifies that all request headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which request headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - standardHeaders: - default: true - description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. 
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which request headers will be removed before forwarding to the upstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. 
- properties: - alternativeForwardedHeaders: - default: true - description: |- - AlternativeForwardedHeaders removes downstream request headers which could potentially - be abused to alter the upstream's view of the remote connection. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - response: - description: Response defines manipulations on upstream response headers. - properties: - add: - description: Add defines which response headers will be added before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - csp: - default: true - description: |- - CSP sets a content security policy which allows only same-origin requests except for images - if the 'Content-Security-Policy' header is not set by the upstream. - type: boolean - featurePolicy: - default: false - description: |- - FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features - if the 'Feature-Policy' header is not set by the upstream. - **Deprecated:** Use permissionsPolicy instead. - type: boolean - hsts: - default: true - description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream. - type: boolean - hstsPreload: - default: false - description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload. - type: boolean - permissionsPolicy: - default: true - description: |- - PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features - if the 'Permissions-Policy' header is not set by the upstream. 
- type: boolean - referrerPolicy: - default: true - description: |- - ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests - if the 'Referrer-Policy' header is not set by the upstream. - type: boolean - xContentTypeOptions: - default: true - description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream. - type: boolean - xFrameOptions: - default: true - description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which response headers will be forwarded to the downstream. - This can either be allHeaders or matchingHeaders. - Default: allHeaders: {} - properties: - allHeaders: - description: AllHeaders specifies that all response headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which response headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response header. 
- properties: - standardHeaders: - default: false - description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. 
Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which response headers will be removed before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - auth: - description: Auth defines the categories of headers concerning authentication. - properties: - basic: - default: false - description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication. - type: boolean - negotiate: - default: true - description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate. - type: boolean - ntlm: - default: true - description: |- - NTLM removes upstream response headers that advise clients to authenticate with NTLM. - By default, these headers are removed, because NTLM pass-through is not supported. - type: boolean - type: object - informationLeakage: - description: InformationLeakage defines the categories of headers concerning information leakage. - properties: - application: - default: true - description: Application removes upstream response headers that leak information about the deployed software. - type: boolean - server: - default: true - description: Server removes upstream response headers that leak information about the server. - type: boolean - type: object - permissiveCors: - default: true - description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. 
- type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured remove operation. Must be unique. 
- minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - settings: - description: Settings configures the HeaderRewrites filter. - properties: - operationalMode: - default: Production - description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. - enum: - - Production - - Integration - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/identitypropagations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/identitypropagations.microgateway.airlock.com.yaml deleted file mode 100644 index e01a242b16..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/identitypropagations.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: identitypropagations.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: IdentityPropagation - listKind: IdentityPropagationList - plural: identitypropagations - singular: identitypropagation - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IdentityPropagation specifies the desired identity propagation. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired identity propagation. - properties: - header: - description: Header configures identity propagation via a request header. - properties: - name: - description: Name of the header to set. - minLength: 1 - type: string - value: - description: Value to propagate to the application. - properties: - source: - description: Source from which to extract the value. 
- properties: - metadata: - description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key. - properties: - key: - description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`. - minLength: 1 - type: string - namespace: - description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`. - minLength: 1 - type: string - required: - - key - - namespace - type: object - oidc: - description: OIDC specifies to extract a value from the result of an OpenID Connect flow. - properties: - idToken: - description: IDToken specifies to extract the value from the OpenID Connect ID Token. - properties: - claim: - description: Claim selects the JWT claim from which to extract the value. - minLength: 1 - type: string - required: - - claim - type: object - required: - - idToken - type: object - type: object - required: - - source - type: object - required: - - name - - value - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/limits.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/limits.microgateway.airlock.com.yaml deleted file mode 100644 index 4dad85aaf3..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/limits.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,651 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: limits.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Limits - listKind: LimitsList - plural: limits - singular: limits - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Limits contains the configuration for limits. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired limits behavior. - properties: - request: - description: Request defines the limits for requests. - properties: - limited: - description: Limited enables limits on request scope. - properties: - exceptions: - description: Exceptions defines limit exceptions. - items: - description: LimitsException defines an exception for limits. - properties: - length: - description: Length defines an exception for length limits based on the data element exceeding the limit. - properties: - graphQL: - description: GraphQL defines a field, argument or value length limit exception for a GraphQL query. 
- properties: - argument: - description: |- - Argument restricts the exception to GraphQL queries with a matching argument of a field. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field restricts the exception to GraphQL queries with a matching field. 
- At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value restricts the exception to GraphQL queries with a matching argument value. - At least one of field, argument and value must be set. 
- properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: JSON defines a key and value length limit exception for a JSON property. - properties: - jsonPath: - description: |- - JSONPath restricts the exception to JSON properties with a matching JSONPath. - Expressions in JSONPath i.e. `?(expr)` are not supported. 
- minLength: 1 - type: string - required: - - jsonPath - type: object - parameter: - description: Parameter defines a name and value length limit exception for a parameter. - properties: - name: - description: Name restricts the exception to parameters with a matching name. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - type: object - required: - - matcher - type: object - source: - default: Any - description: Source restricts the exception to parameters of this kind. - enum: - - Query - - Post - - Any - type: string - required: - - name - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this exception to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. 
Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - type: object - type: array - general: - description: General defines general request limits. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Mi - description: BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective for any request not processed by one of the content parsers (e.g. json) as configured in the Parser CRD. **Note** This limit does not apply to WebSocket or gRPC traffic. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - pathLength: - anyOf: - - type: integer - - type: string - default: 1Ki - description: PathLength defines the maximum path length for all requests (parsed and unparsed). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - graphQL: - description: GraphQL defines the limits for GraphQL requests. - properties: - nestingDepth: - default: 10 - description: NestingDepth defines the maximum depth of nesting for GraphQL objects. 
- format: int64 - type: integer - querySize: - anyOf: - - type: integer - - type: string - default: 1Ki - description: QuerySize defines the maximum size for GraphQL queries. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - valueLength: - anyOf: - - type: integer - - type: string - default: "256" - description: ValueLength defines the maximum length for GraphQL values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - json: - description: JSON defines the limits for JSON requests. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Ki - description: BodySize limits the total size of the JSON request body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - elementCount: - default: 10000 - description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive). - format: int64 - type: integer - keyCount: - default: 250 - description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive). - format: int64 - type: integer - keyLength: - anyOf: - - type: integer - - type: string - default: "128" - description: KeyLength defines the maximum length for JSON keys. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - nestingDepth: - default: 100 - description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays. 
- format: int64 - type: integer - valueLength: - anyOf: - - type: integer - - type: string - default: 8Ki - description: ValueLength defines the maximum length for JSON values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - multipart: - description: Multipart defines the limits for Multipart requests. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Mi - description: BodySize limits the total size of the Multipart request body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - parameter: - description: Parameter defines the limits for request parameters. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Ki - description: BodySize limits the total size of the form data body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - count: - default: 128 - description: Count defines the maximum number of request parameters. - format: int64 - type: integer - nameLength: - anyOf: - - type: integer - - type: string - default: "128" - description: NameLength defines the maximum length for parameter names. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - valueLength: - anyOf: - - type: integer - - type: string - default: 8Ki - description: ValueLength defines the maximum length for parameter values. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - unlimited: - description: Unlimited disables all limits on request scope. - type: object - type: object - settings: - description: Settings configures the limits filter. - properties: - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a limit hits. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/oidcproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/oidcproviders.microgateway.airlock.com.yaml deleted file mode 100644 index 7d2ef8e9e7..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/oidcproviders.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,305 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: oidcproviders.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OIDCProvider - listKind: OIDCProviderList - plural: oidcproviders - singular: oidcprovider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - OIDCProvider specifies an OpenID Provider (OP). - - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - Sessions are always shared across all Microgateway Engines using the same Redis instance. - I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A - may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. - - - {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of an OpenID Provider. - properties: - static: - description: Static configures an OpenID Provider by explicitly specifying all endpoints. - properties: - endpoints: - description: Endpoints specifies the OpenID Provider endpoints. - properties: - authorization: - description: Authorization specifies the endpoint to which the authorization request is sent. - properties: - uri: - description: URI specifies the endpoint address. - format: uri - minLength: 1 - pattern: ^(http|https)://.*$ - type: string - required: - - uri - type: object - token: - description: Token configures the endpoint from which the access, ID and refresh tokens are obtained. - properties: - tls: - description: TLS defines TLS settings. - properties: - certificateVerification: - description: CertificateVerification specifies how the certificate presented by the server is verified. - properties: - custom: - description: |- - Custom explicitly specifies how the server certificate should be verified. - Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key. - properties: - allowedSANs: - description: |- - AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. 
The matching uses “any” semantics, - that is to say, the SAN is verified if at least one matcher is matched. - AllowedSANs requires trustedCA to be set. - items: - description: |- - TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. - properties: - matcher: - description: Matcher defines the string matcher for the SAN value. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - sanType: - description: SanType defines the type of SAN matcher. - enum: - - DNS - - Email - - URI - - IPAddress - type: string - required: - - matcher - - sanType - type: object - minItems: 1 - type: array - certificatePinning: - description: |- - CertificatePinning defines constraints the presented certificate must fulfill. - If more than one constraint is configured only one must be satisfied. - At least one of allowedSPKIs and allowedHashes must be set. - properties: - allowedHashes: - description: |- - AllowedHashes is a list of hex-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - allowedSPKIs: - description: |- - AllowedSPKIs is a list of base64-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - type: object - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. 
- enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - type: object - disabled: - description: |- - Disabled specifies to trust any certificate without verification. - THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. - type: object - publicCAs: - description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image. - type: object - type: object - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. 
- enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - type: object - uri: - description: URI specifies the endpoint address. - format: uri - minLength: 1 - pattern: ^(http|https)://.*$ - type: string - required: - - uri - type: object - required: - - authorization - - token - type: object - required: - - endpoints - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/oidcrelyingparties.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/oidcrelyingparties.microgateway.airlock.com.yaml deleted file mode 100644 index b1cba83b16..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/oidcrelyingparties.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,224 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: oidcrelyingparties.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OIDCRelyingParty - listKind: OIDCRelyingPartyList - plural: oidcrelyingparties - singular: oidcrelyingparty - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP). - - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - Sessions are always shared across all Microgateway Engines using the same Redis instance. - I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A - may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. - - - {{% /notice %}} - {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the OIDC Relying Party configuration. - properties: - clientID: - description: ClientID specifies the OIDCRelyingParty "client_id". - minLength: 1 - type: string - credentials: - description: Credentials used for client authentication on the back-channel with the authorization server. - properties: - clientSecret: - description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP). - properties: - method: - default: BasicAuth - description: Method specifies in which format the client secret is sent with the authorization request. - enum: - - BasicAuth - - FormURLEncoded - type: string - secretRef: - description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret". - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - required: - - clientSecret - type: object - oidcProviderRef: - description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - pathMapping: - description: PathMapping configures the action matching. 
- properties: - logoutPath: - description: LogoutPath specifies which request paths should initiate a logout. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - redirectPath: - description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint. 
- properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - required: - - logoutPath - - redirectPath - type: object - redirectURI: - description: |- - RedirectURI configures the "redirect_uri" parameter included in the authorization request. - May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'. 
- minLength: 1 - type: string - required: - - clientID - - credentials - - oidcProviderRef - - pathMapping - - redirectURI - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/openapis.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/openapis.microgateway.airlock.com.yaml deleted file mode 100644 index 7ba7160c52..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/openapis.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,167 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: openapis.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OpenAPI - listKind: OpenAPIList - plural: openapis - singular: openapi - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: OpenAPI contains the configuration for the OpenAPI specification. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired OpenAPI specification. - properties: - response: - description: Response defines the validation behaviour for responses. - properties: - secured: - description: Secured enables response checking. - properties: - validation: - default: Lax - description: Validation defines the validation mode for responses. - enum: - - Lax - - Strict - type: string - type: object - unsecured: - description: Unsecured disables response checking. - type: object - type: object - settings: - description: Settings defines the settings to configure OpenAPI specification enforcement. 
- properties: - logging: - description: Logging specifies the access log behavior. - properties: - maxFailedSubvalidations: - default: 10 - description: MaxFailedSubvalidations defines the maximum number of failed subvalidations being logged. - format: int64 - type: integer - type: object - schema: - description: Schema configures the OpenAPI specification. - properties: - source: - description: Source specifies the OpenAPI specification to be enforced. - properties: - configMapRef: - description: ConfigMapRef references the configmap by its name containing the well-known key 'openapi.json'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - required: - - source - type: object - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - validation: - description: Validation specifies the patterns for the validation behavior. - properties: - authentication: - description: Authentication defines the settings for the authentication scheme. - properties: - oAuth2: - description: OAuth2 specifies the OAuth2 parameters. - properties: - allowedParameters: - description: AllowedParameters specifies the allowed parameters for the authentication scheme. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined allowed parameters. - properties: - standardParameters: - default: true - description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. - type: boolean - type: object - custom: - description: Custom allows configuring additional allowed parameters. - items: - minLength: 1 - type: string - minItems: 1 - type: array - type: object - type: object - oidc: - description: Oidc specifies the OIDC parameters. 
- properties: - allowedParameters: - description: AllowedParameters specifies the allowed parameters for the authentication scheme. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined allowed parameters. - properties: - standardParameters: - default: true - description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. - type: boolean - type: object - custom: - description: Custom allows configuring additional allowed parameters. - items: - minLength: 1 - type: string - minItems: 1 - type: array - type: object - type: object - type: object - type: object - required: - - schema - type: object - required: - - settings - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/parsers.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/parsers.microgateway.airlock.com.yaml deleted file mode 100644 index b3d51efe6b..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/parsers.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,358 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: parsers.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Parser - listKind: ParserList - plural: parsers - singular: parser - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Parser contains the configuration for content parsers (default and custom). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired parser behavior. - properties: - request: - description: Request defines the parsing for downstream requests. - properties: - custom: - description: Custom allows configuring additional rules for parser selection. - properties: - rules: - description: |- - Rules defines a custom set prepended before built-in rules of enabled request parsers. - Disable all built-in parsers to overrule them completely. - items: - properties: - action: - description: |- - Action specifies what should happen when a request condition matches. - Only one of parse or skip can be set. 
- properties: - parse: - description: Parse activates the configured parser. - properties: - form: - description: Form activates the Form parser. - type: object - json: - description: JSON activates the JSON parser. - type: object - multipart: - description: Multipart activates the multipart parser. - type: object - type: object - skip: - description: Skip disables any content parsing - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. 
- minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. 
- Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - required: - - action - - requestConditions - type: object - type: array - type: object - defaultContentType: - default: application/x-www-form-urlencoded - description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body. - minLength: 1 - type: string - parsers: - description: Parsers defines the configuration for the available content parsers. - properties: - form: - description: Form defines the configuration for the form parser. - properties: - enable: - default: true - description: Enable defines whether form payloads are inspected. - type: boolean - mediaTypePattern: - default: .*urlencoded.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments. - minLength: 1 - type: string - type: object - json: - description: JSON defines the configuration for the JSON parser. - properties: - enable: - default: true - description: Enable defines whether json payloads are inspected. - type: boolean - mediaTypePattern: - default: .*json.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON. 
- minLength: 1 - type: string - type: object - multipart: - description: Multipart defines the configuration for the multipart parser. - properties: - enable: - default: true - description: Enable defines whether multipart payloads are inspected. - type: boolean - mediaTypePattern: - default: .*multipart.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload. - minLength: 1 - type: string - type: object - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/redisproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/redisproviders.microgateway.airlock.com.yaml deleted file mode 100644 index 32a23cbc11..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/redisproviders.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: redisproviders.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: RedisProvider - listKind: RedisProviderList - plural: redisproviders - singular: redisprovider - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RedisProvider contains a client configuration for connecting to a Redis database. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of a Redis database client configuration. - properties: - auth: - description: Auth specifies the Redis credentials. - properties: - password: - description: Password specifies the Redis password. - properties: - secretRef: - description: SecretRef selects the secret containing the Redis password under the key 'redis.password'. 
- properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - username: - default: default - description: Username specifies the Redis username to authenticate with. - minLength: 1 - pattern: ^[^\s]+$ - type: string - required: - - password - type: object - mode: - description: Mode configures the redis deployment mode. - properties: - standalone: - description: Standalone specifies the standalone Redis instance to connect to. - properties: - host: - description: Host specifies the IP or hostname. - minLength: 1 - pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$ - type: string - port: - default: 6379 - description: Port specifies the port. - maximum: 65535 - minimum: 1 - type: integer - required: - - host - type: object - type: object - timeouts: - description: Timeouts specifies the timeouts when interacting with the Redis endpoint. - properties: - connect: - default: 5s - description: Connect specifies the timeout for establishing a connection. - type: string - maxDuration: - default: 2s - description: MaxDuration specifies the response timeout. - type: string - type: object - tls: - description: TLS defines TLS settings. If not specified, TLS is disabled i.e. unencrypted TCP is used when connecting to the Redis instance. - properties: - certificateVerification: - description: CertificateVerification specifies how the certificate presented by the server is verified. - properties: - custom: - description: Custom explicitly specifies how the server certificate should be verified. - properties: - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. 
- items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - required: - - certificates - type: object - required: - - trustedCA - type: object - disabled: - description: 'Disabled specifies to trust any certificate without verification. THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. Note: This setting currently also disables TLS SNI.' - type: object - publicCAs: - description: PublicCAs specifies to only accept certificates with a SAN matching the host and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Session Agent’s base image. - type: object - type: object - type: object - required: - - mode - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/sessionhandlings.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/sessionhandlings.microgateway.airlock.com.yaml deleted file mode 100644 index da22e63a57..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/sessionhandlings.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: sessionhandlings.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: SessionHandling - listKind: SessionHandlingList - plural: sessionhandlings - singular: sessionhandling - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - SessionHandling contains the configuration for session handling. - - - {{% notice warning %}} The Session Handling feature (required for OIDC) is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as high-availability Redis configurations (e.g. Sentinel/Cluster) are not yet supported. - {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired session handling behavior. - properties: - persistence: - description: Persistence configures where to store the session state. 
- properties: - redisProviderRef: - description: RedisProviderRef specifies to cache session information in the provided Redis instance. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - redisProviderRef - type: object - required: - - persistence - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/sidecargateways.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/sidecargateways.microgateway.airlock.com.yaml deleted file mode 100644 index c9ec220a86..0000000000 --- a/charts/airlock/microgateway/4.3.2/crds/sidecargateways.microgateway.airlock.com.yaml +++ /dev/null 
@@ -1,758 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: sidecargateways.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: SidecarGateway - listKind: SidecarGatewayList - plural: sidecargateways - singular: sidecargateway - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired sidecar gateway behavior. - properties: - applications: - description: Applications defines applications which run on different ports. - items: - properties: - containerPort: - default: 8080 - description: |- - ContainerPort refers to the container port. - This must be a valid port number, 0 < x < 65536. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - downstream: - description: Downstream defines the downstream configuration for this application - properties: - protocol: - description: |- - Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set. - Default: auto: {} - properties: - auto: - description: Auto specifies that the protocol should be inferred. - properties: - http2: - description: HTTP2 specifies the settings for when HTTP/2 is inferred. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - http1: - description: HTTP1 specifies that the client is assumed to speak HTTP/1.1. - type: object - http2: - description: HTTP2 specifies that the client is assumed to speak HTTP/2. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - remoteIP: - description: |- - RemoteIP defines how the remote IP of a client is propagated. - Default: xff: {...} - properties: - connectionIP: - description: ConnectionIP configures to use the source IP address of the direct downstream connection. - type: object - customHeader: - description: CustomHeader specifies to use a custom header for remote IP extraction. - properties: - headerName: - description: HeaderName specifies the name of the custom header containing the remote IP. - minLength: 1 - type: string - required: - default: true - description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403. - type: boolean - required: - - headerName - type: object - xff: - description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction. 
- properties: - numTrustedHops: - default: 1 - description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry. - format: int32 - minimum: 1 - type: integer - type: object - type: object - requestNormalizations: - description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching. - properties: - mergeSlashes: - default: true - description: MergeSlashes ensures that adjacent slashes in the path are merged into one. - type: boolean - normalizePath: - default: true - description: NormalizePath ensures normalization according to RFC 3986 without case normalization. - type: boolean - type: object - restrictions: - description: Restrictions defines restrictions for downstream. - properties: - http: - description: HTTP defines limits for the HTTP protocol. - properties: - headersLength: - anyOf: - - type: integer - - type: string - default: 60Ki - description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - timeouts: - description: Timeouts defines timeouts for downstream - properties: - http: - description: HTTP defines the settings for HTTP timeouts. - properties: - idle: - default: 5m - description: |- - Idle defines the settings for the idle timeout when no data is sent or received. - A value of 0 will completely disable the timeout. - Default: 5m - type: string - maxDuration: - default: 5m - description: |- - MaxDuration defines the total duration for a HTTP request/response stream. - A value of 0 will completely disable the timeout. 
- Default: 5m - type: string - requestHeaders: - default: 10s - description: |- - RequestHeaders defines the duration before all request headers must be received. - A value of 0 will completely disable the timeout. - Default: 10s - type: string - type: object - type: object - tls: - description: TLS defines the TLS settings. - properties: - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - clientCertificate: - description: |- - ClientCertificate defines the TLS settings for verification of client certificates. - At most one of ignored, optional and required can be set. - Default: ignored: {} - properties: - ignored: - description: Ignored disables verification of the client certificate. - type: object - optional: - description: |- - Optional enables verification of the client certificate if one is presented. - In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate. - properties: - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. 
- enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - required: - - trustedCA - type: object - required: - description: |- - Required contains settings for client certificate verification. A client must present a valid certificate. - At least one of trustedCA and certificatePinning must be set. - properties: - allowedSANs: - description: |- - AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, - that is to say, the SAN is verified if at least one matcher is matched. - AllowedSANs requires trustedCA to be set. - items: - description: |- - TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. - properties: - matcher: - description: Matcher defines the string matcher for the SAN value. 
- properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - sanType: - description: SanType defines the type of SAN matcher. - enum: - - DNS - - Email - - URI - - IPAddress - type: string - required: - - matcher - - sanType - type: object - minItems: 1 - type: array - certificatePinning: - description: |- - CertificatePinning defines the constraints a client certificate must fulfill. - If more than one constraint is configured only one must be satisfied. 
- At least one of allowedSPKIs and allowedHashes must be set. - properties: - allowedHashes: - description: |- - AllowedHashes is a list of hex-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - allowedSPKIs: - description: |- - AllowedSPKIs is a list of base64-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - type: object - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. 
- properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - type: object - type: object - enable: - default: false - description: Enable defines if the downstream connection is encrypted. - type: boolean - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - secretRef: - description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls). - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - xfcc: - description: |- - XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values: - _Sanitize_: Do not send the XFCC header to the next hop. This is the default value. - _ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request. - _AppendAndForward_: When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. - _SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. 
- _AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS. - Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http) - enum: - - Sanitize - - ForwardOnly - - AppendAndForward - - SanitizeAndSet - - AlwaysForwardOnly - type: string - type: object - type: object - envoyHTTPFilterRefs: - description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters. - properties: - prepend: - description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway. - items: - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - routes: - description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies. - items: - description: |- - SidecarGatewayApplicationRoute defines the security configurations for different paths. - At most one of secured and unsecured can be set. - Default: secured: {...} - properties: - pathPrefix: - default: / - description: PathPrefix defines the path prefix used during route selection. - minLength: 1 - type: string - secured: - description: Secured enables WAF processing for this route. - properties: - accessControlRef: - description: |- - AccessControlRef selects the relevant AccessControl configuration resource. - If undefined, Airlock Microgateway does not perform any access control. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - contentSecurityRef: - description: |- - ContentSecurityRef selects the relevant ContentSecurity configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. 
- properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - unsecured: - description: |- - Unsecured disables all WAF functionality and therefore protection for this route. - WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged. - type: object - type: object - type: array - x-kubernetes-list-map-keys: - - pathPrefix - x-kubernetes-list-type: map - telemetryRef: - description: |- - TelemetryRef selects the relevant Telemetry configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - upstream: - description: Upstream defines the upstream configuration for this application - properties: - protocol: - description: |- - Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set. - Default: auto: {} - properties: - auto: - description: Auto specifies to negotiate the protocol with TLS ALPN (if TLS is enabled) or, as a fallback, use the same protocol that is used by the downstream connection. - properties: - http2: - description: HTTP2 specifies the settings for when HTTP/2 is inferred. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - http1: - description: HTTP1 specifies to use HTTP/1.1. - type: object - http2: - description: HTTP2 specifies to use HTTP/2. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - timeouts: - description: Timeouts defines the timeout settings. 
- properties: - http: - description: HTTP defines the settings for HTTP timeouts. - properties: - idle: - description: |- - Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited. - A value of 0 will completely disable the timeout. - type: string - maxDuration: - default: 15s - description: |- - MaxDuration defines the total duration for a HTTP request/response stream. - Default: 15s - type: string - type: object - type: object - tls: - description: TLS defines the TLS settings. - properties: - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - enable: - default: false - description: Enable defines if the upstream connection is encrypted. - type: boolean - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - type: object - type: object - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - containerPort - x-kubernetes-list-type: map - envoyClusterRefs: - description: EnvoyClusterRefs selects the relevant EnvoyClusters. - items: - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - podSelector: - description: PodSelector defines to which Pods the configuration will be applied to. 
- properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels. - type: object - type: object - sessionHandlingRef: - description: SessionHandlingRef selects the SessionHandling configuration to apply. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - applications - type: object - status: - description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date. - properties: - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: A human-readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of SidecarGateway condition. - type: string - required: - - status - - type - type: object - type: array - pods: - items: - properties: - envoyConfig: - description: EnvoyConfig indicates the name of the EnvoyConfig CR for the Pod. - type: string - name: - description: Name indicates the name of a Pod selected by the SidecarGateway. - type: string - sessionAgentSecret: - type: string - required: - - name - type: object - type: array - status: - type: string - unmanagedPods: - items: - properties: - managedBy: - description: ManagedBy indicates the Airlock Microgateway Operator instance which manages this Pod. - type: string - name: - description: Name indicates the name of a Pod selected by the SidecarGateway. 
- type: string - sessionAgentSecret: - type: string - required: - - name - type: object - type: array - required: - - status - type: object - type: object - served: true - storage: true - subresources: - status: {}
diff --git a/charts/airlock/microgateway/4.3.2/crds/telemetries.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/telemetries.microgateway.airlock.com.yaml
deleted file mode 100644
index 47d03cd4cd..0000000000
--- a/charts/airlock/microgateway/4.3.2/crds/telemetries.microgateway.airlock.com.yaml
+++ /dev/null
@@ -1,96 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.2 - name: telemetries.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Telemetry - listKind: TelemetryList - plural: telemetries - singular: telemetry - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Telemetry contains the configuration for telemetry (logging, metrics & tracing). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired telemetry behavior. - properties: - correlation: - description: Correlation defines the correlation aspects of Telemetry. - properties: - idSource: - description: IDSource specifies how an external correlation ID should be obtained for a request. If not specified, no correlation ID will be logged. - properties: - header: - description: Header specifies to extract the correlation ID from a request header. If the header is absent from a request, no correlation ID will be logged. 
- properties: - name: - default: X-Correlation-Id - description: Name of the header (case-insensitive) from which to extract the correlation ID. - minLength: 1 - type: string - type: object - required: - - header - type: object - request: - description: Request defines the request related correlation settings of Telemetry. - properties: - allowDownstreamRequestID: - default: true - description: AllowDownstreamRequestID defines whether trace sampling will consider a provided x-request-id. - type: boolean - alterRequestID: - default: true - description: AlterRequestID defines whether to alter the UUID to reflect the trace sampling decision. If disabled no modification to the UUID will be performed, this may break tracing in the upstream. - type: boolean - type: object - type: object - logging: - description: Logging defines the logging aspects of Telemetry. - properties: - accessLog: - description: AccessLog defines the access log settings of Telemetry. - properties: - format: - description: Format defines the Access Log format of the sidecar. - properties: - json: - description: JSON defines the Access Log format as JSON. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - type: object - type: object - served: true - storage: true
diff --git a/charts/airlock/microgateway/4.3.2/dashboards/blockLogs.json b/charts/airlock/microgateway/4.3.2/dashboards/blockLogs.json
deleted file mode 100644
index ef0ce6d624..0000000000
--- a/charts/airlock/microgateway/4.3.2/dashboards/blockLogs.json
+++ /dev/null
@@ -1,510 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_LOKI", - "label": "Loki", - "description": "", - "type": "datasource", - "pluginId": "loki", - "pluginName": "Loki" - }, - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "loki", - "name": "Loki", - "version": "1.0.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "table", - "name": "Table", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "description": "Blocked requests by Airlock Microgateway retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace and block type. 
Column filters on the table allow for even a more granular filtering of the logs.", - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "custom": { - "align": "auto", - "cellOptions": { - "type": "auto" - }, - "filterable": true, - "inspect": true - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "Namespace" - }, - "properties": [ - { - "id": "custom.width", - "value": 221 - }, - { - "id": "custom.filterable" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Timestamp" - }, - "properties": [ - { - "id": "custom.width", - "value": 214 - }, - { - "id": "unit", - "value": "dateTimeAsIso" - }, - { - "id": "custom.filterable" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Method" - }, - "properties": [ - { - "id": "custom.width", - "value": 89 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Client IP" - }, - "properties": [ - { - "id": "custom.width", - "value": 138 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Request ID" - }, - "properties": [ - { - "id": "custom.width", - "value": 328 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Block Type" - }, - "properties": [ - { - "id": "custom.width", - "value": 116 - }, - { - "id": "custom.filterable", - "value": false - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Request Size" - }, - "properties": [ - { - 
"id": "custom.width", - "value": 126 - }, - { - "id": "unit", - "value": "bytes" - }, - { - "id": "custom.align", - "value": "right" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Attack Type" - }, - "properties": [ - { - "id": "custom.width", - "value": 217 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Application" - }, - "properties": [ - { - "id": "custom.width", - "value": 207 - } - ] - } - ] - }, - "gridPos": { - "h": 27, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 2, - "options": { - "cellHeight": "sm", - "footer": { - "countRows": false, - "enablePagination": true, - "fields": "", - "reducer": [ - "sum" - ], - "show": false - }, - "showHeader": true, - "sortBy": [] - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_deny_rule\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.deny_rules.matches\"\n| label_format block_type=\"deny_rules\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule_key }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Deny Rule Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_limit\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.limits.matches\"\n| label_format block_type=\"limits\", 
attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Limit Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_openapi\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.openapi.reference\", constraint=\"airlock.openapi.request.failed_validation.constraint\", position=\"airlock.openapi.request.failed_validation.position\", message=\"airlock.openapi.request.failed_validation.message\"\n| label_format block_type=\"openapi\", attack_type=\"openapi\", details=`{{.reference }}: {{.constraint }} at {{ .position }} ({{ .message }})` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "OpenAPI Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_parser\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", attack_type=\"airlock.parser\", failed_check=\"airlock.parser.matches[0].failed_check\", message=\"airlock.parser.matches[0].message\"\n| label_format block_type=\"parsing\", attack_type=\"parsing\", details=`{{.failed_check}}: {{.message}}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Parser Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - 
"expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_graphql\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.graphql.reference\", message=\"airlock.graphql.request.failed_validation.message\"\n| label_format block_type=\"graphql\", attack_type=\"graphql\", details=`{{ .reference }}: {{ .message }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "GraphQL Blocks" - } - ], - "title": "Blocked Request logs", - "transformations": [ - { - "id": "merge", - "options": {} - }, - { - "id": "extractFields", - "options": { - "format": "json", - "source": "labels" - } - }, - { - "id": "filterFieldsByName", - "options": { - "byVariable": false, - "include": { - "names": [ - "Time", - "attack_type", - "block_type", - "client_ip", - "details", - "http_method", - "namespace", - "request_id", - "request_size", - "url", - "pod" - ] - } - } - }, - { - "id": "organize", - "options": { - "excludeByName": { - "Line": true, - "id": true, - "labelTypes": true, - "labels": true, - "tsNs": false - }, - "includeByName": {}, - "indexByName": { - "Time": 0, - "attack_type": 7, - "block_type": 6, - "client_ip": 9, - "details": 8, - "http_method": 3, - "namespace": 1, - "pod": 2, - "request_id": 10, - "request_size": 5, - "url": 4 - }, - "renameByName": { - "Time": "Timestamp", - "attack_type": "Attack Type", - "block_type": "Block Type", - "client_ip": "Client IP", - "details": "Details", - "http_method": "Method", - "namespace": "Namespace", - "pod": "Pod", - "request_id": "Request ID", - "request_size": "Request Size", - "tsNs": "", - "url": "Path" - } - } - } - ], - "type": "table" - } - ], - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - 
"text": "Loki", - "value": "P8E80F9AEF21F6940" - }, - "hide": 2, - "includeAll": false, - "label": "DS_LOKI", - "multi": false, - "name": "DS_LOKI", - "options": [], - "query": "loki", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_http_rq_total,namespace)", - "hide": 0, - "includeAll": true, - "label": "Application Namespace", - "multi": true, - "name": "namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_http_rq_total,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "hide": 0, - "includeAll": true, - "label": "Block Type", - "multi": true, - "name": "blockType", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - }, - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "DS_PROMETHEUS", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - } - ] - }, - "time": { - "from": "now-15m", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": {}, - "timezone": "browser", - "title": "Airlock Microgateway Blocked Request Logs", - "uid": 
"adnyzcvwnyadcc", - "version": 3, - "weekStart": "" -}
\ No newline at end of file
diff --git a/charts/airlock/microgateway/4.3.2/dashboards/blockMetrics.json b/charts/airlock/microgateway/4.3.2/dashboards/blockMetrics.json
deleted file mode 100644
index ba383d22e8..0000000000
--- a/charts/airlock/microgateway/4.3.2/dashboards/blockMetrics.json
+++ /dev/null
@@ -1,758 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "panel", - "id": "barchart", - "name": "Bar chart", - "version": "" - }, - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "description": "Metrics on requests blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.", - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 6, - "title": "Airlock Microgateway Block Metrics", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Total number of requests processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": 
"short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 0, - "y": 1 - }, - "id": 1, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Processed Requests", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Ratio of blocked requests vs. 
processed requests by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [ - { - "options": { - "match": "nan", - "result": { - "index": 0, - "text": "n/a" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "percentunit" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 4, - "y": 1 - }, - "id": 2, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))", - "fullMetaSearch": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Blocked Requests (%)", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "% Blocked Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": 
"left", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "blue", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "% Blocks" - }, - "properties": [ - { - "id": "custom.axisPlacement", - "value": "right" - }, - { - "id": "unit", - "value": "percentunit" - }, - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - }, - { - "id": "max", - "value": 1 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Requests per second" - }, - "properties": [ - { - "id": "unit", - "value": "short" - }, - { - "id": "custom.fillOpacity", - "value": 25 - } - ] - } - ] - }, - "gridPos": { - "h": 10, - "w": 20, - "x": 0, - "y": 5 - }, - "id": 3, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "timezone": [ - "" - ], - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "instant": false, - "legendFormat": "Requests per second", - "range": true, - "refId": "Requests per Second" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": 
"sum(rate(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "hide": false, - "instant": false, - "legendFormat": "% Blocks", - "range": true, - "refId": "Blocks" - } - ], - "title": "Requests vs. % Blocks", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Blocked requests by block type.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "super-light-orange", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisGridShow": true, - "axisLabel": "", - "axisPlacement": "auto", - "fillOpacity": 80, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineWidth": 0, - "scaleDistribution": { - "type": "linear" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "fieldMinMax": false, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 11, - "w": 10, - "x": 0, - "y": 15 - }, - "id": 4, - "options": { - "barRadius": 0, - "barWidth": 0.8, - "fullHighlight": false, - "groupWidth": 0.7, - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": false - }, - "orientation": "horizontal", - "showValue": "never", - "stacking": "none", - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "asc" - }, - "xField": "block_type", - "xTickLabelRotation": 0, - "xTickLabelSpacing": 0 - }, - "pluginVersion": "10.4.3", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": 
"code", - "exemplar": false, - "expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "instant": true, - "legendFormat": "__auto", - "range": false, - "refId": "A" - } - ], - "title": "Block Type", - "transformations": [ - { - "id": "reduce", - "options": { - "includeTimeField": false, - "labelsToFields": true, - "mode": "seriesToRows", - "reducers": [ - "sum" - ] - } - } - ], - "type": "barchart" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Blocked requests by attack type, which are subsets of the various block types.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "light-orange", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "fillOpacity": 80, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineWidth": 1, - "scaleDistribution": { - "type": "linear" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 11, - "w": 10, - "x": 10, - "y": 15 - }, - "id": 5, - "options": { - "barRadius": 0, - "barWidth": 0.8, - "fullHighlight": false, - "groupWidth": 0.7, - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": false - }, - "orientation": "horizontal", - "showValue": "never", - "stacking": "none", - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - }, - "xField": "attack_type", - "xTickLabelRotation": 0, - "xTickLabelSpacing": 0 - }, - "pluginVersion": "10.4.3", - "targets": [ - { - 
"datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum by (attack_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "instant": true, - "legendFormat": "__auto", - "range": false, - "refId": "A" - } - ], - "title": "Attack Type", - "transformations": [ - { - "id": "reduce", - "options": { - "labelsToFields": true, - "reducers": [ - "sum" - ] - } - } - ], - "type": "barchart" - } - ], - "refresh": "", - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "Datasource Prometheus", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "current": { - "selected": false, - "text": "Loki", - "value": "P8E80F9AEF21F6940" - }, - "hide": 2, - "includeAll": false, - "label": "DS_LOKI", - "multi": false, - "name": "DS_LOKI", - "options": [], - "query": "loki", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "hide": 0, - "includeAll": true, - "label": "Operator Namespace", - "multi": true, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": ".*", - "skipUrlSync": false, - "sort": 0, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, 
- "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_http_rq_total,namespace)", - "hide": 0, - "includeAll": true, - "label": "Application Namespace", - "multi": true, - "name": "namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_http_rq_total,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "hide": 0, - "includeAll": true, - "label": "Block Type", - "multi": true, - "name": "blockType", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - } - ] - }, - "time": { - "from": "now-24h", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": { - "hidden": false - }, - "timezone": "browser", - "title": "Airlock Microgateway Block Metrics", - "uid": "ddnqoczu7qvb4cdd3dd", - "version": 3, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/dashboards/license.json b/charts/airlock/microgateway/4.3.2/dashboards/license.json deleted file mode 100644 index b9d5777e23..0000000000 --- a/charts/airlock/microgateway/4.3.2/dashboards/license.json +++ /dev/null 
@@ -1,521 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "License status of Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [ - { - "options": { - "0": { - "color": "red", - "index": 1, - "text": "Invalid" - }, - "1": { - "color": "green", - "index": 0, - "text": "Valid" - } - }, - "type": "value" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 0, - "y": 0 - }, - "id": 1, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ 
- "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "License Status", - "range": false, - "refId": "Licenses" - } - ], - "title": "License Status", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Expiry date of the Airlock Microgateway license associated with the selected operator.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "time: L" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 3, - "y": 0 - }, - "id": 4, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_expiry_timestamp_seconds{namespace=~\"${operator_namespace.regex}\"})*1000", - "instant": true, - "legendFormat": "Expiry Date (MM/DD/YYYY)", - "range": false, - "refId": "A" - } - ], - "title": "License Expiry Date", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of licensed requests for applications protected by Airlock Microgateway.", - "fieldConfig": { 
- "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 7, - "y": 0 - }, - "id": 6, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(microgateway_license_max_rq_count_per_month{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "Licensed Requests", - "range": false, - "refId": "A" - } - ], - "title": "Licensed Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Estimated number of requests protected by Airlock Microgateway over 30 days based on the last 7 days.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 5, - "x": 11, - "y": 0 - }, - "id": 2, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - 
"exemplar": false, - "expr": "sum(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d]))/7*30", - "instant": true, - "legendFormat": "Estimated Requests", - "range": false, - "refId": "A" - } - ], - "title": "Requests over 30 days (estimated)", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of requests per week processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 12, - "w": 16, - "x": 0, - "y": 4 - }, - "id": 5, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(avg_over_time(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d])[2m:30s]))", - "instant": false, - "legendFormat": "# Requests per week", - "range": true, - "refId": "A" - } - ], - "title": "Processed Requests 
per week", - "type": "timeseries" - } - ], - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "DS_PROMETHEUS", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "description": "", - "hide": 0, - "includeAll": false, - "label": "Operator Namespace", - "multi": false, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" - } - ] - }, - "time": { - "from": "now-7d", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": {}, - "timezone": "browser", - "title": "Airlock Microgateway License", - "uid": "cdpq79bzrr01se", - "version": 2, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/dashboards/overview.json b/charts/airlock/microgateway/4.3.2/dashboards/overview.json deleted file mode 100644 index 0942766217..0000000000 --- a/charts/airlock/microgateway/4.3.2/dashboards/overview.json +++ /dev/null 
@@ -1,1138 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "table", - "name": "Table", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 3, - "title": "Overview", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of pods that are protected by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "text", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 0, - "y": 1 - }, - "id": 11, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": 
"auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(microgateway_sidecars{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "Protected Pods", - "range": false, - "refId": "A" - } - ], - "title": "Protected Pods", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Total number of requests processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 3, - "y": 1 - }, - "id": 4, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Processed Requests", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "Requests", - "type": "stat" - }, - { - "datasource": { - 
"type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [ - { - "options": { - "match": "nan", - "result": { - "index": 0, - "text": "n/a" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "percentunit" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 6, - "y": 1 - }, - "id": 5, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))", - "fullMetaSearch": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Blocked Requests (%)", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "% Blocked Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "License status of Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [ - { - "options": { - "0": { - "color": "red", - "index": 1, - "text": "Invalid" - }, - "1": { - "color": "green", - "index": 0, - 
"text": "Valid" - } - }, - "type": "value" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 9, - "y": 1 - }, - "id": 10, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "License Status", - "range": false, - "refId": "Licenses" - } - ], - "title": "License", - "type": "stat" - }, - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 5 - }, - "id": 2, - "title": "Blocks", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "left", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": 
"absolute", - "steps": [ - { - "color": "blue", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "% Blocks" - }, - "properties": [ - { - "id": "custom.axisPlacement", - "value": "right" - }, - { - "id": "unit", - "value": "percentunit" - }, - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - }, - { - "id": "max", - "value": 1 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Requests per second" - }, - "properties": [ - { - "id": "unit", - "value": "short" - }, - { - "id": "custom.fillOpacity", - "value": 25 - } - ] - } - ] - }, - "gridPos": { - "h": 10, - "w": 12, - "x": 0, - "y": 6 - }, - "id": 6, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "timezone": [ - "" - ], - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "instant": false, - "legendFormat": "Requests per second", - "range": true, - "refId": "Requests per Second" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "hide": false, - "instant": false, - "legendFormat": "% Blocks", - "range": true, - "refId": "Blocks" - } - ], - "title": "Requests vs. 
% Blocks", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Requests blocked by Airlock Microgateway categorized by their corresponding type.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "custom": { - "align": "auto", - "cellOptions": { - "barAlignment": 0, - "drawStyle": "line", - "gradientMode": "none", - "hideValue": false, - "lineInterpolation": "linear", - "lineStyle": { - "dash": [ - 10, - 10 - ], - "fill": "solid" - }, - "showPoints": "never", - "spanNulls": false, - "type": "sparkline" - }, - "inspect": false - }, - "displayName": "Block Type", - "fieldMinMax": false, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "block_type" - }, - "properties": [ - { - "id": "custom.width", - "value": 153 - }, - { - "id": "custom.cellOptions", - "value": { - "type": "auto" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Trend #Block Types" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 10, - "w": 12, - "x": 12, - "y": 6 - }, - "id": 7, - "options": { - "cellHeight": "lg", - "footer": { - "countRows": false, - "enablePagination": false, - "fields": [ - "Value" - ], - "reducer": [ - "sum" - ], - "show": false - }, - "showHeader": false, - "sortBy": [ - { - "desc": true, - "displayName": "block_type" - } - ] - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m] offset -1m))/(60000/$__interval_ms)", - "format": "time_series", - 
"instant": false, - "legendFormat": "__auto", - "range": true, - "refId": "Block Types" - } - ], - "title": "Blocked Requests by Type", - "transformations": [ - { - "id": "timeSeriesTable", - "options": { - "A": { - "timeField": "Time" - }, - "Block Types": { - "stat": "sum", - "timeField": "Time" - } - } - } - ], - "type": "table" - }, - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 16 - }, - "id": 1, - "title": "Latency", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Percentiles of the application downstream latency over one minute.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "ms" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "25th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "super-light-purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "50th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "95th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": 
"dark-purple", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 9, - "w": 12, - "x": 0, - "y": 17 - }, - "id": 8, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.25, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "instant": false, - "legendFormat": "25th Percentile", - "range": true, - "refId": "25th Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.5, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "50th Percentile", - "range": true, - "refId": "50th Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.95, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "95th Percentile", - "range": true, - "refId": "95th Percentile" - } - ], - "title": "Application Downstream Latency", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Percentiles of the Airlock Microgateway processing time over one minute.", - "fieldConfig": { - "defaults": { - "color": { - "mode": 
"palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "ms" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "25th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "super-light-purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "50th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "95th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "dark-purple", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 9, - "w": 12, - "x": 12, - "y": 17 - }, - "id": 9, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.25, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "instant": false, - "legendFormat": "25th 
Percentile", - "range": true, - "refId": "0.25 Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.5, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "50th Percentile", - "range": true, - "refId": "0.5 Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.95, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "95th Percentile", - "range": true, - "refId": "0.95 Percentile" - } - ], - "title": "Airlock Microgateway Processing Time", - "type": "timeseries" - } - ], - "refresh": "", - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "DS_PROMETHEUS", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "hide": 0, - "includeAll": true, - "label": "Operator Namespace", - "multi": true, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": ".*", - "skipUrlSync": false, - "sort": 0, - "type": "query" - }, - { - 
"allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_http_rq_total,namespace)", - "hide": 0, - "includeAll": true, - "label": "Application Namespace", - "multi": true, - "name": "namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_http_rq_total,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" - } - ] - }, - "time": { - "from": "now-24h", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": {}, - "timezone": "browser", - "title": "Airlock Microgateway Overview", - "uid": "fdp5jb8fnrmyoa", - "version": 1, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/gke-values.yaml b/charts/airlock/microgateway/4.3.2/gke-values.yaml new file mode 100644 index 0000000000..d6d5c21d14 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/gke-values.yaml @@ -0,0 +1,4 @@ +# values for deploying on GKE + +config: + cniBinDir: "/home/kubernetes/bin" diff --git a/charts/airlock/microgateway/4.3.2/openshift-values.yaml b/charts/airlock/microgateway/4.3.2/openshift-values.yaml new file mode 100644 index 0000000000..3b1d6cccde --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/openshift-values.yaml @@ -0,0 +1,15 @@ +# values for deploying on OpenShift + +rbac: + createSCCRole: true + +privileged: true + +multusNetworkAttachmentDefinition: + create: true + namespace: default + +config: + installMode: "standalone" + cniNetDir: "/etc/cni/multus/net.d" + cniBinDir: "/var/lib/cni/bin" diff --git a/charts/airlock/microgateway/4.3.2/questions.yml b/charts/airlock/microgateway/4.3.2/questions.yml new file mode 100644 index 0000000000..73ed44d646 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/questions.yml 
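Review bot: `privileged: true` in openshift-values.yaml switches on both `privileged` and `allowPrivilegeEscalation` for the cni-installer container (daemonset.yaml in this diff renders both from `.Values.privileged`), i.e. unrestricted root on every OpenShift node, and the values file does not say why; gke-values.yaml does not set it, and the chart default is not part of this diff. Add a comment above the line, e.g. `# Full privileged container: presumably required to write /var/lib/cni/bin and /etc/cni/multus/net.d on the host under OpenShift's SCCs — confirm this is the minimum and document it`. `rbac.createSCCRole: true` also refers to a template that is not in this diff; verify the chart really renders an SCC role for that value, otherwise the setting is inert.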
@@ -0,0 +1,18 @@
+questions:
+ - variable: config.cniNetDir
+ required: true
+ type: string
+ label: CNI Network Configuration Directory
+ group: "CNI Settings"
+ description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host."
+ - variable: config.cniBinDir
+ required: true
+ type: string
+ label: CNI Plugin Binaries Directory
+ group: "CNI Settings"
+ description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host."
+ - variable: config.installMode
+ required: true
+ label: CNI Plugin Installation Mode
+ group: "CNI Settings"
+ description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment."
diff --git a/charts/airlock/microgateway/4.3.2/templates/NOTES.txt b/charts/airlock/microgateway/4.3.2/templates/NOTES.txt
index 6e5ce218ae..bb94ff521e 100644
--- a/charts/airlock/microgateway/4.3.2/templates/NOTES.txt
+++ b/charts/airlock/microgateway/4.3.2/templates/NOTES.txt
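Review bot: The `config.installMode` question at the end of the hunk has neither a `type` nor a `default`, although its own description calls `chained` the default and enumerates exactly three accepted values, so the UI offers a free-text field for a setting whose validation (if any) happens only inside the installer, which is not in this diff. Constrain it in the question itself: `type: enum`, `options: ["chained", "standalone", "manual"]`, `default: "chained"`. The two directory questions are consistent with each other; if `required: true` is meant to prevent an empty hostPath in daemonset.yaml, say so in their descriptions.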
@@ -1,47 +1,15 @@ -Thank you for installing Airlock Microgateway. +Thank you for installing Airlock Microgateway CNI. -Please ensure the following prerequisites are fulfilled: -* Cert-Manager is installed. - https://cert-manager.io/docs/installation/helm/ -* Airlock Microgateway CNI is also installed on the cluster. - https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni -* A valid Airlock Microgateway license is deployed in the Kubernetes secret 'airlock-microgateway-license'. - * Get a free Community license: https://airlock.com/en/microgateway-community - * Order a Premium license: https://airlock.com/en/microgateway-premium +Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution. +For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}. +The chapter 'Setup > Installation' describes how to set those settings correctly. Further information: -* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }} -* CRD API reference documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/api/crds +* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }} * Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm -{{- if .Values.crds.skipVersionCheck }} -Warning: CRD version check skipped -{{- else -}} -{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}} -{{- if $outdatedCRDs -}} - {{- fail (printf ` - -Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'. 
-Therefore, the CRDs must be manually upgraded with the following command before deploying this chart: - -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts - -If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.` - .Chart.AppVersion) - -}} -{{- end -}} -{{- end -}} -{{- if .Values.tests.enabled -}} - {{- if .Values.operator.watchNamespaces -}} - {{- if not (has .Release.Namespace .Values.operator.watchNamespaces) -}} - {{- fail (printf ` - -To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values. -` - .Release.Namespace) - -}} - {{- end -}} - {{- end -}} -{{- end }} +Next steps: +* Install Airlock Microgateway (if not done already) + https://artifacthub.io/packages/helm/airlock-microgateway/microgateway Your release version is {{ .Chart.Version }}. \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/_helpers.tpl b/charts/airlock/microgateway/4.3.2/templates/_helpers.tpl index 733ba96486..996491a873 100644 --- a/charts/airlock/microgateway/4.3.2/templates/_helpers.tpl +++ b/charts/airlock/microgateway/4.3.2/templates/_helpers.tpl 
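Review bot: The rewritten NOTES.txt describes Airlock Microgateway CNI and calls the `airlock-microgateway-cni.*` helpers, yet the file header places it under `charts/airlock/microgateway/4.3.2/`, the operator chart's directory; together with the deletion of `templates/operator/_rbac.gen.tpl` under the same path further down, this reads as the operator chart 4.3.2 being overwritten with the CNI chart rather than a new CNI chart version being added — please confirm the intended paths before merging. Minor: the new sentence is missing a space, `Please ensure that the helm values'.config.cniNetDir'` should read `Please ensure that the helm values '.config.cniNetDir'`.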
@@ -1,16 +1,14 @@ {{/* Expand the name of the chart. -We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest explicit suffix is 14 characters. */}} -{{- define "airlock-microgateway.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }} +{{- define "airlock-microgateway-cni.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Convert an image configuration object into an image ref string. */}} -{{- define "airlock-microgateway.image" -}} +{{- define "airlock-microgateway-cni.image" -}} {{- if .digest -}} {{- printf "%s@%s" .repository .digest -}} {{- else if .tag -}} @@ -22,19 +20,19 @@ Convert an image configuration object into an image ref string. {{/* Create a default fully qualified app name. -We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest implicit suffix is 27 characters. +We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest suffix is 13 characters. If release name contains chart name it will be used as a full name. */}} -{{- define "airlock-microgateway.fullname" -}} +{{- define "airlock-microgateway-cni.fullname" -}} {{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }} +{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }} {{- else }} {{- $name := default .Chart.Name .Values.nameOverride }} {{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 36 | trimSuffix "-" }} +{{- .Release.Name | trunc 50 | trimSuffix "-" }} {{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }} +{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} {{- end }} {{- end }} {{- end }} 
@@ -42,112 +40,62 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "airlock-microgateway.chart" -}} +{{- define "airlock-microgateway-cni.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "airlock-microgateway.sharedLabels" -}} -helm.sh/chart: {{ include "airlock-microgateway.chart" . }} +{{- define "airlock-microgateway-cni.labels" -}} +helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }} +{{ include "airlock-microgateway-cni.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/part-of: {{ .Chart.Name }} {{- with .Values.commonLabels }} {{ toYaml .}} {{- end }} {{- end }} {{/* -Common Selector labels +Common labels without component */}} -{{- define "airlock-microgateway.sharedSelectorLabels" -}} -app.kubernetes.io/instance: {{ .Release.Name }} +{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}} +{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}} +{{ unset $labels "app.kubernetes.io/component" | toYaml }} {{- end }} {{/* -Restricted Container Security Context +Selector labels */}} -{{- define "airlock-microgateway.restrictedSecurityContext" -}} -allowPrivilegeEscalation: false -privileged: false -runAsNonRoot: true -capabilities: - drop: ["ALL"] -readOnlyRootFilesystem: true -seccompProfile: - type: RuntimeDefault +{{- define "airlock-microgateway-cni.selectorLabels" -}} +app.kubernetes.io/component: cni-plugin-installer +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . 
}} {{- end }} -{{/* Precondition: May only be used if AppVersion is isSemver */}} -{{- define "airlock-microgateway.supportedCRDVersionPattern" -}} -{{- $version := (semver .Chart.AppVersion) -}} -{{- if $version.Prerelease -}} ->= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }} -{{- else -}} ->= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0 -{{- end -}} -{{- end -}} - -{{- define "airlock-microgateway.outdatedCRDs" -}} -{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}} - {{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}} - {{- range $path, $_ := .Files.Glob "crds/*.yaml" -}} - {{- $api := ($.Files.Get $path | fromYaml).metadata.name -}} - {{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}} - {{- $isOutdated := false -}} - {{- if $crd -}} - {{/* If CRD is already present in the cluster, it must have the minimum supported version */}} - {{- $isOutdated = true -}} - {{- if hasKey $crd.metadata "labels" -}} - {{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}} - {{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}} - {{- if (semverCompare $supportedVersion $crdVersion) }} - {{- $isOutdated = false -}} - {{- end }} - {{- end -}} - {{- end -}} - {{- end -}} - {{- if $isOutdated }} -{{ base $path }} - {{- end }} - {{- end -}} -{{- end -}} -{{- end -}} +{{/* +Create the name of the service account to use for the CNI Plugin +*/}} +{{- define "airlock-microgateway-cni.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "airlock-microgateway-cni.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} -{{- define "airlock-microgateway.isSemver" -}} +{{- define "airlock-microgateway-cni.isSemver" -}} {{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} {{- end -}} -{{- define "airlock-microgateway.docsVersion" -}} -{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} +{{- define "airlock-microgateway-cni.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} {{- $version := (semver .Chart.AppVersion) -}} {{- $version.Major }}.{{ $version.Minor -}} {{- else -}} {{- print "latest" -}} {{- end -}} {{- end -}} - -{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}} -{{- $list := list -}} -{{- with .matchLabels -}} - {{- range $key, $value := . -}} - {{- $list = append $list (printf "%s=%s" $key $value) -}} - {{- end -}} -{{- end -}} -{{- with .matchExpressions -}} - {{- range . -}} - {{- if has .operator (list "In" "NotIn") -}} - {{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}} - {{- else if eq .operator "Exists" -}} - {{- $list = append $list .key -}} - {{- else if eq .operator "DoesNotExist" -}} - {{- $list = append $list (printf "!%s" .key) -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- join "," $list -}} -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/clusterrole.yaml b/charts/airlock/microgateway/4.3.2/templates/clusterrole.yaml new file mode 100644 index 0000000000..ef88ac7836 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/clusterrole.yaml 
@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.3.2/templates/clusterrolebinding.yaml b/charts/airlock/microgateway/4.3.2/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..04f87cb0fa
--- /dev/null
+++ b/charts/airlock/microgateway/4.3.2/templates/clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.3.2/templates/configmap.yaml b/charts/airlock/microgateway/4.3.2/templates/configmap.yaml
new file mode 100644
index 0000000000..b880116ef9
--- /dev/null
+++ b/charts/airlock/microgateway/4.3.2/templates/configmap.yaml
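Review bot: The ClusterRole grants `patch` on `pods` in every namespace; RBAC cannot narrow that verb to annotations or status, so the same credential can also change `spec.containers[*].image` (one of the few mutable pod-spec fields) on any pod in the cluster. Nothing in the chart records why the plugin needs more than read access, and the credential lives on each node (configmap.yaml in this diff points the plugin at a kubeconfig under `config.cniNetDir`), so a single compromised node gets cluster-wide write on pods. Add a comment on the rule, e.g. `# patch on pods: the plugin presumably updates pod annotations/status after wiring; RBAC cannot scope this to fields, so it also permits image changes cluster-wide`, and tighten it once the plugin's actual patch target is confirmed.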
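Review bot: The binding's subject comes from `airlock-microgateway-cni.serviceAccountName`, which (per _helpers.tpl in this diff) falls back to `default` when `serviceAccount.create` is false and no `serviceAccount.name` is given; in that configuration the cluster-wide pod get/list/watch/patch is granted to the namespace's `default` ServiceAccount, which every pod in the namespace without an explicit account also uses. Fail the render instead of silently widening the grant: `{{- if and (not .Values.serviceAccount.create) (empty .Values.serviceAccount.name) }}{{ fail "serviceAccount.name is required when serviceAccount.create=false" }}{{- end }}` at the top of this template.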
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+data:
+ plugin-conf.json: |-
+ {
+ "type": "{{ include "airlock-microgateway-cni.fullname" . }}",
+ "debug": {{ eq .Values.config.logLevel "debug" }},
+ "logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log",
+ "kubernetes": {
+ "kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig",
+ "excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }}
+ }
+ }
diff --git a/charts/airlock/microgateway/4.3.2/templates/daemonset.yaml b/charts/airlock/microgateway/4.3.2/templates/daemonset.yaml
new file mode 100644
index 0000000000..4ba9f2669c
--- /dev/null
+++ b/charts/airlock/microgateway/4.3.2/templates/daemonset.yaml
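Review bot: `plugin-conf.json` is assembled by string interpolation: `"type"`, `"logFilePath"` and `"kubeconfig"` splice `include` output and `.Values.config.cniNetDir` into quoted JSON without escaping, while `excludeNamespaces` correctly goes through `toJson`; a `cniNetDir` containing a quote or backslash produces invalid JSON that only surfaces when the runtime invokes the plugin. Encode every string the same way, e.g. `"kubeconfig": {{ printf "%s/%s-kubeconfig" .Values.config.cniNetDir (include "airlock-microgateway-cni.fullname" .) | toJson }},`. That line also deserves a comment: the file it names holds the plugin's API credential on the host, so the installer must create it with restrictive permissions and `cniNetDir` must not be a world-readable location — confirm against the installer, which is not in this diff.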
@@ -0,0 +1,136 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ kubectl.kubernetes.io/default-container: cni-installer
+ {{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - args:
+ - --log-level
+ - "{{ .Values.config.logLevel }}"
+ env:
+ - name: CNI_NETWORK_CONFIG
+ valueFrom:
+ configMapKeyRef:
+ key: plugin-conf.json
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+ - name: CNI_BIN_DIR
+ value: /host/opt/cni/bin
+ - name: CNI_NET_DIR
+ value: /host/etc/cni/net.d
+ - name: KUBECONFIG_FILE_NAME
+ value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig"
+ - name: INSTALL_MODE
+ value: {{ .Values.config.installMode }}
+ - name: KUBERNETES_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ image: {{ include "airlock-microgateway-cni.image" .Values.image }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: cni-installer
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ startupProbe:
+ exec:
+ command:
+ - /cni-installer
+ - probe
+ failureThreshold: 5
+ initialDelaySeconds: 3
+ periodSeconds: 3
+ timeoutSeconds: 3
+ readinessProbe:
+ exec:
+ command:
+ - /cni-installer
+ - probe
+ failureThreshold: 1
+ periodSeconds: 60
+ timeoutSeconds: 3
+ securityContext:
+ allowPrivilegeEscalation: {{ .Values.privileged }}
+ capabilities:
+ drop:
+ - ALL
+ privileged: {{ .Values.privileged }}
+ readOnlyRootFilesystem: true
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ seccompProfile:
+ type: RuntimeDefault
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /host/opt/cni/bin
+ name: cni-bin-dir
+ - mountPath: /host/etc/cni/net.d
+ name: cni-net-dir
+ - mountPath: /run/cni-installer
+ name: cni-installer-status
+ hostNetwork: true
+ priorityClassName: system-node-critical
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 0
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
+ terminationGracePeriodSeconds: 5
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ volumes:
+ - hostPath:
+ path: "{{ .Values.config.cniBinDir }}"
+ type: Directory
+ name: cni-bin-dir
+ - hostPath:
+ path: "{{ .Values.config.cniNetDir }}"
+ type: Directory
+ name: cni-net-dir
+ - emptyDir: {}
+ name: cni-installer-status
diff --git a/charts/airlock/microgateway/4.3.2/templates/network-attachment-definition.yaml b/charts/airlock/microgateway/4.3.2/templates/network-attachment-definition.yaml
new file mode 100644
index 0000000000..5d657e309c
--- /dev/null
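Review bot: `value: {{ .Values.config.installMode }}` under `INSTALL_MODE` is the only env value rendered unquoted, so YAML rather than the chart decides its type (an empty value becomes null, `on`/`off`-style words become booleans); write it like `KUBECONFIG_FILE_NAME`: `value: {{ .Values.config.installMode | quote }}`. On the security side the pod runs as uid 0 with `hostNetwork: true`, writable hostPath mounts of both CNI directories, and `privileged`/`allowPrivilegeEscalation` tied to one toggle; nothing in the template explains why the host network namespace is needed (the visible work is API access through the ServiceAccount token and writes to the mounted host directories), and once `privileged: true` is set the `capabilities.drop: [ALL]` is no longer effective on most runtimes. Add a comment above `hostNetwork: true` stating the reason, or drop it if the installer does not need it, and a comment next to `privileged:` noting that it overrides the dropped capabilities so readers do not take the drop list as a hardening guarantee.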
+++ b/charts/airlock/microgateway/4.3.2/templates/network-attachment-definition.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.multusNetworkAttachmentDefinition.create -}}
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+ namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/_rbac.gen.tpl b/charts/airlock/microgateway/4.3.2/templates/operator/_rbac.gen.tpl
deleted file mode 100644
index 83b314cbcf..0000000000
--- a/charts/airlock/microgateway/4.3.2/templates/operator/_rbac.gen.tpl
+++ /dev/null
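Review bot: The NetworkAttachmentDefinition is rendered with metadata only and no `spec.config`; if this relies on Multus's behaviour of loading a CNI config file of the same name from its conf dir (openshift-values.yaml in this diff sets `config.cniNetDir` to `/etc/cni/multus/net.d` and `installMode: "standalone"`), that coupling between the NAD name, the standalone install mode and the file the installer writes is invisible to anyone reading this template. Add a comment, e.g. `# No spec.config on purpose: Multus resolves this NAD from the config file the installer writes to config.cniNetDir in standalone mode — the file name must match this NAD's name; confirm against the installer`. The namespace is also rendered unquoted from values; `| quote` keeps a numeric-looking namespace a string.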
@@ -1,237 +0,0 @@ -{{/* AUTOGENERATED FILE DO NOT EDIT */}} - -{{/* -Operator rbac permission rules -*/}} -{{- define "airlock-microgateway-operator.rbacRules" -}} -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - accesscontrols - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - contentsecurities - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - denyrules - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyclusters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyconfigurations/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - envoyhttpfilters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - graphqls - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - headerrewrites - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - identitypropagations - verbs: - - get - - list - - watch -- apiGroups: - - 
microgateway.airlock.com - resources: - - limits - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcrelyingparties - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - openapis - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - parsers - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - redisproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sessionhandlings - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/finalizers - verbs: - - update -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - telemetries - verbs: - - get - - list - - watch -{{- end }} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/_webhooks.gen.tpl b/charts/airlock/microgateway/4.3.2/templates/operator/_webhooks.gen.tpl deleted file mode 100644 index 02e3048904..0000000000 --- a/charts/airlock/microgateway/4.3.2/templates/operator/_webhooks.gen.tpl +++ /dev/null 
@@ -1,339 +0,0 @@ -{{/* AUTOGENERATED FILE DO NOT EDIT */}} - -{{/* -Operator mutating webhooks -*/}} -{{- define "airlock-microgateway-operator.mutatingWebhooks" -}} -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /mutate-v1-pod - failurePolicy: Fail - name: mutate-pod.microgateway.airlock.com - reinvocationPolicy: IfNeeded - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None - objectSelector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" -{{- end }} - -{{/* -Operator validating webhooks -*/}} -{{- define "airlock-microgateway-operator.validatingWebhooks" -}} -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-v1-pod - failurePolicy: Fail - name: validate-pod.microgateway.airlock.com - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - pods - sideEffects: None - objectSelector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol - failurePolicy: Fail - name: validate-accesscontrol.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - accesscontrols - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-denyrules - failurePolicy: Fail - name: validate-denyrules.microgateway.airlock.com - rules: - - apiGroups: - - 
microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - denyrules - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-envoycluster - failurePolicy: Fail - name: validate-envoycluster.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - envoyclusters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter - failurePolicy: Fail - name: validate-envoyhttpfilter.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - envoyhttpfilters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-graphql - failurePolicy: Fail - name: validate-graphql.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - graphqls - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites - failurePolicy: Fail - name: validate-headerrewrites.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - headerrewrites - sideEffects: None -- admissionReviewVersions: - - 
v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation - failurePolicy: Fail - name: validate-identitypropagation.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - identitypropagations - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-limits - failurePolicy: Fail - name: validate-limits.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - limits - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider - failurePolicy: Fail - name: validate-oidcprovider.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - oidcproviders - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty - failurePolicy: Fail - name: validate-oidcrelyingparty.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - oidcrelyingparties - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: 
/validate-microgateway-airlock-com-v1alpha1-openapi - failurePolicy: Fail - name: validate-openapi.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - openapis - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-parser - failurePolicy: Fail - name: validate-parser.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - parsers - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-redisprovider - failurePolicy: Fail - name: validate-redisprovider.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - redisproviders - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway - failurePolicy: Fail - name: validate-sidecargateway.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - sidecargateways - sideEffects: None -{{- end }} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/configmap.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/configmap.yaml deleted file mode 100644 index 95e52d7df1..0000000000 --- a/charts/airlock/microgateway/4.3.2/templates/operator/configmap.yaml +++ /dev/null 
@@ -1,394 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-config - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -data: - engine_bootstrap_config_template.yaml: | - # Base configuration, admin interface on port 19000 - admin: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - dynamic_resources: - cds_config: - initial_fetch_timeout: 10s - resource_api_version: V3 - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC - rate_limit_settings: - max_tokens: 5 - fill_rate: 0.2 - lds_config: - resource_api_version: V3 - initial_fetch_timeout: 10s - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC - rate_limit_settings: - max_tokens: 5 - fill_rate: 0.2 - static_resources: - listeners: - - name: probe - address: - socket_address: - address: 0.0.0.0 - port_value: 19001 - filter_chains: - - filters: - - name: http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: probe - codec_type: AUTO - http2_protocol_options: - initial_connection_window_size: 1048576 - initial_stream_window_size: 65536 - max_concurrent_streams: 100 - route_config: - name: probe - virtual_hosts: - - name: probe - domains: - - '*' - routes: - - name: ready - match: - path: /ready - headers: - - name: 
':method' - string_match: - exact: 'GET' - route: - cluster: airlock_microgateway_engine_admin - http_filters: - - name: envoy.filters.http.router - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - name: metrics - address: - socket_address: - address: 0.0.0.0 - port_value: 19002 - filter_chains: - - filters: - - name: http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: metrics - codec_type: AUTO - http2_protocol_options: - initial_connection_window_size: 1048576 - initial_stream_window_size: 65536 - max_concurrent_streams: 100 - route_config: - name: metrics - virtual_hosts: - - name: metrics - domains: - - '*' - routes: - - name: metrics - match: - path: /metrics - headers: - - name: ':method' - string_match: - exact: 'GET' - route: - prefix_rewrite: '/stats/prometheus' - cluster: airlock_microgateway_engine_admin - http_filters: - - name: envoy.filters.http.router - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - clusters: - - name: xds_cluster - connect_timeout: 1s - type: STRICT_DNS - load_assignment: - cluster_name: xds_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local - port_value: 13377 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 360s - timeout: 5s - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_minimum_protocol_version: TLSv1_3 - tls_maximum_protocol_version: 
TLSv1_3 - validation_context_sds_secret_config: - name: validation_context_sds - sds_config: - resource_api_version: V3 - path_config_source: - path: /etc/envoy/validation_context_sds_secret.yaml - watched_directory: - path: /etc/envoy/ - tls_certificate_sds_secret_configs: - - name: tls_certificate_sds - sds_config: - resource_api_version: V3 - path_config_source: - path: /etc/envoy/tls_certificate_sds_secret.yaml - watched_directory: - path: /etc/envoy/ - - name: airlock_microgateway_engine_admin - connect_timeout: 1s - type: STATIC - load_assignment: - cluster_name: airlock_microgateway_engine_admin - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 360s - timeout: 5s - stats_config: - stats_tags: - - tag_name: "block_type" - regex: "\\.(block_type\\.([^.]+))" - - tag_name: "attack_type" - regex: "\\.(attack_type\\.([^.]+))" - - tag_name: "envoy_cluster_name" - regex: "\\.(cluster\\.([^.]+))" - - tag_name: "version" - regex: "\\.(version\\.([^.]+))" - use_all_default_tags: true - overload_manager: - resource_monitors: - - name: "envoy.resource_monitors.global_downstream_max_connections" - typed_config: - "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig - max_active_downstream_connections: 50000 - bootstrap_extensions: - - name: airlock.bootstrap.engine_build_info - typed_config: - '@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats - application_log_config: - log_format: - text_format: 
'{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}' - engine_container_template.yaml: | - name: "$(ENGINE_NAME)" - image: "$(ENGINE_IMAGE)" - imagePullPolicy: {{ .Values.engine.image.pullPolicy }} - args: - - "--config-path" - - "/etc/envoy/bootstrap_config.yaml" - - "--base-id" - - "$(BASE_ID)" - - "--file-flush-interval-msec" - - '1000' - - "--drain-time-s" - - '60' - - "--service-node" - - "$(POD_NAME).$(POD_NAMESPACE)" - - "--service-cluster" - - "$(APP_NAME).$(POD_NAMESPACE)" - - "--log-path" - - "/dev/stdout" - - "--log-level" - - "$(LOG_LEVEL)" - volumeMounts: - - name: airlock-microgateway-bootstrap-secret-volume - mountPath: /etc/envoy - readOnly: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - ports: - - containerPort: 13378 - protocol: TCP - - containerPort: 19001 - protocol: TCP - - containerPort: 19002 - protocol: TCP - livenessProbe: - httpGet: - path: /ready - port: 19001 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - httpGet: - path: /ready - port: 19001 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - {{- with .Values.engine.resources }} - resources: - {{- toYaml . 
| nindent 6 }} - {{- end }} - session_agent_container_template.yaml: | - name: "$(SESSION_AGENT_NAME)" - image: "$(SESSION_AGENT_IMAGE)" - imagePullPolicy: {{ .Values.sessionAgent.image.pullPolicy }} - args: - - "--port" - - "19004" - - "--config-path" - - "/etc/microgateway-session-agent/config.json" - volumeMounts: - - name: airlock-microgateway-session-agent-volume - mountPath: /etc/microgateway-session-agent - readOnly: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - ports: - - containerPort: 19004 - livenessProbe: - {{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}} - grpc: - port: 19004 - {{- else }} - tcpSocket: - port: 19004 - {{- end }} - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - {{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}} - grpc: - port: 19004 - {{- else }} - tcpSocket: - port: 19004 - {{- end }} - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 - successThreshold: 1 - timeoutSeconds: 5 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - {{- with .Values.sessionAgent.resources }} - resources: - {{- toYaml . | nindent 6 }} - {{- end }} - network_validator_container_template.yaml: | - name: "$(NETWORK_VALIDATOR_NAME)" - image: "$(NETWORK_VALIDATOR_IMAGE)" - imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }} - command: ["/bin/sh", "-c"] - args: - - |- - echo 'pong' | nc -v -l 127.0.0.1 13378 & - for i in 1 2 3; do - sleep 1s - if r=$(echo 'ping' | nc -v -q 0 127.0.0.1 19003) && [ $r == pong ]; then - echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' 
> /dev/termination-log - exit 0 - fi - done - echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log - exit 1 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - operator_config.yaml: | - apiVersion: config.airlock.com/v1alpha1 - kind: OperatorConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 0.0.0.0:8080 - webhook: - port: 9443 - deployment: - sidecar: - engineContainerTemplate: "/sidecar/engine_container_template.yaml" - networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml" - sessionAgentContainerTemplate: "/sidecar/session_agent_container_template.yaml" - engine: - bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml" - log: - level: {{ .Values.operator.config.logLevel }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaces: - selector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaces: - list: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/airlock/microgateway/4.3.2/templates/scc-role.yaml b/charts/airlock/microgateway/4.3.2/templates/scc-role.yaml new file mode 100644 index 0000000000..8627486928 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/scc-role.yaml 
@@ -0,0 +1,22 @@
+{{- if .Values.rbac.createSCCRole -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+{{- end -}}
\ No newline at end of file
diff --git a/charts/airlock/microgateway/4.3.2/templates/scc-rolebinding.yaml b/charts/airlock/microgateway/4.3.2/templates/scc-rolebinding.yaml
new file mode 100644
index 0000000000..ebd02982c0
--- /dev/null
+++ b/charts/airlock/microgateway/4.3.2/templates/scc-rolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.createSCCRole -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
+subjects:
+- kind: ServiceAccount
+ name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.3.2/templates/serviceaccount.yaml b/charts/airlock/microgateway/4.3.2/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..3dc8d58eae
--- /dev/null
+++ b/charts/airlock/microgateway/4.3.2/templates/serviceaccount.yaml
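Review bot: The Role grants `use` on the cluster-wide `privileged` SCC to the chart's service account (bound by the RoleBinding in the next hunk), but neither template records why that level is required or that it only matters on OpenShift, so someone turning `rbac.createSCCRole` off cannot tell what will stop scheduling. I would open scc-role.yaml with a template comment along the lines of `{{/* OpenShift only: the CNI installer DaemonSet runs as root with hostPath mounts of the node's CNI directories, which the default restricted SCC rejects. Rendered only when rbac.createSCCRole is true. */}}`. The grant itself is correctly pinned with `resourceNames: [privileged]`, so it does not reach other SCCs. scc-role.yaml also lacks a trailing newline (`\ No newline at end of file`), which scc-rolebinding.yaml has.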
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.3.2/templates/tests/rbac.yaml b/charts/airlock/microgateway/4.3.2/templates/tests/rbac.yaml
index 93bd4cd1bd..744799333f 100644
--- a/charts/airlock/microgateway/4.3.2/templates/tests/rbac.yaml
+++ b/charts/airlock/microgateway/4.3.2/templates/tests/rbac.yaml
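Review bot: `mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations` merges into its first argument in place, so once this template has rendered, `.Values.serviceAccount.annotations` also carries every `commonAnnotations` key for any template evaluated later in the same release — a hidden dependency on template evaluation order. Merging into a fresh map keeps the same precedence (first argument wins) without mutating values: `{{- with mustMerge (dict) .Values.serviceAccount.annotations .Values.commonAnnotations }}`. If `serviceAccount.annotations` may be absent in the chart defaults (values.yaml is not in this diff), the fresh map also avoids handing a nil destination to the merge; worth a check.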
@@ -2,142 +2,63 @@ apiVersion: v1 kind: ServiceAccount metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" - namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" - namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" subjects: - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . 
}}-tests" - namespace: {{ .Release.Namespace }} rules: - apiGroups: - - microgateway.airlock.com + - "apps" resources: - - sidecargateways + - daemonsets resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway" + - {{ include "airlock-microgateway-cni.fullname" . }} verbs: - - get - - list - - watch - - delete + - get + - watch + - list - apiGroups: - - microgateway.airlock.com + - "" resources: - - sidecargateways + - pods + - pods/log verbs: - - create + - get + - list +{{- if .Values.rbac.createSCCRole }} - apiGroups: - - "" - resources: - - events - verbs: - - list -- apiGroups: - - "apps" - resources: - - deployments + - security.openshift.io resourceNames: - - "{{ include "airlock-microgateway.operator.fullname" . }}" - verbs: - - get - - list - - watch -- apiGroups: - - "apps" - resources: - - statefulsets - - statefulsets/scale - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend" - verbs: - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - pods - - pods/log - - pods/status - - pods/attach - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend-0" - - "{{ include "airlock-microgateway.fullname" . }}-test-valid-request" - - "{{ include "airlock-microgateway.fullname" . }}-test-injection-request" - verbs: - - get - - list - - create - - watch - - delete -- apiGroups: - - "" + - privileged resources: - - pods + - securitycontextconstraints verbs: - - create -{{- if .Values.operator.watchNamespaceSelector }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . 
}}-tests-{{ .Release.Namespace }}" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -subjects: - - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list -{{- end }} + - use +{{- end -}} {{- end -}} diff --git a/charts/airlock/microgateway/4.3.2/templates/tests/test-install.yaml b/charts/airlock/microgateway/4.3.2/templates/tests/test-install.yaml index ab82abea73..12d8c8de78 100644 --- a/charts/airlock/microgateway/4.3.2/templates/tests/test-install.yaml +++ b/charts/airlock/microgateway/4.3.2/templates/tests/test-install.yaml @@ -2,14 +2,11 @@ apiVersion: v1 kind: Pod metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-install" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install" namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - sidecar.istio.io/inject: "false" - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} annotations: helm.sh/hook: test helm.sh/hook-delete-policy: before-hook-creation 
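Review bot: The tests Role grants `get`/`list` on `pods` and `pods/log` for the whole release namespace without `resourceNames`, whereas the neighbouring `daemonsets` rule is pinned to the chart's fullname; the test pod can therefore read the logs of every pod in that namespace, not only the CNI installer's. DaemonSet pod names are generated, so `resourceNames` cannot pin them and RBAC has no label selector, which makes the broader grant understandable, but that reasoning should be stated next to the rule, e.g. `# pods and pods/log cannot be pinned by resourceNames: DaemonSet pod names are generated`. The `{{- if` that the final `{{- end -}}` closes is outside this hunk.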
@@ -19,209 +16,88 @@ spec: - name: test image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + readOnly: true + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: true command: - sh - -c - | set -eu - clean_up() { - echo "" - echo "### Clean up test resources" - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - echo "" - echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'" - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s - sleep 3s - echo "" - } - fail() { + echo "Error: ${1}" echo "" - echo "### Error: ${1}" - echo "" - - if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then - echo "" - echo 'Microgateway Sidecargateway status:' - kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true - echo "" - echo "" - fi - - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then - echo "Pod '{{ include "airlock-microgateway.fullname" . 
}}-test-backend-0':" - kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true - echo "" - echo "" - echo 'Logs of Nginx container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true - echo "" - echo "" - # Wait for engine logs - sleep 10s - echo 'Logs of Microgateway Engine container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true - fi - + echo 'CNI installer logs:' + kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer exit 1 } - create_sidecargateway() { - # create SidecarGateway resource for testing purposes - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - kubectl apply -f - </dev/null 2>&1; do sleep 1s; i=$((i+1)); done - kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request + containsMGWCNIConf() { + cat "${1}" | grep -qe '"type":.*"{{ include "airlock-microgateway-cni.fullname" . }}"' } - {{- if .Values.operator.watchNamespaceSelector }} - echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'" - if ! 
kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then - labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}') - fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"` - .Release.Namespace - (replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2))) - }} - fi - echo "" - {{- end }} - - trap clean_up EXIT - echo "" - - echo "### Waiting for Microgateway Operator Deployments to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \ - deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then - fail 'Timout occurred' - fi - echo "" - - echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica" - # scale to zero replicas to ensure no pods are present from previous runs - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s - echo "" - - echo "### Waiting for backend pod" - i=0 - while true; do - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then - break - elif [ $i -gt 3 ]; then - fail 'Pod not ready' - fi - sleep 2s - i=$((i+1)) - done - - echo "### Checking Microgateway Engine sidecar container was injected" - if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . 
}}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then - fail 'Microgateway Engine sidecar container not injected' - fi - echo "True" - echo "" - - echo "### Checking for valid license" - i=0 - while true; do - if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then - break - elif [ $i -gt 30 ]; then - fail 'Microgateway license is missing or invalid' - fi - sleep 2s - i=$((i+1)) - done - echo "True" - echo "" - - echo "### Create SidecarGateway resource for testing" - if ! create_sidecargateway ; then - fail 'Creation of SidecarGateway resource failed' - fi - echo "" - - echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then - fail 'Timout occurred' - fi - echo "" - - echo "### Waiting for 'engine-config-valid' condition" - if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then - fail 'Configuration was never accepted by the Microgateway Engine' + if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then + fail 'CNI DaemonSet rollout did not complete within timeout' fi - sleep 5s - echo "" - echo "" - echo "### Checking whether a valid request is successful and returns HTTP status code '200'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true) - echo "Response:" - echo "${out}" - if ! 
echo "${out}" | grep -q "200 OK"; then - fail 'A valid request was not successful' + echo "Checking whether CNI binary was installed" + if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then + fail 'CNI binary was not installed' fi - echo "" - echo "" - echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "400 Bad Request"; then - fail 'A malicious request was not blocked' + echo "Checking whether CNI kubeconfig was installed" + if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then + fail 'CNI kubeconfig was not created' fi - echo "" - echo "" - echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded" - exit 0 - serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests" + echo "Checking whether CNI configuration was written" + case {{ .Values.config.installMode }} in + "chained") + for file in "/host/etc/cni/net.d/"*.conflist; do + if containsMGWCNIConf "${file}"; then + echo "Success" + exit 0 + fi + done + ;; + "standalone") + if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then + echo "Success" + exit 0 + fi + ;; + "manual") + echo "- Skipping because we are in 'manual' install mode" + echo "Success" + exit 0 + ;; + esac + + fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found' + serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . 
}}-tests"
+ volumes:
+ - hostPath:
+ path: "{{ .Values.config.cniBinDir }}"
+ type: Directory
+ name: cni-bin-dir
+ - hostPath:
+ path: "{{ .Values.config.cniNetDir }}"
+ type: Directory
+ name: cni-net-dir
{{- end -}}
diff --git a/charts/airlock/microgateway/4.3.2/values.schema.json b/charts/airlock/microgateway/4.3.2/values.schema.json
index 173d6b084c..e087bd7004 100644
--- a/charts/airlock/microgateway/4.3.2/values.schema.json
+++ b/charts/airlock/microgateway/4.3.2/values.schema.json
@@ -14,15 +14,6 @@
"commonAnnotations": {
"$ref": "#/definitions/StringMap"
},
- "crds": {
- "type": "object",
- "properties": {
- "skipVersionCheck": {
- "type": "boolean"
- }
- },
- "additionalProperties": false
- },
"imagePullSecrets": {
"type": "array",
"items": {
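Review bot: `case {{ .Values.config.installMode }} in` splices the value into the shell script unquoted, so an empty value renders as `case  in` and the test dies with a syntax error instead of the intended `fail` message; write `case "{{ .Values.config.installMode }}" in` and add a `*) fail "Unknown installMode" ;;` arm so an unexpected value is reported rather than silently falling through to the generic "not found" failure. In `fail()`, the `kubectl logs ... -c cni-installer` diagnostic has no `|| true`, so under `set -eu` a failing logs call (for example while the DaemonSet pod is still pending) aborts the function before `exit 1`; the test still fails, but with kubectl's exit code, whereas the removed body guarded every diagnostic call. The security context keeps `runAsUser: 0` / `runAsNonRoot: false` although both host mounts are `readOnly: true` and the script only checks file existence and greps content; if root is needed to read the host CNI directories, a comment such as `# root required to read the root-owned CNI config on the host (mounts are read-only)` would stop readers from assuming the test writes to the host, especially since `.Values.privileged` is also propagated here.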
@@ -39,304 +30,120 @@ "additionalProperties": true } }, - "operator": { + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "affinity": { + "type": "object" + }, + "rbac": { "type": "object", "properties": { - "replicaCount": { - "type": "integer", - "minimum": 0 - }, - "updateStrategy": { - "$ref": "#/definitions/UpdateStrategy" - }, - "image": { - "$ref": "#/definitions/Image" - }, - "podAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "podLabels": { - "$ref": "#/definitions/StringMap" - }, - "serviceAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "serviceLabels": { - "$ref": "#/definitions/StringMap" - }, - "resources": { - "type": "object" - }, - "nodeSelector": { - "$ref": "#/definitions/StringMap" - }, - "tolerations": { - "type": "array", - "items": { - "type": "object" - } - }, - "affinity": { - "type": "object" - }, - "config": { - "type": "object", - "properties": { - "logLevel": { - "type": "string", - "enum": [ - "debug", - "info", - "warn", - "error" - ] - } - }, - "required": [ - "logLevel" - ], - "additionalProperties": false - }, - "serviceAccount": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "annotations": { - "$ref": "#/definitions/StringMap" - }, - "name": { - "type": "string" - } - }, - "required": [ - "annotations", - "create", - "name" - ], - "additionalProperties": false - }, - "watchNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - }, - "rbac": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - } - }, - "required": [ - "create" - ], - "additionalProperties": false + "create": { + "type": "boolean" }, - "serviceMonitor": { - "type": "object", - 
"properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false + "createSCCRole": { + "type": "boolean" } }, - "oneOf": [ - { - "properties": { - "watchNamespaces": { - "minItems": 1 - }, - "watchNamespaceSelector": { - "additionalProperties": false - } - } - }, - { - "properties": { - "watchNamespaces": { - "maxItems": 0 - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - } - } - } - ], "required": [ - "affinity", - "config", - "image", - "updateStrategy", - "nodeSelector", - "podAnnotations", - "podLabels", - "rbac", - "replicaCount", - "resources", - "serviceAccount", - "serviceAnnotations", - "serviceLabels", - "serviceMonitor", - "tolerations" + "create", + "createSCCRole" ], "additionalProperties": false }, - "engine": { + "privileged": { + "type": "boolean" + }, + "serviceAccount": { "type": "object", "properties": { - "image": { - "$ref": "#/definitions/Image" + "create": { + "type": "boolean" }, - "resources": { - "type": "object" + "annotations": { + "$ref": "#/definitions/StringMap" }, - "sidecar": { - "type": "object", - "properties":{ - "podMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "required": [ - "podMonitor" - ], - "additionalProperties": false - } - }, - "required": [ - "image", - "resources", - "sidecar" - ], - "additionalProperties": false - }, - "networkValidator": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" + "name": { + "type": "string" } }, "required": [ - "image" + "annotations", + "create", + "name" ], "additionalProperties": false }, - "sessionAgent": { + "multusNetworkAttachmentDefinition": { "type": "object", "properties": { - "image": { - "$ref": "#/definitions/Image" + "create": { 
+ "type": "boolean" }, - "resources": { - "type": "object" + "namespace": { + "type": "string" } }, "required": [ - "image", - "resources" + "create", + "namespace" ], "additionalProperties": false }, - "license": { + "config": { "type": "object", "properties": { - "secretName": { + "installMode": { + "type": "string", + "enum": [ + "chained", + "standalone", + "manual" + ] + }, + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + }, + "cniNetDir": { "type": "string", "minLength": 1 - } - }, - "required": [ - "secretName" - ], - "additionalProperties": false - }, - "dashboards": { - "type": "object", - "properties" : { - "create": { - "type": "boolean" }, - "config": { - "type": "object", - "properties": { - "grafana": { - "type": "object", - "properties": { - "folderAnnotation": { - "$ref": "#/definitions/NameValuePair" - }, - "dashboardLabel": { - "$ref": "#/definitions/NameValuePair" - } - }, - "required": [ - "folderAnnotation", - "dashboardLabel" - ], - "additionalProperties": false - } - }, - "required": [ - "grafana" - ], - "additionalProperties": false + "cniBinDir": { + "type": "string", + "minLength": 1 }, - "instances": { - "type": "object", - "properties": { - "overview": { - "$ref": "#/definitions/DashboardInstance" - }, - "license" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockMetrics" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockLogs" : { - "$ref": "#/definitions/DashboardInstance" - } - }, - "required": [ - "overview", - "license", - "blockMetrics", - "blockLogs" - ], - "additionalProperties": false + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } } }, "required": [ - "create", - "config", - "instances" + "cniBinDir", + "cniNetDir", + "excludeNamespaces", + "installMode", + "logLevel" ], "additionalProperties": false }, 
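Review bot: `cniNetDir` and `cniBinDir` only require `"minLength": 1`, yet the same values are used as `hostPath.path` in the test Pod of this diff (and presumably in the DaemonSet), where a relative path is meaningless and will only surface as an API-server rejection at install time; adding `"pattern": "^/"` to both schema entries catches the mistake during values validation with a readable message. `excludeNamespaces` could likewise carry `"uniqueItems": true`, since a duplicated namespace is almost certainly a copy-paste error.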
@@ -357,18 +164,22 @@
}
},
"required": [
+ "affinity",
"commonAnnotations",
"commonLabels",
- "crds",
- "engine",
+ "config",
"fullnameOverride",
+ "image",
"imagePullSecrets",
- "license",
+ "multusNetworkAttachmentDefinition",
"nameOverride",
- "operator",
- "networkValidator",
- "sessionAgent",
- "dashboards",
+ "nodeSelector",
+ "podAnnotations",
+ "podLabels",
+ "privileged",
+ "rbac",
+ "resources",
+ "serviceAccount",
"tests"
],
"additionalProperties": false,
@@ -409,132 +220,6 @@
"tag"
],
"additionalProperties": false
- },
- "LabelSelector": {
- "type": "object",
- "properties": {
- "matchExpressions": {
- "type": "array",
- "items": {
- "type": "object",
- "required": [
- "key",
- "operator"
- ],
- "properties": {
- "key": {
- "type": "string"
- },
- "operator": {
- "type": "string"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- },
- "additionalProperties": false
- }
- },
- "matchLabels": {
- "$ref": "#/definitions/StringMap"
- }
- },
- "additionalProperties": false
- },
- "UpdateStrategy": {
- "type": "object",
- "oneOf" : [
- {
- "properties": {
- "type": {
- "$ref": "#/definitions/RecreateType"
- }
- },
- "required": [
- "type"
- ],
- "additionalProperties": false
- },
- {
- "properties": {
- "type": {
- "$ref": "#/definitions/RollingUpdateType"
- },
- "rollingUpdate": {
- "$ref": "#/definitions/RollingUpdate"
- }
- },
- "required": [
- "type"
- ],
- "additionalProperties": false
- }
- ]
- },
- "RecreateType": {
- "type": "string",
- "enum": [
- "Recreate"
- ]
- },
- "RollingUpdateType": {
- "type": "string",
- "enum": [
- "RollingUpdate"
- ]
- },
- "RollingUpdate": {
- "type": "object",
- "properties": {
- "maxSurge": {
- "type": ["integer", "string"],
- "minimum": 0,
- "pattern": "^\\d+%?$"
- },
- "maxUnavailable": {
- "type": ["integer", "string"],
- "minimum": 0,
- "pattern": "^\\d+%?$"
- }
- },
- "anyOf": [
- {"required": ["maxSurge"]},
- {"required": ["maxUnavailable"]}
- ],
- "additionalProperties": false
- },
- "DashboardInstance" : {
- "type" : "object",
- "properties" : {
- "create" : {
- "type" : "boolean"
- }
- },
- "required" : [
- "create"
- ],
- "additionalProperties": false
- },
- "NameValuePair" : {
- "type" : "object",
- "properties" : {
- "name" : {
- "type": "string",
- "minLength": 1
- },
- "value" : {
- "type" : "string",
- "minLength": 1
- }
- },
- "required" : [
- "name",
- "value"
- ],
- "additionalProperties": false
}
}
}
diff --git a/charts/airlock/microgateway/4.3.2/values.yaml b/charts/airlock/microgateway/4.3.2/values.yaml
index 36f513b486..5aa03a45c8 100644
--- a/charts/airlock/microgateway/4.3.2/values.yaml
+++ b/charts/airlock/microgateway/4.3.2/values.yaml
@@ -1,4 +1,4 @@
-# -- Allows overriding the name to use instead of "microgateway".
+# -- Allows overriding the name to use instead of "microgateway-cni".
nameOverride: ""
# -- Allows overriding the name to use as full name of resources.
fullnameOverride: ""
@@ -10,203 +10,75 @@ commonAnnotations: {} imagePullSecrets: [] # - name: myRegistryKeySecretName -crds: - # -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. - # The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster - # when performing a "helm install/upgrade". - skipVersionCheck: false -operator: - # -- Number of replicas for the operator Deployment. - replicaCount: 2 - # -- Specifies the operator update strategy. - updateStrategy: - type: RollingUpdate - # Specifies the Airlock Microgateway Operator image. - image: - # -- Image repository from which to pull the Airlock Microgateway Operator image. - repository: "quay.io/airlock/microgateway-operator" - # -- Image tag to pull. - tag: "4.3.2" - # -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). - # Overrides tag when specified. - digest: "sha256:d22f2ca35603b805caa67dd07aba524c3e4d68c3b59f7ddfc0e22e7fc09a200c" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Annotations to add to all Pods. - podAnnotations: {} - # -- Labels to add to all Pods. - podLabels: {} - # -- Annotations to add to the Service. - serviceAnnotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "8080" - - # -- Labels to add to the Service. - serviceLabels: {} - # -- Resource restrictions to apply to the operator container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 1000m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 512Mi - - # -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. - nodeSelector: {} - # -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. 
- tolerations: [] - # -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling. - affinity: {} - # Parameters for the operator configuration. - config: - # -- Operator application log level. - logLevel: "info" - # Configures the generation of the ServiceAccount. - serviceAccount: - # -- Whether a ServiceAccount should be created. - create: true - # -- Annotations to add to the ServiceAccount. - annotations: {} - # -- Name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - # -- Allows to restrict the operator to specific namespaces, depending on your needs. - # For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). - # In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. - # For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. - # An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. - # Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. - # Please note that this feature requires a Premium license. - watchNamespaces: [] - # -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. - # It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. - # This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). 
- # An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. - # Please note that this feature requires a Premium license. - watchNamespaceSelector: {} - # For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements. - # matchLabels: - # microgateway.airlock.com/enable: "true" - # matchExpressions: - # - { key: environment, operator: NotIn, values: [dev] } - - # Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above. - rbac: - # -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. - create: true - # Configures the generation of a Prometheus Operator ServiceMonitor. - serviceMonitor: - # -- Whether to create a ServiceMonitor resource for monitoring. - create: false - # -- Labels to add to the ServiceMonitor. - labels: {} - # release: "" -engine: - # Specifies the Airlock Microgateway Engine image. - image: - # -- Image repository from which to pull the Airlock Microgateway Engine image. - repository: "quay.io/airlock/microgateway-engine" - # -- Image tag to pull. - tag: "4.3.2" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:8d42759d999e6b69efa9ef1ecfdc84dc1f8f6f1ca822c8d2d3ef8ff1e335b9c9" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Engine container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 500m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 40Mi - - # Additional configuration when deployed as a sidecar. - sidecar: - # Configures the generation of a Prometheus Operator PodMonitor. 
- podMonitor: - # -- Whether to create a PodMonitor resource for monitoring. - create: false - # -- Labels to add to the PodMonitor. - labels: {} - # release: "" -networkValidator: - # Specifies the Airlock Microgateway Network Validator image to be injected as an init-container. - image: - # -- Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. - repository: "cgr.dev/chainguard/netcat" - # -- Image tag to pull. - tag: "" - # -- SHA256 image digest to pull (in the format "sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd"). - # Overrides tag when specified. - digest: "sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd" - # -- Pull policy for this image. - pullPolicy: IfNotPresent -sessionAgent: - # Specifies the Airlock Microgateway Session Agent image. - image: - # -- Image repository from which to pull the Airlock Microgateway Session Agent image. - repository: "quay.io/airlock/microgateway-session-agent" - # -- Image tag to pull. - tag: "4.3.2" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:d487f4099c267310debffe5d5cac168deeddf6082dafbee352550f2792b9609c" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Session Agent container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 150m - # memory: 32Mi - # requests: - # cpu: 10m - # memory: 8Mi -license: - # -- Name of the secret containing the "microgateway-license.txt" key. - secretName: "airlock-microgateway-license" -# Creates dashboards in the form of ConfigMaps that can be imported -# by Grafana using its sidecar setup. -dashboards: - # -- Whether to create any ConfigMaps containing Grafana dashboards to import. 
+# Specifies the Airlock Microgateway CNI image. +image: + # -- Image repository from which to pull the Airlock Microgateway CNI image. + repository: "quay.io/airlock/microgateway-cni" + # -- Image tag to pull. + tag: "4.3.2" + # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). + # Overrides tag when specified. + digest: "sha256:ed5ec546a65f0ae0bc3e058aafc1d2aa4848996b9f415fe6232486934443b460" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +# -- Annotations to add to all Pods. +podAnnotations: {} +# -- Labels to add to all Pods. +podLabels: {} +# -- Resource restrictions to apply to the CNI installer container. +resources: + requests: + cpu: 10m + memory: 100Mi +# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. +nodeSelector: + kubernetes.io/os: linux +# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. +affinity: {} +# Configures the generation of RBAC Roles and RoleBindings. +rbac: + # -- Whether to create RBAC resources which are required for the CNI plugin to function. + create: true + # -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. + createSCCRole: false +# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). +privileged: false +# Configures the generation of the ServiceAccount. +serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. 
+ name: "" +# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift) +multusNetworkAttachmentDefinition: + # -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. create: false - config: - # Configures the necessary label and annotations along with their values - # to enable Grafana to correctly identify the ConfigMaps containing - # dashboards and file them within a dedicated folder in the dashboard overview. - # These settings need to match the Grafana sidecar configuration. - grafana: - folderAnnotation: - # -- Name of the annotation containing the folder name to file dashboards into. - name: "grafana_folder" - # -- Name of the folder dashboards are filed into within the Grafana UI. - value: "Airlock Microgateway" - dashboardLabel: - # -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards. - name: "grafana_dashboard" - # -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards. - value: "1" - instances: - # Available dashboard instances that can be individually created/deployed. - overview: - # -- Whether to create the overview dashboard. - create: true - license: - # -- Whether to create the license dashboard. - create: true - blockMetrics: - # -- Whether to create the block metrics dashboard. - create: true - blockLogs: - # -- Whether to create the block logs dashboard. - create: true -# Check whether the installation of the Airlock Microgateway Helm Chart was successful. -# Requires a secret with a valid Airlock Microgateway license key already to be present. + # -- Namespace in which the NetworkAttachmentDefinition is deployed. + # Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces + # may not work if Multus namespace isolation is enabled. 
https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation + namespace: default +# Parameters for the CNI installer configuration. +config: + # -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), + # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) + # or in `manual` mode, where no CNI network configuration is written. + installMode: "chained" + # -- Log level for the CNI installer and plugin. + logLevel: info + # -- Directory where the CNI config files reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. + cniNetDir: "/etc/cni/net.d" + # -- Directory where the CNI plugin binaries reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. + cniBinDir: "/opt/cni/bin" + # -- Namespaces for which this CNI plugin should not apply any modifications. + excludeNamespaces: + - kube-system tests: # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). # If set to false, `helm test` will not run any tests. diff --git a/charts/airlock/microgateway/4.4.1/.helmignore b/charts/airlock/microgateway/4.4.1/.helmignore index 101ff5ac56..8561d28926 100644 --- a/charts/airlock/microgateway/4.4.1/.helmignore +++ b/charts/airlock/microgateway/4.4.1/.helmignore @@ -21,8 +21,7 @@ .idea/ *.tmproj .vscode/ -# CRDs kustomization.yaml -/crds/kustomization.yaml + # Helm unit tests /tests /validation 
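Review bot: The comment on `privileged:` describes only the DaemonSet, but the same value is wired into the helm test Pod's `privileged` and `allowPrivilegeEscalation` fields in the test-install.yaml hunk of this diff, so operators who enable it for OpenShift should know the test pod runs privileged as well; extend the comment to `# -- Whether the DaemonSet (and the helm test Pod) should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift).`. Quoting inside `config` is inconsistent: `installMode: "chained"` and the two directories are quoted while `logLevel: info` (and `namespace: default` above) are plain; quoting every string value uniformly (`logLevel: "info"`) keeps the file safe from implicit typing if a value like `on` or a version number is ever substituted.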
diff --git a/charts/airlock/microgateway/4.4.1/Chart.yaml b/charts/airlock/microgateway/4.4.1/Chart.yaml index 4e46fe73fa..4abf51221f 100644 --- a/charts/airlock/microgateway/4.4.1/Chart.yaml +++ b/charts/airlock/microgateway/4.4.1/Chart.yaml @@ -9,15 +9,15 @@ annotations: - name: Airlock Microgateway Forum url: https://forum.airlock.com/ catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/display-name: Airlock Microgateway CNI catalog.cattle.io/kube-version: '>=1.25.0-0' catalog.cattle.io/release-name: "" - charts.openshift.io/name: Airlock Microgateway + charts.openshift.io/name: Airlock Microgateway CNI apiVersion: v2 appVersion: 4.4.1 -description: A Helm chart for deploying the Airlock Microgateway +description: A Helm chart for deploying the Airlock Microgateway CNI plugin home: https://www.airlock.com/en/microgateway -icon: file://assets/icons/microgateway.svg +icon: file://assets/icons/microgateway-cni.svg keywords: - WAF - Web Application Firewall @@ -30,14 +30,13 @@ keywords: - Filtering - DevSecOps - shift left -- control plane -- Operator +- CNI kubeVersion: '>=1.25.0-0' maintainers: - email: support@airlock.com name: Airlock url: https://www.airlock.com/ -name: microgateway +name: microgateway-cni sources: - https://github.com/airlock/microgateway type: application diff --git a/charts/airlock/microgateway/4.4.1/README.md b/charts/airlock/microgateway/4.4.1/README.md index 1c976c66c6..77c0a31b47 100644 --- a/charts/airlock/microgateway/4.4.1/README.md +++ b/charts/airlock/microgateway/4.4.1/README.md @@ -1,4 +1,4 @@ -# Airlock Microgateway +# Airlock Microgateway CNI ![Version: 4.4.1](https://img.shields.io/badge/Version-4.4.1-informational?style=flat-square) ![AppVersion: 4.4.1](https://img.shields.io/badge/AppVersion-4.4.1-informational?style=flat-square) 
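Review bot: The second Chart.yaml hunk changes `name: microgateway` to `name: microgateway-cni` inside `charts/airlock/microgateway/4.4.1/Chart.yaml`, so the chart's name no longer matches its directory, and the other hunks in this diff likewise replace the 4.3.2 operator chart's values.yaml, values.schema.json and test-install.yaml with the CNI chart's content (image `quay.io/airlock/microgateway-cni`, a DaemonSet-based test, `display-name: Airlock Microgateway CNI`). This looks like the CNI chart being written over the operator chart's directories rather than an intentional rename; if so, anyone fetching `microgateway` 4.3.2 or 4.4.1 from this index would receive the CNI DaemonSet instead of the operator, and `helm upgrade` of an existing operator release would be pointed at a different chart. Please confirm the intended target paths for these files before merging.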
@@ -40,58 +40,43 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. ## Prerequisites -* (Recommended) [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Required for [data plane mode sidecar](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000137)) -* [Airlock Microgateway License](#obtain-airlock-microgateway-license) -* [cert-manager](https://cert-manager.io/) * [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) -In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. -For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. -### Obtain Airlock Microgateway License -1. Either request a community or premium license - * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community) - * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium) -2. Check your inbox and save the license file microgateway-license.txt locally. - -> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. -### Deploy cert-manager -```bash -helm repo add jetstack https://charts.jetstack.io -helm install cert-manager jetstack/cert-manager --version 'v1.16.1' -n cert-manager --create-namespace --set crds.enabled=true --wait -``` - -## Deploy Airlock Microgateway Operator - -> This guide assumes a microgateway-license.txt file is present in the working directory. - -1. Install CRDs and Operator. +## Deploy Airlock Microgateway CNI +1. Install the CNI Plugin with Helm. 
+ > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni). ```bash - # Create namespace - kubectl create namespace airlock-microgateway-system - - # Install License - kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt - - # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) - helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.4.1' --wait + # Standard setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # GKE setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/gke-values.yaml + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # OpenShift setup + helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/openshift-values.yaml + kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni ``` + > **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see 
[documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details). 2. (Recommended) You can verify the correctness of the installation with `helm test`. ```bash - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.1' - helm test airlock-microgateway -n airlock-microgateway-system --logs - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.1' + # Standard and GKE setup + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' + helm test airlock-microgateway-cni -n kube-system --logs + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' + ``` + ```bash + # OpenShift setup + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' + helm test airlock-microgateway-cni -n openshift-operators --logs + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' ``` -### Upgrading CRDs - -The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. -CRDs should instead be manually upgraded before upgrading the Operator itself via the following command: -```bash -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.4.1 --server-side --force-conflicts -``` - -**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts. 
+ Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error. ## Support 
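Review bot: The new note links the provided values files as `[chart folder](/deploy/charts/airlock-microgateway-cni)`, a root-relative path that only resolves when the README is viewed inside the upstream GitHub repository; rendered from this chart on Artifact Hub or in the Rancher catalog it points at a path that does not exist. The GKE and OpenShift snippets directly below already use the absolute `https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/...` form, so the link should be absolute as well, e.g. `[chart folder](https://github.com/airlock/microgateway/tree/4.4.1/deploy/charts/airlock-microgateway-cni)`. That URL then carries the same release tag as the raw values-file URLs and needs the same bump whenever `--version` changes.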
@@ -104,67 +89,33 @@ For the community edition, check our **[Airlock community forum](https://forum.a | Key | Type | Default | Description | |-----|------|---------|-------------| +| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. | | commonAnnotations | object | `{}` | Annotations to add to all resources. | | commonLabels | object | `{}` | Labels to add to all resources. | -| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". | -| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. | -| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. | -| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. | -| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. | -| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. | -| dashboards.instances.headerLogs.create | bool | `true` | Whether to create the header rewrite logs dashboard. | -| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. 
| -| dashboards.instances.logOnlyLogs.create | bool | `true` | Whether to create the log only logs dashboard. | -| dashboards.instances.logOnlyMetrics.create | bool | `true` | Whether to create the log only metrics dashboard | -| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. | -| engine.image.digest | string | `"sha256:06573ef5e6769dbd6eb8606e34c56f1ad2084b6adcae9925b1d2d153a45cbc47"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. | -| engine.image.tag | string | `"4.4.1"` | Image tag to pull. | -| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. | -| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. | -| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. | +| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. | +| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. 
| +| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. | +| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. | +| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. | | fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| image.digest | string | `"sha256:fa2f5d8587024f0d0b29505204c964002cfd7facf79748ccc98b8caf1a70f0d8"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. | +| image.tag | string | `"4.4.1"` | Image tag to pull. | | imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | -| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. | -| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". | -| networkValidator.image.digest | string | `"sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c"` | SHA256 image digest to pull (in the format "sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c"). Overrides tag when specified. | -| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. 
| -| networkValidator.image.repository | string | `"cgr.dev/chainguard/netcat"` | Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. | -| networkValidator.image.tag | string | `""` | Image tag to pull. | -| networkValidator.resources | object | `{"limits":{"cpu":"25m","memory":"12Mi"},"requests":{"cpu":"5m","memory":"1Mi"}}` | Resource restrictions to apply to the Airlock Microgateway Network Validator init-container. | -| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. | -| operator.config.logLevel | string | `"info"` | Operator application log level. | -| operator.gatewayAPI.controllerName | string | `"microgateway.airlock.com/gatewayclass-controller"` | Controller name referred in the GatewayClasses managed by this operator. The value must be a path prefixed by the domain `microgateway.airlock.com`. | -| operator.gatewayAPI.enabled | bool | `false` | Whether to enable the Kubernetes Gateway API related controllers. Requires that the gateway.networking.k8s.io/v1 resources are installed on the cluster. | -| operator.image.digest | string | `"sha256:1133c3e59418eec1721683e68dd19faca577609ace6eebd010a56e52b1f75789"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. | -| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. | -| operator.image.tag | string | `"4.4.1"` | Image tag to pull. | -| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. | -| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. 
| -| operator.podLabels | object | `{}` | Labels to add to all Pods. | -| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. | -| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. | -| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. | -| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | -| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | -| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | -| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. | -| operator.serviceLabels | object | `{}` | Labels to add to the Service. | -| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. | -| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. | -| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. | -| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. | -| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). 
An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. | -| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. | -| sessionAgent.image.digest | string | `"sha256:733a25f61ea7cf43c0a46da7d3ecb9a263bda49bf60e1fd8e4162be33aa24b7b"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. | -| sessionAgent.image.tag | string | `"4.4.1"` | Image tag to pull. | -| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. | +| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. 
| +| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. | +| podAnnotations | object | `{}` | Annotations to add to all Pods. | +| podLabels | object | `{}` | Labels to add to all Pods. | +| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). | +| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. | +| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. | +| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | | tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | ## License 
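Review bot: The `rbac.createSCCRole` row shows `OpenShift` in the Type column while every other boolean row says `bool`; its default `` `false` `` and description make it a boolean. This table looks helm-docs generated, which fills the type column from a parenthesised prefix on the `# --` comment in values.yaml, so the source comment most likely reads `# -- (OpenShift) Whether ...` and should be `# -- (bool) Whether ...` with the table regenerated to `| rbac.createSCCRole | bool | `false` | ...`. It would also help an OpenShift admin reviewing the values if that description stated that, together with `privileged: true`, this binds the installer DaemonSet to the `privileged` security context constraint.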
diff --git a/charts/airlock/microgateway/4.4.1/app-readme.md b/charts/airlock/microgateway/4.4.1/app-readme.md deleted file mode 100644 index e32cac0259..0000000000 --- a/charts/airlock/microgateway/4.4.1/app-readme.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Airlock Microgateway - -*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* - -## Features -* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection. -* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction -* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication -* Content security filters for protecting against known attacks (OWASP Top 10) -* Access control to allow only authenticated users to access the protected services -* API security features like JSON parsing or OpenAPI specification enforcement - -For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. - -## Requirements -* [Airlock Microgateway CNI Helm Chart](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Also available as Rancher Chart) -* [Airlock Microgateway License](https://github.com/airlock/microgateway?tab=readme-ov-file#obtain-airlock-microgateway-license) (After obtaining the license install it according to the [documentation](https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-operator)) -* [cert-manager](https://cert-manager.io/docs/installation/) - -## Documentation and links - -Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway. 
-
-* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html)
-* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html)
-* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html)
-* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html)
-* [GitHub](https://github.com/airlock/microgateway)
\ No newline at end of file
diff --git a/charts/airlock/microgateway/4.4.1/gke-values.yaml b/charts/airlock/microgateway/4.4.1/gke-values.yaml
new file mode 100644
index 0000000000..d6d5c21d14
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.1/gke-values.yaml
@@ -0,0 +1,4 @@
+# values for deploying on GKE
+
+config:
+ cniBinDir: "/home/kubernetes/bin"
diff --git a/charts/airlock/microgateway/4.4.1/openshift-values.yaml b/charts/airlock/microgateway/4.4.1/openshift-values.yaml
new file mode 100644
index 0000000000..3b1d6cccde
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.1/openshift-values.yaml
@@ -0,0 +1,15 @@
+# values for deploying on OpenShift
+
+rbac:
+ createSCCRole: true
+
+privileged: true
+
+multusNetworkAttachmentDefinition:
+ create: true
+ namespace: default
+
+config:
+ installMode: "standalone"
+ cniNetDir: "/etc/cni/multus/net.d"
+ cniBinDir: "/var/lib/cni/bin"
diff --git a/charts/airlock/microgateway/4.4.1/questions.yml b/charts/airlock/microgateway/4.4.1/questions.yml
new file mode 100644
index 0000000000..73ed44d646
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.1/questions.yml
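Review bot: In openshift-values.yaml, `privileged: true` together with `rbac.createSCCRole: true` runs the CNI installer DaemonSet as a privileged container and binds it to the `privileged` SCC, yet the file's only comment is `# values for deploying on OpenShift`, so an admin applying it gets no indication of the elevated access it grants. A comment above those two keys would make that reviewable, e.g. `# privileged mode plus the privileged SCC role are needed on OpenShift so the installer can write to the host CNI directories; the data-plane pods themselves are not affected` (the first half is what the README row for `privileged` states; the second half is my reading and should be confirmed). The README row for `multusNetworkAttachmentDefinition.namespace` also warns that a non-default namespace can break cross-namespace references under Multus namespace isolation; that caveat belongs next to `namespace: default` here, where the value is actually chosen.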
@@ -0,0 +1,18 @@
+questions:
+ - variable: config.cniNetDir
+ required: true
+ type: string
+ label: CNI Network Configuration Directory
+ group: "CNI Settings"
+ description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host."
+ - variable: config.cniBinDir
+ required: true
+ type: string
+ label: CNI Plugin Binaries Directory
+ group: "CNI Settings"
+ description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host."
+ - variable: config.installMode
+ required: true
+ label: CNI Plugin Installation Mode
+ group: "CNI Settings"
+ description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment."
diff --git a/charts/airlock/microgateway/4.4.1/templates/NOTES.txt b/charts/airlock/microgateway/4.4.1/templates/NOTES.txt
index a607483f9c..bb94ff521e 100644
--- a/charts/airlock/microgateway/4.4.1/templates/NOTES.txt
+++ b/charts/airlock/microgateway/4.4.1/templates/NOTES.txt
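Review bot: The `config.installMode` question carries no `type` or `options`, although its own description names exactly three accepted values (`chained`, `standalone`, `manual`); a free-text entry with a typo is only caught at runtime by the installer. Rancher's question schema supports enumerations, so the entry should read `type: enum`, `options: ["chained", "standalone", "manual"]` and `default: "chained"` (the chart default documented in the README table). The two path questions are `required: true` without a `default`, so the catalog form starts empty even though the chart defaults `/etc/cni/net.d` and `/opt/cni/bin` fit most distributions; `default: "/etc/cni/net.d"` and `default: "/opt/cni/bin"` would let users keep them deliberately rather than retype them.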
@@ -1,61 +1,15 @@ -Thank you for installing Airlock Microgateway. -{{- if .Values.operator.gatewayAPI.enabled }} +Thank you for installing Airlock Microgateway CNI. -K8s Gateway API support enabled. -Note that the K8s Gateway API support is an incubating Airlock Microgateway feature. We encourage you to try the installation and configuration for testing and evaluation. Your feedback is welcome. - - {{- if or .Values.operator.watchNamespaces .Values.operator.watchNamespaceSelector -}} - {{- fail ` - -K8s Gateway API is only supported using the 'AllNamespaces' installation mode type, ensure that 'operator.watchNamespaces' and 'operator.watchNamespaceSelector' are not configured. -` - -}} - {{- end -}} -{{- end }} - -Please ensure the following prerequisites are fulfilled: -* cert-manager is installed. - https://cert-manager.io/docs/installation/helm/ -* A valid Airlock Microgateway license is deployed in the Kubernetes secret '{{ .Release.Namespace }}/{{ .Values.license.secretName }}' - * Get a free Community license: https://airlock.com/en/microgateway-community - * Order a Premium license: https://airlock.com/en/microgateway-premium -* Airlock Microgateway CNI is installed on the cluster, when running data plane mode sidecar - https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni. - For more information about data plane modes, see https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/#data/1660804709650.html +Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution. +For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}. +The chapter 'Setup > Installation' describes how to set those settings correctly. Further information: -* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . 
}} -* CRD API reference documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/api/crds +* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }} * Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm -{{- if .Values.crds.skipVersionCheck }} - -Warning: CRD version check skipped -{{- else -}} -{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}} -{{- if $outdatedCRDs -}} - {{- fail (printf ` - -Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'. -Therefore, the CRDs must be manually upgraded with the following command before deploying this chart: - -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts - -If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.` - .Chart.AppVersion) - -}} -{{- end -}} -{{- end -}} -{{- if .Values.tests.enabled -}} - {{- if .Values.operator.watchNamespaces -}} - {{- if not (has .Release.Namespace .Values.operator.watchNamespaces) -}} - {{- fail (printf ` -To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values. -` - .Release.Namespace) - -}} - {{- end -}} - {{- end -}} -{{- end }} +Next steps: +* Install Airlock Microgateway (if not done already) + https://artifacthub.io/packages/helm/airlock-microgateway/microgateway Your release version is {{ .Chart.Version }}. \ No newline at end of file 
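Review bot: The new prerequisites line reads `Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured`, missing the space before the first quoted key, and the next line says `consider our manual` where `consult our manual` is meant. Suggested wording: `Please ensure that the helm values '.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution.` followed by `For further information, consult our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}.`. The new NOTES also no longer mention that `helm test` only runs with `tests.enabled=true`; a one-line pointer to the README's `helm test` steps under "Next steps" would close that gap.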
diff --git a/charts/airlock/microgateway/4.4.1/templates/_helpers.tpl b/charts/airlock/microgateway/4.4.1/templates/_helpers.tpl index 733ba96486..996491a873 100644 --- a/charts/airlock/microgateway/4.4.1/templates/_helpers.tpl +++ b/charts/airlock/microgateway/4.4.1/templates/_helpers.tpl @@ -1,16 +1,14 @@ {{/* Expand the name of the chart. -We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest explicit suffix is 14 characters. */}} -{{- define "airlock-microgateway.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }} +{{- define "airlock-microgateway-cni.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Convert an image configuration object into an image ref string. */}} -{{- define "airlock-microgateway.image" -}} +{{- define "airlock-microgateway-cni.image" -}} {{- if .digest -}} {{- printf "%s@%s" .repository .digest -}} {{- else if .tag -}} 
@@ -22,19 +20,19 @@ Convert an image configuration object into an image ref string. {{/* Create a default fully qualified app name. -We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest implicit suffix is 27 characters. +We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest suffix is 13 characters. If release name contains chart name it will be used as a full name. */}} -{{- define "airlock-microgateway.fullname" -}} +{{- define "airlock-microgateway-cni.fullname" -}} {{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }} +{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }} {{- else }} {{- $name := default .Chart.Name .Values.nameOverride }} {{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 36 | trimSuffix "-" }} +{{- .Release.Name | trunc 50 | trimSuffix "-" }} {{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }} +{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} {{- end }} {{- end }} {{- end }} 
@@ -42,112 +40,62 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "airlock-microgateway.chart" -}} +{{- define "airlock-microgateway-cni.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "airlock-microgateway.sharedLabels" -}} -helm.sh/chart: {{ include "airlock-microgateway.chart" . }} +{{- define "airlock-microgateway-cni.labels" -}} +helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }} +{{ include "airlock-microgateway-cni.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/part-of: {{ .Chart.Name }} {{- with .Values.commonLabels }} {{ toYaml .}} {{- end }} {{- end }} {{/* -Common Selector labels +Common labels without component */}} -{{- define "airlock-microgateway.sharedSelectorLabels" -}} -app.kubernetes.io/instance: {{ .Release.Name }} +{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}} +{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}} +{{ unset $labels "app.kubernetes.io/component" | toYaml }} {{- end }} {{/* -Restricted Container Security Context +Selector labels */}} -{{- define "airlock-microgateway.restrictedSecurityContext" -}} -allowPrivilegeEscalation: false -privileged: false -runAsNonRoot: true -capabilities: - drop: ["ALL"] -readOnlyRootFilesystem: true -seccompProfile: - type: RuntimeDefault +{{- define "airlock-microgateway-cni.selectorLabels" -}} +app.kubernetes.io/component: cni-plugin-installer +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . 
}} {{- end }} -{{/* Precondition: May only be used if AppVersion is isSemver */}} -{{- define "airlock-microgateway.supportedCRDVersionPattern" -}} -{{- $version := (semver .Chart.AppVersion) -}} -{{- if $version.Prerelease -}} ->= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }} -{{- else -}} ->= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0 -{{- end -}} -{{- end -}} - -{{- define "airlock-microgateway.outdatedCRDs" -}} -{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}} - {{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}} - {{- range $path, $_ := .Files.Glob "crds/*.yaml" -}} - {{- $api := ($.Files.Get $path | fromYaml).metadata.name -}} - {{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}} - {{- $isOutdated := false -}} - {{- if $crd -}} - {{/* If CRD is already present in the cluster, it must have the minimum supported version */}} - {{- $isOutdated = true -}} - {{- if hasKey $crd.metadata "labels" -}} - {{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}} - {{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}} - {{- if (semverCompare $supportedVersion $crdVersion) }} - {{- $isOutdated = false -}} - {{- end }} - {{- end -}} - {{- end -}} - {{- end -}} - {{- if $isOutdated }} -{{ base $path }} - {{- end }} - {{- end -}} -{{- end -}} -{{- end -}} +{{/* +Create the name of the service account to use for the CNI Plugin +*/}} +{{- define "airlock-microgateway-cni.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "airlock-microgateway-cni.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} -{{- define "airlock-microgateway.isSemver" -}} +{{- define "airlock-microgateway-cni.isSemver" -}} {{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} {{- end -}} -{{- define "airlock-microgateway.docsVersion" -}} -{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} +{{- define "airlock-microgateway-cni.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} {{- $version := (semver .Chart.AppVersion) -}} {{- $version.Major }}.{{ $version.Minor -}} {{- else -}} {{- print "latest" -}} {{- end -}} {{- end -}} - -{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}} -{{- $list := list -}} -{{- with .matchLabels -}} - {{- range $key, $value := . -}} - {{- $list = append $list (printf "%s=%s" $key $value) -}} - {{- end -}} -{{- end -}} -{{- with .matchExpressions -}} - {{- range . -}} - {{- if has .operator (list "In" "NotIn") -}} - {{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}} - {{- else if eq .operator "Exists" -}} - {{- $list = append $list .key -}} - {{- else if eq .operator "DoesNotExist" -}} - {{- $list = append $list (printf "!%s" .key) -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- join "," $list -}} -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.4.1/templates/clusterrole.yaml b/charts/airlock/microgateway/4.4.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..ef88ac7836 --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/templates/clusterrole.yaml 
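Review bot: `airlock-microgateway-cni.serviceAccountName` falls back to the literal `default` when `.Values.serviceAccount.create` is false and no name is configured, and `clusterrolebinding.yaml` in this commit binds the cluster-wide pod `get/list/watch/patch` ClusterRole to whatever that helper returns, so with the fallback every pod in the release namespace that does not set its own service account inherits that grant. Failing the render is safer than silently widening it: `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}` in place of the `default "default"` branch. If the fallback to `default` is deliberate, the template comment above the define should say so, since the same pattern in the deleted `_operator_helpers.tpl` bound only namespaced roles.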
@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.4.1/templates/clusterrolebinding.yaml b/charts/airlock/microgateway/4.4.1/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..04f87cb0fa
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.1/templates/clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.4.1/templates/configmap.yaml b/charts/airlock/microgateway/4.4.1/templates/configmap.yaml
new file mode 100644
index 0000000000..b880116ef9
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.1/templates/configmap.yaml
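Review bot: The ClusterRole grants `patch` on core `pods` in every namespace with no comment stating which pod fields the installer writes, so a reviewer cannot tell from the template whether this is the minimal grant; `patch` on pods reaches the mutable pod fields cluster-wide, not just the pods the plugin attaches to. A comment above the rule, e.g. `# patch: the cni-installer updates <pod field — TODO confirm with installer code> on pods it has attached to`, documents the need, and if only annotations or status are written the maintainers can confirm whether a narrower subresource rule suffices. Note that `excludeNamespaces` in `configmap.yaml` limits what the plugin handles, not what this role allows.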
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+data:
+ plugin-conf.json: |-
+ {
+ "type": "{{ include "airlock-microgateway-cni.fullname" . }}",
+ "debug": {{ eq .Values.config.logLevel "debug" }},
+ "logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log",
+ "kubernetes": {
+ "kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig",
+ "excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }}
+ }
+ }
diff --git a/charts/airlock/microgateway/4.4.1/templates/daemonset.yaml b/charts/airlock/microgateway/4.4.1/templates/daemonset.yaml
new file mode 100644
index 0000000000..4ba9f2669c
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.1/templates/daemonset.yaml
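Review bot: `plugin-conf.json` is assembled by string interpolation, and `.Values.config.cniNetDir` is pasted inside a JSON string literal without escaping, so a value containing a double quote or backslash yields an unparsable plugin configuration that the installer only discovers at runtime on each node, while `excludeNamespaces` on the next line already goes through `toJson`. Rendering the whole path the same way keeps the JSON well-formed for any input: `"kubeconfig": {{ printf "%s/%s-kubeconfig" .Values.config.cniNetDir (include "airlock-microgateway-cni.fullname" .) | toJson }},`. The `type` and `logFilePath` lines have the same exposure through `fullnameOverride`/`nameOverride`, since `trunc`/`trimSuffix` do not strip quote characters.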
@@ -0,0 +1,136 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: cni-installer + {{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - args: + - --log-level + - "{{ .Values.config.logLevel }}" + env: + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + key: plugin-conf.json + name: {{ include "airlock-microgateway-cni.fullname" . }} + - name: CNI_BIN_DIR + value: /host/opt/cni/bin + - name: CNI_NET_DIR + value: /host/etc/cni/net.d + - name: KUBECONFIG_FILE_NAME + value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" + - name: INSTALL_MODE + value: {{ .Values.config.installMode }} + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: {{ include "airlock-microgateway-cni.image" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cni-installer + {{- with .Values.resources }} + resources: + {{- toYaml . 
| nindent 12 }} + {{- end }} + startupProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 5 + initialDelaySeconds: 3 + periodSeconds: 3 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 1 + periodSeconds: 60 + timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /run/cni-installer + name: cni-installer-status + hostNetwork: true + priorityClassName: system-node-critical + restartPolicy: Always + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + terminationGracePeriodSeconds: 5 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir + - emptyDir: {} + name: cni-installer-status diff --git a/charts/airlock/microgateway/4.4.1/templates/network-attachment-definition.yaml b/charts/airlock/microgateway/4.4.1/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..5d657e309c --- /dev/null 
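Review bot: `capabilities.drop: [ALL]` on the `cni-installer` container has no effect when `.Values.privileged` is true, because a privileged container receives every capability regardless of the drop list, so the securityContext reads as more restrictive than it is in that mode. A comment next to the `privileged:` line, e.g. `# when true, the capability drop above is ineffective and the installer has full host access`, keeps that visible to whoever flips the value, and the same caveat belongs in the values documentation. Separately, `value: {{ .Values.config.installMode }}` is the only env value in the container that is not quoted; a value YAML types as a bool or number is rejected at apply time because env values must be strings, so `value: {{ .Values.config.installMode | quote }}` would match the quoted `--log-level` argument above it.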
+++ b/charts/airlock/microgateway/4.4.1/templates/network-attachment-definition.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.multusNetworkAttachmentDefinition.create -}}
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}
+ namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/_operator_helpers.tpl b/charts/airlock/microgateway/4.4.1/templates/operator/_operator_helpers.tpl
deleted file mode 100644
index a540ff9f4f..0000000000
--- a/charts/airlock/microgateway/4.4.1/templates/operator/_operator_helpers.tpl
+++ /dev/null
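Review bot: `namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }}` renders an empty value when the setting is unset, which YAML reads as null, so the NetworkAttachmentDefinition then lands in the release namespace by accident rather than by a visible decision. If that fallback is intended, `namespace: {{ default .Release.Namespace .Values.multusNetworkAttachmentDefinition.namespace }}` makes it explicit; if the namespace is mandatory, `required` should fail the render instead. values.yaml is not in this chunk, so the default may already be supplied there.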
@@ -1,42 +0,0 @@ -{{/* -Create a default fully qualified name for operator components. -*/}} -{{- define "airlock-microgateway.operator.fullname" -}} -{{ include "airlock-microgateway.fullname" . }}-operator -{{- end }} - - -{{/* -Common operator labels -*/}} -{{- define "airlock-microgateway.operator.labels" -}} -{{ include "airlock-microgateway.sharedLabels" . }} -{{ include "airlock-microgateway.operator.selectorLabels" . }} -{{- end }} - -{{/* -Operator Selector labels -*/}} -{{- define "airlock-microgateway.operator.selectorLabels" -}} -{{ include "airlock-microgateway.sharedSelectorLabels" . }} -app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-operator -app.kubernetes.io/component: controller -{{- end }} - -{{/* -Create the name of the service account to use for the operator -*/}} -{{- define "airlock-microgateway.operator.serviceAccountName" -}} -{{- if .Values.operator.serviceAccount.create }} -{{- default (include "airlock-microgateway.operator.fullname" .) .Values.operator.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.operator.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -ServiceMonitor metrics regex pattern for leader only metrics -*/}} -{{- define "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" -}} -^(microgateway_license|microgateway_sidecars).*$ -{{- end }} diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/dashboard-configmap.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/dashboard-configmap.yaml deleted file mode 100644 index b71ac89b65..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/dashboard-configmap.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if .Values.dashboards.create -}} -{{- range $instance := (keys .Values.dashboards.instances | sortAlpha) -}} -{{- $dashboard := get $.Values.dashboards.instances $instance -}} -{{- if $dashboard.create }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "airlock-microgateway.fullname" $ }}-dashboard-{{ $instance | lower }} - namespace: {{ $.Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.dashboards.config.grafana.dashboardLabel -}} - {{- .name | nindent 4 -}}: {{ .value | quote }} - {{- end }} - annotations: - {{- with $.Values.dashboards.config.grafana.folderAnnotation -}} - {{- .name | nindent 4 -}}: {{ .value | quote }} - {{- end }} - {{- with $.Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -data: - {{- printf "%s.json" $instance | nindent 2 }}: |- - {{- ($.Files.Get (printf "dashboards/%s.json" $instance)) | nindent 4 -}} -{{- end -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/deployment.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/deployment.yaml deleted file mode 100644 index db340cdecc..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/deployment.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.operator.replicaCount }} - {{- with .Values.operator.updateStrategy }} - strategy: - {{- toYaml . | trim | nindent 4 }} - {{- end }} - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/operator/configmap.yaml") . | sha256sum }} - kubectl.kubernetes.io/default-container: manager - {{- with mustMerge .Values.operator.podAnnotations .Values.commonAnnotations}} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 8 }} - {{- with .Values.operator.podLabels }} - {{- toYaml . 
| nindent 8 }} - {{- end }} - spec: - containers: - - args: - - --config=operator_config.yaml - env: - - name: ENGINE_IMAGE - value: {{ include "airlock-microgateway.image" .Values.engine.image }} - - name: NETWORK_VALIDATOR_IMAGE - value: {{ include "airlock-microgateway.image" .Values.networkValidator.image }} - - name: SESSION_AGENT_IMAGE - value: {{ include "airlock-microgateway.image" .Values.sessionAgent.image }} - - name: OPERATOR_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: {{ include "airlock-microgateway.image" .Values.operator.image }} - imagePullPolicy: {{ .Values.operator.image.pullPolicy }} - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - timeoutSeconds: 5 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - - containerPort: 13377 - name: xds-server - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8081 - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - {{- with .Values.operator.resources }} - resources: - {{- toYaml . | nindent 10 }} - {{- end }} - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . 
| nindent 10 }} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - mountPath: /opt/airlock/license/ - name: airlock-microgateway-license - readOnly: true - - mountPath: /operator_config.yaml - name: operator-config - subPath: operator_config.yaml - - mountPath: /sidecar/engine_container_template.yaml - name: operator-config - subPath: engine_container_template.yaml - - mountPath: /sidecar/network_validator_container_template.yaml - name: operator-config - subPath: network_validator_container_template.yaml - - mountPath: /sidecar/session_agent_container_template.yaml - name: operator-config - subPath: session_agent_container_template.yaml - - mountPath: /engine_bootstrap_config_template.yaml - name: operator-config - subPath: engine_bootstrap_config_template.yaml - securityContext: - runAsNonRoot: true - serviceAccountName: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - terminationGracePeriodSeconds: 10 - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert - - name: airlock-microgateway-license - secret: - defaultMode: 292 - optional: true - secretName: {{ .Values.license.secretName }} - - configMap: - name: {{ include "airlock-microgateway.operator.fullname" . }}-config - name: operator-config 
diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/manager-role.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/manager-role.yaml deleted file mode 100644 index 90335bcfe1..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/manager-role.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if .Values.operator.rbac.create }} -{{- if empty .Values.operator.watchNamespaces }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: -{{ include "airlock-microgateway-operator.rbacRules" . -}} -{{- else }} -{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager - namespace: {{ $namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: -{{ include "airlock-microgateway-operator.rbacRules" $ }} ---- -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/manager-rolebinding.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/manager-rolebinding.yaml deleted file mode 100644 index ae99cfb7b6..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/manager-rolebinding.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{- if .Values.operator.rbac.create }} -{{- if empty .Values.operator.watchNamespaces }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- else }} -{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager - namespace: {{ $namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" $ }} - namespace: {{ $.Release.Namespace }} ---- -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/metrics-service.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/metrics-service.yaml deleted file mode 100644 index 34d23f6d67..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/metrics-service.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: http - name: metrics - port: 8080 - protocol: TCP - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} ---- -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-leader-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - operator.microgateway.airlock.com/isLeader: "true" - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: http - name: metrics - port: 8080 - protocol: TCP - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} - operator.microgateway.airlock.com/isLeader: "true" \ No newline at end of file diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/mutating-webhook.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/mutating-webhook.yaml deleted file mode 100644 index 311f9726ad..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/mutating-webhook.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -webhooks: -{{- range $webhook := (include "airlock-microgateway-operator.mutatingWebhooks" .) | fromYamlArray }} -- {{ toYaml $webhook | indent 2 | trim }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaceSelector: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/podmonitor.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/podmonitor.yaml deleted file mode 100644 index 1fe34fcb35..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/podmonitor.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -{{- if .Values.engine.sidecar.podMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: {{ include "airlock-microgateway.fullname" . }}-engine - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.engine.sidecar.podMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - namespaceSelector: - any: true - selector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" - microgateway.airlock.com/managedBy: {{ .Release.Namespace }} - podMetricsEndpoints: - - targetPort: 19002 - path: /metrics - scheme: http -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/role.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/role.yaml deleted file mode 100644 index 5378be8ef9..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/role.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -{{- end -}} \ No newline at end of file 
diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/rolebinding.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/rolebinding.yaml deleted file mode 100644 index bafec10156..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/rolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/selfsigned-issuer.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/selfsigned-issuer.yaml deleted file mode 100644 index 466c56338e..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/selfsigned-issuer.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selfSigned: {} diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/serviceaccount.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/serviceaccount.yaml deleted file mode 100644 index 434d7e9d30..0000000000 
--- a/charts/airlock/microgateway/4.4.1/templates/operator/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.operator.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with mustMerge .Values.operator.serviceAccount.annotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/servicemonitor.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/servicemonitor.yaml deleted file mode 100644 index ff85a9a310..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/servicemonitor.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -{{- if .Values.operator.serviceMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - matchExpressions: - - { key: "operator.microgateway.airlock.com/isLeader", operator: DoesNotExist } - endpoints: - - path: /metrics - port: metrics - scheme: http - metricRelabelings: - - sourceLabels: - - __name__ - regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} - action: drop ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - operator.microgateway.airlock.com/isLeader: "true" - endpoints: - - path: /metrics - port: metrics - scheme: http - metricRelabelings: - - sourceLabels: - - __name__ - regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} - action: keep -{{- end -}} \ No newline at end of file 
diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/serving-certificate.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/serving-certificate.yaml deleted file mode 100644 index 60b92e1e2c..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/serving-certificate.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - dnsNames: - - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc - - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local - issuerRef: - kind: Issuer - name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer - secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/validating-webhook.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/validating-webhook.yaml deleted file mode 100644 index 5d6b4396ba..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/validating-webhook.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -webhooks: -{{- range $webhook := (include "airlock-microgateway-operator.validatingWebhooks" .) | fromYamlArray }} -- {{ toYaml $webhook | indent 2 | trim }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaceSelector: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/webhook-service.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/webhook-service.yaml deleted file mode 100644 index 477ea839f3..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/webhook-service.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: https - name: webhook - port: 443 - protocol: TCP - targetPort: 9443 - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/xds-service.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/xds-service.yaml deleted file mode 100644 index 81b41acf5b..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/operator/xds-service.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-xds - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: grpc - name: xds - port: 13377 - protocol: TCP - targetPort: 13377 - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} - operator.microgateway.airlock.com/isLeader: "true" diff --git a/charts/airlock/microgateway/4.4.1/templates/scc-role.yaml b/charts/airlock/microgateway/4.4.1/templates/scc-role.yaml new file mode 100644 index 0000000000..8627486928 --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/templates/scc-role.yaml 
@@ -0,0 +1,22 @@
+{{- if .Values.rbac.createSCCRole -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+{{- end -}}
\ No newline at end of file
diff --git a/charts/airlock/microgateway/4.4.1/templates/scc-rolebinding.yaml b/charts/airlock/microgateway/4.4.1/templates/scc-rolebinding.yaml
new file mode 100644
index 0000000000..ebd02982c0
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.1/templates/scc-rolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.createSCCRole -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged
+subjects:
+- kind: ServiceAccount
+ name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.4.1/templates/serviceaccount.yaml b/charts/airlock/microgateway/4.4.1/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..3dc8d58eae
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.1/templates/serviceaccount.yaml
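Review bot: The new Role grants `use` on the built-in `privileged` SecurityContextConstraint to the chart's ServiceAccount (the RoleBinding in the following hunk binds it) whenever `rbac.createSCCRole` is true, but nothing in the template records why the broadest SCC is required rather than a narrower custom one, nor that the flag is independent of `.Values.privileged`. A header comment above the `{{- if` line such as `# OpenShift only: lets the installer ServiceAccount use the 'privileged' SCC; required for the root/hostPath pod spec (see values.privileged), keep disabled on non-OpenShift clusters` would make the escalation reviewable by operators. Both files also reference `airlock-microgateway-cni.fullname`/`.labels`/`.serviceAccountName` while living under `charts/airlock/microgateway/4.4.1/`; if that chart's `_helpers.tpl` (not in this chunk) still only defines the `airlock-microgateway.*` helpers, these templates fail to render, so it is worth confirming that this directory was meant to receive the CNI chart's content.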
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "airlock-microgateway-cni.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "airlock-microgateway-cni.labels" . | nindent 4 }}
+ {{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.4.1/templates/tests/rbac.yaml b/charts/airlock/microgateway/4.4.1/templates/tests/rbac.yaml
index 93bd4cd1bd..744799333f 100644
--- a/charts/airlock/microgateway/4.4.1/templates/tests/rbac.yaml
+++ b/charts/airlock/microgateway/4.4.1/templates/tests/rbac.yaml
@@ -2,142 +2,63 @@ apiVersion: v1 kind: ServiceAccount metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" - namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" - namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" subjects: - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . 
}}-tests" - namespace: {{ .Release.Namespace }} rules: - apiGroups: - - microgateway.airlock.com + - "apps" resources: - - sidecargateways + - daemonsets resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway" + - {{ include "airlock-microgateway-cni.fullname" . }} verbs: - - get - - list - - watch - - delete + - get + - watch + - list - apiGroups: - - microgateway.airlock.com + - "" resources: - - sidecargateways + - pods + - pods/log verbs: - - create + - get + - list +{{- if .Values.rbac.createSCCRole }} - apiGroups: - - "" - resources: - - events - verbs: - - list -- apiGroups: - - "apps" - resources: - - deployments + - security.openshift.io resourceNames: - - "{{ include "airlock-microgateway.operator.fullname" . }}" - verbs: - - get - - list - - watch -- apiGroups: - - "apps" - resources: - - statefulsets - - statefulsets/scale - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend" - verbs: - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - pods - - pods/log - - pods/status - - pods/attach - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend-0" - - "{{ include "airlock-microgateway.fullname" . }}-test-valid-request" - - "{{ include "airlock-microgateway.fullname" . }}-test-injection-request" - verbs: - - get - - list - - create - - watch - - delete -- apiGroups: - - "" + - privileged resources: - - pods + - securitycontextconstraints verbs: - - create -{{- if .Values.operator.watchNamespaceSelector }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . 
}}-tests-{{ .Release.Namespace }}" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -subjects: - - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list -{{- end }} + - use +{{- end -}} {{- end -}} diff --git a/charts/airlock/microgateway/4.4.1/templates/tests/service.yaml b/charts/airlock/microgateway/4.4.1/templates/tests/service.yaml deleted file mode 100644 index 30ddc278d6..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/tests/service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.tests.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-service" - namespace: {{ .Release.Namespace }} - labels: - app: test-service - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} -spec: - selector: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} - ports: - - name: http - port: 8080 - targetPort: 8080 -{{- end -}} \ No newline at end of file 
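Review bot: The second rule of the rewritten test Role grants `get`/`list` on `pods` and `pods/log` for every pod in the release namespace, whereas the `daemonsets` rule right above it is scoped with `resourceNames` to the CNI DaemonSet; the test script only reads logs of that DaemonSet's pods. Since DaemonSet pod names are generated, `resourceNames` cannot scope the pods rule, so the widening should at least be documented, e.g. a comment on that rule: `# unscoped: DaemonSet pod names are generated, so resourceNames cannot be used here`. The third rule hands the test ServiceAccount `use` on the `privileged` SCC when `rbac.createSCCRole` is set, which matches the test Pod now running as root with hostPath mounts (test-install.yaml hunk) and deserves the same one-line justification. The file's opening `{{- if` guard is outside the hunk; only its closing `{{- end -}}` is visible as context.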
diff --git a/charts/airlock/microgateway/4.4.1/templates/tests/statefulset.yaml b/charts/airlock/microgateway/4.4.1/templates/tests/statefulset.yaml deleted file mode 100644 index 710a7b9f67..0000000000 --- a/charts/airlock/microgateway/4.4.1/templates/tests/statefulset.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -{{- if .Values.tests.enabled -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} -spec: - serviceName: nginx - replicas: 0 - selector: - matchLabels: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - k8s.v1.cni.cncf.io/networks: default/airlock-microgateway-cni - labels: - sidecar.microgateway.airlock.com/inject: "true" - sidecar.istio.io/inject: "false" - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedLabels" . | nindent 8 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 8 }} - spec: - containers: - - image: cgr.dev/chainguard/nginx - name: nginx - ports: - - containerPort: 8080 - volumeMounts: - - mountPath: /var/lib/nginx/tmp/ - name: nginx-tmp - - mountPath: /var/run - name: nginx-run - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 12 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - emptyDir: {} - name: nginx-tmp - - emptyDir: {} - name: nginx-run -{{- end -}} \ No newline at end of file 
diff --git a/charts/airlock/microgateway/4.4.1/templates/tests/test-install.yaml b/charts/airlock/microgateway/4.4.1/templates/tests/test-install.yaml
index 721ae2b82e..12d8c8de78 100644
--- a/charts/airlock/microgateway/4.4.1/templates/tests/test-install.yaml
+++ b/charts/airlock/microgateway/4.4.1/templates/tests/test-install.yaml
@@ -2,14 +2,11 @@
 apiVersion: v1
 kind: Pod
 metadata:
- name: "{{ include "airlock-microgateway.fullname" . }}-test-install"
+ name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install"
 namespace: {{ .Release.Namespace }}
 labels:
+ {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }}
 app.kubernetes.io/component: test-install
- app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
- sidecar.istio.io/inject: "false"
- {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
- {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
 annotations:
 helm.sh/hook: test
 helm.sh/hook-delete-policy: before-hook-creation
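Review bot: The `sidecar.istio.io/inject: "false"` label on the test Pod is removed together with the old shared labels, and the replacement `airlock-microgateway-cni.labelsWithoutComponent` helper (defined outside this chunk) is a generic label set that presumably does not carry it. On a cluster with namespace-wide Istio auto-injection the hook pod would then receive a sidecar, which typically keeps a run-to-completion pod from terminating and makes `helm test` hang. Keeping the explicit opt-out under `labels:` is a one-line change: `    sidecar.istio.io/inject: "false"`. The Pod's `{{- if` guard and the rest of its spec are outside this hunk.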
@@ -19,209 +16,88 @@ spec: - name: test image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + readOnly: true + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: true command: - sh - -c - | set -eu - clean_up() { - echo "" - echo "### Clean up test resources" - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - echo "" - echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'" - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s - sleep 3s - echo "" - } - fail() { + echo "Error: ${1}" echo "" - echo "### Error: ${1}" - echo "" - - if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then - echo "" - echo 'Microgateway Sidecargateway status:' - kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true - echo "" - echo "" - fi - - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then - echo "Pod '{{ include "airlock-microgateway.fullname" . 
}}-test-backend-0':" - kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true - echo "" - echo "" - echo 'Logs of Nginx container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true - echo "" - echo "" - # Wait for engine logs - sleep 10s - echo 'Logs of Microgateway Engine container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true - fi - + echo 'CNI installer logs:' + kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer exit 1 } - create_sidecargateway() { - # create SidecarGateway resource for testing purposes - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - kubectl apply -f - </dev/null 2>&1; do sleep 1s; i=$((i+1)); done - kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request + containsMGWCNIConf() { + cat "${1}" | grep -qe '"type":.*"{{ include "airlock-microgateway-cni.fullname" . }}"' } - {{- if .Values.operator.watchNamespaceSelector }} - echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'" - if ! 
kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then - labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}') - fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"` - .Release.Namespace - (replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2))) - }} - fi - echo "" - {{- end }} - - trap clean_up EXIT - echo "" - - echo "### Waiting for Microgateway Operator Deployments to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \ - deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then - fail 'Timeout occurred' - fi - echo "" - - echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica" - # scale to zero replicas to ensure no pods are present from previous runs - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s - echo "" - - echo "### Waiting for backend pod" - i=0 - while true; do - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then - break - elif [ $i -gt 3 ]; then - fail 'Pod not ready' - fi - sleep 2s - i=$((i+1)) - done - - echo "### Checking Microgateway Engine sidecar container was injected" - if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . 
}}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then - fail 'Microgateway Engine sidecar container not injected' - fi - echo "True" - echo "" - - echo "### Checking for valid license" - i=0 - while true; do - if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then - break - elif [ $i -gt 30 ]; then - fail 'Microgateway license is missing or invalid' - fi - sleep 2s - i=$((i+1)) - done - echo "True" - echo "" - - echo "### Create SidecarGateway resource for testing" - if ! create_sidecargateway ; then - fail 'Creation of SidecarGateway resource failed' - fi - echo "" - - echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then - fail 'Timeout occurred' - fi - echo "" - - echo "### Waiting for 'engine-config-valid' condition" - if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then - fail 'Configuration was never accepted by the Microgateway Engine' + if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then + fail 'CNI DaemonSet rollout did not complete within timeout' fi - sleep 5s - echo "" - echo "" - echo "### Checking whether a valid request is successful and returns HTTP status code '200'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true) - echo "Response:" - echo "${out}" - if ! 
echo "${out}" | grep -q "200 OK"; then - fail 'A valid request was not successful' + echo "Checking whether CNI binary was installed" + if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then + fail 'CNI binary was not installed' fi - echo "" - echo "" - echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "400 Bad Request"; then - fail 'A malicious request was not blocked' + echo "Checking whether CNI kubeconfig was installed" + if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then + fail 'CNI kubeconfig was not created' fi - echo "" - echo "" - echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded" - exit 0 - serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests" + echo "Checking whether CNI configuration was written" + case {{ .Values.config.installMode }} in + "chained") + for file in "/host/etc/cni/net.d/"*.conflist; do + if containsMGWCNIConf "${file}"; then + echo "Success" + exit 0 + fi + done + ;; + "standalone") + if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then + echo "Success" + exit 0 + fi + ;; + "manual") + echo "- Skipping because we are in 'manual' install mode" + echo "Success" + exit 0 + ;; + esac + + fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found' + serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . 
}}-tests"
+ volumes:
+ - hostPath:
+ path: "{{ .Values.config.cniBinDir }}"
+ type: Directory
+ name: cni-bin-dir
+ - hostPath:
+ path: "{{ .Values.config.cniNetDir }}"
+ type: Directory
+ name: cni-net-dir
 {{- end -}}
diff --git a/charts/airlock/microgateway/4.4.1/values.schema.json b/charts/airlock/microgateway/4.4.1/values.schema.json
index 05c7d77175..e087bd7004 100644
--- a/charts/airlock/microgateway/4.4.1/values.schema.json
+++ b/charts/airlock/microgateway/4.4.1/values.schema.json
@@ -14,15 +14,6 @@
 "commonAnnotations": {
 "$ref": "#/definitions/StringMap"
 },
- "crds": {
- "type": "object",
- "properties": {
- "skipVersionCheck": {
- "type": "boolean"
- }
- },
- "additionalProperties": false
- },
 "imagePullSecrets": {
 "type": "array",
 "items": {
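Review bot: In the new `fail()` the diagnostic `kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer` runs under `set -eu` without the `|| true` the previous version put on every diagnostic command, so when the DaemonSet or its logs are unavailable the shell aborts with kubectl's status before `exit 1` and the caller's own error message is the last thing lost; append `|| true` (and the missing space before `}}`) to that line. The `case {{ .Values.config.installMode }} in` dispatch should quote the templated scalar, `case "{{ .Values.config.installMode }}" in`, so an empty or unexpected value reaches the `fail` after `esac` instead of being a shell syntax error. The hook now runs as root (`runAsUser: 0`, `runAsNonRoot: false`) with `privileged` and `allowPrivilegeEscalation` following `.Values.privileged`, yet both hostPath mounts are `readOnly: true` and the script only tests file existence and greps them; whether `privileged: true` is needed here at all, rather than root alone to read root-owned conflist files, is worth confirming and recording in a comment on the `privileged:` line. The enclosing Pod `spec:` and the template's `{{- if` guard begin before this hunk.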
@@ -39,336 +30,120 @@ "additionalProperties": true } }, - "operator": { + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "affinity": { + "type": "object" + }, + "rbac": { "type": "object", "properties": { - "replicaCount": { - "type": "integer", - "minimum": 0 - }, - "updateStrategy": { - "$ref": "#/definitions/UpdateStrategy" - }, - "image": { - "$ref": "#/definitions/Image" - }, - "podAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "podLabels": { - "$ref": "#/definitions/StringMap" - }, - "serviceAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "serviceLabels": { - "$ref": "#/definitions/StringMap" - }, - "resources": { - "type": "object" - }, - "nodeSelector": { - "$ref": "#/definitions/StringMap" - }, - "tolerations": { - "type": "array", - "items": { - "type": "object" - } - }, - "affinity": { - "type": "object" - }, - "config": { - "type": "object", - "properties": { - "logLevel": { - "type": "string", - "enum": [ - "debug", - "info", - "warn", - "error" - ] - } - }, - "required": [ - "logLevel" - ], - "additionalProperties": false - }, - "serviceAccount": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "annotations": { - "$ref": "#/definitions/StringMap" - }, - "name": { - "type": "string" - } - }, - "required": [ - "annotations", - "create", - "name" - ], - "additionalProperties": false - }, - "watchNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - }, - "rbac": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - }, - "serviceMonitor": { - "type": "object", - "properties": { - "create": { - 
"type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false + "create": { + "type": "boolean" }, - "gatewayAPI": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "controllerName" : { - "type": "string", - "pattern": "^microgateway\\.airlock\\.com\/[A-Za-z0-9\/\\-._~%!$&'()*+,;=:]+$" - } - }, - "required": [ - "enabled" - ], - "additionalProperties": false + "createSCCRole": { + "type": "boolean" } }, - "oneOf": [ - { - "properties": { - "watchNamespaces": { - "minItems": 1 - }, - "watchNamespaceSelector": { - "additionalProperties": false - } - } - }, - { - "properties": { - "watchNamespaces": { - "maxItems": 0 - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - } - } - } - ], "required": [ - "affinity", - "config", - "image", - "updateStrategy", - "nodeSelector", - "podAnnotations", - "podLabels", - "rbac", - "replicaCount", - "resources", - "serviceAccount", - "serviceAnnotations", - "serviceLabels", - "serviceMonitor", - "tolerations" + "create", + "createSCCRole" ], "additionalProperties": false }, - "engine": { + "privileged": { + "type": "boolean" + }, + "serviceAccount": { "type": "object", "properties": { - "image": { - "$ref": "#/definitions/Image" + "create": { + "type": "boolean" }, - "resources": { - "type": "object" + "annotations": { + "$ref": "#/definitions/StringMap" }, - "sidecar": { - "type": "object", - "properties":{ - "podMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "required": [ - "podMonitor" - ], - "additionalProperties": false + "name": { + "type": "string" } }, "required": [ - "image", - "resources", - "sidecar" + "annotations", + "create", + "name" ], "additionalProperties": false }, - "networkValidator": { + 
"multusNetworkAttachmentDefinition": { "type": "object", "properties": { - "image": { - "$ref": "#/definitions/Image" + "create": { + "type": "boolean" }, - "resources": { - "type": "object" + "namespace": { + "type": "string" } }, "required": [ - "image", - "resources" + "create", + "namespace" ], "additionalProperties": false }, - "sessionAgent": { + "config": { "type": "object", "properties": { - "image": { - "$ref": "#/definitions/Image" + "installMode": { + "type": "string", + "enum": [ + "chained", + "standalone", + "manual" + ] }, - "resources": { - "type": "object" - } - }, - "required": [ - "image", - "resources" - ], - "additionalProperties": false - }, - "license": { - "type": "object", - "properties": { - "secretName": { + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + }, + "cniNetDir": { "type": "string", "minLength": 1 - } - }, - "required": [ - "secretName" - ], - "additionalProperties": false - }, - "dashboards": { - "type": "object", - "properties" : { - "create": { - "type": "boolean" }, - "config": { - "type": "object", - "properties": { - "grafana": { - "type": "object", - "properties": { - "folderAnnotation": { - "$ref": "#/definitions/NameValuePair" - }, - "dashboardLabel": { - "$ref": "#/definitions/NameValuePair" - } - }, - "required": [ - "folderAnnotation", - "dashboardLabel" - ], - "additionalProperties": false - } - }, - "required": [ - "grafana" - ], - "additionalProperties": false + "cniBinDir": { + "type": "string", + "minLength": 1 }, - "instances": { - "type": "object", - "properties": { - "overview": { - "$ref": "#/definitions/DashboardInstance" - }, - "license" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockMetrics" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockLogs" : { - "$ref": "#/definitions/DashboardInstance" - }, - "headerLogs" : { - "$ref": "#/definitions/DashboardInstance" - }, - "logOnlyMetrics" : { - "$ref": "#/definitions/DashboardInstance" - }, 
- "logOnlyLogs" : { - "$ref": "#/definitions/DashboardInstance" - } - }, - "required": [ - "overview", - "license", - "blockMetrics", - "blockLogs", - "headerLogs", - "logOnlyMetrics", - "logOnlyLogs" - ], - "additionalProperties": false + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } } }, "required": [ - "create", - "config", - "instances" + "cniBinDir", + "cniNetDir", + "excludeNamespaces", + "installMode", + "logLevel" ], "additionalProperties": false }, @@ -389,18 +164,22 @@ } }, "required": [ + "affinity", "commonAnnotations", "commonLabels", - "crds", - "engine", + "config", "fullnameOverride", + "image", "imagePullSecrets", - "license", + "multusNetworkAttachmentDefinition", "nameOverride", - "operator", - "networkValidator", - "sessionAgent", - "dashboards", + "nodeSelector", + "podAnnotations", + "podLabels", + "privileged", + "rbac", + "resources", + "serviceAccount", "tests" ], "additionalProperties": false, 
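Review bot: The new `config.cniNetDir` and `config.cniBinDir` entries only enforce `"minLength": 1`, yet the earlier test-template hunk feeds both straight into `hostPath.path` with `type: Directory`, where a relative value is only rejected at deploy time by the API server. Constraining them to absolute paths in the schema, e.g. `"pattern": "^/"` next to each `"minLength": 1`, surfaces the mistake at `helm install`/`helm lint` instead. The same applies to the `required`/`enum` block for `installMode`, which is fine as written; whether the `excludeNamespaces` items should also carry `"minLength": 1` depends on how the installer treats an empty namespace string, which is not visible here.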
@@ -441,132 +220,6 @@ "tag" ], "additionalProperties": false - }, - "LabelSelector": { - "type": "object", - "properties": { - "matchExpressions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "type": "string" - }, - "operator": { - "type": "string" - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "additionalProperties": false - } - }, - "matchLabels": { - "$ref": "#/definitions/StringMap" - } - }, - "additionalProperties": false - }, - "UpdateStrategy": { - "type": "object", - "oneOf" : [ - { - "properties": { - "type": { - "$ref": "#/definitions/RecreateType" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - }, - { - "properties": { - "type": { - "$ref": "#/definitions/RollingUpdateType" - }, - "rollingUpdate": { - "$ref": "#/definitions/RollingUpdate" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - } - ] - }, - "RecreateType": { - "type": "string", - "enum": [ - "Recreate" - ] - }, - "RollingUpdateType": { - "type": "string", - "enum": [ - "RollingUpdate" - ] - }, - "RollingUpdate": { - "type": "object", - "properties": { - "maxSurge": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - }, - "maxUnavailable": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - } - }, - "anyOf": [ - {"required": ["maxSurge"]}, - {"required": ["maxUnavailable"]} - ], - "additionalProperties": false - }, - "DashboardInstance" : { - "type" : "object", - "properties" : { - "create" : { - "type" : "boolean" - } - }, - "required" : [ - "create" - ], - "additionalProperties": false - }, - "NameValuePair" : { - "type" : "object", - "properties" : { - "name" : { - "type": "string", - "minLength": 1 - }, - "value" : { - "type" : "string", - "minLength": 1 - } - }, - "required" : [ - "name", - "value" - ], - "additionalProperties": false } } } 
diff --git a/charts/airlock/microgateway/4.4.1/values.yaml b/charts/airlock/microgateway/4.4.1/values.yaml
index f0f598ea17..d1116802db 100644
--- a/charts/airlock/microgateway/4.4.1/values.yaml
+++ b/charts/airlock/microgateway/4.4.1/values.yaml
@@ -1,4 +1,4 @@
-# -- Allows overriding the name to use instead of "microgateway".
+# -- Allows overriding the name to use instead of "microgateway-cni".
 nameOverride: ""
 # -- Allows overriding the name to use as full name of resources.
 fullnameOverride: ""
@@ -10,227 +10,75 @@ commonAnnotations: {} imagePullSecrets: [] # - name: myRegistryKeySecretName -crds: - # -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. - # The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster - # when performing a "helm install/upgrade". - skipVersionCheck: false -operator: - # -- Number of replicas for the operator Deployment. - replicaCount: 2 - # -- Specifies the operator update strategy. - updateStrategy: - type: RollingUpdate - # Specifies the Airlock Microgateway Operator image. - image: - # -- Image repository from which to pull the Airlock Microgateway Operator image. - repository: "quay.io/airlock/microgateway-operator" - # -- Image tag to pull. - tag: "4.4.1" - # -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). - # Overrides tag when specified. - digest: "sha256:1133c3e59418eec1721683e68dd19faca577609ace6eebd010a56e52b1f75789" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Annotations to add to all Pods. - podAnnotations: {} - # -- Labels to add to all Pods. - podLabels: {} - # -- Annotations to add to the Service. - serviceAnnotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "8080" - - # -- Labels to add to the Service. - serviceLabels: {} - # -- Resource restrictions to apply to the operator container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 1000m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 512Mi - - # -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. - nodeSelector: {} - # -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. 
- tolerations: [] - # -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling. - affinity: {} - # Parameters for the operator configuration. - config: - # -- Operator application log level. - logLevel: "info" - # Configures the generation of the ServiceAccount. - serviceAccount: - # -- Whether a ServiceAccount should be created. - create: true - # -- Annotations to add to the ServiceAccount. - annotations: {} - # -- Name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - # -- Allows to restrict the operator to specific namespaces, depending on your needs. - # For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). - # In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. - # For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. - # An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. - # Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. - # Please note that this feature requires a Premium license. - watchNamespaces: [] - # -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. - # It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. - # This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). 
- # An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. - # Please note that this feature requires a Premium license. - watchNamespaceSelector: {} - # For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements. - # matchLabels: - # microgateway.airlock.com/enable: "true" - # matchExpressions: - # - { key: environment, operator: NotIn, values: [dev] } - - # Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above. - rbac: - # -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. - create: true - # Configures the generation of a Prometheus Operator ServiceMonitor. - serviceMonitor: - # -- Whether to create a ServiceMonitor resource for monitoring. - create: false - # -- Labels to add to the ServiceMonitor. - labels: {} - # release: "" - # Configures the Kubernetes Gateway API integration. - gatewayAPI: - # -- Whether to enable the Kubernetes Gateway API related controllers. - # Requires that the gateway.networking.k8s.io/v1 resources are installed on the cluster. - enabled: false - # -- Controller name referred in the GatewayClasses managed by this operator. The value must be a path prefixed by the domain `microgateway.airlock.com`. - controllerName: microgateway.airlock.com/gatewayclass-controller -engine: - # Specifies the Airlock Microgateway Engine image. - image: - # -- Image repository from which to pull the Airlock Microgateway Engine image. - repository: "quay.io/airlock/microgateway-engine" - # -- Image tag to pull. - tag: "4.4.1" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. 
- digest: "sha256:06573ef5e6769dbd6eb8606e34c56f1ad2084b6adcae9925b1d2d153a45cbc47" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Engine container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 500m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 40Mi - - # Additional configuration when deployed as a sidecar. - sidecar: - # Configures the generation of a Prometheus Operator PodMonitor. - podMonitor: - # -- Whether to create a PodMonitor resource for monitoring. - create: false - # -- Labels to add to the PodMonitor. - labels: {} - # release: "" -networkValidator: - # Specifies the Airlock Microgateway Network Validator image to be injected as an init-container. - image: - # -- Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. - repository: "cgr.dev/chainguard/netcat" - # -- Image tag to pull. - tag: "" - # -- SHA256 image digest to pull (in the format "sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c"). - # Overrides tag when specified. - digest: "sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Network Validator init-container. - resources: - limits: - cpu: 25m - memory: 12Mi - requests: - cpu: 5m - memory: 1Mi -sessionAgent: - # Specifies the Airlock Microgateway Session Agent image. - image: - # -- Image repository from which to pull the Airlock Microgateway Session Agent image. - repository: "quay.io/airlock/microgateway-session-agent" - # -- Image tag to pull. - tag: "4.4.1" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. 
- digest: "sha256:733a25f61ea7cf43c0a46da7d3ecb9a263bda49bf60e1fd8e4162be33aa24b7b" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Session Agent container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 150m - # memory: 32Mi - # requests: - # cpu: 10m - # memory: 8Mi -license: - # -- Name of the secret containing the "microgateway-license.txt" key. - secretName: "airlock-microgateway-license" -# Creates dashboards in the form of ConfigMaps that can be imported -# by Grafana using its sidecar setup. -dashboards: - # -- Whether to create any ConfigMaps containing Grafana dashboards to import. +# Specifies the Airlock Microgateway CNI image. +image: + # -- Image repository from which to pull the Airlock Microgateway CNI image. + repository: "quay.io/airlock/microgateway-cni" + # -- Image tag to pull. + tag: "4.4.1" + # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). + # Overrides tag when specified. + digest: "sha256:fa2f5d8587024f0d0b29505204c964002cfd7facf79748ccc98b8caf1a70f0d8" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +# -- Annotations to add to all Pods. +podAnnotations: {} +# -- Labels to add to all Pods. +podLabels: {} +# -- Resource restrictions to apply to the CNI installer container. +resources: + requests: + cpu: 10m + memory: 100Mi +# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. +nodeSelector: + kubernetes.io/os: linux +# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. +affinity: {} +# Configures the generation of RBAC Roles and RoleBindings. +rbac: + # -- Whether to create RBAC resources which are required for the CNI plugin to function. 
+ create: true + # -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. + createSCCRole: false +# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). +privileged: false +# Configures the generation of the ServiceAccount. +serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" +# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift) +multusNetworkAttachmentDefinition: + # -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. create: false - config: - # Configures the necessary label and annotations along with their values - # to enable Grafana to correctly identify the ConfigMaps containing - # dashboards and file them within a dedicated folder in the dashboard overview. - # These settings need to match the Grafana sidecar configuration. - grafana: - folderAnnotation: - # -- Name of the annotation containing the folder name to file dashboards into. - name: "grafana_folder" - # -- Name of the folder dashboards are filed into within the Grafana UI. - value: "Airlock Microgateway" - dashboardLabel: - # -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards. - name: "grafana_dashboard" - # -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards. - value: "1" - instances: - # Available dashboard instances that can be individually created/deployed. - overview: - # -- Whether to create the overview dashboard. - create: true - license: - # -- Whether to create the license dashboard. 
- create: true - blockMetrics: - # -- Whether to create the block metrics dashboard. - create: true - blockLogs: - # -- Whether to create the block logs dashboard. - create: true - headerLogs: - # -- Whether to create the header rewrite logs dashboard. - create: true - logOnlyMetrics: - # -- Whether to create the log only metrics dashboard - create: true - logOnlyLogs: - # -- Whether to create the log only logs dashboard. - create: true -# Check whether the installation of the Airlock Microgateway Helm Chart was successful. -# Requires a secret with a valid Airlock Microgateway license key already to be present. + # -- Namespace in which the NetworkAttachmentDefinition is deployed. + # Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces + # may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation + namespace: default +# Parameters for the CNI installer configuration. +config: + # -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), + # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) + # or in `manual` mode, where no CNI network configuration is written. + installMode: "chained" + # -- Log level for the CNI installer and plugin. + logLevel: info + # -- Directory where the CNI config files reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. + cniNetDir: "/etc/cni/net.d" + # -- Directory where the CNI plugin binaries reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. 
+ # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node.
+ cniBinDir: "/opt/cni/bin"
+ # -- Namespaces for which this CNI plugin should not apply any modifications.
+ excludeNamespaces:
+ - kube-system
 tests:
 # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts).
 # If set to false, `helm test` will not run any tests.
diff --git a/charts/airlock/microgateway/4.4.2/.helmignore b/charts/airlock/microgateway/4.4.2/.helmignore
new file mode 100644
index 0000000000..101ff5ac56
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.2/.helmignore
@@ -0,0 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# CRDs kustomization.yaml
+/crds/kustomization.yaml
+# Helm unit tests
+/tests
+/validation
diff --git a/charts/airlock/microgateway/4.4.2/Chart.yaml b/charts/airlock/microgateway/4.4.2/Chart.yaml
new file mode 100644
index 0000000000..b6482891ea
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.2/Chart.yaml
@@ -0,0 +1,44 @@
+annotations:
+ artifacthub.io/category: security
+ artifacthub.io/license: MIT
+ artifacthub.io/links: |
+ - name: Airlock Microgateway Documentation
+ url: https://docs.airlock.com/microgateway/4.4/
+ - name: Airlock Microgateway Labs
+ url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io
+ - name: Airlock Microgateway Forum
+ url: https://forum.airlock.com/
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Airlock Microgateway
+ catalog.cattle.io/kube-version: '>=1.25.0-0'
+ catalog.cattle.io/release-name: ""
+ charts.openshift.io/name: Airlock Microgateway
+apiVersion: v2
+appVersion: 4.4.2
+description: A Helm chart for deploying the Airlock Microgateway
+home: https://www.airlock.com/en/microgateway
+icon: file://assets/icons/microgateway.svg
+keywords:
+- WAF
+- Web Application Firewall
+- WAAP
+- Web Application and API protection
+- OWASP
+- Airlock
+- Microgateway
+- Security
+- Filtering
+- DevSecOps
+- shift left
+- control plane
+- Operator
+kubeVersion: '>=1.25.0-0'
+maintainers:
+- email: support@airlock.com
+ name: Airlock
+ url: https://www.airlock.com/
+name: microgateway
+sources:
+- https://github.com/airlock/microgateway
+type: application
+version: 4.4.2
diff --git a/charts/airlock/microgateway/4.4.2/README.md b/charts/airlock/microgateway/4.4.2/README.md
new file mode 100644
index 0000000000..01064a740c
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.2/README.md
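Review bot: Scalar quoting is inconsistent in the added `config` and `multusNetworkAttachmentDefinition` blocks: `installMode: "chained"`, `cniNetDir: "/etc/cni/net.d"` and `cniBinDir: "/opt/cni/bin"` are quoted while `logLevel: info` and `namespace: default` are plain; `logLevel: "info"` and `namespace: "default"` would match their siblings and the schema's string type. The `privileged` and `rbac.createSCCRole` comments each mention OpenShift separately but not each other, so a reader toggling one may miss the other; a cross-reference such as `# On OpenShift this typically also requires rbac.createSCCRole: true` on `privileged` (and the inverse on `createSCCRole`) would make the pairing explicit, though whether both are always needed together is not verifiable from this hunk. Keeping `privileged: false` and `createSCCRole: false` as the defaults is the right least-privilege choice for a DaemonSet that writes to host directories.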
@@ -0,0 +1,186 @@ +# Airlock Microgateway + +![Version: 4.4.2](https://img.shields.io/badge/Version-4.4.2-informational?style=flat-square) ![AppVersion: 4.4.2](https://img.shields.io/badge/AppVersion-4.4.2-informational?style=flat-square) + +*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* + + + + + Microgateway + + +Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability. +__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.4.2).__ + +### Features +* Kubernetes native integration with sidecar injection and Gateway API support +* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction +* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication +* Content security filters for protecting against known attacks (OWASP Top 10) +* Access control using OpenID Connect to allow only authenticated users to access the protected services +* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation + +For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. + +## Documentation and links + +Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. 
The links below point out the most interesting documentation sites when starting with Airlock Microgateway. + +* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) +* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) +* [Installation](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000138) +* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) +* [GitHub](https://github.com/airlock/microgateway) + +# Quick start guide + +The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. + +## Prerequisites +* (Recommended) [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Required for [data plane mode sidecar](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000137)) +* [Airlock Microgateway License](#obtain-airlock-microgateway-license) +* [cert-manager](https://cert-manager.io/) +* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) + +In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. +For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. +### Obtain Airlock Microgateway License +1. Either request a community or premium license + * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community) + * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium) +2. Check your inbox and save the license file microgateway-license.txt locally. + +> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. 
+### Deploy cert-manager +```bash +helm repo add jetstack https://charts.jetstack.io +helm install cert-manager jetstack/cert-manager --version 'v1.16.1' -n cert-manager --create-namespace --set crds.enabled=true --wait +``` + +## Deploy Airlock Microgateway Operator + +> This guide assumes a microgateway-license.txt file is present in the working directory. + +1. Install CRDs and Operator. + ```bash + # Create namespace + kubectl create namespace airlock-microgateway-system + + # Install License + kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt + + # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) + helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.4.2' --wait + ``` + +2. (Recommended) You can verify the correctness of the installation with `helm test`. + ```bash + helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.2' + helm test airlock-microgateway -n airlock-microgateway-system --logs + helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.2' + ``` + +### Upgrading CRDs + +The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. +CRDs should instead be manually upgraded before upgrading the Operator itself via the following command: +```bash +kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.4.2 --server-side --force-conflicts +``` + +**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts. 
+ +## Support + +### Premium support +If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process). + +### Community support +For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question. +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | `{}` | Annotations to add to all resources. | +| commonLabels | object | `{}` | Labels to add to all resources. | +| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". | +| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. | +| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. | +| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. | +| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. | +| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. | +| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. | +| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. 
| +| dashboards.instances.headerLogs.create | bool | `true` | Whether to create the header rewrite logs dashboard. | +| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. | +| dashboards.instances.logOnlyLogs.create | bool | `true` | Whether to create the log only logs dashboard. | +| dashboards.instances.logOnlyMetrics.create | bool | `true` | Whether to create the log only metrics dashboard | +| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. | +| engine.image.digest | string | `"sha256:d37457ebd3a48e34e0f09f2ea207a963582222809ac836002351dc7d1e3788f0"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | +| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. | +| engine.image.tag | string | `"4.4.2"` | Image tag to pull. | +| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. | +| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. | +| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. | +| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | +| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". 
| +| networkValidator.image.digest | string | `"sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c"` | SHA256 image digest to pull (in the format "sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c"). Overrides tag when specified. | +| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| networkValidator.image.repository | string | `"cgr.dev/chainguard/netcat"` | Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. | +| networkValidator.image.tag | string | `""` | Image tag to pull. | +| networkValidator.resources | object | `{"limits":{"cpu":"25m","memory":"12Mi"},"requests":{"cpu":"5m","memory":"1Mi"}}` | Resource restrictions to apply to the Airlock Microgateway Network Validator init-container. | +| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. | +| operator.config.logLevel | string | `"info"` | Operator application log level. | +| operator.gatewayAPI.controllerName | string | `"microgateway.airlock.com/gatewayclass-controller"` | Controller name referred in the GatewayClasses managed by this operator. The value must be a path prefixed by the domain `microgateway.airlock.com`. | +| operator.gatewayAPI.enabled | bool | `false` | Whether to enable the Kubernetes Gateway API related controllers. Requires that the gateway.networking.k8s.io/v1 resources are installed on the cluster. | +| operator.image.digest | string | `"sha256:f5b3b8e728fcc1ab15e8b8401ac120f810b8228488b380cc23497d3e82414d71"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. | +| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. 
| +| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. | +| operator.image.tag | string | `"4.4.2"` | Image tag to pull. | +| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. | +| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. | +| operator.podLabels | object | `{}` | Labels to add to all Pods. | +| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. | +| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. | +| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. | +| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | +| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. | +| operator.serviceLabels | object | `{}` | Labels to add to the Service. | +| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. | +| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. | +| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. | +| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. 
| +| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. | +| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. | +| sessionAgent.image.digest | string | `"sha256:5d355747e98fc2c81996cfc6e13b1800181357f5a78e2ac01ab31509127a1f4c"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | +| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. 
| +| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. | +| sessionAgent.image.tag | string | `"4.4.2"` | Image tag to pull. | +| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. | +| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | + +## License +View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image. +* Decompiling or reverse engineering is not permitted. +* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted. + +Airlock® is a security innovation by [ergon](https://www.ergon.ch/en) + + + + + + + Airlock Secure Access Hub + + diff --git a/charts/airlock/microgateway/4.3.2/app-readme.md b/charts/airlock/microgateway/4.4.2/app-readme.md similarity index 100% rename from charts/airlock/microgateway/4.3.2/app-readme.md rename to charts/airlock/microgateway/4.4.2/app-readme.md diff --git a/charts/airlock/microgateway/4.4.1/crds/accesscontrols.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/accesscontrols.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/accesscontrols.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/accesscontrols.microgateway.airlock.com.yaml index c10c65c1f5..d80a6ff54f 100644 --- a/charts/airlock/microgateway/4.4.1/crds/accesscontrols.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/accesscontrols.microgateway.airlock.com.yaml 
@@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: accesscontrols.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/contentsecurities.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/contentsecurities.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/contentsecurities.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/contentsecurities.microgateway.airlock.com.yaml index cbe6fb3a1a..b13c3f0a41 100644 --- a/charts/airlock/microgateway/4.4.1/crds/contentsecurities.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/contentsecurities.microgateway.airlock.com.yaml @@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: contentsecurities.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/contentsecuritypolicies.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/contentsecuritypolicies.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/contentsecuritypolicies.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/contentsecuritypolicies.microgateway.airlock.com.yaml index 3fd1d7545f..7e7e50c6a4 100644 --- a/charts/airlock/microgateway/4.4.1/crds/contentsecuritypolicies.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/contentsecuritypolicies.microgateway.airlock.com.yaml 
@@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 gateway.networking.k8s.io/policy: direct name: contentsecuritypolicies.microgateway.airlock.com spec: diff --git a/charts/airlock/microgateway/4.4.1/crds/denyrules.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/denyrules.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/denyrules.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/denyrules.microgateway.airlock.com.yaml index 234190a289..19fee1945a 100644 --- a/charts/airlock/microgateway/4.4.1/crds/denyrules.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/denyrules.microgateway.airlock.com.yaml @@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: denyrules.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/envoyclusters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/envoyclusters.microgateway.airlock.com.yaml similarity index 98% rename from charts/airlock/microgateway/4.4.1/crds/envoyclusters.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/envoyclusters.microgateway.airlock.com.yaml index 4127d53eb9..a3901b35d1 100644 --- a/charts/airlock/microgateway/4.4.1/crds/envoyclusters.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/envoyclusters.microgateway.airlock.com.yaml 
@@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: envoyclusters.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/envoyconfigurations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/envoyconfigurations.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/envoyconfigurations.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/envoyconfigurations.microgateway.airlock.com.yaml index a71ef4cc26..36a9607f68 100644 --- a/charts/airlock/microgateway/4.4.1/crds/envoyconfigurations.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/envoyconfigurations.microgateway.airlock.com.yaml @@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: envoyconfigurations.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/envoyhttpfilters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/envoyhttpfilters.microgateway.airlock.com.yaml similarity index 98% rename from charts/airlock/microgateway/4.4.1/crds/envoyhttpfilters.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/envoyhttpfilters.microgateway.airlock.com.yaml index 358e1973d1..87779d4f7c 100644 --- a/charts/airlock/microgateway/4.4.1/crds/envoyhttpfilters.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/envoyhttpfilters.microgateway.airlock.com.yaml 
@@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: envoyhttpfilters.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/graphqls.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/graphqls.microgateway.airlock.com.yaml similarity index 98% rename from charts/airlock/microgateway/4.4.1/crds/graphqls.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/graphqls.microgateway.airlock.com.yaml index 39046d24c5..5e772ae2bc 100644 --- a/charts/airlock/microgateway/4.4.1/crds/graphqls.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/graphqls.microgateway.airlock.com.yaml @@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: graphqls.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/headerrewrites.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/headerrewrites.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/headerrewrites.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/headerrewrites.microgateway.airlock.com.yaml index d99797f1ef..dc03897ce4 100644 --- a/charts/airlock/microgateway/4.4.1/crds/headerrewrites.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/headerrewrites.microgateway.airlock.com.yaml 
@@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: headerrewrites.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/identitypropagations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/identitypropagations.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/identitypropagations.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/identitypropagations.microgateway.airlock.com.yaml index a51e475457..e89b0ae802 100644 --- a/charts/airlock/microgateway/4.4.1/crds/identitypropagations.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/identitypropagations.microgateway.airlock.com.yaml @@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: identitypropagations.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/jwks.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/jwks.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/jwks.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/jwks.microgateway.airlock.com.yaml index a780e6a346..2dff1bd5f9 100644 --- a/charts/airlock/microgateway/4.4.1/crds/jwks.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/jwks.microgateway.airlock.com.yaml 
@@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: jwks.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/limits.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/limits.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/limits.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/limits.microgateway.airlock.com.yaml index 89ba9977c8..86ee39a9ea 100644 --- a/charts/airlock/microgateway/4.4.1/crds/limits.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/limits.microgateway.airlock.com.yaml @@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: limits.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/oidcproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/oidcproviders.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/oidcproviders.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/oidcproviders.microgateway.airlock.com.yaml index 9777a206bb..03b0c617a0 100644 --- a/charts/airlock/microgateway/4.4.1/crds/oidcproviders.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/oidcproviders.microgateway.airlock.com.yaml 
@@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: oidcproviders.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/oidcrelyingparties.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/oidcrelyingparties.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/oidcrelyingparties.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/oidcrelyingparties.microgateway.airlock.com.yaml index 4005300a32..f6a19311ff 100644 --- a/charts/airlock/microgateway/4.4.1/crds/oidcrelyingparties.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/oidcrelyingparties.microgateway.airlock.com.yaml @@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: oidcrelyingparties.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/openapis.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/openapis.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/openapis.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/openapis.microgateway.airlock.com.yaml index 2531bc3343..da5f869a38 100644 --- a/charts/airlock/microgateway/4.4.1/crds/openapis.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/openapis.microgateway.airlock.com.yaml 
@@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: openapis.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/parsers.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/parsers.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/parsers.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/parsers.microgateway.airlock.com.yaml index 5ed82205d1..151e6c6ed5 100644 --- a/charts/airlock/microgateway/4.4.1/crds/parsers.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/parsers.microgateway.airlock.com.yaml @@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: parsers.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/redisproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/redisproviders.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/redisproviders.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/redisproviders.microgateway.airlock.com.yaml index 65c785f0a1..e3587e2252 100644 --- a/charts/airlock/microgateway/4.4.1/crds/redisproviders.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/redisproviders.microgateway.airlock.com.yaml 
@@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: redisproviders.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/sessionhandlings.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/sessionhandlings.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/sessionhandlings.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/sessionhandlings.microgateway.airlock.com.yaml index 81ed6ac882..3c9be2feb2 100644 --- a/charts/airlock/microgateway/4.4.1/crds/sessionhandlings.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/sessionhandlings.microgateway.airlock.com.yaml @@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: sessionhandlings.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/sidecargateways.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/sidecargateways.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/sidecargateways.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/sidecargateways.microgateway.airlock.com.yaml index 7229bacc0c..f4237c2ecc 100644 --- a/charts/airlock/microgateway/4.4.1/crds/sidecargateways.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/sidecargateways.microgateway.airlock.com.yaml 
@@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: sidecargateways.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/telemetries.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.2/crds/telemetries.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.4.1/crds/telemetries.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.2/crds/telemetries.microgateway.airlock.com.yaml index 96ef223f2b..6d35fcbcc9 100644 --- a/charts/airlock/microgateway/4.4.1/crds/telemetries.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.2/crds/telemetries.microgateway.airlock.com.yaml @@ -5,7 +5,7 @@ metadata: controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.4.1 + app.kubernetes.io/version: 4.4.2 name: telemetries.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/dashboards/blockLogs.json b/charts/airlock/microgateway/4.4.2/dashboards/blockLogs.json similarity index 100% rename from charts/airlock/microgateway/4.4.1/dashboards/blockLogs.json rename to charts/airlock/microgateway/4.4.2/dashboards/blockLogs.json diff --git a/charts/airlock/microgateway/4.4.1/dashboards/blockMetrics.json b/charts/airlock/microgateway/4.4.2/dashboards/blockMetrics.json similarity index 100% rename from charts/airlock/microgateway/4.4.1/dashboards/blockMetrics.json rename to charts/airlock/microgateway/4.4.2/dashboards/blockMetrics.json 
diff --git a/charts/airlock/microgateway/4.4.1/dashboards/headerLogs.json b/charts/airlock/microgateway/4.4.2/dashboards/headerLogs.json similarity index 100% rename from charts/airlock/microgateway/4.4.1/dashboards/headerLogs.json rename to charts/airlock/microgateway/4.4.2/dashboards/headerLogs.json diff --git a/charts/airlock/microgateway/4.4.1/dashboards/license.json b/charts/airlock/microgateway/4.4.2/dashboards/license.json similarity index 100% rename from charts/airlock/microgateway/4.4.1/dashboards/license.json rename to charts/airlock/microgateway/4.4.2/dashboards/license.json diff --git a/charts/airlock/microgateway/4.4.1/dashboards/logOnlyLogs.json b/charts/airlock/microgateway/4.4.2/dashboards/logOnlyLogs.json similarity index 100% rename from charts/airlock/microgateway/4.4.1/dashboards/logOnlyLogs.json rename to charts/airlock/microgateway/4.4.2/dashboards/logOnlyLogs.json diff --git a/charts/airlock/microgateway/4.4.1/dashboards/logOnlyMetrics.json b/charts/airlock/microgateway/4.4.2/dashboards/logOnlyMetrics.json similarity index 100% rename from charts/airlock/microgateway/4.4.1/dashboards/logOnlyMetrics.json rename to charts/airlock/microgateway/4.4.2/dashboards/logOnlyMetrics.json diff --git a/charts/airlock/microgateway/4.4.1/dashboards/overview.json b/charts/airlock/microgateway/4.4.2/dashboards/overview.json similarity index 100% rename from charts/airlock/microgateway/4.4.1/dashboards/overview.json rename to charts/airlock/microgateway/4.4.2/dashboards/overview.json diff --git a/charts/airlock/microgateway/4.4.2/templates/NOTES.txt b/charts/airlock/microgateway/4.4.2/templates/NOTES.txt new file mode 100644 index 0000000000..a607483f9c --- /dev/null +++ b/charts/airlock/microgateway/4.4.2/templates/NOTES.txt 
@@ -0,0 +1,61 @@
+Thank you for installing Airlock Microgateway.
+{{- if .Values.operator.gatewayAPI.enabled }}
+
+K8s Gateway API support enabled.
+Note that the K8s Gateway API support is an incubating Airlock Microgateway feature. We encourage you to try the installation and configuration for testing and evaluation. Your feedback is welcome.
+
+ {{- if or .Values.operator.watchNamespaces .Values.operator.watchNamespaceSelector -}}
+ {{- fail `
+
+K8s Gateway API is only supported using the 'AllNamespaces' installation mode type, ensure that 'operator.watchNamespaces' and 'operator.watchNamespaceSelector' are not configured.
+`
+ -}}
+ {{- end -}}
+{{- end }}
+
+Please ensure the following prerequisites are fulfilled:
+* cert-manager is installed.
+ https://cert-manager.io/docs/installation/helm/
+* A valid Airlock Microgateway license is deployed in the Kubernetes secret '{{ .Release.Namespace }}/{{ .Values.license.secretName }}'
+ * Get a free Community license: https://airlock.com/en/microgateway-community
+ * Order a Premium license: https://airlock.com/en/microgateway-premium
+* Airlock Microgateway CNI is installed on the cluster, when running data plane mode sidecar
+ https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni.
+ For more information about data plane modes, see https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/#data/1660804709650.html
+
+Further information:
+* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}
+* CRD API reference documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/api/crds
+* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm
+{{- if .Values.crds.skipVersionCheck }}
+
+Warning: CRD version check skipped
+{{- else -}}
+{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}}
+{{- if $outdatedCRDs -}}
+ {{- fail (printf `
+
+Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'.
+Therefore, the CRDs must be manually upgraded with the following command before deploying this chart:
+
+kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts
+
+If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.`
+ .Chart.AppVersion)
+ -}}
+{{- end -}}
+{{- end -}}
+{{- if .Values.tests.enabled -}}
+ {{- if .Values.operator.watchNamespaces -}}
+ {{- if not (has .Release.Namespace .Values.operator.watchNamespaces) -}}
+ {{- fail (printf `
+
+To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values.
+`
+ .Release.Namespace)
+ -}}
+ {{- end -}}
+ {{- end -}}
+{{- end }}
+
+Your release version is {{ .Chart.Version }}.
\ No newline at end of file
diff --git a/charts/airlock/microgateway/4.4.2/templates/_helpers.tpl b/charts/airlock/microgateway/4.4.2/templates/_helpers.tpl
new file mode 100644
index 0000000000..733ba96486
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.2/templates/_helpers.tpl
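Review bot: The `helm test` guard at the end of the file only validates `operator.watchNamespaces`; a release that uses `operator.watchNamespaceSelector` instead gets no template-time check, and if the release namespace does not carry the selected label the tests will presumably fail later at run time for the same out-of-scope reason. Evaluating a label selector in a template is awkward, so at minimum the `tests.enabled` branch should gain a `{{- if .Values.operator.watchNamespaceSelector }}` note telling the user that namespace '{{ .Release.Namespace }}' must match 'operator.watchNamespaceSelector'. The failure text also has a typo: `watch namspace list` → `watch namespace list`. Separately, the CRD-upgrade hint fetches manifests from GitHub at upgrade time and applies them with `--force-conflicts`, which silently takes over any fields owned by another field manager (for example a GitOps controller); since the chart ships the same CRDs under `crds/`, pointing users to `helm pull` followed by `kubectl apply --server-side -f ./crds/` keeps the applied CRDs identical to the chart being installed without a network fetch, and the `--force-conflicts` caveat deserves a sentence in the message either way.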
@@ -0,0 +1,153 @@
+{{/*
+Expand the name of the chart.
+We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
+and the longest explicit suffix is 14 characters.
+*/}}
+{{- define "airlock-microgateway.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Convert an image configuration object into an image ref string.
+*/}}
+{{- define "airlock-microgateway.image" -}}
+ {{- if .digest -}}
+ {{- printf "%s@%s" .repository .digest -}}
+ {{- else if .tag -}}
+ {{- printf "%s:%s" .repository .tag -}}
+ {{- else -}}
+ {{- printf "%s" .repository -}}
+ {{- end -}}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec)
+and the longest implicit suffix is 27 characters.
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "airlock-microgateway.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 36 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "airlock-microgateway.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "airlock-microgateway.sharedLabels" -}}
+helm.sh/chart: {{ include "airlock-microgateway.chart" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/part-of: {{ .Chart.Name }}
+{{- with .Values.commonLabels }}
+{{ toYaml .}}
+{{- end }}
+{{- end }}
+
+{{/*
+Common Selector labels
+*/}}
+{{- define "airlock-microgateway.sharedSelectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Restricted Container Security Context
+*/}}
+{{- define "airlock-microgateway.restrictedSecurityContext" -}}
+allowPrivilegeEscalation: false
+privileged: false
+runAsNonRoot: true
+capabilities:
+ drop: ["ALL"]
+readOnlyRootFilesystem: true
+seccompProfile:
+ type: RuntimeDefault
+{{- end }}
+
+{{/* Precondition: May only be used if AppVersion is isSemver */}}
+{{- define "airlock-microgateway.supportedCRDVersionPattern" -}}
+{{- $version := (semver .Chart.AppVersion) -}}
+{{- if $version.Prerelease -}}
+>= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }}
+{{- else -}}
+>= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0
+{{- end -}}
+{{- end -}}
+
+{{- define "airlock-microgateway.outdatedCRDs" -}}
+{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}}
+ {{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}}
+ {{- range $path, $_ := .Files.Glob "crds/*.yaml" -}}
+ {{- $api := ($.Files.Get $path | fromYaml).metadata.name -}}
+ {{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}}
+ {{- $isOutdated := false -}}
+ {{- if $crd -}}
+ {{/* If CRD is already present in the cluster, it must have the minimum supported version */}}
+ {{- $isOutdated = true -}}
+ {{- if hasKey $crd.metadata "labels" -}}
+ {{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}}
+ {{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}}
+ {{- if (semverCompare $supportedVersion $crdVersion) }}
+ {{- $isOutdated = false -}}
+ {{- end }}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+ {{- if $isOutdated }}
+{{ base $path }}
+ {{- end }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "airlock-microgateway.isSemver" -}}
+{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}}
+{{- end -}}
+
+{{- define "airlock-microgateway.docsVersion" -}}
+{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}}
+ {{- $version := (semver .Chart.AppVersion) -}}
+ {{- $version.Major }}.{{ $version.Minor -}}
+{{- else -}}
+ {{- print "latest" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}}
+{{- $list := list -}}
+{{- with .matchLabels -}}
+ {{- range $key, $value := . -}}
+ {{- $list = append $list (printf "%s=%s" $key $value) -}}
+ {{- end -}}
+{{- end -}}
+{{- with .matchExpressions -}}
+ {{- range . -}}
+ {{- if has .operator (list "In" "NotIn") -}}
+ {{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}}
+ {{- else if eq .operator "Exists" -}}
+ {{- $list = append $list .key -}}
+ {{- else if eq .operator "DoesNotExist" -}}
+ {{- $list = append $list (printf "!%s" .key) -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- join "," $list -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/_operator_helpers.tpl b/charts/airlock/microgateway/4.4.2/templates/operator/_operator_helpers.tpl
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/_operator_helpers.tpl
rename to charts/airlock/microgateway/4.4.2/templates/operator/_operator_helpers.tpl
diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/_rbac.gen.tpl b/charts/airlock/microgateway/4.4.2/templates/operator/_rbac.gen.tpl
similarity index 100%
rename from charts/airlock/microgateway/4.4.1/templates/operator/_rbac.gen.tpl
rename to charts/airlock/microgateway/4.4.2/templates/operator/_rbac.gen.tpl
diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/_webhooks.gen.tpl b/charts/airlock/microgateway/4.4.2/templates/operator/_webhooks.gen.tpl
similarity index 100%
rename from charts/airlock/microgateway/4.4.1/templates/operator/_webhooks.gen.tpl
rename to charts/airlock/microgateway/4.4.2/templates/operator/_webhooks.gen.tpl
diff --git a/charts/airlock/microgateway/4.4.1/templates/operator/configmap.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/configmap.yaml
similarity index 99%
rename from charts/airlock/microgateway/4.4.1/templates/operator/configmap.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/configmap.yaml
index 276a632e86..a9c07b5f16 100644
--- a/charts/airlock/microgateway/4.4.1/templates/operator/configmap.yaml
+++ b/charts/airlock/microgateway/4.4.2/templates/operator/configmap.yaml
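Review bot: `airlock-microgateway.outdatedCRDs`, `isSemver`, `docsVersion` and `watchNamespaceSelector.labelQuery` are the only helpers in this file without the `{{/* ... */}}` header the others carry, and `outdatedCRDs` in particular encodes a fail-closed decision that deserves stating: a CRD that exists in the cluster starts as outdated (`$isOutdated = true`) and is only cleared when its `app.kubernetes.io/version` label is a parseable semver inside `supportedCRDVersionPattern`, so a CRD with no label or a non-semver label is reported as outdated. I would add above the define `{{/* Lists chart CRD files (base names) whose in-cluster CRD is missing a parseable app.kubernetes.io/version label or carries one outside the supported range; built on lookup, so it yields nothing when rendering without cluster access. */}}`. For `labelQuery`, a short comment saying that it renders a LabelSelector into a `-l` style query and that matchExpressions with an operator other than In/NotIn/Exists/DoesNotExist are dropped would document what the final `if`/`else if` chain does silently.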
@@ -125,6 +125,7 @@ data:
 - name: xds_cluster
 connect_timeout: 1s
 type: STRICT_DNS
+ respect_dns_ttl: true
 load_assignment:
 cluster_name: xds_cluster
 endpoints:
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/dashboard-configmap.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/dashboard-configmap.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/dashboard-configmap.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/dashboard-configmap.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/deployment.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/deployment.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/deployment.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/deployment.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/manager-role.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/manager-role.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/manager-role.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/manager-role.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/manager-rolebinding.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/manager-rolebinding.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/manager-rolebinding.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/manager-rolebinding.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/metrics-service.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/metrics-service.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/metrics-service.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/metrics-service.yaml
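Review bot: The added `respect_dns_ttl: true` on the `xds_cluster` STRICT_DNS cluster changes how often Envoy re-resolves the operator's xDS endpoint (it follows the DNS record's TTL instead of a fixed refresh interval), and nothing in the hunk records why; a comment such as `# re-resolve the xDS service at the record's TTL so operator pod churn is picked up promptly` would preserve the intent for the next version bump. The cluster definition starts before the hunk, so I cannot see whether a `dns_refresh_rate` is configured; as far as I know Envoy falls back to it when the answer's TTL is zero, so it is worth confirming the fallback is what you want. Since this is a templated ConfigMap, make sure the comment lands inside the bootstrap YAML rather than in the Helm template layer if you want it to travel with the rendered config.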
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/mutating-webhook.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/mutating-webhook.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/mutating-webhook.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/mutating-webhook.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/podmonitor.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/podmonitor.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/podmonitor.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/podmonitor.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/role.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/role.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/role.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/role.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/rolebinding.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/rolebinding.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/rolebinding.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/rolebinding.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/selfsigned-issuer.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/selfsigned-issuer.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/selfsigned-issuer.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/selfsigned-issuer.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/serviceaccount.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/serviceaccount.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/serviceaccount.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/serviceaccount.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/servicemonitor.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/servicemonitor.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/servicemonitor.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/servicemonitor.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/serving-certificate.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/serving-certificate.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/serving-certificate.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/serving-certificate.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/validating-webhook.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/validating-webhook.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/validating-webhook.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/validating-webhook.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/webhook-service.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/webhook-service.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/webhook-service.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/webhook-service.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/xds-service.yaml b/charts/airlock/microgateway/4.4.2/templates/operator/xds-service.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/operator/xds-service.yaml
rename to charts/airlock/microgateway/4.4.2/templates/operator/xds-service.yaml
diff --git a/charts/airlock/microgateway/4.4.2/templates/tests/rbac.yaml b/charts/airlock/microgateway/4.4.2/templates/tests/rbac.yaml
new file mode 100644
index 0000000000..93bd4cd1bd
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.2/templates/tests/rbac.yaml
@@ -0,0 +1,143 @@
+{{- if .Values.tests.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: tests
+ app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
+ {{- include "airlock-microgateway.sharedLabels" . | n.indent 4 }}
+ name: "{{ include "airlock-microgateway.fullname" . }}-tests"
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: tests
+ app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
+ {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
+ name: "{{ include "airlock-microgateway.fullname" . }}-tests"
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "{{ include "airlock-microgateway.fullname" . }}-tests"
+subjects:
+- kind: ServiceAccount
+ name: "{{ include "airlock-microgateway.fullname" . }}-tests"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/component: tests
+ app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
+ {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
+ name: "{{ include "airlock-microgateway.fullname" . }}-tests"
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - sidecargateways
+ resourceNames:
+ - "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway"
+ verbs:
+ - get
+ - list
+ - watch
+ - delete
+- apiGroups:
+ - microgateway.airlock.com
+ resources:
+ - sidecargateways
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - list
+- apiGroups:
+ - "apps"
+ resources:
+ - deployments
+ resourceNames:
+ - "{{ include "airlock-microgateway.operator.fullname" . }}"
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - "apps"
+ resources:
+ - statefulsets
+ - statefulsets/scale
+ resourceNames:
+ - "{{ include "airlock-microgateway.fullname" . }}-test-backend"
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ - pods/status
+ - pods/attach
+ resourceNames:
+ - "{{ include "airlock-microgateway.fullname" . }}-test-backend-0"
+ - "{{ include "airlock-microgateway.fullname" . }}-test-valid-request"
+ - "{{ include "airlock-microgateway.fullname" . }}-test-injection-request"
+ verbs:
+ - get
+ - list
+ - create
+ - watch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+{{- if .Values.operator.watchNamespaceSelector }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: tests
+ app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
+ {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
+ name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}"
+subjects:
+ - kind: ServiceAccount
+ name: "{{ include "airlock-microgateway.fullname" . }}-tests"
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: tests
+ app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
+ {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
+ name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+{{- end }}
+{{- end -}}
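Review bot: The test Role grants `create` on `pods/attach` for the three named test pods, which amounts to interactive access to those containers, while the test-install script later in this commit only uses `kubectl get/describe/logs/wait/rollout/scale/apply/delete`; unless another test genuinely attaches, removing `pods/attach` from that resources list keeps the test ServiceAccount at least privilege. The two rules that grant `create` on `sidecargateways` and on `pods` without `resourceNames` look like duplicates of the scoped rules above them and will tempt someone to fold them back; a comment on each, `# 'create' cannot be restricted by resourceNames, so it is granted in its own rule`, records why they are separate. Everything here is only rendered when `tests.enabled` is true, which bounds the exposure to clusters that opt into `helm test`.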
diff --git a/charts/airlock/microgateway/4.3.2/templates/tests/service.yaml b/charts/airlock/microgateway/4.4.2/templates/tests/service.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/tests/service.yaml
rename to charts/airlock/microgateway/4.4.2/templates/tests/service.yaml
diff --git a/charts/airlock/microgateway/4.3.2/templates/tests/statefulset.yaml b/charts/airlock/microgateway/4.4.2/templates/tests/statefulset.yaml
similarity index 100%
rename from charts/airlock/microgateway/4.3.2/templates/tests/statefulset.yaml
rename to charts/airlock/microgateway/4.4.2/templates/tests/statefulset.yaml
diff --git a/charts/airlock/microgateway/4.4.2/templates/tests/test-install.yaml b/charts/airlock/microgateway/4.4.2/templates/tests/test-install.yaml
new file mode 100644
index 0000000000..721ae2b82e
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.2/templates/tests/test-install.yaml
@@ -0,0 +1,227 @@
+{{- if .Values.tests.enabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "airlock-microgateway.fullname" . }}-test-install"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/component: test-install
+ app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests
+ sidecar.istio.io/inject: "false"
+ {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }}
+ {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: test
+ helm.sh/hook-delete-policy: before-hook-creation
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test
+ image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}"
+ securityContext:
+ {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }}
+ command:
+ - sh
+ - -c
+ - |
+ set -eu
+
+ clean_up() {
+ echo ""
+ echo "### Clean up test resources"
+ kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true
+ echo ""
+ echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'"
+ kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s
+ sleep 3s
+ echo ""
+ }
+
+ fail() {
+ echo ""
+ echo "### Error: ${1}"
+ echo ""
+
+ if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then
+ echo ""
+ echo 'Microgateway Sidecargateway status:'
+ kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true
+ echo ""
+ echo ""
+ fi
+
+ if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then
+ echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':"
+ kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true
+ echo ""
+ echo ""
+ echo 'Logs of Nginx container:'
+ kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true
+ echo ""
+ echo ""
+ # Wait for engine logs
+ sleep 10s
+ echo 'Logs of Microgateway Engine container:'
+ kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true
+ fi
+
+ exit 1
+ }
+
+ create_sidecargateway() {
+ # create SidecarGateway resource for testing purposes
+ kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true
+ kubectl apply -f - </dev/null 2>&1; do sleep 1s; i=$((i+1)); done
+ kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
+ kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request
+ }
+
+ {{- if .Values.operator.watchNamespaceSelector }}
+ echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'"
+ if ! kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then
+ labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}')
+ fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"`
+ .Release.Namespace
+ (replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2)))
+ }}
+ fi
+ echo ""
+ {{- end }}
+
+ trap clean_up EXIT
+ echo ""
+
+ echo "### Waiting for Microgateway Operator Deployments to be ready"
+ if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \
+ deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then
+ fail 'Timeout occurred'
+ fi
+ echo ""
+
+ echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica"
+ # scale to zero replicas to ensure no pods are present from previous runs
+ kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s
+ kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s
+ echo ""
+
+ echo "### Waiting for backend pod"
+ i=0
+ while true; do
+ if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then
+ break
+ elif [ $i -gt 3 ]; then
+ fail 'Pod not ready'
+ fi
+ sleep 2s
+ i=$((i+1))
+ done
+
+ echo "### Checking Microgateway Engine sidecar container was injected"
+ if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then
+ fail 'Microgateway Engine sidecar container not injected'
+ fi
+ echo "True"
+ echo ""
+
+ echo "### Checking for valid license"
+ i=0
+ while true; do
+ if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then
+ break
+ elif [ $i -gt 30 ]; then
+ fail 'Microgateway license is missing or invalid'
+ fi
+ sleep 2s
+ i=$((i+1))
+ done
+ echo "True"
+ echo ""
+
+ echo "### Create SidecarGateway resource for testing"
+ if ! create_sidecargateway ; then
+ fail 'Creation of SidecarGateway resource failed'
+ fi
+ echo ""
+
+ echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready"
+ if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then
+ fail 'Timeout occurred'
+ fi
+ echo ""
+
+ echo "### Waiting for 'engine-config-valid' condition"
+ if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then
+ fail 'Configuration was never accepted by the Microgateway Engine'
+ fi
+ sleep 5s
+ echo ""
+ echo ""
+
+ echo "### Checking whether a valid request is successful and returns HTTP status code '200'"
+ out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true)
+ echo "Response:"
+ echo "${out}"
+ if ! echo "${out}" | grep -q "200 OK"; then
+ fail 'A valid request was not successful'
+ fi
+ echo ""
+ echo ""
+
+ echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'"
+ out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true)
+ echo "Response:"
+ echo "${out}"
+ if ! echo "${out}" | grep -q "400 Bad Request"; then
+ fail 'A malicious request was not blocked'
+ fi
+ echo ""
+ echo ""
+
+ echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded"
+ exit 0
+ serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests"
+{{- end -}}
diff --git a/charts/airlock/microgateway/4.4.2/values.schema.json b/charts/airlock/microgateway/4.4.2/values.schema.json
new file mode 100644
index 0000000000..05c7d77175
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.2/values.schema.json
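Review bot: The test container image `bitnami/kubectl:<major>.<minor>` is pulled from Docker Hub by a floating tag, with no digest, no `imagePullSecrets` on the Pod spec and no values override, whereas every product image in this chart (see `operator.image` with `repository`/`tag`/`digest` in values.yaml later in the commit) can be pinned and redirected to a private registry; on air-gapped or admission-policed clusters `helm test` will simply fail to pull, and the tag can change underneath the test. Consider exposing the image under `tests` in values with the same `repository`/`tag`/`digest` shape, rendering it through the existing `airlock-microgateway.image` helper, and propagating the chart's `imagePullSecrets` to this Pod. The script also relies on `curl`, `jq` and `awk` being present in that image, which deserves a comment next to the `image:` line so a future image swap does not silently break the checks. Note that the `create_sidecargateway` body appears truncated in this rendering (the `kubectl apply -f -` heredoc and the beginning of the valid-request helper are missing), so I could not review that part.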
@@ -0,0 +1,572 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "type": "object",
+ "properties": {
+ "nameOverride": {
+ "type": "string"
+ },
+ "fullnameOverride": {
+ "type": "string"
+ },
+ "commonLabels": {
+ "$ref": "#/definitions/StringMap"
+ },
+ "commonAnnotations": {
+ "$ref": "#/definitions/StringMap"
+ },
+ "crds": {
+ "type": "object",
+ "properties": {
+ "skipVersionCheck": {
+ "type": "boolean"
+ }
+ },
+ "additionalProperties": false
+ },
+ "imagePullSecrets": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1
+ }
+ },
+ "required": [
+ "name"
+ ],
+ "additionalProperties": true
+ }
+ },
+ "operator": {
+ "type": "object",
+ "properties": {
+ "replicaCount": {
+ "type": "integer",
+ "minimum": 0
+ },
+ "updateStrategy": {
+ "$ref": "#/definitions/UpdateStrategy"
+ },
+ "image": {
+ "$ref": "#/definitions/Image"
+ },
+ "podAnnotations": {
+ "$ref": "#/definitions/StringMap"
+ },
+ "podLabels": {
+ "$ref": "#/definitions/StringMap"
+ },
+ "serviceAnnotations": {
+ "$ref": "#/definitions/StringMap"
+ },
+ "serviceLabels": {
+ "$ref": "#/definitions/StringMap"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "nodeSelector": {
+ "$ref": "#/definitions/StringMap"
+ },
+ "tolerations": {
+ "type": "array",
+ "items": {
+ "type": "object"
+ }
+ },
+ "affinity": {
+ "type": "object"
+ },
+ "config": {
+ "type": "object",
+ "properties": {
+ "logLevel": {
+ "type": "string",
+ "enum": [
+ "debug",
+ "info",
+ "warn",
+ "error"
+ ]
+ }
+ },
+ "required": [
+ "logLevel"
+ ],
+ "additionalProperties": false
+ },
+ "serviceAccount": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "annotations": {
+ "$ref": "#/definitions/StringMap"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "annotations",
+ "create",
+ "name"
+ ],
+ "additionalProperties": false
+ },
+ "watchNamespaces": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "watchNamespaceSelector": {
+ "$ref": "#/definitions/LabelSelector"
+ },
+ "rbac": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "create"
+ ],
+ "additionalProperties": false
+ },
+ "serviceMonitor": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "labels": {
+ "$ref": "#/definitions/StringMap"
+ }
+ },
+ "required": [
+ "create"
+ ],
+ "additionalProperties": false
+ },
+ "gatewayAPI": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "controllerName" : {
+ "type": "string",
+ "pattern": "^microgateway\\.airlock\\.com\/[A-Za-z0-9\/\\-._~%!$&'()*+,;=:]+$"
+ }
+ },
+ "required": [
+ "enabled"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "oneOf": [
+ {
+ "properties": {
+ "watchNamespaces": {
+ "minItems": 1
+ },
+ "watchNamespaceSelector": {
+ "additionalProperties": false
+ }
+ }
+ },
+ {
+ "properties": {
+ "watchNamespaces": {
+ "maxItems": 0
+ },
+ "watchNamespaceSelector": {
+ "$ref": "#/definitions/LabelSelector"
+ }
+ }
+ }
+ ],
+ "required": [
+ "affinity",
+ "config",
+ "image",
+ "updateStrategy",
+ "nodeSelector",
+ "podAnnotations",
+ "podLabels",
+ "rbac",
+ "replicaCount",
+ "resources",
+ "serviceAccount",
+ "serviceAnnotations",
+ "serviceLabels",
+ "serviceMonitor",
+ "tolerations"
+ ],
+ "additionalProperties": false
+ },
+ "engine": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "$ref": "#/definitions/Image"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "sidecar": {
+ "type": "object",
+ "properties":{
+ "podMonitor": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "labels": {
+ "$ref": "#/definitions/StringMap"
+ }
+ },
+ "required": [
+ "create"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "podMonitor"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "image",
+ "resources",
+ "sidecar"
+ ],
+ "additionalProperties": false
+ },
+ "networkValidator": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "$ref": "#/definitions/Image"
+ },
+ "resources": {
+ "type": "object"
+ }
+ },
+ "required": [
+ "image",
+ "resources"
+ ],
+ "additionalProperties": false
+ },
+ "sessionAgent": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "$ref": "#/definitions/Image"
+ },
+ "resources": {
+ "type": "object"
+ }
+ },
+ "required": [
+ "image",
+ "resources"
+ ],
+ "additionalProperties": false
+ },
+ "license": {
+ "type": "object",
+ "properties": {
+ "secretName": {
+ "type": "string",
+ "minLength": 1
+ }
+ },
+ "required": [
+ "secretName"
+ ],
+ "additionalProperties": false
+ },
+ "dashboards": {
+ "type": "object",
+ "properties" : {
+ "create": {
+ "type": "boolean"
+ },
+ "config": {
+ "type": "object",
+ "properties": {
+ "grafana": {
+ "type": "object",
+ "properties": {
+ "folderAnnotation": {
+ "$ref": "#/definitions/NameValuePair"
+ },
+ "dashboardLabel": {
+ "$ref": "#/definitions/NameValuePair"
+ }
+ },
+ "required": [
+ "folderAnnotation",
+ "dashboardLabel"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "grafana"
+ ],
+ "additionalProperties": false
+ },
+ "instances": {
+ "type": "object",
+ "properties": {
+ "overview": {
+ "$ref": "#/definitions/DashboardInstance"
+ },
+ "license" : {
+ "$ref": "#/definitions/DashboardInstance"
+ },
+ "blockMetrics" : {
+ "$ref": "#/definitions/DashboardInstance"
+ },
+ "blockLogs" : {
+ "$ref": "#/definitions/DashboardInstance"
+ },
+ "headerLogs" : {
+ "$ref": "#/definitions/DashboardInstance"
+ },
+ "logOnlyMetrics" : {
+ "$ref": "#/definitions/DashboardInstance"
+ },
+ "logOnlyLogs" : {
+ "$ref": "#/definitions/DashboardInstance"
+ }
+ },
+ "required": [
+ "overview",
+ "license",
+ "blockMetrics",
+ "blockLogs",
+ "headerLogs",
+ "logOnlyMetrics",
+ "logOnlyLogs"
+ ],
+ "additionalProperties": false
+ }
+ },
+ "required": [
+ "create",
+ "config",
+ "instances"
+ ],
+ "additionalProperties": false
+ },
+ "tests": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "enabled"
+ ],
+ "additionalProperties": false
+ },
+ "global": {
+ "type": "object"
+ }
+ },
+ "required": [
+ "commonAnnotations",
+ "commonLabels",
+ "crds",
+ "engine",
+ "fullnameOverride",
+ "imagePullSecrets",
+ "license",
+ "nameOverride",
+ "operator",
+ "networkValidator",
+ "sessionAgent",
+ "dashboards",
+ "tests"
+ ],
+ "additionalProperties": false,
+ "definitions": {
+ "StringMap": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ }
+ },
+ "Image": {
+ "type": "object",
+ "properties": {
+ "repository": {
+ "type": "string",
+ "minLength": 1
+ },
+ "tag": {
+ "type": "string"
+ },
+ "digest": {
+ "type": "string",
+ "pattern": "^$|^sha256:[a-f0-9]{64}$"
+ },
+ "pullPolicy": {
+ "type": "string",
+ "enum": [
+ "Always",
+ "IfNotPresent",
+ "Never"
+ ]
+ }
+ },
+ "required": [
+ "digest",
+ "pullPolicy",
+ "repository",
+ "tag"
+ ],
+ "additionalProperties": false
+ },
+ "LabelSelector": {
+ "type": "object",
+ "properties": {
+ "matchExpressions": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "key",
+ "operator"
+ ],
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "matchLabels": {
+ "$ref": "#/definitions/StringMap"
+ }
+ },
+ "additionalProperties": false
+ },
+ "UpdateStrategy": {
+ "type": "object",
+ "oneOf" : [
+ {
+ "properties": {
+ "type": {
+ "$ref": "#/definitions/RecreateType"
+ }
+ },
+ "required": [
+ "type"
+ ],
+ "additionalProperties": false
+ },
+ {
+ "properties": {
+ "type": {
+ "$ref": "#/definitions/RollingUpdateType"
+ },
+ "rollingUpdate": {
+ "$ref": "#/definitions/RollingUpdate"
+ }
+ },
+ "required": [
+ "type"
+ ],
+ "additionalProperties": false
+ }
+ ]
+ },
+ "RecreateType": {
+ "type": "string",
+ "enum": [
+ "Recreate"
+ ]
+ },
+ "RollingUpdateType": {
+ "type": "string",
+ "enum": [
+ "RollingUpdate"
+ ]
+ },
+ "RollingUpdate": {
+ "type": "object",
+ "properties": {
+ "maxSurge": {
+ "type": ["integer", "string"],
+ "minimum": 0,
+ "pattern": "^\\d+%?$"
+ },
+ "maxUnavailable": {
+ "type": ["integer", "string"],
+ "minimum": 0,
+ "pattern": "^\\d+%?$"
+ }
+ },
+ "anyOf": [
+ {"required": ["maxSurge"]},
+ {"required": ["maxUnavailable"]}
+ ],
+ "additionalProperties": false
+ },
+ "DashboardInstance" : {
+ "type" : "object",
+ "properties" : {
+ "create" : {
+ "type" : "boolean"
+ }
+ },
+ "required" : [
+ "create"
+ ],
+ "additionalProperties": false
+ },
+ "NameValuePair" : {
+ "type" : "object",
+ "properties" : {
+ "name" : {
+ "type": "string",
+ "minLength": 1
+ },
+ "value" : {
+ "type" : "string",
+ "minLength": 1
+ }
+ },
+ "required" : [
+ "name",
+ "value"
+ ],
+ "additionalProperties": false
+ }
+ }
+}
diff --git a/charts/airlock/microgateway/4.4.2/values.yaml b/charts/airlock/microgateway/4.4.2/values.yaml
new file mode 100644
index 0000000000..e26a8b6331
--- /dev/null
+++ b/charts/airlock/microgateway/4.4.2/values.yaml
@@ -0,0 +1,237 @@
+# -- Allows overriding the name to use instead of "microgateway".
+nameOverride: ""
+# -- Allows overriding the name to use as full name of resources.
+fullnameOverride: ""
+# -- Labels to add to all resources.
+commonLabels: {}
+# -- Annotations to add to all resources.
+commonAnnotations: {}
+# -- ImagePullSecrets to use when pulling images.
+imagePullSecrets: []
+# - name: myRegistryKeySecretName
+
+crds:
+ # -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs.
+ # The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster
+ # when performing a "helm install/upgrade".
+ skipVersionCheck: false
+operator:
+ # -- Number of replicas for the operator Deployment.
+ replicaCount: 2
+ # -- Specifies the operator update strategy.
+ updateStrategy:
+ type: RollingUpdate
+ # Specifies the Airlock Microgateway Operator image.
+ image:
+ # -- Image repository from which to pull the Airlock Microgateway Operator image.
+ repository: "quay.io/airlock/microgateway-operator"
+ # -- Image tag to pull.
+ tag: "4.4.2"
+ # -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63").
+ # Overrides tag when specified.
+ digest: "sha256:f5b3b8e728fcc1ab15e8b8401ac120f810b8228488b380cc23497d3e82414d71"
+ # -- Pull policy for this image.
+ pullPolicy: IfNotPresent
+ # -- Annotations to add to all Pods.
+ podAnnotations: {}
+ # -- Labels to add to all Pods.
+ podLabels: {}
+ # -- Annotations to add to the Service.
+ serviceAnnotations: {}
+ # prometheus.io/scrape: "true"
+ # prometheus.io/port: "8080"
+
+ # -- Labels to add to the Service.
+ serviceLabels: {}
+ # -- Resource restrictions to apply to the operator container.
+ resources: {}
+ # We recommend at least the following resource specification.
+ # limits:
+ # cpu: 1000m
+ # memory: 512Mi
+ # requests:
+ # cpu: 100m
+ # memory: 512Mi
+
+ # -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes.
+ nodeSelector: {}
+ # -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes.
+ tolerations: []
+ # -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling.
+ affinity: {}
+ # Parameters for the operator configuration.
+ config:
+ # -- Operator application log level.
+ logLevel: "info"
+ # Configures the generation of the ServiceAccount.
+ serviceAccount:
+ # -- Whether a ServiceAccount should be created.
+ create: true
+ # -- Annotations to add to the ServiceAccount.
+ annotations: {}
+ # -- Name of the ServiceAccount to use.
+ # If not set and create is true, a name is generated using the fullname template.
+ name: ""
+ # -- Allows to restrict the operator to specific namespaces, depending on your needs.
+ # For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`).
+ # In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace.
+ # For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`.
+ # An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty.
+ # Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces.
+ # Please note that this feature requires a Premium license.
+ watchNamespaces: []
+ # -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector.
+ # It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator.
+ # This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings).
+ # An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty.
+ # Please note that this feature requires a Premium license.
+ watchNamespaceSelector: {}
+ # For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements.
+ # matchLabels:
+ # microgateway.airlock.com/enable: "true"
+ # matchExpressions:
+ # - { key: environment, operator: NotIn, values: [dev] }
+
+ # Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above.
+ rbac:
+ # -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function.
+ create: true
+ # Configures the generation of a Prometheus Operator ServiceMonitor.
+ serviceMonitor:
+ # -- Whether to create a ServiceMonitor resource for monitoring.
+ create: false
+ # -- Labels to add to the ServiceMonitor.
+ labels: {}
+ # release: ""
+ # Configures the Kubernetes Gateway API integration.
+ gatewayAPI:
+ # -- Whether to enable the Kubernetes Gateway API related controllers.
+ # Requires that the gateway.networking.k8s.io/v1 resources are installed on the cluster.
+ enabled: false
+ # -- Controller name referred in the GatewayClasses managed by this operator. The value must be a path prefixed by the domain `microgateway.airlock.com`.
+ controllerName: microgateway.airlock.com/gatewayclass-controller
+engine:
+ # Specifies the Airlock Microgateway Engine image.
+ image:
+ # -- Image repository from which to pull the Airlock Microgateway Engine image.
+ repository: "quay.io/airlock/microgateway-engine"
+ # -- Image tag to pull.
+ tag: "4.4.2"
+ # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3").
+ # Overrides tag when specified.
+ digest: "sha256:d37457ebd3a48e34e0f09f2ea207a963582222809ac836002351dc7d1e3788f0"
+ # -- Pull policy for this image.
+ pullPolicy: IfNotPresent
+ # -- Resource restrictions to apply to the Airlock Microgateway Engine container.
+ resources: {}
+ # We recommend at least the following resource specification.
+ # limits:
+ # cpu: 500m
+ # memory: 128Mi
+ # requests:
+ # cpu: 10m
+ # memory: 40Mi
+
+ # Additional configuration when deployed as a sidecar.
+ sidecar:
+ # Configures the generation of a Prometheus Operator PodMonitor.
+ podMonitor:
+ # -- Whether to create a PodMonitor resource for monitoring.
+ create: false
+ # -- Labels to add to the PodMonitor.
+ labels: {}
+ # release: ""
+networkValidator:
+ # Specifies the Airlock Microgateway Network Validator image to be injected as an init-container.
+ image:
+ # -- Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container.
+ repository: "cgr.dev/chainguard/netcat"
+ # -- Image tag to pull.
+ tag: ""
+ # -- SHA256 image digest to pull (in the format "sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c").
+ # Overrides tag when specified.
+ digest: "sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c"
+ # -- Pull policy for this image.
+ pullPolicy: IfNotPresent
+ # -- Resource restrictions to apply to the Airlock Microgateway Network Validator init-container.
+ resources:
+ limits:
+ cpu: 25m
+ memory: 12Mi
+ requests:
+ cpu: 5m
+ memory: 1Mi
+sessionAgent:
+ # Specifies the Airlock Microgateway Session Agent image.
+ image:
+ # -- Image repository from which to pull the Airlock Microgateway Session Agent image.
+ repository: "quay.io/airlock/microgateway-session-agent"
+ # -- Image tag to pull.
+ tag: "4.4.2"
+ # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3").
+ # Overrides tag when specified.
+ digest: "sha256:5d355747e98fc2c81996cfc6e13b1800181357f5a78e2ac01ab31509127a1f4c"
+ # -- Pull policy for this image.
+ pullPolicy: IfNotPresent
+ # -- Resource restrictions to apply to the Airlock Microgateway Session Agent container.
+ resources: {}
+ # We recommend at least the following resource specification.
+ # limits:
+ # cpu: 150m
+ # memory: 32Mi
+ # requests:
+ # cpu: 10m
+ # memory: 8Mi
+license:
+ # -- Name of the secret containing the "microgateway-license.txt" key.
+ secretName: "airlock-microgateway-license"
+# Creates dashboards in the form of ConfigMaps that can be imported
+# by Grafana using its sidecar setup.
+dashboards:
+ # -- Whether to create any ConfigMaps containing Grafana dashboards to import.
+ create: false
+ config:
+ # Configures the necessary label and annotations along with their values
+ # to enable Grafana to correctly identify the ConfigMaps containing
+ # dashboards and file them within a dedicated folder in the dashboard overview.
+ # These settings need to match the Grafana sidecar configuration.
+ grafana:
+ folderAnnotation:
+ # -- Name of the annotation containing the folder name to file dashboards into.
+ name: "grafana_folder"
+ # -- Name of the folder dashboards are filed into within the Grafana UI.
+ value: "Airlock Microgateway"
+ dashboardLabel:
+ # -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards.
+ name: "grafana_dashboard"
+ # -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards.
+ value: "1"
+ instances:
+ # Available dashboard instances that can be individually created/deployed.
+ overview:
+ # -- Whether to create the overview dashboard.
+ create: true
+ license:
+ # -- Whether to create the license dashboard.
+ create: true
+ blockMetrics:
+ # -- Whether to create the block metrics dashboard.
+ create: true
+ blockLogs:
+ # -- Whether to create the block logs dashboard.
+ create: true
+ headerLogs:
+ # -- Whether to create the header rewrite logs dashboard.
+ create: true
+ logOnlyMetrics:
+ # -- Whether to create the log only metrics dashboard
+ create: true
+ logOnlyLogs:
+ # -- Whether to create the log only logs dashboard.
+ create: true
+# Check whether the installation of the Airlock Microgateway Helm Chart was successful.
+# Requires a secret with a valid Airlock Microgateway license key already to be present.
+tests:
+ # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts).
+ # If set to false, `helm test` will not run any tests.
+ enabled: false
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/CONTRIBUTING.md b/charts/cockroach-labs/cockroachdb/15.0.2/CONTRIBUTING.md
new file mode 100644
index 0000000000..e248d72e11
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/CONTRIBUTING.md
@@ -0,0 +1,14 @@
+# Contributing
+
+Contributions are welcome!
+
+For every change, please increment the `version` contained in
+[Chart.yaml](https://github.com/cockroachdb/helm-charts/blob/master/cockroachdb/Chart.yaml).
+The `version` roughly follows the [SEMVER](https://semver.org/) versioning
+pattern. For changes which do not affect backwards compatibility, the PATCH or
+MINOR version must be incremented, e.g. `4.1.3` -> `4.1.4`. For changes which
+affect the backwards compatibility of the chart, the major version must be
+incremented, e.g. `4.1.3` -> `5.0.0`. Examples of changes which affect backwards
+compatibility include any major version releases of CockroachDB, as well as any
+breaking changes to the CockroachDB chart templates.
+
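Review bot: The `networkValidator` image is the only one in this hunk identified solely by its digest — `tag: ""` next to `digest: "sha256:7ef657…"` — while the chart's values schema in the preceding hunk (`"pattern": "^$|^sha256:[a-f0-9]{64}$"`) also accepts an empty digest, so an override that clears the digest without supplying a tag leaves a bare `cgr.dev/chainguard/netcat` reference that presumably resolves to a floating default tag. How the templates render that combination is outside this hunk, so I cannot confirm the fallback; the values file itself gives no warning. I would state it next to the key: `# -- Image tag to pull. Left empty because this image is pinned by digest; if you override digest with "", also set an explicit tag, otherwise the init-container pulls whatever the registry's default tag points to.` The other three images carry both a tag and a digest, so they degrade more gracefully.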
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/Chart.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/Chart.yaml
new file mode 100644
index 0000000000..67aa282cdd
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/Chart.yaml
@@ -0,0 +1,18 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: CockroachDB
+ catalog.cattle.io/kube-version: '>=1.8-0'
+ catalog.cattle.io/release-name: cockroachdb
+apiVersion: v1
+appVersion: 24.3.1
+description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
+home: https://www.cockroachlabs.com
+icon: file://assets/icons/cockroachdb.png
+kubeVersion: '>=1.8-0'
+maintainers:
+- email: helm-charts@cockroachlabs.com
+ name: cockroachlabs
+name: cockroachdb
+sources:
+- https://github.com/cockroachdb/cockroach
+version: 15.0.2
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/README.md b/charts/cockroach-labs/cockroachdb/15.0.2/README.md
new file mode 100644
index 0000000000..6a93040501
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/README.md
@@ -0,0 +1,596 @@ + +# CockroachDB Helm Chart + +[CockroachDB](https://github.com/cockroachdb/cockroach) - the open source, cloud-native distributed SQL database. + +## Documentation + +Below is a brief overview of operating the CockroachDB Helm Chart and some specific implementation details. For additional information on deploying CockroachDB, please see: +> + +Note that the documentation requires Helm 3.0 or higher. + +## Prerequisites Details + +* Kubernetes 1.8 +* PV support on the underlying infrastructure (only if using `storage.persistentVolume`). [Docker for windows hostpath provisioner is not supported](https://github.com/cockroachdb/docs/issues/3184). +* If you want to secure your cluster to use TLS certificates for all network communication, [Helm must be installed with RBAC privileges](https://helm.sh/docs/topics/rbac/) or else you will get an "attempt to grant extra privileges" error. + +## StatefulSet Details + +* + +## StatefulSet Caveats + +* + +## Chart Details + +This chart will do the following: + +* Set up a dynamically scalable CockroachDB cluster using a Kubernetes StatefulSet. + +## Add the CockroachDB Repository + +```shell +$ helm repo add cockroachdb https://charts.cockroachdb.com/ +``` + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```shell +$ helm install my-release cockroachdb/cockroachdb +``` + +Note that for a production cluster, you will likely want to override the following parameters in [`values.yaml`](values.yaml) with your own values. + +- `statefulset.resources.requests.memory` and `statefulset.resources.limits.memory` allocate memory resources to CockroachDB pods in your cluster. +- `conf.cache` and `conf.max-sql-memory` are memory limits that we recommend setting to 1/4 of the above resource allocation. When running CockroachDB, you must set these limits explicitly to avoid running out of memory. 
+- `storage.persistentVolume.size` defaults to `100Gi` of disk space per pod, which you may increase or decrease for your use case. +- `storage.persistentVolume.storageClass` uses the default storage class for your environment. We strongly recommend that you specify a storage class which uses an SSD. +- `tls.enabled` must be set to `yes`/`true` to deploy in secure mode. + +For more information on overriding the `values.yaml` parameters, please see: +> + +Confirm that all pods are `Running` successfully and init has been completed: + +```shell +$ kubectl get pods + +NAME READY STATUS RESTARTS AGE +my-release-cockroachdb-0 1/1 Running 0 1m +my-release-cockroachdb-1 1/1 Running 0 1m +my-release-cockroachdb-2 1/1 Running 0 1m +my-release-cockroachdb-init-k6jcr 0/1 Completed 0 1m +``` + +Confirm that persistent volumes are created and claimed for each pod: + +```shell +$ kubectl get pv + +NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE +pvc-64878ebf-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-0 standard 51s +pvc-64945b4f-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-1 standard 51s +pvc-649d920d-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-2 standard 51s +``` + +### Running in secure mode + +In order to set up a secure cockroachdb cluster set `tls.enabled` to `yes`/`true` + +There are 3 ways to configure a secure cluster, with this chart. This all relates to how the certificates are issued: + +* Self-signer (default) +* Cert-manager +* Manual + +#### Self-signer + +This is the default behaviour, and requires no configuration beyond setting certificate durations if user wants to set custom duration. + +If you are running in this mode, self-signed certificates are created by self-signed utility for the nodes and root client and are stored in a secret. 
+You can look for the certificates created: +```shell +$ kubectl get secrets + +crdb-cockroachdb-ca-secret Opaque 2 23s +crdb-cockroachdb-client-secret kubernetes.io/tls 3 22s +crdb-cockroachdb-node-secret kubernetes.io/tls 3 23s +``` + + +#### Manual + +If you wish to supply the certificates to the nodes yourself set `tls.certs.provided` to `yes`/`true`. You may want to use this if you want to use a different certificate authority from the one being used by Kubernetes or if your Kubernetes cluster doesn't fully support certificate-signing requests. To use this, first set up your certificates and load them into your Kubernetes cluster as Secrets using the commands below: + +```shell +$ mkdir certs +$ mkdir my-safe-directory +$ cockroach cert create-ca --certs-dir=certs --ca-key=my-safe-directory/ca.key +$ cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key +$ kubectl create secret generic cockroachdb-root --from-file=certs +secret/cockroachdb-root created +$ cockroach cert create-node --certs-dir=certs --ca-key=my-safe-directory/ca.key localhost 127.0.0.1 my-release-cockroachdb-public my-release-cockroachdb-public.my-namespace my-release-cockroachdb-public.my-namespace.svc.cluster.local *.my-release-cockroachdb *.my-release-cockroachdb.my-namespace *.my-release-cockroachdb.my-namespace.svc.cluster.local +$ kubectl create secret generic cockroachdb-node --from-file=certs +secret/cockroachdb-node created +``` + +> Note: The subject alternative names are based on a release called `my-release` in the `my-namespace` namespace. 
Make sure they match the services created with the release during `helm install` + +If your certificates are stored in tls secrets such as secrets generated by cert-manager, the secret will contain files named: + +* `ca.crt` +* `tls.crt` +* `tls.key` + +Cockroachdb, however, expects the files to be named like this: + +* `ca.crt` +* `node.crt` +* `node.key` +* `client.root.crt` +* `client.root.key` + +By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correct filenames, when they are mounted to the cockroachdb pods. + +#### Cert-manager + +If you wish to supply certificates with [cert-manager][3], set + +* `tls.certs.certManager` to `yes`/`true` +* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster + +Example issuer: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: cockroachdb-ca + namespace: cockroachdb +data: + tls.crt: [BASE64 Encoded ca.crt] + tls.key: [BASE64 Encoded ca.key] +type: kubernetes.io/tls +--- +apiVersion: cert-manager.io/v1alpha3 +kind: Issuer +metadata: + name: cockroachdb-cert-issuer + namespace: cockroachdb +spec: + ca: + secretName: cockroachdb-ca +``` + +## Upgrading the cluster + +### Chart version 3.0.0 and after + +Launch a temporary interactive pod and start the built-in SQL client: + +```shell +$ kubectl run cockroachdb --rm -it \ +--image=cockroachdb/cockroach \ +--restart=Never \ +-- sql --insecure --host=my-release-cockroachdb-public +``` + +> If you are running in secure mode, you will have to provide a client certificate to the cluster in order to authenticate, so the above command will not work. 
See [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/client-secure.yaml) for an example of how to set up an interactive SQL shell against a secure cluster or [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/example-app-secure.yaml) for an example application connecting to a secure cluster. + +Set `cluster.preserve_downgrade_option`, where `$current_version` is the CockroachDB version currently running (e.g., `19.2`): + +```sql +> SET CLUSTER SETTING cluster.preserve_downgrade_option = '$current_version'; +``` + +Exit the shell and delete the temporary pod: + +```sql +> \q +``` + +Kick off the upgrade process by changing the new Docker image, where `$new_version` is the CockroachDB version to which you are upgrading: + +```shell +$ helm upgrade my-release cockroachdb/cockroachdb \ +--set image.tag=$new_version \ +--reuse-values +``` + +Kubernetes will carry out a safe [rolling upgrade](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets) of your CockroachDB nodes one-by-one. + +However, the upgrade will fail if it involves adding new Persistent Volume Claim (PVC) to the existing pods (e.g. enabling WAL Failover, pushing logs to a separate volume, etc.). In such cases, kindly repeat the following steps for each pod: +1. Delete the statefulset +```shell +$ kubectl delete sts my-release-cockroachdb --cascade=orphan +``` +The statefulset name can be found by running `kubectl get sts`. Note the `--cascade=orphan` flag used to prevent the deletion of pods. + +2. Delete the pod +```shell +$ kubectl delete pod my-release-cockroachdb- +``` + +3. Upgrade Helm chart +```shell +$ helm upgrade my-release cockroachdb/cockroachdb +``` +Kindly update the values.yaml file or provide the necessary flags to the `helm upgrade` command. This step will recreate the pod with the new PVCs. + +Note that the above steps need to be repeated for each pod in the CockroachDB cluster. 
This will ensure that the cluster is upgraded without any downtime. +Given the manual process involved, it is likely to cause network churn as cockroachdb will try to rebalance data across the other nodes. We are working on an automated solution to handle this scenario. + +Monitor the cluster's pods until all have been successfully restarted: + +```shell +$ kubectl get pods + +NAME READY STATUS RESTARTS AGE +my-release-cockroachdb-0 1/1 Running 0 2m +my-release-cockroachdb-1 1/1 Running 0 3m +my-release-cockroachdb-2 1/1 Running 0 3m +my-release-cockroachdb-3 0/1 ContainerCreating 0 25s +my-release-cockroachdb-init-nwjkh 0/1 ContainerCreating 0 6s +``` + +```shell +$ kubectl get pods \ +-o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}' + +my-release-cockroachdb-0 cockroachdb/cockroach:v24.3.1 +my-release-cockroachdb-1 cockroachdb/cockroach:v24.3.1 +my-release-cockroachdb-2 cockroachdb/cockroach:v24.3.1 +my-release-cockroachdb-3 cockroachdb/cockroach:v24.3.1 +``` + +Resume normal operations. Once you are comfortable that the stability and performance of the cluster is what you'd expect post-upgrade, finalize the upgrade: + +```shell +$ kubectl run cockroachdb --rm -it \ +--image=cockroachdb/cockroach \ +--restart=Never \ +-- sql --insecure --host=my-release-cockroachdb-public +``` + +```sql +> RESET CLUSTER SETTING cluster.preserve_downgrade_option; +> \q +``` + +### Chart versions prior to 3.0.0 + +Due to a change in the label format in version 3.0.0 of this chart, upgrading requires that you delete the StatefulSet. Luckily there is a way to do it without actually deleting all the resources managed by the StatefulSet. 
Use the workaround below to upgrade from charts versions previous to 3.0.0: + +Get the new labels from the specs rendered by Helm: + +```shell +$ helm template -f deploy.vals.yml cockroachdb/cockroachdb -x templates/statefulset.yaml \ +| yq r - spec.template.metadata.labels + +app.kubernetes.io/name: cockroachdb +app.kubernetes.io/instance: my-release +app.kubernetes.io/component: cockroachdb +``` + +Place the new labels on all pods of the StatefulSet (change `my-release-cockroachdb-0` to the name of each pod): + +```shell +$ kubectl label pods my-release-cockroachdb-0 \ +app.kubernetes.io/name=cockroachdb \ +app.kubernetes.io/instance=my-release \ +app.kubernetes.io/component=cockroachdb +``` + +Delete the StatefulSet without deleting pods: + +```shell +$ kubectl delete statefulset my-release-cockroachdb --cascade=false +``` + +Verify that no pod is deleted and then upgrade as normal. A new StatefulSet will be created, taking over the management of the existing pods and upgrading them if needed. + +### See also + +For more information about upgrading a cluster to the latest major release of CockroachDB, see [Upgrade to CockroachDB](https://www.cockroachlabs.com/docs/stable/upgrade-cockroach-version.html). + +Note that there are sometimes backward-incompatible changes to SQL features between major CockroachDB releases. For details, see the [Upgrade Policy](https://www.cockroachlabs.com/docs/cockroachcloud/upgrade-policy). + +## Configuration + +The following table lists the configurable parameters of the CockroachDB chart and their default values. +For details see the [`values.yaml`](values.yaml) file. 
+ +| Parameter | Description | Default | +| --------- | ----------- | ------- | +| `clusterDomain` | Cluster's default DNS domain | `cluster.local` | +| `conf.attrs` | CockroachDB node attributes | `[]` | +| `conf.cache` | Size of CockroachDB's in-memory cache | `25%` | +| `conf.cluster-name` | Name of CockroachDB cluster | `""` | +| `conf.disable-cluster-name-verification` | Disable CockroachDB cluster name verification | `no` | +| `conf.join` | List of already-existing CockroachDB instances | `[]` | +| `conf.log` | Logging configuration | `{}` | +| `conf.max-disk-temp-storage` | Max storage capacity for temp data | `0` | +| `conf.max-offset` | Max allowed clock offset for CockroachDB cluster | `500ms` | +| `conf.max-sql-memory` | Max memory to use processing SQL querie | `25%` | +| `conf.locality` | Locality attribute for this deployment | `""` | +| `conf.single-node` | Disable CockroachDB clustering (standalone mode) | `no` | +| `conf.sql-audit-dir` | Directory for SQL audit log | `""` | +| `conf.port` | WARNING this parameter is deprecated and will be removed in future version. Use `service.ports.grpc.internal.port` instead | `""` | +| `conf.http-port` | WARNING this parameter is deprecated and will be removed in future version. 
Use `service.ports.http.port` instead | `""` | +| `conf.path` | CockroachDB data directory mount path | `cockroach-data` | +| `conf.store.enabled` | Enable store configuration for CockroachDB | `false` | +| `conf.store.count` | Number of data stores per node | `1` | +| `conf.store.type` | CockroachDB storage type | `""` | +| `conf.store.size` | CockroachDB storage size | `""` | +| `conf.store.attrs` | CockroachDB storage attributes | `""` | +| `conf.wal-failover` | CockroachDB WAL Failover configuration | `{}` | +| `image.repository` | Container image name | `cockroachdb/cockroach` | +| `image.tag` | Container image tag | `v24.3.1` | +| `image.pullPolicy` | Container pull policy | `IfNotPresent` | +| `image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` | +| `statefulset.replicas` | StatefulSet replicas number | `3` | +| `statefulset.updateStrategy` | Update strategy for StatefulSet Pods | `{"type": "RollingUpdate"}` | +| `statefulset.podManagementPolicy` | `OrderedReady`/`Parallel` Pods creation/deletion order | `Parallel` | +| `statefulset.budget.maxUnavailable` | k8s PodDisruptionBudget parameter | `1` | +| `statefulset.args` | Extra command-line arguments | `[]` | +| `statefulset.env` | Extra env vars | `[]` | +| `statefulset.secretMounts` | Additional Secrets to mount at cluster members | `[]` | +| `statefulset.labels` | Additional labels of StatefulSet and its Pods | `{"app.kubernetes.io/component": "cockroachdb"}` | +| `statefulset.annotations` | Additional annotations of StatefulSet Pods | `{}` | +| `statefulset.nodeAffinity` | [Node affinity rules][2] of StatefulSet Pods | `{}` | +| `statefulset.podAffinity` | [Inter-Pod affinity rules][1] of StatefulSet Pods | `{}` | +| `statefulset.podAntiAffinity` | [Anti-affinity rules][1] of StatefulSet Pods | auto | +| `statefulset.podAntiAffinity.topologyKey` | The topologyKey for auto [anti-affinity rules][1] | `kubernetes.io/hostname` | +| `statefulset.podAntiAffinity.type` | 
Type of auto [anti-affinity rules][1] | `soft` |
+| `statefulset.podAntiAffinity.weight` | Weight for `soft` auto [anti-affinity rules][1] | `100` |
+| `statefulset.nodeSelector` | Node labels for StatefulSet Pods assignment | `{}` |
+| `statefulset.priorityClassName` | [PriorityClassName][4] for StatefulSet Pods | `""` |
+| `statefulset.tolerations` | Node taints to tolerate by StatefulSet Pods | `[]` |
+| `statefulset.topologySpreadConstraints` | [Topology Spread Constraints rules][5] of StatefulSet Pods | auto |
+| `statefulset.topologySpreadConstraints.maxSkew` | Degree to which Pods may be unevenly distributed | `1` |
+| `statefulset.topologySpreadConstraints.topologyKey` | The key of node labels | `topology.kubernetes.io/zone` |
+| `statefulset.topologySpreadConstraints.whenUnsatisfiable` | `ScheduleAnyway`/`DoNotSchedule` for unsatisfiable constraints | `ScheduleAnyway` |
+| `statefulset.resources` | Resource requests and limits for StatefulSet Pods | `{}` |
+| `statefulset.customLivenessProbe` | Custom Liveness probe | `{}` |
+| `statefulset.customReadinessProbe` | Custom Rediness probe | `{}` |
+| `statefulset.customStartupProbe` | Custom Startup probe | `{}` |
+| `statefulset.terminationGracePeriodSeconds` | Termination grace period for CRDB statefulset pods | `300` |
+| `service.ports.grpc.external.port` | CockroachDB primary serving port in Services | `26257` |
+| `service.ports.grpc.external.name` | CockroachDB primary serving port name in Services | `grpc` |
+| `service.ports.grpc.internal.port` | CockroachDB inter-communication port in Pods and Services | `26257` |
+| `service.ports.grpc.internal.name` | CockroachDB inter-communication port name in Services | `grpc-internal` |
+| `service.ports.http.port` | CockroachDB HTTP port in Pods and Services | `8080` |
+| `service.ports.http.name` | CockroachDB HTTP port name in Services | `http` |
+| `service.public.type` | Public Service type | `ClusterIP` |
+| `service.public.labels` | Additional labels of public Service | `{"app.kubernetes.io/component": "cockroachdb"}` |
+| `service.public.annotations` | Additional annotations of public Service | `{}` |
+| `service.discovery.labels` | Additional labels of discovery Service | `{"app.kubernetes.io/component": "cockroachdb"}` |
+| `service.discovery.annotations` | Additional annotations of discovery Service | `{}` |
+| `ingress.enabled` | Enable ingress resource for CockroachDB | `false` |
+| `ingress.labels` | Additional labels of Ingress | `{}` |
+| `ingress.annotations` | Additional annotations of Ingress | `{}` |
+| `ingress.paths` | Paths for the default host | `[/]` |
+| `ingress.hosts` | CockroachDB Ingress hostnames | `[]` |
+| `ingress.tls[0].hosts` | CockroachDB Ingress tls hostnames | `nil` |
+| `ingress.tls[0].secretName` | CockroachDB Ingress tls secret name | `nil` |
+| `prometheus.enabled` | Enable automatic monitoring of all instances when Prometheus is running | `true` |
+| `serviceMonitor.enabled` | Create [ServiceMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor) Resource for scraping metrics using [PrometheusOperator](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md#prometheus-operator) | `false` |
+| `serviceMonitor.labels` | Additional labels of ServiceMonitor | `{}` |
+| `serviceMonitor.annotations` | Additional annotations of ServiceMonitor | `{}` |
+| `serviceMonitor.interval` | ServiceMonitor scrape metrics interval | `10s` |
+| `serviceMonitor.scrapeTimeout` | ServiceMonitor scrape timeout | `nil` |
+| `serviceMonitor.tlsConfig` | Additional TLS configuration of ServiceMonitor | `{}` |
+| `serviceMonitor.namespaced` | Limit ServiceMonitor to current namespace | `false` |
+| `storage.hostPath` | Absolute path on host to store data | `""` |
+| `storage.persistentVolume.enabled` | Whether to use PersistentVolume to store data | `yes` |
+| `storage.persistentVolume.size` | PersistentVolume size | `100Gi` |
+| `storage.persistentVolume.storageClass` | PersistentVolume class | `""` |
+| `storage.persistentVolume.labels` | Additional labels of PersistentVolumeClaim | `{}` |
+| `storage.persistentVolume.annotations` | Additional annotations of PersistentVolumeClaim | `{}` |
+| `init.labels` | Additional labels of init Job and its Pod | `{"app.kubernetes.io/component": "init"}` |
+| `init.jobAnnotations` | Additional annotations of the init Job itself | `{}` |
+| `init.annotations` | Additional annotations of the Pod of init Job | `{}` |
+| `init.affinity` | [Affinity rules][2] of init Job Pod | `{}` |
+| `init.nodeSelector` | Node labels for init Job Pod assignment | `{}` |
+| `init.tolerations` | Node taints to tolerate by init Job Pod | `[]` |
+| `init.resources` | Resource requests and limits for the `cluster-init` container | `{}` |
+| `init.terminationGracePeriodSeconds` | Termination grace period for CRDB init job | `300` |
+| `tls.enabled` | Whether to run securely using TLS certificates | `no` |
+| `tls.serviceAccount.create` | Whether to create a new RBAC service account | `yes` |
+| `tls.serviceAccount.name` | Name of RBAC service account to use | `""` |
+| `tls.copyCerts.image` | Image used in copy certs init container | `busybox` |
+| `tls.copyCerts.resources` | Resource requests and limits for the `copy-certs` container | `{}` |
+| `tls.certs.provided` | Bring your own certs scenario, i.e certificates are provided | `no` |
+| `tls.certs.clientRootSecret` | If certs are provided, secret name for client root cert | `cockroachdb-root` |
+| `tls.certs.nodeSecret` | If certs are provided, secret name for node cert | `cockroachdb-node` |
+| `tls.certs.tlsSecret` | Own certs are stored in TLS secret | `no` |
+| `tls.certs.selfSigner.enabled` | Whether cockroachdb should generate its own self-signed certs | `true` |
+| `tls.certs.selfSigner.caProvided` | Bring your own CA scenario. This CA will be used to generate node and client cert | `false` |
+| `tls.certs.selfSigner.caSecret` | If CA is provided, secret name for CA cert | `""` |
+| `tls.certs.selfSigner.minimumCertDuration` | Minimum cert duration for all the certs, all certs duration will be validated against this duration | `624h` |
+| `tls.certs.selfSigner.caCertDuration` | Duration of CA cert in hour | `43824h` |
+| `tls.certs.selfSigner.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` |
+| `tls.certs.selfSigner.clientCertDuration` | Duration of client cert in hour | `672h |
+| `tls.certs.selfSigner.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
+| `tls.certs.selfSigner.nodeCertDuration` | Duration of node cert in hour | `8760h` |
+| `tls.certs.selfSigner.nodeCertExpiryWindow` | Expiry window of node cert means a window before actual expiry in which node certs should be rotated | `168h` |
+| `tls.certs.selfSigner.rotateCerts` | Whether to rotate the certs generate by cockroachdb | `true` |
+| `tls.certs.selfSigner.readinessWait` | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true | `30s` |
+| `tls.certs.selfSigner.podUpdateTimeout` | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true | `2m` |
+| `tls.certs.certManager` | Provision certificates with cert-manager | `false` |
+| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
+| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
+| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
+| `tls.certs.certManagerIssuer.caCertDuration` | Duration of CA cert in hour | `43824h` |
+| `tls.certs.certManagerIssuer.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` |
+| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
+| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
+| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
+| `tls.certs.certManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
+| `tls.selfSigner.image.repository` | Image to use for self signing TLS certificates | `cockroachlabs-helm-charts/cockroach-self-signer-cert`|
+| `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
+| `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |
+| `tls.selfSigner.image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` |
+| `networkPolicy.enabled` | Enable NetworkPolicy for CockroachDB's Pods | `no` |
+| `networkPolicy.ingress.grpc` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` |
+| `networkPolicy.ingress.http` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` |
+
+
+Override the default parameters using the `--set key=value[,key=value]` argument to `helm install`.
+
+Alternatively, a YAML file that specifies custom values for the parameters can be provided while installing the chart. For example:
+
+```shell
+$ helm install my-release -f my-values.yaml cockroachdb/cockroachdb
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Deep dive
+
+### Connecting to the CockroachDB cluster
+
+Once you've created the cluster, you can start talking to it by connecting to its `-public` Service. CockroachDB is PostgreSQL wire protocol compatible, so there's a [wide variety of supported clients](https://www.cockroachlabs.com/docs/install-client-drivers.html). As an example, we'll open up a SQL shell using CockroachDB's built-in shell and play around with it a bit, like this (likely needing to replace `my-release-cockroachdb-public` with the name of the `-public` Service that was created with your installed chart):
+
+```shell
+$ kubectl run cockroach-client --rm -it \
+--image=cockroachdb/cockroach \
+--restart=Never \
+-- sql --insecure --host my-release-cockroachdb-public
+```
+```
+Waiting for pod default/cockroach-client to be running, status is Pending,
+pod ready: false
+If you don't see a command prompt, try pressing enter.
+root@my-release-cockroachdb-public:26257> SHOW DATABASES;
++--------------------+
+| Database |
++--------------------+
+| information_schema |
+| pg_catalog |
+| system |
++--------------------+
+(3 rows)
+root@my-release-cockroachdb-public:26257> CREATE DATABASE bank;
+CREATE DATABASE
+root@my-release-cockroachdb-public:26257> CREATE TABLE bank.accounts (id INT
+PRIMARY KEY, balance DECIMAL);
+CREATE TABLE
+root@my-release-cockroachdb-public:26257> INSERT INTO bank.accounts VALUES
+(1234, 10000.50);
+INSERT 1
+root@my-release-cockroachdb-public:26257> SELECT * FROM bank.accounts;
++------+---------+
+| id | balance |
++------+---------+
+| 1234 | 10000.5 |
++------+---------+
+(1 row)
+root@my-release-cockroachdb-public:26257> \q
+Waiting for pod default/cockroach-client to terminate, status is Running
+pod "cockroach-client" deleted
+```
+
+> If you are running in secure mode, you will have to provide a client certificate to the cluster in order to authenticate, so the above command will not work. See [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/client-secure.yaml) for an example of how to set up an interactive SQL shell against a secure cluster or [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/example-app-secure.yaml) for an example application connecting to a secure cluster.
+
+### Cluster health
+
+Because our pod spec includes regular health checks of the CockroachDB processes, simply running `kubectl get pods` and looking at the `STATUS` column is sufficient to determine the health of each instance in the cluster.
+
+If you want more detailed information about the cluster, the best place to look is the Admin UI.
+
+### Accessing the Admin UI
+
+If you want to see information about how the cluster is doing, you can try pulling up the CockroachDB Admin UI by port-forwarding from your local machine to one of the pods (replacing `my-release-cockroachdb-0` with the name of one of your pods:
+
+```shell
+$ kubectl port-forward my-release-cockroachdb-0 8080
+```
+
+You should then be able to access the Admin UI by visiting in your web browser.
+
+### Failover
+
+If any CockroachDB member fails, it is restarted or recreated automatically by the Kubernetes infrastructure, and will re-join the cluster automatically when it comes back up. You can test this scenario by killing any of the CockroachDB pods:
+
+```shell
+$ kubectl delete pod my-release-cockroachdb-1
+```
+
+```shell
+$ kubectl get pods -l "app.kubernetes.io/instance=my-release,app.kubernetes.io/component=cockroachdb"
+
+NAME READY STATUS RESTARTS AGE
+my-release-cockroachdb-0 1/1 Running 0 5m
+my-release-cockroachdb-2 1/1 Running 0 5m
+```
+
+After a while:
+
+```shell
+$ kubectl get pods -l "app.kubernetes.io/instance=my-release,app.kubernetes.io/component=cockroachdb"
+
+NAME READY STATUS RESTARTS AGE
+my-release-cockroachdb-0 1/1 Running 0 5m
+my-release-cockroachdb-1 1/1 Running 0 20s
+my-release-cockroachdb-2 1/1 Running 0 5m
+```
+
+You can check the state of re-joining from the new pod's logs:
+
+```shell
+$ kubectl logs my-release-cockroachdb-1
+
+[...]
+I161028 19:32:09.754026 1 server/node.go:586 [n1] node connected via gossip and
+verified as part of cluster {"35ecbc27-3f67-4e7d-9b8f-27c31aae17d6"}
+[...]
+cockroachdb-0.my-release-cockroachdb.default.svc.cluster.local:26257
+build: beta-20161027-55-gd2d3c7f @ 2016/10/28 19:27:25 (go1.7.3)
+admin: http://0.0.0.0:8080
+sql:
+postgresql://root@my-release-cockroachdb-1.my-release-cockroachdb.default.svc.cluster.local:26257?sslmode=disable
+logs: cockroach-data/logs
+store[0]: path=cockroach-data
+status: restarted pre-existing node
+clusterID: {35ecbc27-3f67-4e7d-9b8f-27c31aae17d6}
+nodeID: 2
+[...]
+```
+
+### NetworkPolicy
+
+To enable NetworkPolicy for CockroachDB, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `yes`/`true`.
+
+For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the `DefaultDeny` Namespace annotation. Note: this will enforce policy for _all_ pods in the Namespace:
+
+```shell
+$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
+```
+
+For more precise policy, set `networkPolicy.ingress.grpc` and `networkPolicy.ingress.http` rules. This will only allow pods that match the provided rules to connect to CockroachDB.
+
+### Scaling
+
+Scaling should be managed via the `helm upgrade` command. After resizing your cluster on your cloud environment (e.g., GKE or EKS), run the following command to add a pod. This assumes you scaled from 3 to 4 nodes:
+
+```shell
+$ helm upgrade \
+my-release \
+cockroachdb/cockroachdb \
+--set statefulset.replicas=4 \
+--reuse-values
+```
+
+Note, that if you are running in secure mode (`tls.enabled` is `yes`/`true`) and increase the size of your cluster, you will also have to approve the CSR (certificate-signing request) of each new node (using `kubectl get csr` and `kubectl certificate approve`).
+
+[1]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+[2]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+[3]: https://cert-manager.io/
+[4]: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+[5]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/app-readme.md b/charts/cockroach-labs/cockroachdb/15.0.2/app-readme.md
new file mode 100644
index 0000000000..8fcc1fd6fb
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/app-readme.md
@@ -0,0 +1,9 @@
+# CockroachDB Chart
+
+CockroachDB is a Distributed SQL database that runs natively in Kubernetes. It gives you resilient, horizontal scale across multiple clouds with always-on availability and data partitioned by location.
+
+CockroachDB scales horizontally without reconfiguration or need for a massive architectural overhaul. Simply add a new node to the cluster and CockroachDB takes care of the underlying complexity.
+
+ - Scale by simply adding new nodes to a CockroachDB cluster
+ - Automate balancing and distribution of ranges, not shards
+ - Optimize server utilization evenly across all nodes
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/NOTES.txt b/charts/cockroach-labs/cockroachdb/15.0.2/templates/NOTES.txt
new file mode 100644
index 0000000000..13b421f624
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/NOTES.txt
@@ -0,0 +1,50 @@
+CockroachDB can be accessed via port {{ .Values.service.ports.grpc.external.port }} at the
+following DNS name from within your cluster:
+
+{{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}.svc.cluster.local
+
+Because CockroachDB supports the PostgreSQL wire protocol, you can connect to
+the cluster using any available PostgreSQL client.
+
+{{- if not .Values.tls.enabled }}
+
+For example, you can open up a SQL shell to the cluster by running:
+
+ kubectl run -it --rm cockroach-client \
+ --image=cockroachdb/cockroach \
+ --restart=Never \
+ {{- if .Values.networkPolicy.enabled }}
+ --labels="{{ template "cockroachdb.fullname" . }}-client=true" \
+ {{- end }}
+ --command -- \
+ ./cockroach sql --insecure --host={{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}
+
+From there, you can interact with the SQL shell as you would any other SQL
+shell, confident that any data you write will be safe and available even if
+parts of your cluster fail.
+{{- else }}
+
+Note that because the cluster is running in secure mode, any client application
+that you attempt to connect will either need to have a valid client certificate
+or a valid username and password.
+{{- end }}
+
+{{- if and (.Values.networkPolicy.enabled) (not (empty .Values.networkPolicy.ingress.grpc)) }}
+
+Note: Since NetworkPolicy is enabled, the only Pods allowed to connect to this
+CockroachDB cluster are:
+
+1. Having the label: "{{ template "cockroachdb.fullname" . }}-client=true"
+
+2. Matching the following rules: {{- toYaml .Values.networkPolicy.ingress.grpc | nindent 0 }}
+{{- end }}
+
+Finally, to open up the CockroachDB admin UI, you can port-forward from your
+local machine into one of the instances in the cluster:
+
+ kubectl port-forward -n {{ .Release.Namespace }} {{ template "cockroachdb.fullname" . }}-0 {{ index .Values.conf `http-port` | int64 }}
+
+Then you can access the admin UI at http{{ if .Values.tls.enabled }}s{{ end }}://localhost:{{ index .Values.conf `http-port` | int64 }}/ in your web browser.
+
+For more information on using CockroachDB, please see the project's docs at:
+https://www.cockroachlabs.com/docs/
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/_helpers.tpl b/charts/cockroach-labs/cockroachdb/15.0.2/templates/_helpers.tpl
new file mode 100644
index 0000000000..3670fccc71
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/_helpers.tpl
@@ -0,0 +1,352 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cockroachdb.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 56 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cockroachdb.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+ {{- .Values.fullnameOverride | trunc 56 | trimSuffix "-" -}}
+{{- else -}}
+ {{- $name := default .Chart.Name .Values.nameOverride -}}
+ {{- if contains $name .Release.Name -}}
+ {{- .Release.Name | trunc 56 | trimSuffix "-" -}}
+ {{- else -}}
+ {{- printf "%s-%s" .Release.Name $name | trunc 56 | trimSuffix "-" -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name for cluster scope resource.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name with release namespace appended at the end.
+*/}}
+{{- define "cockroachdb.clusterfullname" -}}
+{{- if .Values.fullnameOverride -}}
+ {{- printf "%s-%s" .Values.fullnameOverride .Release.Namespace | trunc 56 | trimSuffix "-" -}}
+{{- else -}}
+ {{- $name := default .Chart.Name .Values.nameOverride -}}
+ {{- if contains $name .Release.Name -}}
+ {{- printf "%s-%s" .Release.Name .Release.Namespace | trunc 56 | trimSuffix "-" -}}
+ {{- else -}}
+ {{- printf "%s-%s-%s" .Release.Name $name .Release.Namespace | trunc 56 | trimSuffix "-" -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cockroachdb.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 56 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the ServiceAccount to use.
+*/}}
+{{- define "cockroachdb.serviceAccount.name" -}}
+{{- if .Values.statefulset.serviceAccount.create -}}
+ {{- default (include "cockroachdb.fullname" .) .Values.statefulset.serviceAccount.name -}}
+{{- else -}}
+ {{- default "default" .Values.statefulset.serviceAccount.name -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for NetworkPolicy.
+*/}}
+{{- define "cockroachdb.networkPolicy.apiVersion" -}}
+{{- if semverCompare ">=1.4-0, <=1.7-0" .Capabilities.KubeVersion.Version -}}
+ {{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.Version -}}
+ {{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for StatefulSets
+*/}}
+{{- define "cockroachdb.statefulset.apiVersion" -}}
+{{- if semverCompare "<1.12-0" .Capabilities.KubeVersion.Version -}}
+ {{- print "apps/v1beta1" -}}
+{{- else -}}
+ {{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return CockroachDB store expression
+*/}}
+{{- define "cockroachdb.conf.store" -}}
+ {{- $isInMemory := eq (.Values.conf.store.type | toString) "mem" -}}
+ {{- $persistentSize := empty .Values.conf.store.size | ternary .Values.storage.persistentVolume.size .Values.conf.store.size -}}
+
+ {{- $store := dict -}}
+ {{- $_ := set $store "type" ($isInMemory | ternary "type=mem" "") -}}
+ {{- if eq .Args.idx 0 -}}
+ {{- $_ := set $store "path" ($isInMemory | ternary "" (print "path=" .Values.conf.path)) -}}
+ {{- else -}}
+ {{- $_ := set $store "path" ($isInMemory | ternary "" (print "path=" .Values.conf.path "-" (add1 .Args.idx))) -}}
+ {{- end -}}
+ {{- $_ := set $store "size" (print "size=" ($isInMemory | ternary .Values.conf.store.size $persistentSize)) -}}
+ {{- $_ := set $store "attrs" (empty .Values.conf.store.attrs | ternary "" (print "attrs=" .Values.conf.store.attrs)) -}}
+
+ {{- compact (values $store) | sortAlpha | join "," -}}
+{{- end -}}
+
+{{/*
+Define the default values for the certificate selfSigner inputs
+*/}}
+{{- define "selfcerts.fullname" -}}
+ {{- printf "%s-%s" (include "cockroachdb.fullname" .) "self-signer" | trunc 56 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "rotatecerts.fullname" -}}
+ {{- printf "%s-%s" (include "cockroachdb.fullname" .) "rotate-self-signer" | trunc 56 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "selfcerts.minimumCertDuration" -}}
+ {{- if .Values.tls.certs.selfSigner.minimumCertDuration -}}
+ {{- print (.Values.tls.certs.selfSigner.minimumCertDuration | trimSuffix "h") -}}
+ {{- else }}
+ {{- $minCertDuration := min (sub (.Values.tls.certs.selfSigner.clientCertDuration | trimSuffix "h" ) (.Values.tls.certs.selfSigner.clientCertExpiryWindow | trimSuffix "h")) (sub (.Values.tls.certs.selfSigner.nodeCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.nodeCertExpiryWindow | trimSuffix "h")) -}}
+ {{- print $minCertDuration -}}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Define the cron schedules for certificate rotate jobs and converting from hours to valid cron string.
+We assume that each month has 31 days, hence the cron job may run few days earlier in a year. In a cron schedule,
+we can not set a cron of more than a year, hence we try to run the cron in such a way that the cron run comes to
+as close possible to the expiry window. However, it is possible that cron may run earlier than the expiry window.
+*/}}
+{{- define "selfcerts.caRotateSchedule" -}}
+{{- $tempHours := sub (.Values.tls.certs.selfSigner.caCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h") -}}
+{{- $days := "*" -}}
+{{- $months := "*" -}}
+{{- $hours := mod $tempHours 24 -}}
+{{- if not (eq $hours $tempHours) -}}
+{{- $tempDays := div $tempHours 24 -}}
+{{- $days = mod $tempDays 31 -}}
+{{- if not (eq $days $tempDays) -}}
+{{- $days = add $days 1 -}}
+{{- $tempMonths := div $tempDays 31 -}}
+{{- $months = mod $tempMonths 12 -}}
+{{- if not (eq $months $tempMonths) -}}
+{{- $months = add $months 1 -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if ne (toString $months) "*" -}}
+{{- $months = printf "*/%s" (toString $months) -}}
+{{- else -}}
+{{- if ne (toString $days) "*" -}}
+{{- $days = printf "*/%s" (toString $days) -}}
+{{- else -}}
+{{- if ne $hours 0 -}}
+{{- $hours = printf "*/%s" (toString $hours) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- printf "0 %s %s %s *" (toString $hours) (toString $days) (toString $months) -}}
+{{- end -}}
+
+{{- define "selfcerts.clientRotateSchedule" -}}
+{{- $tempHours := int64 (include "selfcerts.minimumCertDuration" .) -}}
+{{- $days := "*" -}}
+{{- $months := "*" -}}
+{{- $hours := mod $tempHours 24 -}}
+{{- if not (eq $hours $tempHours) -}}
+{{- $tempDays := div $tempHours 24 -}}
+{{- $days = mod $tempDays 31 -}}
+{{- if not (eq $days $tempDays) -}}
+{{- $days = add $days 1 -}}
+{{- $tempMonths := div $tempDays 31 -}}
+{{- $months = mod $tempMonths 12 -}}
+{{- if not (eq $months $tempMonths) -}}
+{{- $months = add $months 1 -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if ne (toString $months) "*" -}}
+{{- $months = printf "*/%s" (toString $months) -}}
+{{- else -}}
+{{- if ne (toString $days) "*" -}}
+{{- $days = printf "*/%s" (toString $days) -}}
+{{- else -}}
+{{- if ne $hours 0 -}}
+{{- $hours = printf "*/%s" (toString $hours) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- printf "0 %s %s %s *" (toString $hours) (toString $days) (toString $months) -}}
+{{- end -}}
+
+{{/*
+Define the appropriate validations for the certificate selfSigner inputs
+*/}}
+
+{{/*
+Validate that if caProvided is true, then the caSecret must not be empty and secret must be present in the namespace.
+*/}}
+{{- define "cockroachdb.tls.certs.selfSigner.caProvidedValidation" -}}
+{{- if .Values.tls.certs.selfSigner.caProvided -}}
+{{- if eq "" .Values.tls.certs.selfSigner.caSecret -}}
+ {{ fail "CA secret can't be empty if caProvided is set to true" }}
+{{- else -}}
+ {{- if not (lookup "v1" "Secret" .Release.Namespace .Values.tls.certs.selfSigner.caSecret) }}
+ {{ fail "CA secret is not present in the release namespace" }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate that if caCertDuration or caCertExpiryWindow must not be empty and caCertExpiryWindow must be greater than
+minimumCertDuration.
+*/}}
+{{- define "cockroachdb.tls.certs.selfSigner.caCertValidation" -}}
+{{- if not .Values.tls.certs.selfSigner.caProvided -}}
+{{- if or (not .Values.tls.certs.selfSigner.caCertDuration) (not .Values.tls.certs.selfSigner.caCertExpiryWindow) }}
+ {{ fail "CA cert duration or CA cert expiry window can not be empty" }}
+{{- else }}
+{{- if gt (int64 (include "selfcerts.minimumCertDuration" .)) (int64 (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h")) -}}
+ {{ fail "CA cert expiration window should not be less than minimum Cert duration" }}
+{{- end -}}
+{{- if gt (int64 (include "selfcerts.minimumCertDuration" .)) (sub (.Values.tls.certs.selfSigner.caCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h")) -}}
+ {{ fail "CA cert Duration minus CA cert expiration window should not be less than minimum Cert duration" }}
+{{- end -}}
+{{- end -}}
+{{- end }}
+{{- end -}}
+
+{{/*
+Validate that if clientCertDuration must not be empty and it must be greater than minimumCertDuration.
+*/}}
+{{- define "cockroachdb.tls.certs.selfSigner.clientCertValidation" -}}
+{{- if or (not .Values.tls.certs.selfSigner.clientCertDuration) (not .Values.tls.certs.selfSigner.clientCertExpiryWindow) }}
+ {{ fail "Client cert duration can not be empty" }}
+{{- else }}
+{{- if lt (sub (.Values.tls.certs.selfSigner.clientCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.clientCertExpiryWindow | trimSuffix "h")) (int64 (include "selfcerts.minimumCertDuration" .)) }}
+ {{ fail "Client cert duration minus client cert expiry window should not be less than minimum Cert duration" }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Validate that nodeCertDuration must not be empty and nodeCertDuration minus nodeCertExpiryWindow must be greater than minimumCertDuration.
+*/}}
+{{- define "cockroachdb.tls.certs.selfSigner.nodeCertValidation" -}}
+{{- if or (not .Values.tls.certs.selfSigner.nodeCertDuration) (not .Values.tls.certs.selfSigner.nodeCertExpiryWindow) }}
+ {{ fail "Node cert duration can not be empty" }}
+{{- else }}
+{{- if lt (sub (.Values.tls.certs.selfSigner.nodeCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.nodeCertExpiryWindow | trimSuffix "h")) (int64 (include "selfcerts.minimumCertDuration" .))}}
+ {{ fail "Node cert duration minus node cert expiry window should not be less than minimum Cert duration" }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Validate that if user enabled tls, then either self-signed certificates or certificate manager is enabled
+*/}}
+{{- define "cockroachdb.tlsValidation" -}}
+{{- if .Values.tls.enabled -}}
+{{- if and .Values.tls.certs.selfSigner.enabled .Values.tls.certs.certManager -}}
+ {{ fail "Can not enable the self signed certificates and certificate manager at the same time" }}
+{{- end -}}
+{{- if and (not .Values.tls.certs.selfSigner.enabled) (not .Values.tls.certs.certManager) -}}
+ {{- if not .Values.tls.certs.provided -}}
+ {{ fail "You have to enable either self signed certificates or certificate manager, if you have enabled tls" }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+
+{{- define "cockroachdb.tls.certs.selfSigner.validation" -}}
+{{ include "cockroachdb.tls.certs.selfSigner.caProvidedValidation" . }}
+{{ include "cockroachdb.tls.certs.selfSigner.caCertValidation" . }}
+{{ include "cockroachdb.tls.certs.selfSigner.clientCertValidation" . }}
+{{ include "cockroachdb.tls.certs.selfSigner.nodeCertValidation" . }}
+{{- end -}}
+
+{{- define "cockroachdb.securityContext.versionValidation" }}
+{{- /* Allow using `securityContext` for custom images. */}}
+{{- if ne "cockroachdb/cockroach" .Values.image.repository -}}
+ {{ print true }}
+{{- else -}}
+{{- if semverCompare ">=22.1.2" .Values.image.tag -}}
+ {{ print true }}
+{{- else -}}
+{{- if semverCompare ">=21.2.13, <22.1.0" .Values.image.tag -}}
+ {{ print true }}
+{{- else -}}
+ {{ print false }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Validate the log configuration.
+*/}}
+{{- define "cockroachdb.conf.log.validation" -}}
+{{- if and (not .Values.conf.log.enabled) .Values.conf.log.persistentVolume.enabled -}}
+ {{ fail "Persistent volume for logs can only be enabled if logging is enabled" }}
+{{- end -}}
+{{- if and .Values.conf.log.persistentVolume.enabled (dig "file-defaults" "dir" "" .Values.conf.log.config) -}}
+{{- if not (hasPrefix (printf "/cockroach/%s" .Values.conf.log.persistentVolume.path) (dig "file-defaults" "dir" "" .Values.conf.log.config)) }}
+ {{ fail "Log configuration should use the persistent volume if enabled" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cockroachdb.storage.hostPath.computation" -}}
+{{- if hasSuffix "/" .Values.storage.hostPath -}}
+ {{- printf "%s-%d/" (dir .Values.storage.hostPath) (add1 .Args.idx) | quote -}}
+{{- else -}}
+ {{- printf "%s-%d" .Values.storage.hostPath (add1 .Args.idx) | quote -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate the store count configuration.
+*/}}
+{{- define "cockroachdb.conf.store.validation" -}}
+ {{- if and (not .Values.conf.store.enabled) (ne (int .Values.conf.store.count) 1) -}}
+ {{ fail "Store count should be 1 when disabled" }}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Validate the WAL failover configuration.
+*/}}
+{{- define "cockroachdb.conf.wal-failover.validation" -}}
+ {{- with index .Values.conf `wal-failover` -}}
+ {{- if not (mustHas .value (list "" "disabled" "among-stores")) -}}
+ {{- if not (hasPrefix "path=" (.value | toString)) -}}
+ {{ fail "Invalid WAL failover configuration value. Expected either of '', 'disabled', 'among-stores' or 'path='" }}
+ {{- end -}}
+ {{- end -}}
+ {{- if eq .value "among-stores" -}}
+ {{- if or (not $.Values.conf.store.enabled) (eq (int $.Values.conf.store.count) 1) -}}
+ {{ fail "WAL failover among stores requires store enabled with count greater than 1" }}
+ {{- end -}}
+ {{- end -}}
+ {{- if hasPrefix "path=" (.value | toString) -}}
+ {{- if not .persistentVolume.enabled -}}
+ {{ fail "WAL failover to a side disk requires a persistent volume" }}
+ {{- end -}}
+ {{- if and (not (hasPrefix (printf "/cockroach/%s" .persistentVolume.path) (trimPrefix "path=" .value))) (not (hasPrefix .persistentVolume.path (trimPrefix "path=" .value))) -}}
+ {{ fail "WAL failover to a side disk requires a path to the mounted persistent volume" }}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/backendconfig.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/backendconfig.yaml
new file mode 100644
index 0000000000..2edc88619a
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/backendconfig.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.iap.enabled }}
+apiVersion: cloud.google.com/v1beta1
+kind: BackendConfig
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ iap:
+ enabled: true
+ oauthclientCredentials:
+ secretName: {{ template "cockroachdb.fullname" . }}.iap
+ timeoutSec: 120
+{{- end }}
\ No newline at end of file
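Review bot: `cockroachdb.tls.certs.selfSigner.caProvidedValidation` aborts the render whenever `lookup "v1" "Secret" ...` returns nothing, but `lookup` also returns an empty result under `helm template` and `--dry-run`, so with `caProvided: true` the chart cannot be rendered offline at all and always fails with "CA secret is not present in the release namespace". The define's header comment should state this, e.g. `Note: lookup returns nothing under helm template / --dry-run, so the presence check only holds against a live cluster`, or the lookup branch should be skipped when no cluster is reachable. On a related point, `cockroachdb.securityContext.versionValidation` hands `.Values.image.tag` straight to `semverCompare`, which as far as I can tell raises a template error on a non-semver tag for the default `cockroachdb/cockroach` repository rather than returning false; a comment stating that the tag must be a semver version, or a guard before the compare, would avoid a confusing render failure.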
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.ca.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.ca.yaml
new file mode 100644
index 0000000000..4043fafb0f
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.ca.yaml
@@ -0,0 +1,33 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.certManager }}
+ {{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}-ca-cert
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ duration: {{ .Values.tls.certs.certManagerIssuer.caCertDuration }}
+ renewBefore: {{ .Values.tls.certs.certManagerIssuer.caCertExpiryWindow }}
+ isCA: true
+ secretName: {{ .Values.tls.certs.caSecret }}
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ commonName: root
+ subject:
+ organizations:
+ - Cockroach
+ issuerRef:
+ name: {{ .Values.tls.certs.certManagerIssuer.name }}
+ kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
+ group: {{ .Values.tls.certs.certManagerIssuer.group }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.client.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.client.yaml
new file mode 100644
index 0000000000..dd0272f3e2
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.client.yaml
@@ -0,0 +1,40 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.certManager }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ template "cockroachdb.fullname" . }}-root-client + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + duration: {{ .Values.tls.certs.certManagerIssuer.clientCertDuration }} + renewBefore: {{ .Values.tls.certs.certManagerIssuer.clientCertExpiryWindow }} + usages: + - digital signature + - key encipherment + - client auth + privateKey: + algorithm: RSA + size: 2048 + commonName: root + subject: + organizations: + - Cockroach + secretName: {{ .Values.tls.certs.clientRootSecret }} + issuerRef: + {{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }} + name: {{ template "cockroachdb.fullname" . }}-ca-issuer + kind: Issuer + group: cert-manager.io + {{- else }} + name: {{ .Values.tls.certs.certManagerIssuer.name }} + kind: {{ .Values.tls.certs.certManagerIssuer.kind }} + group: {{ .Values.tls.certs.certManagerIssuer.group }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.issuer.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.issuer.yaml new file mode 100644 index 0000000000..5cf579ff9d --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.issuer.yaml 
@@ -0,0 +1,20 @@
+{{- if and .Values.tls.enabled .Values.tls.certs.certManager }}
+ {{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}-ca-issuer
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ helm.sh/chart: {{ template "cockroachdb.chart" . }}
+ app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ca:
+ secretName: {{ .Values.tls.certs.caSecret }}
+ {{- end }}
+{{- end }}
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.node.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.node.yaml
new file mode 100644
index 0000000000..05e909d0b0
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/certificate.node.yaml
@@ -0,0 +1,50 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.certManager }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ template "cockroachdb.fullname" . }}-node + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + duration: {{ .Values.tls.certs.certManagerIssuer.nodeCertDuration }} + renewBefore: {{ .Values.tls.certs.certManagerIssuer.nodeCertExpiryWindow }} + usages: + - digital signature + - key encipherment + - server auth + - client auth + privateKey: + algorithm: RSA + size: 2048 + commonName: node + subject: + organizations: + - Cockroach + dnsNames: + - "localhost" + - "127.0.0.1" + - {{ printf "%s-public" (include "cockroachdb.fullname" .) | quote }} + - {{ printf "%s-public.%s" (include "cockroachdb.fullname" .) .Release.Namespace | quote }} + - {{ printf "%s-public.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }} + - {{ printf "*.%s" (include "cockroachdb.fullname" .) | quote }} + - {{ printf "*.%s.%s" (include "cockroachdb.fullname" .) .Release.Namespace | quote }} + - {{ printf "*.%s.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }} + secretName: {{ .Values.tls.certs.nodeSecret }} + issuerRef: + {{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }} + name: {{ template "cockroachdb.fullname" . }}-ca-issuer + kind: Issuer + group: cert-manager.io + {{- else }} + name: {{ .Values.tls.certs.certManagerIssuer.name }} + kind: {{ .Values.tls.certs.certManagerIssuer.kind }} + group: {{ .Values.tls.certs.certManagerIssuer.group }} + {{- end }} +{{- end }} 
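Review bot: `"127.0.0.1"` is listed under `dnsNames`, which cert-manager emits as a DNS SAN rather than an IP SAN, so a TLS client that dials the loopback address by IP will presumably fail hostname verification even though the entry looks covered. The portable form is a separate list, `ipAddresses:` / `  - "127.0.0.1"`, leaving `"localhost"` under `dnsNames`. The same `usages`, `privateKey` and `subject` block is repeated in certificate.client.yaml (L392); a named template would keep the two in step when key size or usages change.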
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/clusterrole.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/clusterrole.yaml new file mode 100644 index 0000000000..6b8a3dc5f7 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/clusterrole.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.tls.enabled (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cockroachdb.clusterfullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["create", "get", "watch"] +{{- end }} \ No newline at end of file diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/clusterrolebinding.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..3c18694efd --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/clusterrolebinding.yaml 
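Review bot: `metadata.namespace` is set on a ClusterRole, which is a cluster-scoped kind; the API server ignores the field on such objects, so the line is misleading rather than harmful, and some lint and policy tooling flags it. Remove `namespace: {{ .Release.Namespace | quote }}` from this object and from the ClusterRoleBinding in the next hunk (L396), which carries the same line. The CSR verbs (`create`, `get`, `watch`, no `approve` or `delete`) are appropriately narrow for a workload that only submits signing requests.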
@@ -0,0 +1,23 @@ +{{- if and .Values.tls.enabled (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cockroachdb.clusterfullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cockroachdb.clusterfullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "cockroachdb.serviceAccount.name" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/cronjob-ca-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/cronjob-ca-certSelfSigner.yaml new file mode 100644 index 0000000000..4cd53900cb --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/cronjob-ca-certSelfSigner.yaml 
@@ -0,0 +1,62 @@ +{{- if and .Values.tls.enabled (and .Values.tls.certs.selfSigner.enabled (not .Values.tls.certs.selfSigner.caProvided)) }} + {{- if .Values.tls.certs.selfSigner.rotateCerts }} + {{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }} +apiVersion: batch/v1 + {{- else }} +apiVersion: batch/v1beta1 + {{- end }} +kind: CronJob +metadata: + name: {{ template "rotatecerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +spec: + schedule: {{ template "selfcerts.caRotateSchedule" . }} + jobTemplate: + spec: + backoffLimit: 1 + template: + metadata: + {{- with .Values.tls.selfSigner.labels }} + labels: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.tls.selfSigner.annotations }} + annotations: {{- toYaml . | nindent 12 }} + {{- end }} + spec: + restartPolicy: Never + {{- with .Values.tls.selfSigner.affinity }} + affinity: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.tls.selfSigner.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.tls.selfSigner.tolerations }} + tolerations: {{- toYaml . | nindent 12 }} + {{- end }} + containers: + - name: cert-rotate-job + image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}" + imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}" + args: + - rotate + - --ca + - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }} + - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }} + - --ca-cron={{ template "selfcerts.caRotateSchedule" . 
}} + - --readiness-wait={{ .Values.tls.certs.selfSigner.readinessWait }} + - --pod-update-timeout={{ .Values.tls.certs.selfSigner.podUpdateTimeout }} + env: + - name: STATEFULSET_NAME + value: {{ template "cockroachdb.fullname" . }} + - name: NAMESPACE + value: {{ .Release.Namespace }} + - name: CLUSTER_DOMAIN + value: {{ .Values.clusterDomain}} + serviceAccountName: {{ template "rotatecerts.fullname" . }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/cronjob-client-node-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/cronjob-client-node-certSelfSigner.yaml new file mode 100644 index 0000000000..d500cbeb6c --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/cronjob-client-node-certSelfSigner.yaml 
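Review bot: Neither the pod nor the `cert-rotate-job` container in this CronJob carries a `securityContext`, although the one-shot generate Job for the same image (job-certSelfSigner.yaml, L403) applies `runAsNonRoot`, `seccompProfile`, `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` when `tls.certs.selfSigner.securityContext.enabled` is set; the rotation jobs therefore run with a weaker posture than the initial job for no stated reason and would presumably be rejected under a Pod Security level the generate Job passes. Reuse the same two guarded blocks here and in cronjob-client-node-certSelfSigner.yaml (L400). The env values here are also unquoted (`value: {{ .Release.Namespace }}`, `value: {{ .Values.clusterDomain}}`) where the generate Job uses `| quote`; `value: {{ .Values.clusterDomain | quote }}` keeps a value that happens to look like a number or boolean a string.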
@@ -0,0 +1,69 @@ +{{- if and .Values.tls.certs.selfSigner.enabled .Values.tls.certs.selfSigner.rotateCerts }} + {{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }} +apiVersion: batch/v1 + {{- else }} +apiVersion: batch/v1beta1 + {{- end }} +kind: CronJob +metadata: + name: {{ template "rotatecerts.fullname" . }}-client + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +spec: + schedule: {{ template "selfcerts.clientRotateSchedule" . }} + jobTemplate: + spec: + backoffLimit: 1 + template: + metadata: + {{- with .Values.tls.selfSigner.labels }} + labels: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.tls.selfSigner.annotations }} + annotations: {{- toYaml . | nindent 12 }} + {{- end }} + spec: + restartPolicy: Never + {{- with .Values.tls.selfSigner.affinity }} + affinity: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.tls.selfSigner.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.tls.selfSigner.tolerations }} + tolerations: {{- toYaml . 
| nindent 12 }} + {{- end }} + containers: + - name: cert-rotate-job + image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}" + imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}" + args: + - rotate + {{- if .Values.tls.certs.selfSigner.caProvided }} + - --ca-secret={{ .Values.tls.certs.selfSigner.caSecret }} + {{- else }} + - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }} + - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }} + {{- end }} + - --client + - --client-duration={{ .Values.tls.certs.selfSigner.clientCertDuration }} + - --client-expiry={{ .Values.tls.certs.selfSigner.clientCertExpiryWindow }} + - --node + - --node-duration={{ .Values.tls.certs.selfSigner.nodeCertDuration }} + - --node-expiry={{ .Values.tls.certs.selfSigner.nodeCertExpiryWindow }} + - --node-client-cron={{ template "selfcerts.clientRotateSchedule" . }} + - --readiness-wait={{ .Values.tls.certs.selfSigner.readinessWait }} + - --pod-update-timeout={{ .Values.tls.certs.selfSigner.podUpdateTimeout }} + env: + - name: STATEFULSET_NAME + value: {{ template "cockroachdb.fullname" . }} + - name: NAMESPACE + value: {{ .Release.Namespace }} + - name: CLUSTER_DOMAIN + value: {{ .Values.clusterDomain}} + serviceAccountName: {{ template "rotatecerts.fullname" . }} + {{- end}} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/ingress.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/ingress.yaml new file mode 100644 index 0000000000..2fa6373c87 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/ingress.yaml 
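Review bot: The render condition on the first line omits `.Values.tls.enabled`, whereas cronjob-ca-certSelfSigner.yaml (L397) gates on `and .Values.tls.enabled ...`; with TLS disabled but `selfSigner.enabled` and `rotateCerts` left true, this CronJob is still created and will presumably try to rotate certificates for a cluster that has none. `{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled .Values.tls.certs.selfSigner.rotateCerts }}` aligns the two templates. The closing `{{- end}}` also lacks the space the rest of the chart uses.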
@@ -0,0 +1,90 @@ +{{- if .Values.ingress.enabled -}} +{{- $paths := .Values.ingress.paths -}} +{{- $ports := .Values.service.ports -}} +{{- $fullName := include "cockroachdb.fullname" . -}} +{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} +apiVersion: networking.k8s.io/v1 +{{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" }} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: +{{- if or .Values.ingress.annotations .Values.iap.enabled }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if .Values.iap.enabled }} + kubernetes.io/ingress.class: "gce" + kubernetes.io/ingress.allow-http: "false" + {{- end }} +{{- end }} + name: {{ $fullName }}-ingress + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . 
}} + app.kubernetes.io/instance: {{ $.Release.Name | quote }} + app.kubernetes.io/managed-by: {{ $.Release.Service | quote }} +{{- if .Values.ingress.labels }} +{{- toYaml .Values.ingress.labels | nindent 4 }} +{{- end }} +spec: + rules: + {{- if .Values.ingress.hosts }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host }} + http: + paths: + {{- range $path := $paths }} + - path: {{ $path | quote }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + {{- if $.Values.iap.enabled }} + pathType: ImplementationSpecific + {{- else }} + pathType: Prefix + {{- end }} + {{- end }} + backend: + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + service: + name: {{ $fullName }}-public + port: + name: {{ $ports.http.name | quote }} + {{- else }} + serviceName: {{ $fullName }}-public + servicePort: {{ $ports.http.name | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + - http: + paths: + {{- range $path := $paths }} + - path: {{ $path | quote }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + {{- if $.Values.iap.enabled }} + pathType: ImplementationSpecific + {{- else }} + pathType: Prefix + {{- end }} + {{- end }} + backend: + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + service: + name: {{ $fullName }}-public + port: + name: {{ $ports.http.name | quote }} + {{- else }} + serviceName: {{ $fullName }}-public + servicePort: {{ $ports.http.name | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: +{{- toYaml .Values.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/job-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/job-certSelfSigner.yaml new file mode 100644 index 0000000000..54ed2cad3e --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/job-certSelfSigner.yaml 
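Review bot: `- host: {{ $host }}` emits the host unquoted, so a wildcard host such as `*.example.com` would begin with the YAML alias sigil and fail to parse, while the `path:` entries directly below it are quoted. Use `- host: {{ $host | quote }}`, and quote `namespace:` as every other template in the chart does. The two `paths:` blocks (with and without hosts) are identical apart from indentation; a named template rendered with `nindent` would remove the duplication and keep the `pathType` and backend logic in one place.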
@@ -0,0 +1,83 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "selfcerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "4" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +spec: + template: + metadata: + name: {{ template "selfcerts.fullname" . }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.tls.selfSigner.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tls.selfSigner.annotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }} + securityContext: + seccompProfile: + type: "RuntimeDefault" + runAsGroup: 1000 + runAsUser: 1000 + fsGroup: 1000 + runAsNonRoot: true + {{- end }} + restartPolicy: Never + {{- with .Values.tls.selfSigner.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tls.selfSigner.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tls.selfSigner.tolerations }} + tolerations: {{- toYaml . 
| nindent 8 }} + {{- end }} + containers: + - name: cert-generate-job + image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}" + imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}" + args: + - generate + {{- if .Values.tls.certs.selfSigner.caProvided }} + - --ca-secret={{ .Values.tls.certs.selfSigner.caSecret }} + {{- else }} + - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }} + - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }} + {{- end }} + - --client-duration={{ .Values.tls.certs.selfSigner.clientCertDuration }} + - --client-expiry={{ .Values.tls.certs.selfSigner.clientCertExpiryWindow }} + - --node-duration={{ .Values.tls.certs.selfSigner.nodeCertDuration }} + - --node-expiry={{ .Values.tls.certs.selfSigner.nodeCertExpiryWindow }} + env: + - name: STATEFULSET_NAME + value: {{ template "cockroachdb.fullname" . }} + - name: NAMESPACE + value: {{ .Release.Namespace | quote }} + - name: CLUSTER_DOMAIN + value: {{ .Values.clusterDomain}} + {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + {{- end }} + serviceAccountName: {{ template "selfcerts.fullname" . }} +{{- end}} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/job-cleaner.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/job-cleaner.yaml new file mode 100644 index 0000000000..1503ac4594 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/job-cleaner.yaml 
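Review bot: `"helm.sh/hook-delete-policy": hook-succeeded,hook-failed` deletes the hook Job and its pod when it fails, so the only log from a failed certificate generation is gone before anyone can read it and a failed pre-install of a TLS cluster becomes hard to diagnose. `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` keeps the failed pod for inspection and still cleans up on the next run; job-cleaner.yaml (L406) uses the same policy and would benefit equally. No `backoffLimit` is set either, whereas job-cleaner.yaml sets `backoffLimit: 1`; the default of 6 means a failing generator is retried six times before the hook reports failure.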
@@ -0,0 +1,70 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "selfcerts.fullname" . }}-cleaner + namespace: {{ .Release.Namespace | quote }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +spec: + backoffLimit: 1 + template: + metadata: + name: {{ template "selfcerts.fullname" . }}-cleaner + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.tls.selfSigner.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tls.selfSigner.annotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }} + securityContext: + seccompProfile: + type: "RuntimeDefault" + runAsGroup: 1000 + runAsUser: 1000 + fsGroup: 1000 + runAsNonRoot: true + {{- end }} + restartPolicy: Never + {{- with .Values.tls.selfSigner.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tls.selfSigner.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tls.selfSigner.tolerations }} + tolerations: {{- toYaml . 
| nindent 8 }} + {{- end }} + containers: + - name: cleaner + image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}" + imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}" + args: + - cleanup + - --namespace={{ .Release.Namespace }} + env: + - name: STATEFULSET_NAME + value: {{ template "cockroachdb.fullname" . }} + {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + {{- end }} + serviceAccountName: {{ template "rotatecerts.fullname" . }} +{{- end}} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/job.init.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/job.init.yaml new file mode 100644 index 0000000000..dbc1eaa176 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/job.init.yaml 
@@ -0,0 +1,303 @@ +{{ $isClusterInitEnabled := and (eq (len .Values.conf.join) 0) (not (index .Values.conf `single-node`)) }} +{{ $isDatabaseProvisioningEnabled := .Values.init.provisioning.enabled }} +{{- if or $isClusterInitEnabled $isDatabaseProvisioningEnabled }} + {{ template "cockroachdb.tlsValidation" . }} +kind: Job +apiVersion: batch/v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}-init + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.init.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation + {{- with .Values.init.jobAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.init.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.init.annotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if eq (include "cockroachdb.securityContext.versionValidation" .) 
"true" }} + {{- if and .Values.init.securityContext.enabled }} + securityContext: + seccompProfile: + type: "RuntimeDefault" + runAsGroup: 1000 + runAsUser: 1000 + fsGroup: 1000 + runAsNonRoot: true + {{- end }} + {{- end }} + restartPolicy: OnFailure + terminationGracePeriodSeconds: {{ .Values.init.terminationGracePeriodSeconds }} + {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }} + imagePullSecrets: + {{- if .Values.image.credentials }} + - name: {{ template "cockroachdb.fullname" . }}.db.registry + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }} + - name: {{ template "cockroachdb.fullname" . }}.self-signed-certs.registry + {{- end }} + {{- end }} + serviceAccountName: {{ template "cockroachdb.serviceAccount.name" . }} + {{- if .Values.tls.enabled }} + initContainers: + - name: copy-certs + image: {{ .Values.tls.copyCerts.image | quote }} + imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }} + command: + - /bin/sh + - -c + - "cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if and .Values.init.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + {{- end }} + volumeMounts: + - name: client-certs + mountPath: /cockroach-certs/ + - name: certs-secret + mountPath: /certs/ + {{- with .Values.tls.copyCerts.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- with .Values.init.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.init.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.init.tolerations }} + tolerations: {{- toYaml . 
| nindent 8 }} + {{- end }} + containers: + - name: cluster-init + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + # Run the command in an `while true` loop because this Job is bound + # to come up before the CockroachDB Pods (due to the time needed to + # get PersistentVolumes attached to Nodes), and sleeping 5 seconds + # between attempts is much better than letting the Pod fail when + # the init command does and waiting out Kubernetes' non-configurable + # exponential back-off for Pod restarts. + # Command completes either when cluster initialization succeeds, + # or when cluster has been initialized already. + command: + - /bin/bash + - -c + - >- + {{- if $isClusterInitEnabled }} + initCluster() { + while true; do + local output=$( + set -x; + + /cockroach/cockroach init \ + {{- if .Values.tls.enabled }} + --certs-dir=/cockroach-certs/ \ + {{- else }} + --insecure \ + {{- end }} + {{- with index .Values.conf "cluster-name" }} + --cluster-name={{.}} \ + {{- end }} + --host={{ template "cockroachdb.fullname" . }}-0.{{ template "cockroachdb.fullname" . -}} + :{{ .Values.service.ports.grpc.internal.port | int64 }} \ + {{- if .Values.init.pcr.enabled -}} + {{- if .Values.init.pcr.isPrimary }} + --virtualized \ + {{- else }} + --virtualized-empty \ + {{- end }} + {{- end }} + 2>&1); + + local exitCode="$?"; + echo $output; + + if [[ "$output" =~ .*"Cluster successfully initialized".* || "$output" =~ .*"cluster has already been initialized".* ]]; then + break; + fi + + echo "Cluster is not ready to be initialized, retrying in 5 seconds" + sleep 5; + done + } + + initCluster; + {{- end }} + + {{- if $isDatabaseProvisioningEnabled }} + provisionCluster() { + while true; do + /cockroach/cockroach sql \ + {{- if .Values.tls.enabled }} + --certs-dir=/cockroach-certs/ \ + {{- else }} + --insecure \ + {{- end }} + --host={{ template "cockroachdb.fullname" . }}-0.{{ template "cockroachdb.fullname" . 
-}} + :{{ .Values.service.ports.grpc.internal.port | int64 }} \ + --execute=" + {{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }} + SET CLUSTER SETTING {{ $clusterSetting }} = '${{ $clusterSetting | replace "." "_" }}_CLUSTER_SETTING'; + {{- end }} + + {{- range $user := .Values.init.provisioning.users }} + CREATE USER IF NOT EXISTS {{ $user.name }} WITH + {{- if $user.password }} + PASSWORD '${{ $user.name }}_PASSWORD' + {{- else }} + PASSWORD null + {{- end }} + {{ join " " $user.options }} + ; + {{- end }} + + {{- range $database := .Values.init.provisioning.databases }} + CREATE DATABASE IF NOT EXISTS {{ $database.name }} + {{- if $database.options }} + {{ join " " $database.options }} + {{- end }} + ; + + {{- range $owner := $database.owners }} + GRANT ALL ON DATABASE {{ $database.name }} TO {{ $owner }}; + {{- end }} + + {{- range $owner := $database.owners_with_grant_option }} + GRANT ALL ON DATABASE {{ $database.name }} TO {{ $owner }} WITH GRANT OPTION; + {{- end }} + + {{- if $database.backup }} + CREATE SCHEDULE IF NOT EXISTS {{ $database.name }}_scheduled_backup + FOR BACKUP DATABASE {{ $database.name }} INTO '{{ $database.backup.into }}' + + {{- if $database.backup.options }} + WITH {{ join "," $database.backup.options }} + {{- end }} + RECURRING '{{ $database.backup.recurring }}' + {{- if $database.backup.fullBackup }} + FULL BACKUP '{{ $database.backup.fullBackup }}' + {{- else }} + FULL BACKUP ALWAYS + {{- end }} + + {{- if and $database.backup.schedule $database.backup.schedule.options }} + WITH SCHEDULE OPTIONS {{ join "," $database.backup.schedule.options }} + {{- end }} + ; + {{- end }} + {{- end }} + " + &>/dev/null; + + local exitCode="$?"; + + if [[ "$exitCode" -eq "0" ]] + then break; + fi + + sleep 5; + done + + echo "Provisioning completed successfully"; + } + + provisionCluster; + {{- end }} + env: + {{- $secretName := printf "%s-init" (include "cockroachdb.fullname" .) 
}} + {{- range $user := .Values.init.provisioning.users }} + {{- if $user.password }} + - name: {{ $user.name }}_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $secretName }} + key: {{ $user.name }}-password + {{- end }} + {{- end }} + {{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }} + {{- if $clusterSettingValue }} + - name: {{ $clusterSetting | replace "." "_" }}_CLUSTER_SETTING + valueFrom: + secretKeyRef: + name: {{ $secretName }} + key: {{ $clusterSetting | replace "." "-" }}-cluster-setting + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + volumeMounts: + - name: client-certs + mountPath: /cockroach-certs/ + {{- end }} + {{- with .Values.init.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + {{- if and .Values.init.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + {{- end }} + {{- if .Values.tls.enabled }} + volumes: + - name: client-certs + emptyDir: {} + {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + - name: certs-secret + {{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + projected: + sources: + - secret: + {{- if .Values.tls.certs.selfSigner.enabled }} + name: {{ template "cockroachdb.fullname" . }}-client-secret + {{ else }} + name: {{ .Values.tls.certs.clientRootSecret }} + {{ end -}} + items: + - key: ca.crt + path: ca.crt + mode: 0400 + - key: tls.crt + path: client.root.crt + mode: 0400 + - key: tls.key + path: client.root.key + mode: 0400 + {{- else }} + secret: + secretName: {{ .Values.tls.certs.clientRootSecret }} + defaultMode: 0400 + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/networkpolicy.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/networkpolicy.yaml new file mode 100644 index 0000000000..d41afa32ba 
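Review bot: The `provisionCluster` loop redirects the whole `cockroach sql` invocation with `&>/dev/null`, so when a statement is rejected the job retries every 5 seconds forever without ever printing the error, and the operator sees only a hung post-install hook. Capture the output as `initCluster` already does (`local output=$(... 2>&1); echo "$output"`) and stop retrying on a non-retryable SQL error. The user, database, owner and backup values are spliced into the SQL text and into a bash double-quoted string without quoting or validation, so a name containing `"`, `;` or `$` (or a `-`, via `'${{ $user.name }}_PASSWORD'`) breaks the statement; since these come from values, wrapping identifiers in double quotes in the template and rejecting non-identifier names with `fail`, as `_helpers.tpl` does for the WAL failover settings above, would make the failure explicit. The `exitCode` local in `initCluster` is assigned but never read.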
--- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/networkpolicy.yaml 
@@ -0,0 +1,59 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "cockroachdb.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "cockroachdb.serviceAccount.name" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + ingress: + - ports: + - port: grpc + {{- with .Values.networkPolicy.ingress.grpc }} + from: + # Allow connections via custom rules. + {{- toYaml . | nindent 8 }} + # Allow client connection via pre-considered label. + - podSelector: + matchLabels: + {{ template "cockroachdb.fullname" . }}-client: "true" + # Allow other CockroachDBs to connect to form a cluster. + - podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 14 }} + {{- end }} + {{- if gt (.Values.statefulset.replicas | int64) 1 }} + # Allow init Job to connect to bootstrap a cluster. + - podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.init.labels }} + {{- toYaml . | nindent 14 }} + {{- end }} + {{- end }} + {{- end }} + # Allow connections to admin UI and for Prometheus. + - ports: + - port: http + {{- with .Values.networkPolicy.ingress.http }} + from: {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} 
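Review bot: The `with .Values.networkPolicy.ingress.grpc` guard wraps the entire `from:` list — including the `-client: "true"` podSelector and the peer/init-Job selectors — so when that value is empty the rule is rendered with `ports` but no `from`, and a NetworkPolicy rule without `from` admits traffic from every peer; the SQL/gRPC port is therefore wide open precisely when the operator supplies no custom rules. The `http` rule has the same shape: an empty `ingress.http` yields an unrestricted admin-UI/metrics port, not a closed one. I'd move the `with` inside `from:` so the built-in selectors are always emitted and custom entries are appended only when present (grpc rule shown below; apply the same to `http`, or add a comment stating that an empty list deliberately means allow-all, since the existing comments read as restriction).
```yaml
  ingress:
    - ports:
        - port: grpc
      from:
        # Custom rules, appended only when networkPolicy.ingress.grpc is non-empty.
        {{- with .Values.networkPolicy.ingress.grpc }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        # Allow client connection via pre-considered label.
        - podSelector:
            matchLabels:
              {{ template "cockroachdb.fullname" . }}-client: "true"
        # … unchanged: peer-pod and init-Job podSelectors …
```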
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/poddisruptionbudget.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..f707e40541 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/poddisruptionbudget.yaml @@ -0,0 +1,26 @@ +kind: PodDisruptionBudget +{{- if or (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +metadata: + name: {{ template "cockroachdb.fullname" . }}-budget + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + maxUnavailable: {{ .Values.statefulset.budget.maxUnavailable | int64 }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/role-certRotateSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/role-certRotateSelfSigner.yaml new file mode 100644 index 0000000000..f0e2b90cea --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/role-certRotateSelfSigner.yaml 
@@ -0,0 +1,27 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "rotatecerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "update", "delete"] + - apiGroups: ["apps"] + resources: ["statefulsets"] + verbs: ["get"] + resourceNames: + - {{ template "cockroachdb.fullname" . }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete", "get"] +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/role-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/role-certSelfSigner.yaml new file mode 100644 index 0000000000..1cbaab3dd3 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/role-certSelfSigner.yaml 
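Review bot: The `secrets` rule grants `get`, `update` and `delete` on every Secret in the release namespace, while the neighbouring `statefulsets` rule is already pinned with `resourceNames`; the rotation ServiceAccount can thus read or remove unrelated Secrets, including the registry credentials and the `-init` provisioning passwords this same chart renders. `create` cannot be restricted by name in RBAC, but the other three verbs can, so split the rule as below, listing the chart's CA/node/client secret names (only `{{ template "cockroachdb.fullname" . }}-client-secret` is visible in this diff; the others live in the self-signer job templates outside this chunk). The `pods` `delete` grant is likewise namespace-wide; if rotation only needs to restart this StatefulSet's pods, a comment explaining why a blanket delete is required (or a rollout-restart via the already-scoped StatefulSet) would be preferable.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]  # create cannot be scoped by resourceNames
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "update", "delete"]
    resourceNames:
      - {{ template "cockroachdb.fullname" . }}-client-secret
      # … add the CA and node secret names created by the self-signer job …
  # … unchanged: statefulsets and pods rules …
```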
@@ -0,0 +1,33 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "selfcerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "update", "delete"] + - apiGroups: ["apps"] + resources: ["statefulsets"] + verbs: ["get"] + resourceNames: + - {{ template "cockroachdb.fullname" . }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete", "get"] +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/role.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/role.yaml new file mode 100644 index 0000000000..ebe5ce8ae7 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/role.yaml 
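Review bot: This pre-install/pre-upgrade hook Role repeats, verbatim, the unscoped `secrets` get/update/delete and namespace-wide `pods` delete grants of the rotation Role, so the same narrowing applies — `resourceNames` on the non-`create` secret verbs, and a stated reason for `pods` `delete` on a job that, on first install, runs before any release pods exist (on upgrade it may need to bounce nodes; if so, say so in a comment above the rule). Because the `rules:` block is duplicated between the two Roles, a shared named template (e.g. `{{- include "cockroachdb.selfSigner.rbacRules" . | nindent 2 }}`) would keep them in step when one is tightened. The `hook-delete-policy` removing the Role after the hook completes is the right call and should stay.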
@@ -0,0 +1,23 @@ +{{- if .Values.tls.enabled }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: [""] + resources: ["secrets"] + {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }} + verbs: ["get"] + {{- else }} + verbs: ["create", "get"] + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/rolebinding-certRotateSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/rolebinding-certRotateSelfSigner.yaml new file mode 100644 index 0000000000..c1a45f7977 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/rolebinding-certRotateSelfSigner.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "rotatecerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "rotatecerts.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "rotatecerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} 
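Review bot: In the self-signer path (neither `tls.certs.provided` nor `tls.certs.certManager`) the database pods' own ServiceAccount receives `create` and `get` on all Secrets in the namespace, and in the provided/cert-manager path it still gets namespace-wide `get`, even though the StatefulSet in this diff delivers certificates through the `certs-secret` volume mount rather than the API; a compromised db container can then read every Secret in the namespace. If the pods genuinely still call the API for their cert secret, scope `get` with `resourceNames` (e.g. `- {{ .Values.tls.certs.clientRootSecret }}` plus the node secret — names beyond the client secret are not visible here); if they do not, this Role and its RoleBinding can be skipped entirely for the provided/cert-manager paths. Please confirm which container actually uses the API, since this chunk shows only volume-mounted certs.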
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/rolebinding-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/rolebinding-certSelfSigner.yaml new file mode 100644 index 0000000000..5725d02a41 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/rolebinding-certSelfSigner.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "selfcerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "selfcerts.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "selfcerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/rolebinding.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/rolebinding.yaml new file mode 100644 index 0000000000..00d9f9a551 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/rolebinding.yaml 
@@ -0,0 +1,23 @@ +{{- if .Values.tls.enabled }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "cockroachdb.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "cockroachdb.serviceAccount.name" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/secret.backendconfig.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/secret.backendconfig.yaml new file mode 100644 index 0000000000..61103060a6 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/secret.backendconfig.yaml 
@@ -0,0 +1,25 @@ +{{- if .Values.iap.enabled }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}.iap + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if eq "" .Values.iap.clientId }} + {{ fail "iap.clientID can't be empty if iap.enabled is set to true" }} + {{- end }} + client_id: {{ .Values.iap.clientId | b64enc }} + {{- if eq "" .Values.iap.clientSecret }} + {{ fail "iap.clientSecret can't be empty if iap.enabled is set to true" }} + {{- end }} + client_secret: {{ .Values.iap.clientSecret | b64enc }} +{{- end }} \ No newline at end of file diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/secret.logconfig.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/secret.logconfig.yaml new file mode 100644 index 0000000000..40b929ae75 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/secret.logconfig.yaml @@ -0,0 +1,19 @@ +{{- if .Values.conf.log.enabled }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}-log-config + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +stringData: + log-config.yaml: | + {{- toYaml .Values.conf.log.config | nindent 4 }} +{{- end }} 
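Review bot: The failure message for an empty client ID names `iap.clientID`, but the value read two lines later is `.Values.iap.clientId`, which will send operators to a key that does not exist — change it to `{{ fail "iap.clientId can't be empty if iap.enabled is set to true" }}`. Beyond the typo, `iap.clientSecret` is an OAuth client secret rendered straight from plain Helm values, so it lands in `values.yaml` and again in the Helm release Secret; an `iap.existingSecret` reference (if the chart has none already — none is visible in this chunk) would keep it out of both. The two `{{ fail }}` calls sit inside the `data:` mapping; they work because `fail` aborts rendering, but hoisting them above `kind:` makes the validation easier to find.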
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/secret.registry.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/secret.registry.yaml new file mode 100644 index 0000000000..a054069fbc --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/secret.registry.yaml @@ -0,0 +1,23 @@ +{{- range $name, $cred := dict "db" (.Values.image.credentials) "init-certs" (.Values.tls.selfSigner.image.credentials) }} +{{- if not (empty $cred) }} +{{- if or (and (eq $name "init-certs") $.Values.tls.enabled) (ne $name "init-certs") }} +--- +kind: Secret +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" $ }}.{{ $name }}.registry + namespace: {{ $.Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" $ }} + app.kubernetes.io/name: {{ template "cockroachdb.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name | quote }} + app.kubernetes.io/managed-by: {{ $.Release.Service | quote }} + {{- with $.Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ printf `{"auths":{%s:{"auth":"%s"}}}` ($cred.registry | quote) (printf "%s:%s" $cred.username $cred.password | b64enc) | b64enc | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/secrets.init.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/secrets.init.yaml new file mode 100644 index 0000000000..4d13a35ffa --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/secrets.init.yaml 
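Review bot: The Secrets rendered here are named `<fullname>.db.registry` and `<fullname>.init-certs.registry` (the keys of the `dict` on the `range` line), yet the StatefulSet in this same diff lists `{{ template "cockroachdb.fullname" . }}.self-signed-certs.registry` as its second `imagePullSecret`; unless another template outside this chunk creates that name, pulling the self-signer image with private-registry credentials will fail on a missing pull secret. Either rename the dict key to `"self-signed-certs"` here or point the StatefulSet at `.init-certs.registry`. The `init-certs` Secret is also gated only on `tls.enabled`, whereas the StatefulSet only references it when `tls.certs.provided` and `tls.certs.certManager` are both false; aligning the two conditions avoids creating a credential Secret nothing consumes.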
@@ -0,0 +1,20 @@ +{{- if .Values.init.provisioning.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "cockroachdb.fullname" . }}-init + namespace: {{ .Release.Namespace | quote }} +type: Opaque +stringData: + +{{- range $user := .Values.init.provisioning.users }} +{{- if $user.password }} + {{ $user.name }}-password: {{ $user.password | quote }} +{{- end }} +{{- end }} + +{{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }} + {{ $clusterSetting | replace "." "-" }}-cluster-setting: {{ $clusterSettingValue | quote }} +{{- end }} + +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/service.discovery.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/service.discovery.yaml new file mode 100644 index 0000000000..8fe2a427ad --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/service.discovery.yaml 
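Review bot: Provisioned user passwords and cluster-setting values are copied verbatim from `init.provisioning` in values, so every password is committed to `values.yaml` and stored again in the Helm release Secret; an `init.provisioning.existingSecret` escape hatch (if one is not already present — none is visible here) would let operators keep credentials out of both. This is also the only Secret in the chart rendered without the standard `helm.sh/chart` / `app.kubernetes.io/*` labels, and its keys are built from `$user.name`, which presumably must satisfy the Secret-key charset (`[-._a-zA-Z0-9]+`) and, in the init Job, the env-var name rules; a `{{- if not (regexMatch "^[-._a-zA-Z0-9]+$" $user.name) }}{{ fail ... }}{{- end }}` guard would give a clear error at render time instead of an API rejection at install.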
@@ -0,0 +1,64 @@ +# This service only exists to create DNS entries for each pod in +# the StatefulSet such that they can resolve each other's IP addresses. +# It does not create a load-balanced ClusterIP and should not be used directly +# by clients in most circumstances. +kind: Service +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.service.discovery.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + # Use this annotation in addition to the actual field below because the + # annotation will stop being respected soon, but the field is broken in + # some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + # Enable automatic monitoring of all instances when Prometheus is running + # in the cluster. + {{- if .Values.prometheus.enabled }} + prometheus.io/scrape: "true" + prometheus.io/path: _status/vars + prometheus.io/port: {{ .Values.service.ports.http.port | quote }} + {{- end }} + {{- with .Values.service.discovery.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + clusterIP: None + # We want all Pods in the StatefulSet to have their addresses published for + # the sake of the other CockroachDB Pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + {{- $ports := .Values.service.ports }} + # The main port, served by gRPC, serves Postgres-flavor SQL, inter-node + # traffic and the CLI. 
+ - name: {{ $ports.grpc.external.name | quote }} + port: {{ $ports.grpc.external.port | int64 }} + targetPort: grpc + {{- if ne ($ports.grpc.internal.port | int64) ($ports.grpc.external.port | int64) }} + - name: {{ $ports.grpc.internal.name | quote }} + port: {{ $ports.grpc.internal.port | int64 }} + targetPort: grpc + {{- end }} + # The secondary port serves the UI as well as health and debug endpoints. + - name: {{ $ports.http.name | quote }} + port: {{ $ports.http.port | int64 }} + targetPort: http + selector: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/service.public.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/service.public.yaml new file mode 100644 index 0000000000..251e9ab084 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/service.public.yaml 
@@ -0,0 +1,55 @@ +# This Service is meant to be used by clients of the database. +# It exposes a ClusterIP that will automatically load balance connections +# to the different database Pods. +kind: Service +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.fullname" . }}-public + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.service.public.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.service.public.annotations .Values.tls.enabled .Values.iap.enabled }} + annotations: + {{- with .Values.service.public.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.tls.enabled }} + service.alpha.kubernetes.io/app-protocols: '{"http":"HTTPS"}' + {{- end }} + {{- if .Values.iap.enabled }} + beta.cloud.google.com/backend-config: '{"default": "{{ template "cockroachdb.fullname" . }}"}' + {{- end }} + {{- end }} +spec: + type: {{ .Values.service.public.type | quote }} + ports: + {{- $ports := .Values.service.ports }} + # The main port, served by gRPC, serves Postgres-flavor SQL, inter-node + # traffic and the CLI. + - name: {{ $ports.grpc.external.name | quote }} + port: {{ $ports.grpc.external.port | int64 }} + targetPort: grpc + {{- if ne ($ports.grpc.internal.port | int64) ($ports.grpc.external.port | int64) }} + - name: {{ $ports.grpc.internal.name | quote }} + port: {{ $ports.grpc.internal.port | int64 }} + targetPort: grpc + {{- end }} + # The secondary port serves the UI as well as health and debug endpoints. + - name: {{ $ports.http.name | quote }} + port: {{ $ports.http.port | int64 }} + targetPort: http + selector: + app.kubernetes.io/name: {{ template "cockroachdb.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceMonitor.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceMonitor.yaml new file mode 100644 index 0000000000..42f2390b4c --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceMonitor.yaml 
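Review bot: `service.alpha.kubernetes.io/app-protocols` is a GKE-specific annotation and only marks the `http` port; the standard per-port `appProtocol` field (GA since Kubernetes 1.20) conveys the same to any ingress controller, so adding `appProtocol: https` to the `http` port entry under `{{- if .Values.tls.enabled }}` would be more portable, with the annotation kept for GKE if still needed. Separately, when `service.public.type` is `LoadBalancer` or `NodePort` and `tls.enabled` is false, the StatefulSet in this diff starts with `--insecure`, so an unauthenticated SQL port becomes reachable from outside the cluster; a comment on `type:` warning about that combination, or a `fail` when both hold, seems worthwhile.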
@@ -0,0 +1,54 @@ +{{- $serviceMonitor := .Values.serviceMonitor -}} +{{- $ports := .Values.service.ports -}} +{{- if $serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- if $serviceMonitor.labels }} + {{- toYaml $serviceMonitor.labels | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $serviceMonitor.annotations }} + annotations: + {{- toYaml $serviceMonitor.annotations | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.service.discovery.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + namespaceSelector: + {{- if $serviceMonitor.namespaced }} + matchNames: + - {{ .Release.Namespace }} + {{- else }} + any: true + {{- end }} + endpoints: + - port: {{ $ports.http.name | quote }} + path: /_status/vars + {{- if $serviceMonitor.interval }} + interval: {{ $serviceMonitor.interval }} + {{- end }} + {{- if $serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ $serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.serviceMonitor.tlsConfig }} + tlsConfig: {{ toYaml .Values.serviceMonitor.tlsConfig | nindent 6 }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceaccount-certRotateSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceaccount-certRotateSelfSigner.yaml new file mode 100644 index 0000000000..a27cba9219 --- /dev/null 
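Review bot: The endpoint scrapes `/_status/vars` on the `http` port but never sets `scheme`; with `tls.enabled` that port serves HTTPS (the public Service annotates it as such), so Prometheus will scrape it as plain HTTP and fail — `tlsConfig` is passed through, but there is no way to set the scheme. Add `{{- if .Values.tls.enabled }}` / `scheme: https` / `{{- end }}` next to the `tlsConfig` block, or expose a `serviceMonitor.scheme` value. Note also that whenever `serviceMonitor.namespaced` is false the selector becomes `any: true`, letting a Prometheus in any namespace pick this Service up; that is fine for a shared monitoring stack but deserves a comment where metrics are treated as sensitive.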
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceaccount-certRotateSelfSigner.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} + {{ template "cockroachdb.tls.certs.selfSigner.validation" . }} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ template "rotatecerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.tls.certs.selfSigner.svcAccountAnnotations }} + annotations: + {{- with .Values.tls.certs.selfSigner.svcAccountAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceaccount-certSelfSigner.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceaccount-certSelfSigner.yaml new file mode 100644 index 0000000000..3ce2d63e9e --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceaccount-certSelfSigner.yaml 
@@ -0,0 +1,25 @@ +{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }} + {{ template "cockroachdb.tls.certs.selfSigner.validation" . }} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ template "selfcerts.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + {{- with .Values.tls.certs.selfSigner.svcAccountAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceaccount.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceaccount.yaml new file mode 100644 index 0000000000..3af9be9aa9 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/serviceaccount.yaml 
@@ -0,0 +1,21 @@ +{{- if .Values.statefulset.serviceAccount.create }} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ template "cockroachdb.serviceAccount.name" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.statefulset.serviceAccount.annotations }} + annotations: + {{- with .Values.statefulset.serviceAccount.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/statefulset.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/statefulset.yaml new file mode 100644 index 0000000000..5be883940f --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/statefulset.yaml 
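Review bot: This ServiceAccount has no `automountServiceAccountToken` setting, so a token is mounted into every CockroachDB pod even though, when `tls.enabled` is false, the chart renders no Role or RoleBinding for it at all (both are gated on `tls.enabled` elsewhere in this diff), and with provided/cert-manager certs it holds only `get` on secrets. A value such as `statefulset.serviceAccount.automountServiceAccountToken` (defaulting to `true` for compatibility) rendered as `automountServiceAccountToken: {{ .Values.statefulset.serviceAccount.automountServiceAccountToken }}` would let operators drop an unused credential and shrink what a compromised db container can reach. Worth confirming whether the db container uses the API at all when certs come from a mounted Secret — the StatefulSet in this diff copies them from a volume, not via the API.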
@@ -0,0 +1,563 @@ +{{ template "cockroachdb.conf.log.validation" . }} +{{ template "cockroachdb.conf.store.validation" . }} +kind: StatefulSet +apiVersion: {{ template "cockroachdb.statefulset.apiVersion" . }} +metadata: + name: {{ template "cockroachdb.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + helm.sh/chart: {{ template "cockroachdb.chart" . }} + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "cockroachdb.fullname" . }} + replicas: {{ .Values.statefulset.replicas | int64 }} + updateStrategy: {{- toYaml .Values.statefulset.updateStrategy | nindent 4 }} + podManagementPolicy: {{ .Values.statefulset.podManagementPolicy | quote }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 6 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.statefulset.annotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }} + imagePullSecrets: + {{- if .Values.image.credentials }} + - name: {{ template "cockroachdb.fullname" . 
}}.db.registry + {{- end }} + {{- if and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }} + - name: {{ template "cockroachdb.fullname" . }}.self-signed-certs.registry + {{- end }} + {{- end }} + serviceAccountName: {{ template "cockroachdb.serviceAccount.name" . }} + {{- if .Values.tls.enabled }} + initContainers: + - name: copy-certs + image: {{ .Values.tls.copyCerts.image | quote }} + imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }} + command: + - /bin/sh + - -c + - "cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.statefulset.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + volumeMounts: + - name: certs + mountPath: /cockroach-certs/ + - name: certs-secret + mountPath: /certs/ + {{- with .Values.tls.copyCerts.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + {{- range $ic := .Values.statefulset.initContainers }} + - {{- toYaml $ic | nindent 10 }} + {{ with $.Values.statefulset.volumeMounts}} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.statefulset.nodeAffinity .Values.statefulset.podAffinity .Values.statefulset.podAntiAffinity }} + affinity: + {{- with .Values.statefulset.nodeAffinity }} + nodeAffinity: {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.statefulset.podAffinity }} + podAffinity: {{- toYaml . 
| nindent 10 }} + {{- end }} + {{- if .Values.statefulset.podAntiAffinity }} + podAntiAffinity: + {{- if .Values.statefulset.podAntiAffinity.type }} + {{- if eq .Values.statefulset.podAntiAffinity.type "hard" }} + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.statefulset.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 18 }} + {{- end }} + {{- else if eq .Values.statefulset.podAntiAffinity.type "soft" }} + preferredDuringSchedulingIgnoredDuringExecution: + - weight: {{ .Values.statefulset.podAntiAffinity.weight | int64 }} + podAffinityTerm: + topologyKey: {{ .Values.statefulset.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 20 }} + {{- end }} + {{- end }} + {{- else }} + {{- toYaml .Values.statefulset.podAntiAffinity | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.Version }} + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.statefulset.labels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.statefulset.topologySpreadConstraints }} + maxSkew: {{ .maxSkew }} + topologyKey: {{ .topologyKey }} + whenUnsatisfiable: {{ .whenUnsatisfiable }} + {{- end }} + {{- end }} + {{- with .Values.statefulset.nodeSelector }} + nodeSelector: {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- if .Values.statefulset.priorityClassName }} + priorityClassName: {{ .Values.statefulset.priorityClassName }} + {{- end }} + {{- with .Values.statefulset.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + # No pre-stop hook is required, a SIGTERM plus some time is all that's + # needed for graceful shutdown of a node. + terminationGracePeriodSeconds: {{ .Values.init.terminationGracePeriodSeconds }} + containers: + - name: db + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + args: + - shell + - -ecx + # The use of qualified `hostname -f` is crucial: + # Other nodes aren't able to look up the unqualified hostname. + # + # `--join` CLI flag is hardcoded to exactly 3 Pods, because: + # 1. Having `--join` value depending on `statefulset.replicas` + # will trigger undesired restart of existing Pods when + # StatefulSet is scaled up/down. We want to scale without + # restarting existing Pods. + # 2. At least one Pod in `--join` is enough to successfully + # join CockroachDB cluster and gossip with all other existing + # Pods, even if there are 3 or more Pods. + # 3. It's harmless for `--join` to have 3 Pods even for 1-Pod + # clusters, while it gives us opportunity to scale up even if + # some Pods of existing cluster are down (for whatever reason). + # See details explained here: + # https://github.com/helm/charts/pull/18993#issuecomment-558795102 + - >- + exec /cockroach/cockroach + {{- if index .Values.conf `single-node` }} + start-single-node + {{- else }} + start --join= + {{- if .Values.conf.join }} + {{- join `,` .Values.conf.join -}} + {{- else }} + {{- range $i, $_ := until 3 -}} + {{- if gt $i 0 -}},{{- end -}} + ${STATEFULSET_NAME}-{{ $i }}.${STATEFULSET_FQDN}:{{ $.Values.service.ports.grpc.internal.port | int64 -}} + {{- end -}} + {{- end }} + {{- with index .Values.conf `cluster-name` }} + --cluster-name={{ . 
}} + {{- if index $.Values.conf `disable-cluster-name-verification` }} + --disable-cluster-name-verification + {{- end }} + {{- end }} + {{- end }} + --advertise-host=$(hostname).${STATEFULSET_FQDN} + {{- if .Values.tls.enabled }} + --certs-dir=/cockroach/cockroach-certs/ + {{- else }} + --insecure + {{- end }} + {{- with .Values.conf.attrs }} + --attrs={{ join `:` . }} + {{- end }} + {{- if index .Values.conf `http-port` }} + --http-port={{ index .Values.conf `http-port` | int64 }} + {{- else }} + --http-port={{ index .Values.service.ports.http.port | int64 }} + {{- end }} + {{- if .Values.conf.port }} + --port={{ .Values.conf.port | int64 }} + {{- else }} + --port={{ .Values.service.ports.grpc.internal.port | int64 }} + {{- end }} + --cache={{ .Values.conf.cache }} + {{- with index .Values.conf `max-disk-temp-storage` }} + --max-disk-temp-storage={{ . }} + {{- end }} + {{- with index .Values.conf `max-offset` }} + --max-offset={{ . }} + {{- end }} + --max-sql-memory={{ index .Values.conf `max-sql-memory` }} + {{- with .Values.conf.locality }} + --locality={{ . }} + {{- end }} + {{- with index .Values.conf `sql-audit-dir` }} + --sql-audit-dir={{ . }} + {{- end }} + {{- if .Values.conf.store.enabled }} + {{- range $idx := until (int .Values.conf.store.count) }} + {{- $_ := set $ "Args" (dict "idx" $idx) }} + --store={{ include "cockroachdb.conf.store" $ }} + {{- end }} + {{- end }} + {{- with index .Values.conf `wal-failover` `value` }} + {{- template "cockroachdb.conf.wal-failover.validation" $ }} + --wal-failover={{ . }} + {{- end }} + {{- if .Values.conf.log.enabled }} + --log-config-file=/cockroach/log-config/log-config.yaml + {{- else }} + --logtostderr={{ .Values.conf.logtostderr }} + {{- end }} + {{- range .Values.statefulset.args }} + {{ . }} + {{- end }} + env: + - name: STATEFULSET_NAME + value: {{ template "cockroachdb.fullname" . }} + - name: STATEFULSET_FQDN + value: {{ template "cockroachdb.fullname" . 
}}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + - name: COCKROACH_CHANNEL + value: kubernetes-helm + {{- with .Values.statefulset.env }} + {{- toYaml . | nindent 12 }} + {{- end }} + ports: + - name: grpc + {{- if .Values.conf.port }} + containerPort: {{ .Values.conf.port | int64 }} + {{- else }} + containerPort: {{ .Values.service.ports.grpc.internal.port | int64 }} + {{- end }} + protocol: TCP + - name: http + {{- if index .Values.conf `http-port` }} + containerPort: {{ index .Values.conf `http-port` | int64 }} + {{- else }} + containerPort: {{ index .Values.service.ports.http.port | int64 }} + {{- end }} + protocol: TCP + volumeMounts: + {{- range $i := until (int .Values.conf.store.count) }} + {{- if eq $i 0 }} + - name: datadir + mountPath: /cockroach/{{ $.Values.conf.path }}/ + {{- else }} + - name: datadir-{{ add1 $i }} + mountPath: /cockroach/{{ $.Values.conf.path }}-{{ add1 $i }}/ + {{- end }} + {{- end }} + {{- with index .Values.conf `wal-failover` `persistentVolume` }} + {{- if .enabled }} + - name: failoverdir + mountPath: /cockroach/{{ .path }}/ + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /cockroach/cockroach-certs/ + {{- if .Values.tls.certs.provided }} + - name: certs-secret + mountPath: /cockroach/certs/ + {{- end }} + {{- end }} + {{- range .Values.statefulset.secretMounts }} + - name: {{ printf "secret-%s" . | quote }} + mountPath: {{ printf "/etc/cockroach/secrets/%s" . | quote }} + readOnly: true + {{- end }} + {{- if .Values.conf.log.enabled }} + - name: log-config + mountPath: /cockroach/log-config + readOnly: true + {{- end }} + {{- if .Values.conf.log.persistentVolume.enabled }} + - name: logsdir + mountPath: /cockroach/{{ .Values.conf.log.persistentVolume.path }}/ + {{- end }} + {{- with .Values.statefulset.volumeMounts }} + {{ toYaml . 
| nindent 12 }} + {{- end }} + {{- if .Values.statefulset.customStartupProbe }} + startupProbe: + {{ toYaml .Values.statefulset.customStartupProbe | nindent 12 }} + {{- end }} + livenessProbe: + {{- if .Values.statefulset.customLivenessProbe }} + {{ toYaml .Values.statefulset.customLivenessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health + port: http + {{- if .Values.tls.enabled }} + scheme: HTTPS + {{- end }} + initialDelaySeconds: 30 + periodSeconds: 5 + {{- end }} + readinessProbe: + {{- if .Values.statefulset.customReadinessProbe }} + {{ toYaml .Values.statefulset.customReadinessProbe | nindent 12 }} + {{- else }} + httpGet: + path: /health?ready=1 + port: http + {{- if .Values.tls.enabled }} + scheme: HTTPS + {{- end }} + initialDelaySeconds: 10 + periodSeconds: 5 + failureThreshold: 2 + {{- end }} + {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }} + {{- if .Values.statefulset.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + {{- end }} + {{- with .Values.statefulset.resources }} + resources: {{- toYaml . 
| nindent 12 }} + {{- end }} + volumes: + {{- range $i := until (int .Values.conf.store.count) }} + {{- if eq $i 0 }} + - name: datadir + {{- if $.Values.storage.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: datadir + {{- else if $.Values.storage.hostPath }} + hostPath: + path: {{ $.Values.storage.hostPath | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + - name: datadir-{{ add1 $i }} + {{- if $.Values.storage.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: datadir-{{ add1 $i }} + {{- else if $.Values.storage.hostPath }} + {{- $_ := set $ "Args" (dict "idx" $i) }} + hostPath: + path: {{ include "cockroachdb.storage.hostPath.computation" $ }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- end }} + {{- with index .Values.conf `wal-failover` }} + {{- if .value }} + - name: failoverdir + {{- if .persistentVolume.enabled }} + persistentVolumeClaim: + claimName: failoverdir + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.statefulset.volumes }} + {{ toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + - name: certs-secret + {{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }} + projected: + sources: + - secret: + {{- if .Values.tls.certs.selfSigner.enabled }} + name: {{ template "cockroachdb.fullname" . }}-node-secret + {{ else }} + name: {{ .Values.tls.certs.nodeSecret }} + {{ end -}} + items: + - key: ca.crt + path: ca.crt + mode: 256 + - key: tls.crt + path: node.crt + mode: 256 + - key: tls.key + path: node.key + mode: 256 + {{- else }} + secret: + secretName: {{ .Values.tls.certs.nodeSecret }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.statefulset.secretMounts }} + - name: {{ printf "secret-%s" . 
| quote }} + secret: + secretName: {{ . | quote }} + {{- end }} + {{- if .Values.conf.log.enabled }} + - name: log-config + secret: + secretName: {{ template "cockroachdb.fullname" . }}-log-config + {{- end }} + {{- if .Values.conf.log.enabled }} + - name: logsdir + {{- if .Values.conf.log.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: logsdir + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }} + {{- if and .Values.securityContext.enabled }} + securityContext: + seccompProfile: + type: "RuntimeDefault" + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + runAsNonRoot: true + {{- end }} + {{- end }} +{{- if or .Values.storage.persistentVolume.enabled (index .Values.conf `wal-failover` `persistentVolume` `enabled`) .Values.conf.log.persistentVolume.enabled }} + volumeClaimTemplates: + {{- if .Values.storage.persistentVolume.enabled }} + {{- range $i := until (int .Values.conf.store.count) }} + - metadata: + {{- if eq $i 0 }} + name: datadir + {{- else }} + name: datadir-{{ add1 $i }} + {{- end }} + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name | quote }} + {{- with $.Values.storage.persistentVolume.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with $.Values.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with $.Values.storage.persistentVolume.annotations }} + annotations: {{- toYaml . 
| nindent 10 }} + {{- end }} + spec: + accessModes: ["ReadWriteOnce"] + {{- if $.Values.storage.persistentVolume.storageClass }} + {{- if (eq "-" $.Values.storage.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: {{ $.Values.storage.persistentVolume.storageClass | quote}} + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $.Values.storage.persistentVolume.size | quote }} + {{- end }} + {{- end }} + {{- with index .Values.conf `wal-failover` }} + {{- if .persistentVolume.enabled }} + - metadata: + name: failoverdir + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" $ }} + app.kubernetes.io/instance: {{ $.Release.Name | quote }} + {{- with .persistentVolume.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with $.Values.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .persistentVolume.annotations }} + annotations: {{- toYaml . | nindent 10 }} + {{- end }} + spec: + accessModes: ["ReadWriteOnce"] + {{- with .persistentVolume.storageClass }} + {{- if eq "-" . }} + storageClassName: "" + {{- else }} + storageClassName: {{ . | quote}} + {{- end }} + {{- end }} + resources: + requests: + storage: {{ .persistentVolume.size | quote }} + {{- end }} + {{- end }} + {{- if .Values.conf.log.persistentVolume.enabled }} + - metadata: + name: logsdir + labels: + app.kubernetes.io/name: {{ template "cockroachdb.name" . }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + {{- with .Values.conf.log.persistentVolume.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.conf.log.persistentVolume.annotations }} + annotations: {{- toYaml . 
| nindent 10 }} + {{- end }} + spec: + accessModes: ["ReadWriteOnce"] + {{- if .Values.conf.log.persistentVolume.storageClass }} + {{- if (eq "-" .Values.conf.log.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: {{ .Values.conf.log.persistentVolume.storageClass | quote}} + {{- end }} + {{- end }} + resources: + requests: + storage: {{ .Values.conf.log.persistentVolume.size | quote }} + {{- end }} +{{- end }} diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/templates/tests/client.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/templates/tests/client.yaml new file mode 100644 index 0000000000..8656b8ed68 --- /dev/null +++ b/charts/cockroach-labs/cockroachdb/15.0.2/templates/tests/client.yaml 
@@ -0,0 +1,65 @@
+kind: Pod
+apiVersion: v1
+metadata:
+ name: {{ template "cockroachdb.fullname" . }}-test
+ namespace: {{ .Release.Namespace | quote }}
+{{- if .Values.networkPolicy.enabled }}
+ labels:
+ {{ template "cockroachdb.fullname" . }}-client: "true"
+{{- end }}
+ annotations:
+ helm.sh/hook: test-success
+spec:
+ restartPolicy: Never
+{{- if .Values.image.credentials }}
+ imagePullSecrets:
+ - name: {{ template "cockroachdb.fullname" . }}.db.registry
+{{- end }}
+ {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
+ volumes:
+ - name: client-certs
+ {{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager }}
+ projected:
+ sources:
+ - secret:
+ name: {{ .Values.tls.certs.clientRootSecret }}
+ items:
+ - key: ca.crt
+ path: ca.crt
+ mode: 0400
+ - key: tls.crt
+ path: client.root.crt
+ mode: 0400
+ - key: tls.key
+ path: client.root.key
+ mode: 0400
+ {{- else }}
+ secret:
+ secretName: {{ .Values.tls.certs.clientRootSecret }}
+ defaultMode: 0400
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: client-test
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
+ volumeMounts:
+ - name: client-certs
+ mountPath: /cockroach-certs
+ {{- end }}
+ command:
+ - /cockroach/cockroach
+ - sql
+ {{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
+ - --certs-dir
+ - /cockroach-certs
+ {{- else }}
+ - --insecure
+ {{- end}}
+ - --host
+ - {{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}
+ - --port
+ - {{ .Values.service.ports.grpc.external.port | quote }}
+ - -e
+ - SHOW DATABASES;
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/values.schema.json b/charts/cockroach-labs/cockroachdb/15.0.2/values.schema.json
new file mode 100644
index 0000000000..b23c479741
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/values.schema.json
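Review bot: The secret item modes in the `volumes` block are written as `mode: 0400` / `defaultMode: 0400`, while the node-cert volume in the StatefulSet template added by the same commit writes `mode: 256`; both only reach the API server as 0400 because Kubernetes' YAML parser applies YAML 1.1 octal rules, and a YAML 1.2 tool (a strict linter, or a later parser change) reads `0400` as decimal 400, i.e. mode 0620, which would silently grant group write on the client root key. Use one representation in both templates, `mode: 256` and `defaultMode: 256`, so the two files cannot drift. The test pod also runs the `client-test` container with no `securityContext`, even though `.Values.securityContext.enabled` gates a non-root, no-capabilities context for the StatefulSet pod; it is presumably intended that the test client run under the same restrictions, so consider emitting the same block here. Minor style point: `{{- end}}` before `- --host` lacks the space that every other action in the file uses.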
@@ -0,0 +1,97 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "properties": {
+ "tls": {
+ "type": "object",
+ "properties": {
+ "certs": {
+ "type": "object",
+ "properties": {
+ "selfSigner": {
+ "type": "object",
+ "required": ["enabled", "caProvided"],
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "caProvided": {
+ "type": "boolean"
+ }
+ },
+ "if": {
+ "properties": {
+ "enabled": {
+ "const": true
+ }
+ }
+ },
+ "then": {
+ "if": {
+ "properties": {
+ "caProvided": {
+ "const": false
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "caCertDuration" : {
+ "type": "string",
+ "pattern": "^[0-9]*h$"
+ },
+ "caCertExpiryWindow": {
+ "type": "string",
+ "pattern": "^[0-9]*h$"
+ }
+ }
+ },
+ "properties": {
+ "clientCertDuration": {
+ "type": "string",
+ "pattern": "^[0-9]*h$"
+ },
+ "clientCertExpiryWindow": {
+ "type": "string",
+ "pattern": "^[0-9]*h$"
+ },
+ "nodeCertDuration": {
+ "type": "string",
+ "pattern": "^[0-9]*h$"
+ },
+ "nodeCertExpiryWindow": {
+ "type": "string",
+ "pattern": "^[0-9]*h$"
+ },
+ "rotateCerts": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+ }
+ },
+ "selfSigner": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "object",
+ "required": ["repository", "tag", "pullPolicy"],
+ "properties": {
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ },
+ "pullPolicy": {
+ "type": "string",
+ "pattern": "^(Always|Never|IfNotPresent)$"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/charts/cockroach-labs/cockroachdb/15.0.2/values.yaml b/charts/cockroach-labs/cockroachdb/15.0.2/values.yaml
new file mode 100644
index 0000000000..1899670463
--- /dev/null
+++ b/charts/cockroach-labs/cockroachdb/15.0.2/values.yaml
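Review bot: The duration patterns `"^[0-9]*h$"` on caCertDuration, caCertExpiryWindow, clientCertDuration, clientCertExpiryWindow, nodeCertDuration and nodeCertExpiryWindow accept the bare string `h`, because `*` permits zero digits; `"^[0-9]+h$"` rejects that while still admitting every value the current pattern was meant to allow. `"caCertDuration" : {` carries a stray space before the colon that none of the sibling keys have. The selfSigner objects also set no `"additionalProperties": false`, so a misspelled duration or rotation key is accepted silently at install time rather than rejected; if the schema is meant to catch configuration mistakes before certificates are issued, that is worth adding.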
@@ -0,0 +1,713 @@ +# Generated file, DO NOT EDIT. Source: build/templates/values.yaml +# Overrides the chart name against the label "app.kubernetes.io/name: " placed on every resource this chart creates. +nameOverride: "" + +# Override the resource names created by this chart which originally is generated using release and chart name. +fullnameOverride: "" + +image: + repository: cockroachdb/cockroach + tag: v24.3.1 + pullPolicy: IfNotPresent + credentials: {} + # registry: docker.io + # username: john_doe + # password: changeme + + +# Additional labels to apply to all Kubernetes resources created by this chart. +labels: {} + # app.kubernetes.io/part-of: my-app + + +# Cluster's default DNS domain. +# You should overwrite it if you're using a different one, +# otherwise CockroachDB nodes discovery won't work. +clusterDomain: cluster.local + + +conf: + # An ordered list of CockroachDB node attributes. + # Attributes are arbitrary strings specifying machine capabilities. + # Machine capabilities might include specialized hardware or number of cores + # (e.g. "gpu", "x16c"). + attrs: [] + # - x16c + # - gpu + + # Total size in bytes for caches, shared evenly if there are multiple + # storage devices. Size suffixes are supported (e.g. `1GB` and `1GiB`). + # A percentage of physical memory can also be specified (e.g. `.25`). + cache: 25% + + # Sets a name to verify the identity of a cluster. + # The value must match between all nodes specified via `conf.join`. + # This can be used as an additional verification when either the node or + # cluster, or both, have not yet been initialized and do not yet know their + # cluster ID. + # To introduce a cluster name into an already-initialized cluster, pair this + # option with `conf.disable-cluster-name-verification: yes`. + cluster-name: "" + + # Tell the server to ignore `conf.cluster-name` mismatches. 
+ # This is meant for use when opting an existing cluster into starting to use + # cluster name verification, or when changing the cluster name. + # The cluster should be restarted once with `conf.cluster-name` and + # `conf.disable-cluster-name-verification: yes` combined, and once all nodes + # have been updated to know the new cluster name, the cluster can be restarted + # again with `conf.disable-cluster-name-verification: no`. + # This option has no effect if `conf.cluster-name` is not specified. + disable-cluster-name-verification: false + + # The addresses for connecting a CockroachDB nodes to an existing cluster. + # If you are deploying a second CockroachDB instance that should join a first + # one, use the below list to join to the existing instance. + # Each item in the array should be a FQDN (and port if needed) resolvable by + # new Pods. + join: [] + + # New logging configuration. + log: + enabled: false + # https://www.cockroachlabs.com/docs/v21.1/configure-logs + config: + # file-defaults: + # dir: /cockroach/cockroach-logs + # fluent-defaults: + # format: json-fluent + # sinks: + # stderr: + # channels: [DEV] + persistentVolume: + # If enabled, then a PersistentVolumeClaim will be created and + # used to store CockroachDB's logs. + enabled: false + # CockroachDB's logs volume mount path. This gets prepended with + # `/cockroach/` in the stateful set. The `conf.log.config` should have + # `file-defaults.dir` to specify the log path and should reference the + # mounted volume. + path: cockroach-logs + size: 10Gi + # If defined, then `storageClassName: `. + # If set to "-", then `storageClassName: ""`, which disables dynamic + # provisioning. + # If undefined or empty (default), then no `storageClassName` spec is + # set, so the default provisioner will be chosen (gp2 on AWS, standard + # on GKE, AWS & OpenStack). + storageClass: "" + # Additional labels to apply to the created PersistentVolumeClaims. 
+ labels: {} + # Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + + # Logs at or above this threshold to STDERR. Ignored when "log" is enabled + logtostderr: INFO + + # Maximum storage capacity available to store temporary disk-based data for + # SQL queries that exceed the memory budget (e.g. join, sorts, etc are + # sometimes able to spill intermediate results to disk). + # Accepts numbers interpreted as bytes, size suffixes (e.g. `32GB` and + # `32GiB`) or a percentage of disk size (e.g. `10%`). + # The location of the temporary files is within the first store dir. + # If expressed as a percentage, `max-disk-temp-storage` is interpreted + # relative to the size of the storage device on which the first store is + # placed. The temp space usage is never counted towards any store usage + # (although it does share the device with the first store) so, when + # configuring this, make sure that the size of this temp storage plus the size + # of the first store don't exceed the capacity of the storage device. + # If the first store is an in-memory one (i.e. `type=mem`), then this + # temporary "disk" data is also kept in-memory. + # A percentage value is interpreted as a percentage of the available internal + # memory. + # max-disk-temp-storage: 0GB + + # Maximum allowed clock offset for the cluster. If observed clock offsets + # exceed this limit, servers will crash to minimize the likelihood of + # reading inconsistent data. Increasing this value will increase the time + # to recovery of failures as well as the frequency of uncertainty-based + # read restarts. + # Note, that this value must be the same on all nodes in the cluster. + # In order to change it, all nodes in the cluster must be stopped + # simultaneously and restarted with the new value. 
+ # max-offset: 500ms + + # Maximum memory capacity available to store temporary data for SQL clients, + # including prepared queries and intermediate data rows during query + # execution. Accepts numbers interpreted as bytes, size suffixes + # (e.g. `1GB` and `1GiB`) or a percentage of physical memory (e.g. `.25`). + max-sql-memory: 25% + + # An ordered, comma-separated list of key-value pairs that describe the + # topography of the machine. Topography might include country, datacenter + # or rack designations. Data is automatically replicated to maximize + # diversities of each tier. The order of tiers is used to determine + # the priority of the diversity, so the more inclusive localities like + # country should come before less inclusive localities like datacenter. + # The tiers and order must be the same on all nodes. Including more tiers + # is better than including fewer. For example: + # locality: country=us,region=us-west,datacenter=us-west-1b,rack=12 + # locality: country=ca,region=ca-east,datacenter=ca-east-2,rack=4 + # locality: planet=earth,province=manitoba,colo=secondary,power=3 + locality: "" + + # Run CockroachDB instances in standalone mode with replication disabled + # (replication factor = 1). + # Enabling this option makes the following values to be ignored: + # - `conf.cluster-name` + # - `conf.disable-cluster-name-verification` + # - `conf.join` + # + # WARNING: Enabling this option makes each deployed Pod as a STANDALONE + # CockroachDB instance, so the StatefulSet does NOT FORM A CLUSTER. + # Don't use this option for production deployments unless you clearly + # understand what you're doing. + # Usually, this option is intended to be used in conjunction with + # `statefulset.replicas: 1` for temporary one-time deployments (like + # running E2E tests, for example). + single-node: false + + # If non-empty, create a SQL audit log in the specified directory. 
+ sql-audit-dir: "" + + # WARNING this parameter is deprecated and will be removed in a future version. Use `.service.ports.grpc.internal.port` instead + port: "" + + # WARNING this parameter is deprecated and will be removed in a future version. Use `.service.ports.http.port` instead + http-port: "" + + # CockroachDB's data mount path. + # For multi-store configuration, the path for each store is evaluated as: + # Store 1: cockroach-data + # Store 2: cockroach-data-2 + # Store N: cockroach-data-N + path: cockroach-data + + # CockroachDB's storage configuration https://www.cockroachlabs.com/docs/v21.1/cockroach-start.html#storage + # Uses --store flag + store: + enabled: false + # Number of data stores per node. + # For multi-store configuration, set this to a value greater than 1. + count: 1 + # Should be empty or 'mem' + type: + # Required for type=mem. If type and size is empty - storage.persistentVolume.size is used + size: + # Arbitrary strings, separated by colons, specifying disk type or capability + attrs: + + # CockroachDB's WAL failover configuration: + # https://www.cockroachlabs.com/docs/stable/cockroach-start#write-ahead-log-wal-failover + # Uses `--wal-failover` flag + wal-failover: + # The value to be passed to the `--wal-failover` flag. + # Possible configurations: + # 1. ``: If empty, `--wal-failover` is not passed to cockroach start. + # 2. `disabled`: Disables WAL failover. + # 3. `among-stores`: Enables WAL failover among multiple stores. This requires + # `conf.store.count` to be greater than 1. + # 4. `path=`: Enables WAL failover to a side disk. This requires + # a persistent volume should be mounted at this path (e.g. `path=/cockroach/cockroach-failover`). + value: + + persistentVolume: + # If enabled, then a PersistentVolumeClaim will be created and + # used for WAL failover as a side disk. 
+ # https://www.cockroachlabs.com/docs/v24.3/wal-failover#provision-a-single-store-cluster-and-side-disk-for-wal-failover + enabled: false + # Mount path for the side disk. This gets prepended with `/cockroach/` in the stateful set. + path: cockroach-failover + size: 25Gi + # If defined, then `storageClassName: `. + # If set to "-", then `storageClassName: ""`, which disables dynamic + # provisioning. + # If undefined or empty (default), then no `storageClassName` spec is + # set, so the default provisioner will be chosen (gp2 on AWS, standard + # on GKE, AWS & OpenStack). + storageClass: "" + # Additional labels to apply to the created PersistentVolumeClaims. + labels: {} + # Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + +statefulset: + replicas: 3 + updateStrategy: + type: RollingUpdate + podManagementPolicy: Parallel + budget: + maxUnavailable: 1 + + # List of additional command-line arguments you want to pass to the + # `cockroach start` command. + args: [] + # - --disable-cluster-name-verification + + # List of extra environment variables to pass into container + env: [] + # - name: COCKROACH_ENGINE_MAX_SYNC_DURATION + # value: "24h" + + # List of Secrets names in the same Namespace as the CockroachDB cluster, + # which shall be mounted into `/etc/cockroach/secrets/` for every cluster + # member. + secretMounts: [] + + # Additional labels to apply to this StatefulSet and all its Pods. + labels: + app.kubernetes.io/component: cockroachdb + + # Additional annotations to apply to the Pods of this StatefulSet. + annotations: {} + + # Affinity rules for scheduling Pods of this StatefulSet on Nodes. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity + nodeAffinity: {} + # Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. 
+ # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity + podAffinity: {} + # Anti-affinity rules for scheduling Pods of this StatefulSet. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity + # You may either toggle options below for default anti-affinity rules, + # or specify the whole set of anti-affinity rules instead of them. + podAntiAffinity: + # The topologyKey to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # Type of anti-affinity rules: either `soft`, `hard` or empty value (which + # disables anti-affinity rules). + type: soft + # Weight for `soft` anti-affinity rules. + # Does not apply for other anti-affinity types. + weight: 100 + + # Node selection constraints for scheduling Pods of this StatefulSet. + # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + nodeSelector: {} + + # PriorityClassName given to Pods of this StatefulSet + # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + # Taints to be tolerated by Pods of this StatefulSet. + # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + + # https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + + # Uncomment the following resources definitions or pass them from + # command line to control the CPU and memory resources allocated + # by Pods of this StatefulSet. + resources: {} + # limits: + # cpu: 100m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 512Mi + + # terminationGracePeriodSeconds is the duration in seconds the Pod needs to terminate gracefully. 
+ terminationGracePeriodSeconds: 300 + + # Custom Liveness probe + # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request + customLivenessProbe: {} + # httpGet: + # path: /health + # port: http + # scheme: HTTPS + # initialDelaySeconds: 30 + # periodSeconds: 5 + + # Custom Rediness probe + # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes + customReadinessProbe: {} + # httpGet: + # path: /health + # port: http + # scheme: HTTPS + # initialDelaySeconds: 30 + # periodSeconds: 5 + + # Custom Startup Probe + # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes + customStartupProbe: {} + # httpGet: + # path: /health + # port: http + # scheme: HTTPS + # initialDelaySeconds: 30 + # periodSeconds: 5 + + securityContext: + enabled: true + + serviceAccount: + # Specifies whether this ServiceAccount should be created. + create: true + # The name of this ServiceAccount to use. + # If not set and `create` is `true`, then service account is auto-generated. + # If not set and `create` is `false`, then it uses default service account. + name: "" + # Additional serviceAccount annotations (e.g. for attaching AWS IAM roles to pods) + annotations: {} + + # initContainers allows you to add additional containers to cockroachdb statefulset. + initContainers: [] +# - name: "fetch-metadata" +# image: "badouralix/curl-jq" +# command: +# - "sh" +# - "-c" +# - "curl -s -H \"Metadata:true\" --noproxy \"*\" \"http://169.254.169.254/metadata/instance?api-version=2021-02-01\" | jq '.' 
> /metadata/instance_metadata.json" +# resources: {} +# # requests: +# # cpu: "10m" +# # memory: "128Mi" +# # limits: +# # cpu: "10m" +# # memory: "128Mi" +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# drop: +# - ALL +# privileged: false +# readOnlyRootFilesystem: true + + # volumeMounts are mounted on the same path in the main crdb container and all init containers. + volumeMounts: [] +# - name: metadata +# mountPath: /metadata + + # volumes allows you to add additional volumes to cockroachdb statefulset. + volumes: [] +# - name: metadata +# emptyDir: {} + +service: + ports: + # You can set a different external and internal gRPC ports and their name. + grpc: + external: + port: 26257 + name: grpc + # If the port number is different than `external.port`, then it will be + # named as `internal.name` in Service. + internal: + # CockroachDB's port to listen to inter-communications and client connections. + port: 26257 + # If using Istio set it to `cockroach`. + name: grpc-internal + http: + # CockroachDB's port to listen to HTTP requests. + port: 8080 + name: http + + # This Service is meant to be used by clients of the database. + # It exposes a ClusterIP that will automatically load balance connections + # to the different database Pods. + public: + type: ClusterIP + # Additional labels to apply to this Service. + labels: + app.kubernetes.io/component: cockroachdb + # Additional annotations to apply to this Service. + annotations: {} + + # This service only exists to create DNS entries for each pod in + # the StatefulSet such that they can resolve each other's IP addresses. + # It does not create a load-balanced ClusterIP and should not be used directly + # by clients in most circumstances. + discovery: + # Additional labels to apply to this Service. + labels: + app.kubernetes.io/component: cockroachdb + # Additional annotations to apply to this Service. + annotations: {} + +# CockroachDB's ingress for web ui. 
+ingress: + enabled: false + labels: {} + annotations: {} + # kubernetes.io/ingress.class: nginx + # cert-manager.io/cluster-issuer: letsencrypt + paths: [/] + hosts: [] + # - cockroachlabs.com + tls: [] + # - hosts: [cockroachlabs.com] + # secretName: cockroachlabs-tls + +prometheus: + enabled: true + +securityContext: + enabled: true + +# CockroachDB's Prometheus operator ServiceMonitor support +serviceMonitor: + enabled: false + labels: {} + annotations: {} + interval: 10s + # scrapeTimeout: 10s + # Limits the ServiceMonitor to the current namespace if set to `true`. + namespaced: false + + # tlsConfig: TLS configuration to use when scraping the endpoint. + # Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig + tlsConfig: {} + +# CockroachDB's data persistence. +# If neither `persistentVolume` nor `hostPath` is used, then data will be +# persisted in ad-hoc `emptyDir`. +storage: + # Absolute path on host to store CockroachDB's data. + # If not specified, then `emptyDir` will be used instead. + # If specified, but `persistentVolume.enabled` is `true`, then has no effect. + hostPath: "" + + # If `enabled` is `true` then a PersistentVolumeClaim will be created and + # used to store CockroachDB's data, otherwise `hostPath` is used. + persistentVolume: + enabled: true + + size: 100Gi + + # If defined, then `storageClassName: `. + # If set to "-", then `storageClassName: ""`, which disables dynamic + # provisioning. + # If undefined or empty (default), then no `storageClassName` spec is set, + # so the default provisioner will be chosen (gp2 on AWS, standard on + # GKE, AWS & OpenStack). + storageClass: "" + + # Additional labels to apply to the created PersistentVolumeClaims. + labels: {} + # Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + + +# Kubernetes Job which initializes multi-node CockroachDB cluster. +# It's not created if `statefulset.replicas` is `1`. 
+init:
+ # Additional labels to apply to this Job and its Pod.
+ labels:
+ app.kubernetes.io/component: init
+
+ # Additional annotations to apply to this Job.
+ jobAnnotations: {}
+
+ # Additional annotations to apply to the Pod of this Job.
+ annotations: {}
+
+ # Affinity rules for scheduling the Pod of this Job.
+ # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+ affinity: {}
+
+ # Node selection constraints for scheduling the Pod of this Job.
+ # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ nodeSelector: {}
+
+ # Taints to be tolerated by the Pod of this Job.
+ # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ tolerations: []
+
+ # The init Pod runs at cluster creation to initialize CockroachDB. It finishes
+ # quickly and doesn't continue to consume resources in the Kubernetes
+ # cluster. Normally, you should leave this section commented out, but if your
+ # Kubernetes cluster uses Resource Quotas and requires all pods to specify
+ # resource requests or limits, you can set those here.
+ resources: {}
+ # requests:
+ # cpu: "10m"
+ # memory: "128Mi"
+ # limits:
+ # cpu: "10m"
+ # memory: "128Mi"
+
+ # terminationGracePeriodSeconds is the duration in seconds the Pod needs to terminate gracefully.
+ terminationGracePeriodSeconds: 300
+
+ securityContext:
+ enabled: true
+
+ # Setup Physical Cluster Replication (PCR) between primary and standby cluster.
+ # If isPrimary is set to true, the CockroachDB cluster created is the primary cluster.
+ # If isPrimary is set to false, the CockroachDB cluster created is the standby cluster.
+ pcr:
+ enabled: false
+ # isPrimary: true
+
+ provisioning:
+ enabled: false
+ # https://www.cockroachlabs.com/docs/stable/cluster-settings.html
+ clusterSettings:
+ # cluster.organization: "'FooCorp - Local Testing'"
+ # enterprise.license: "'xxxxx'"
+ users: []
+ # - name:
+ # password:
+ # # https://www.cockroachlabs.com/docs/stable/create-user.html#parameters
+ # options: [LOGIN]
+ databases: []
+ # - name:
+ # # https://www.cockroachlabs.com/docs/stable/create-database.html#parameters
+ # options: [encoding='utf-8']
+ # owners: []
+ # # https://www.cockroachlabs.com/docs/stable/grant.html#parameters
+ # owners_with_grant_option: []
+ # # Backup schedules are not idemponent for now and will fail on next run
+ # # https://github.com/cockroachdb/cockroach/issues/57892
+ # backup:
+ # into: s3://
+ # # Enterprise-only option (revision_history)
+ # # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#backup-options
+ # options: [revision_history]
+ # recurring: '@always'
+ # # Enterprise-only feature. Remove this value to use `FULL BACKUP ALWAYS`
+ # fullBackup: '@daily'
+ # schedule:
+ # # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#schedule-options
+ # options: [first_run = 'now']
+
+
+# Whether to run securely using TLS certificates.
+tls:
+ enabled: true
+ copyCerts:
+ image: busybox
+ certs:
+ # Bring your own certs scenario. If provided, tls.init section will be ignored.
+ provided: false
+ # Secret name for the client root cert.
+ clientRootSecret: cockroachdb-root
+ # Secret name for node cert.
+ nodeSecret: cockroachdb-node
+ # Secret name for CA cert
+ caSecret: cockroach-ca
+ # Enable if the secret is a dedicated TLS.
+ # TLS secrets are created by cert-mananger, for example.
+ tlsSecret: false
+ # Enable if the you want cockroach db to create its own certificates
+ selfSigner:
+ # If set, the cockroach db will generate its own certificates
+ enabled: true
+ # Run selfSigner as non-root
+ securityContext:
+ enabled: true
+ # If set, the user should provide the CA certificate to sign other certificates.
+ caProvided: false
+ # It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.
+ caSecret: ""
+ # Minimum Certificate duration for all the certificates, all certs duration will be validated against this.
+ minimumCertDuration: 624h
+ # Duration of CA certificates in hour
+ caCertDuration: 43800h
+ # Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
+ caCertExpiryWindow: 648h
+ # Duration of Client certificates in hour
+ clientCertDuration: 672h
+ # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+ clientCertExpiryWindow: 48h
+ # Duration of node certificates in hour
+ nodeCertDuration: 8760h
+ # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+ nodeCertExpiryWindow: 168h
+ # If set, the cockroachdb cert selfSigner will rotate the certificates before expiry.
+ rotateCerts: true
+ # Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true
+ readinessWait: 30s
+ # Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true
+ podUpdateTimeout: 2m
+ # ServiceAccount annotations for selfSigner jobs (e.g. for attaching AWS IAM roles to pods)
+ svcAccountAnnotations: {}
+
+ # Use cert-manager to issue certificates for mTLS.
+ certManager: false
+ # Specify an Issuer or a ClusterIssuer to use, when issuing
+ # node and client certificates.
The values correspond to the
+ # issuerRef specified in the certificate.
+ certManagerIssuer:
+ group: cert-manager.io
+ kind: Issuer
+ name: cockroachdb
+ # Make it false when you are providing your own CA issuer
+ isSelfSignedIssuer: true
+ # Duration of CA certificates in hour
+ caCertDuration: 43800h
+ # Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
+ caCertExpiryWindow: 648h
+ # Duration of Client certificates in hours
+ clientCertDuration: 672h
+ # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+ clientCertExpiryWindow: 48h
+ # Duration of node certificates in hours
+ nodeCertDuration: 8760h
+ # Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+ nodeCertExpiryWindow: 168h
+
+ selfSigner:
+ # Additional labels to apply to the Pod of this Job.
+ labels: {}
+
+ # Additional annotations to apply to the Pod of this Job.
+ annotations: {}
+
+ # Affinity rules for scheduling the Pod of this Job.
+ # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+ affinity: {}
+
+ # Node selection constraints for scheduling the Pod of this Job.
+ # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ nodeSelector: {}
+
+ # Taints to be tolerated by the Pod of this Job.
+ # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ tolerations: []
+
+ # Image Placeholder for the selfSigner utility. This will be changed once the CI workflows for the image is in place.
+ image:
+ repository: cockroachlabs-helm-charts/cockroach-self-signer-cert
+ tag: "1.5"
+ pullPolicy: IfNotPresent
+ credentials: {}
+ registry: gcr.io
+ # username: john_doe
+ # password: changeme
+
+networkPolicy:
+ enabled: false
+
+ ingress:
+ # List of sources which should be able to access the CockroachDB Pods via
+ # gRPC port.
Items in this list are combined using a logical OR operation.
+ # Rules for allowing inter-communication are applied automatically.
+ # If empty, then connections from any Pod is allowed.
+ grpc: []
+ # - podSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: my-app-django
+ # app.kubernetes.io/instance: my-app
+
+ # List of sources which should be able to access the CockroachDB Pods via
+ # HTTP port. Items in this list are combined using a logical OR operation.
+ # If empty, then connections from any Pod is allowed.
+ http: []
+ # - namespaceSelector:
+ # matchLabels:
+ # project: my-project
+
+# To put the admin interface behind Identity Aware Proxy (IAP) on Google Cloud Platform
+# make sure to set ingress.paths: ['/*']
+iap:
+ enabled: false
+ # Create Google Cloud OAuth credentials and set client id and secret
+ # clientId:
+ # clientSecret:
diff --git a/charts/redpanda/redpanda/5.9.18/.helmignore b/charts/redpanda/redpanda/5.9.18/.helmignore
new file mode 100644
index 0000000000..d5bb5e6ba6
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/.helmignore
@@ -0,0 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+README.md.gotmpl
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+*.go
+testdata/
+ci/
diff --git a/charts/redpanda/redpanda/5.9.18/Chart.lock b/charts/redpanda/redpanda/5.9.18/Chart.lock
new file mode 100644
index 0000000000..68f11882f1
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: console
+ repository: https://charts.redpanda.com
+ version: 0.7.30
+- name: connectors
+ repository: https://charts.redpanda.com
+ version: 0.1.14
+digest: sha256:f83ed4d31b640367a327361d6a431bc14be379efc74fa1df157bd6431b095b68
+generated: "2024-12-09T12:43:30.546065+01:00"
diff --git a/charts/redpanda/redpanda/5.9.18/Chart.yaml b/charts/redpanda/redpanda/5.9.18/Chart.yaml
new file mode 100644
index 0000000000..74e7af5181
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/Chart.yaml
@@ -0,0 +1,38 @@
+annotations:
+ artifacthub.io/images: |
+ - name: redpanda
+ image: docker.redpanda.com/redpandadata/redpanda:v24.3.1
+ - name: busybox
+ image: busybox:latest
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/links: |
+ - name: Documentation
+ url: https://docs.redpanda.com
+ - name: "Helm (>= 3.10.0)"
+ url: https://helm.sh/docs/intro/install/
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Redpanda
+ catalog.cattle.io/kube-version: '>=1.21-0'
+ catalog.cattle.io/release-name: redpanda
+apiVersion: v2
+appVersion: v24.3.2
+dependencies:
+- condition: console.enabled
+ name: console
+ repository: https://charts.redpanda.com
+ version: '>=0.5 <1.0'
+- condition: connectors.enabled
+ name: connectors
+ repository: https://charts.redpanda.com
+ version: '>=0.1.2 <1.0'
+description: Redpanda is the real-time engine for modern apps.
+icon: file://assets/icons/redpanda.svg
+kubeVersion: '>=1.21-0'
+maintainers:
+- name: redpanda-data
+ url: https://github.com/orgs/redpanda-data/people
+name: redpanda
+sources:
+- https://github.com/redpanda-data/helm-charts
+type: application
+version: 5.9.18
diff --git a/charts/redpanda/redpanda/5.9.18/LICENSE b/charts/redpanda/redpanda/5.9.18/LICENSE
new file mode 100644
index 0000000000..261eeb9e9f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/LICENSE
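Review bot: In the Chart.yaml hunk the `artifacthub.io/images` annotation lists `docker.redpanda.com/redpandadata/redpanda:v24.3.1` while `appVersion` a few lines below is `v24.3.2`, so the published image inventory no longer matches the version the chart ships, and the same annotation records `busybox:latest`, a mutable tag that cannot be reproduced or matched against a scan result. Update the annotation to `image: docker.redpanda.com/redpandadata/redpanda:v24.3.2`, and if `busybox:latest` reflects the image the chart actually pulls (the values file is not in this hunk) pin it to a fixed tag or digest. `kubeVersion: '>=1.21-0'` and the matching `catalog.cattle.io/kube-version` also disagree with this chart's README hunk further down, which states `Kubernetes: >= 1.25.0-0`; whichever bound is correct, the two should agree so the chart is not installed on a cluster version it does not support.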
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship.
For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License.
Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of
the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty.
Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/charts/redpanda/redpanda/5.9.18/README.md b/charts/redpanda/redpanda/5.9.18/README.md
new file mode 100644
index 0000000000..88ed445940
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/README.md
@@ -0,0 +1,1224 @@ +# Redpanda Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Helm chart. +--- + +![Version: 5.9.18](https://img.shields.io/badge/Version-5.9.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.3.2](https://img.shields.io/badge/AppVersion-v24.3.2-informational?style=flat-square) + +This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.25.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.redpanda.com | connectors | >=0.1.2 <1.0 | +| https://charts.redpanda.com | console | >=0.5 <1.0 | + +## Settings + +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=affinity) + +Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). 
+ +**Default:** `{}` + +### [auditLogging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging) + +Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0. + +**Default:** + +``` +{"clientMaxBufferSize":16777216,"enabled":false,"enabledEventTypes":null,"excludedPrincipals":null,"excludedTopics":null,"listener":"internal","partitions":12,"queueDrainIntervalMs":500,"queueMaxBufferSizePerShard":1048576,"replicationFactor":null} +``` + +### [auditLogging.clientMaxBufferSize](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.clientMaxBufferSize) + +Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages. + +**Default:** `16777216` + +### [auditLogging.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabled) + +Enable or disable audit logging, for production clusters we suggest you enable, however, this will only work if you also enable sasl and a listener with sasl enabled. + +**Default:** `false` + +### [auditLogging.enabledEventTypes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabledEventTypes) + +Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`]. + +**Default:** `nil` + +### [auditLogging.excludedPrincipals](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedPrincipals) + +List of principals to exclude from auditing, default is null. + +**Default:** `nil` + +### [auditLogging.excludedTopics](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedTopics) + +List of topics to exclude from auditing, default is null. 
+ +**Default:** `nil` + +### [auditLogging.listener](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.listener) + +Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. For external listeners, use the external listener name, such as `default`. + +**Default:** `"internal"` + +### [auditLogging.partitions](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.partitions) + +Integer value defining the number of partitions used by a newly created audit topic. + +**Default:** `12` + +### [auditLogging.queueDrainIntervalMs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueDrainIntervalMs) + +In ms, frequency in which per shard audit logs are batched to client for write to audit log. + +**Default:** `500` + +### [auditLogging.queueMaxBufferSizePerShard](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueMaxBufferSizePerShard) + +Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard. + +**Default:** `1048576` + +### [auditLogging.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.replicationFactor) + +Defines the replication factor for a newly created audit log topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null` + +**Default:** `nil` + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). 
+ +**Default:** + +``` +{"sasl":{"bootstrapUser":{"mechanism":"SCRAM-SHA-256"},"enabled":false,"mechanism":"SCRAM-SHA-512","secretRef":"redpanda-users","users":[]}} +``` + +### [auth.sasl.bootstrapUser](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.bootstrapUser) + +Details about how to create the bootstrap user for the cluster. The secretKeyRef is optionally specified. If it is specified, the chart will use a password written to that secret when creating the "kubernetes-controller" bootstrap user. If it is unspecified, then the secret will be generated and stored in the secret "releasename"-bootstrap-user, with the key "password". + +**Default:** + +``` +{"mechanism":"SCRAM-SHA-256"} +``` + +### [auth.sasl.bootstrapUser.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.bootstrapUser.mechanism) + +The authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +**Default:** `"SCRAM-SHA-256"` + +### [auth.sasl.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.enabled) + +Enable SASL authentication. If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`. + +**Default:** `false` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +**Default:** `"SCRAM-SHA-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your superuser credentials. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets). 
+ +**Default:** `"redpanda-users"` + +### [auth.sasl.users](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.users) + +Optional list of superusers. These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`. If this list is empty, the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart. Uncomment the sample list if you wish to try adding sample sasl users or override to use your own. + +**Default:** `[]` + +### [clusterDomain](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=clusterDomain) + +Default Kubernetes cluster domain. + +**Default:** `"cluster.local"` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config) + +This section contains various settings supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these settings comes with some risk. Use these settings to customize various Redpanda configurations that are not covered in other sections. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. For descriptions of these properties, see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/). 
+ +**Default:** + +``` +{"cluster":{},"node":{"crash_loop_limit":5},"pandaproxy_client":{},"rpk":{},"schema_registry_client":{},"tunable":{"compacted_log_segment_size":67108864,"kafka_connection_rate_limit":1000,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912}} +``` + +### [config.cluster](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.cluster) + +[Cluster Configuration Properties](https://docs.redpanda.com/current/reference/properties/cluster-properties/) + +**Default:** `{}` + +### [config.node](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node) + +[Broker (node) Configuration Properties](https://docs.redpanda.com/docs/reference/broker-properties/). + +**Default:** `{"crash_loop_limit":5}` + +### [config.node.crash_loop_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node.crash_loop_limit) + +Crash loop limit A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. This limit prevents a broker from getting stuck in an infinite cycle of crashes. User can disable this crash loop limit check by the following action: * One hour elapses since the last crash * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects * The startup_log file in the node’s data_directory is manually deleted Default to 5 REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit + +**Default:** `5` + +### [config.tunable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable) + +Tunable cluster properties. Deprecated: all settings here may be specified via `config.cluster`. 
+
+**Default:**
+
+```
+{"compacted_log_segment_size":67108864,"kafka_connection_rate_limit":1000,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912}
+```
+
+### [config.tunable.compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.compacted_log_segment_size)
+
+See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#compacted_log_segment_size).
+
+**Default:** `67108864`
+
+### [config.tunable.kafka_connection_rate_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.kafka_connection_rate_limit)
+
+See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit).
+
+**Default:** `1000`
+
+### [config.tunable.log_segment_size_max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_max)
+
+See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_max).
+
+**Default:** `268435456`
+
+### [config.tunable.log_segment_size_min](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_min)
+
+See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_min).
+
+**Default:** `16777216`
+
+### [config.tunable.max_compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.max_compacted_log_segment_size)
+
+See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#max_compacted_log_segment_size).
+
+**Default:** `536870912`
+
+### [connectors](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=connectors)
+
+Redpanda Managed Connectors settings For a reference of configuration settings, see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/).
+
+**Default:**
+
+```
+{"deployment":{"create":false},"enabled":false,"test":{"create":false}}
+```
+
+### [console](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=console)
+
+Redpanda Console settings. For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/).
+
+**Default:**
+
+```
+{"config":{},"configmap":{"create":false},"deployment":{"create":false},"enabled":true,"secret":{"create":false}}
+```
+
+### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise)
+
+Enterprise (optional) For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+
+**Default:**
+
+```
+{"license":"","licenseSecretRef":{}}
+```
+
+### [enterprise.license](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.license)
+
+license (optional).
+
+**Default:** `""`
+
+### [enterprise.licenseSecretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.licenseSecretRef)
+
+Secret name and key where the license key is stored.
+
+**Default:** `{}`
+
+### [external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external)
+
+External access settings. For details, see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/).
+
+**Default:**
+
+```
+{"enabled":true,"service":{"enabled":true},"type":"NodePort"}
+```
+
+### [external.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.enabled)
+
+Enable external access for each Service. You can toggle external access for each listener in `listeners..external..enabled`.
+
+**Default:** `true`
+
+### [external.service](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service)
+
+Service allows you to manage the creation of an external kubernetes service object
+
+**Default:** `{"enabled":true}`
+
+### [external.service.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service.enabled)
+
+Enabled if set to false will not create the external service type You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander). Set this to false if you rather manage your own service.
+
+**Default:** `true`
+
+### [external.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.type)
+
+External access type. Only `NodePort` and `LoadBalancer` are supported. If undefined, then advertised listeners will be configured in Redpanda, but the helm chart will not create a Service. You must create a Service manually. Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. NodePort is recommended in cases where latency is a priority.
+
+**Default:** `"NodePort"`
+
+### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=fullnameOverride)
+
+Override `redpanda.fullname` template.
+
+**Default:** `""`
+
+### [image](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image)
+
+Redpanda Docker image settings.
+
+**Default:**
+
+```
+{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/redpanda","tag":""}
+```
+
+### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.pullPolicy)
+
+The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`.
+
+**Default:** `"IfNotPresent"`
+
+### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.repository)
+
+Docker repository from which to pull the Redpanda Docker image.
+
+**Default:**
+
+```
+"docker.redpanda.com/redpandadata/redpanda"
+```
+
+### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.tag)
+
+The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags).
+
+**Default:** `Chart.appVersion`.
+
+### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=imagePullSecrets)
+
+Pull secrets may be used to provide credentials to image repositories See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
+
+**Default:** `[]`
+
+### [license_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_key)
+
+DEPRECATED Enterprise license key (optional). For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+
+**Default:** `""`
+
+### [license_secret_ref](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_secret_ref)
+
+DEPRECATED Secret name and secret key where the license key is stored.
+
+**Default:** `{}`
+
+### [listeners](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners)
+
+Listener settings.
Override global settings configured above for individual listeners. For details, see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/).
+
+**Default:**
+
+```
+{"admin":{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}},"http":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}},"kafka":{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}},"rpc":{"port":33145,"tls":{"cert":"default","requireClientAuth":false}},"schemaRegistry":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}}
+```
+
+### [listeners.admin](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin)
+
+Admin API listener (only one).
+
+**Default:**
+
+```
+{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}}
+```
+
+### [listeners.admin.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external)
+
+Optional external access settings.
+
+**Default:**
+
+```
+{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}}
+```
+
+### [listeners.admin.external.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default)
+
+Name of the external listener.
+
+**Default:**
+
+```
+{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}
+```
+
+### [listeners.admin.external.default.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default.tls)
+
+The port advertised to this listener's external clients. List one port if you want to use the same port for each broker (would be the case when using NodePort service). Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. If undefined, `listeners.admin.port` is used.
+
+**Default:** `{"cert":"external"}`
+
+### [listeners.admin.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.port)
+
+The port for both internal and external connections to the Admin API.
+
+**Default:** `9644`
+
+### [listeners.admin.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls)
+
+Optional TLS section (required if global TLS is enabled)
+
+**Default:**
+
+```
+{"cert":"default","requireClientAuth":false}
+```
+
+### [listeners.admin.tls.cert](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.cert)
+
+Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs).
+
+**Default:** `"default"`
+
+### [listeners.admin.tls.requireClientAuth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.requireClientAuth)
+
+If true, the truststore file for this listener is included in the ConfigMap.
+
+**Default:** `false`
+
+### [listeners.http](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.http)
+
+HTTP API listeners (aka PandaProxy).
+
+**Default:**
+
+```
+{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}}
+```
+
+### [listeners.kafka](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka)
+
+Kafka API listeners.
+
+**Default:**
+
+```
+{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}}
+```
+
+### [listeners.kafka.external.default.advertisedPorts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.advertisedPorts)
+
+If undefined, `listeners.kafka.external.default.port` is used.
+
+**Default:** `[31092]`
+
+### [listeners.kafka.external.default.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.port)
+
+The port used for external client connections.
+
+**Default:** `9094`
+
+### [listeners.kafka.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.port)
+
+The port for internal client connections.
+
+**Default:** `9093`
+
+### [listeners.rpc](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.rpc)
+
+RPC listener (this is never externally accessible).
+
+**Default:**
+
+```
+{"port":33145,"tls":{"cert":"default","requireClientAuth":false}}
+```
+
+### [listeners.schemaRegistry](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.schemaRegistry)
+
+Schema registry listeners.
+
+**Default:**
+
+```
+{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}
+```
+
+### [logging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging)
+
+Log-level settings.
+
+**Default:**
+
+```
+{"logLevel":"info","usageStats":{"enabled":true}}
+```
+
+### [logging.logLevel](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.logLevel)
+
+Log level Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`.
+
+**Default:** `"info"`
+
+### [logging.usageStats](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.usageStats)
+
+Send usage statistics back to Redpanda Data. For details, see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting).
+
+**Default:** `{"enabled":true}`
+
+### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=monitoring)
+
+Monitoring. This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics.
+
+**Default:**
+
+```
+{"enabled":false,"labels":{},"scrapeInterval":"30s"}
+```
+
+### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nameOverride)
+
+Override `redpanda.name` template.
+
+**Default:** `""`
+
+### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nodeSelector)
+
+Node selection constraints for scheduling Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+
+**Default:** `{}`
+
+### [post_install_job.affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.affinity)
+
+**Default:** `{}`
+
+### [post_install_job.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.enabled)
+
+**Default:** `true`
+
+### [post_install_job.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.annotations)
+
+Annotations to apply (or overwrite the default) to the Pods of this Job.
+
+**Default:** `{}`
+
+### [post_install_job.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.labels)
+
+Labels to apply (or overwrite the default) to the Pods of this Job.
+
+**Default:** `{}`
+
+### [post_install_job.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.spec)
+
+A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details.
+
+**Default:**
+
+```
+{"containers":[{"env":[],"name":"post-install","securityContext":{}}],"securityContext":{}}
+```
+
+### [rackAwareness](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness)
+
+Rack Awareness settings. For details, see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/).
+
+**Default:**
+
+```
+{"enabled":false,"nodeAnnotation":"topology.kubernetes.io/zone"}
+```
+
+### [rackAwareness.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.enabled)
+
+When running in multiple racks or availability zones, use a Kubernetes Node annotation value as the Redpanda rack value. Enabling this requires running with a service account with "get" Node permissions. To have the Helm chart configure these permissions, set `serviceAccount.create=true` and `rbac.enabled=true`.
+
+**Default:** `false`
+
+### [rackAwareness.nodeAnnotation](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.nodeAnnotation)
+
+The common well-known annotation to use as the rack ID. Override this only if you use a custom Node annotation.
+
+**Default:**
+
+```
+"topology.kubernetes.io/zone"
+```
+
+### [rbac](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac)
+
+Role Based Access Control.
+
+**Default:**
+
+```
+{"annotations":{},"enabled":false}
+```
+
+### [rbac.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.annotations)
+
+Annotations to add to the `rbac` resources.
+
+**Default:** `{}`
+
+### [rbac.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.enabled)
+
+Enable for features that need extra privileges. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles.
+
+**Default:** `false`
+
+### [resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources)
+
+Pod resource management. This section simplifies resource allocation by providing a single location where resources are defined. Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates. The default values are for a development environment.
Production-level values and other considerations are documented, where those values are different from the default. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/).
+
+**Default:**
+
+```
+{"cpu":{"cores":1},"memory":{"container":{"max":"2.5Gi"}}}
+```
+
+### [resources.cpu](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu)
+
+CPU resources. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources).
+
+**Default:** `{"cores":1}`
+
+### [resources.cpu.cores](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu.cores)
+
+Redpanda makes use of a thread per core model. For details, see this [blog](https://redpanda.com/blog/tpc-buffers). For this reason, Redpanda should only be given full cores. Note: You can increase cores, but decreasing cores is supported only from 24.3 Redpanda version. This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`. For production, use `4` or greater. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. See https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy.
+
+**Default:** `1`
+
+### [resources.memory](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory)
+
+Memory resources For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources).
+
+**Default:**
+
+```
+{"container":{"max":"2.5Gi"}}
+```
+
+### [resources.memory.container](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container)
+
+Enables memory locking. For production, set to `true`. enable_memory_locking: false It is recommended to have at least 2Gi of memory per core for the Redpanda binary. This memory is taken from the total memory given to each container. The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for other container processes. So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi. These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory requests/limits in the StatefulSet. Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request.
+
+**Default:** `{"max":"2.5Gi"}`
+
+### [resources.memory.container.max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container.max)
+
+Maximum memory count for each Redpanda broker. Equivalent to `resources.limits.memory`. For production, use `10Gi` or greater.
+
+**Default:** `"2.5Gi"`
+
+### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount)
+
+Service account management.
+
+**Default:**
+
+```
+{"annotations":{},"automountServiceAccountToken":false,"create":false,"name":""}
+```
+
+### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.annotations)
+
+Annotations to add to the service account.
+
+**Default:** `{}`
+
+### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.automountServiceAccountToken)
+
+Specifies whether a service account should automount API-Credentials. The token is used in sidecars.controllers
+
+**Default:** `false`
+
+### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.create)
+
+Specifies whether a service account should be created.
+
+**Default:** `false`
+
+### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.name)
+
+The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `redpanda.fullname` template.
+
+**Default:** `""`
+
+### [statefulset.additionalRedpandaCmdFlags](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalRedpandaCmdFlags)
+
+Additional flags to pass to redpanda,
+
+**Default:** `[]`
+
+### [statefulset.additionalSelectorLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalSelectorLabels)
+
+Additional labels to be added to statefulset label selector. For example, `my.k8s.service: redpanda`.
+
+**Default:** `{}`
+
+### [statefulset.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.annotations)
+
+DEPRECATED Please use statefulset.podTemplate.annotations. Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have any dedicated annotation.
+
+**Default:** `{}`
+
+### [statefulset.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.budget.maxUnavailable)
+
+**Default:** `1`
+
+### [statefulset.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumes)
+
+**Default:** `""`
+
+### [statefulset.initContainerImage.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.repository)
+
+**Default:** `"busybox"`
+
+### [statefulset.initContainerImage.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.tag)
+
+**Default:** `"latest"`
+
+### [statefulset.initContainers.configurator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.initContainers.configurator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.
+
+**Default:** `{}`
+
+### [statefulset.initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.extraInitContainers)
+
+**Default:** `""`
+
+### [statefulset.initContainers.fsValidator.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.enabled)
+
+**Default:** `false`
+
+### [statefulset.initContainers.fsValidator.expectedFS](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.expectedFS)
+
+**Default:** `"xfs"`
+
+### [statefulset.initContainers.fsValidator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.initContainers.fsValidator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.
+
+**Default:** `{}`
+
+### [statefulset.initContainers.setDataDirOwnership.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.enabled)
+
+In environments where root is not allowed, you cannot change the ownership of files and directories. Enable `setDataDirOwnership` when using default minikube cluster configuration.
+
+**Default:** `false`
+
+### [statefulset.initContainers.setDataDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.initContainers.setDataDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.
+
+**Default:** `{}`
+
+### [statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.initContainers.setTieredStorageCacheDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.
+
+**Default:** `{}`
+
+### [statefulset.initContainers.tuning.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.initContainers.tuning.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.
+
+**Default:** `{}`
+
+### [statefulset.livenessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.failureThreshold)
+
+**Default:** `3`
+
+### [statefulset.livenessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.initialDelaySeconds)
+
+**Default:** `10`
+
+### [statefulset.livenessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.periodSeconds)
+
+**Default:** `10`
+
+### [statefulset.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.nodeSelector)
+
+Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+
+**Default:** `{}`
+
+### [statefulset.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAffinity)
+
+Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+
+**Default:** `{}`
+
+### [statefulset.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity)
+
+Anti-affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults.
+
+**Default:**
+
+```
+{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100}
+```
+
+### [statefulset.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.custom)
+
+Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here.
+
+**Default:** `{}`
+
+### [statefulset.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.topologyKey)
+
+The topologyKey to be used. Can be used to spread across different nodes, AZs, regions etc.
+
+**Default:** `"kubernetes.io/hostname"`
+
+### [statefulset.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.type)
+
+Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object.
+ +**Default:** `"hard"` + +### [statefulset.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply to other anti-affinity types. + +**Default:** `100` + +### [statefulset.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.annotations) + +Additional annotations to apply to the Pods of the StatefulSet. + +**Default:** `{}` + +### [statefulset.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.labels) + +Additional labels to apply to the Pods of the StatefulSet. + +**Default:** `{}` + +### [statefulset.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[{"env":[],"name":"redpanda","securityContext":{}}],"securityContext":{}} +``` + +### [statefulset.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.priorityClassName) + +PriorityClassName given to Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). 
+ +**Default:** `""` + +### [statefulset.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.initialDelaySeconds) + +**Default:** `1` + +### [statefulset.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.successThreshold) + +**Default:** `1` + +### [statefulset.replicas](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.replicas) + +Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster) + +**Default:** `3` + +### [statefulset.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.securityContext) + +DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext. 
+ +**Default:** + +``` +{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":101} +``` + +### [statefulset.sideCars.configWatcher.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.enabled) + +**Default:** `true` + +### [statefulset.sideCars.configWatcher.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.sideCars.configWatcher.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. 
For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + +**Default:** `{}` + +### [statefulset.sideCars.configWatcher.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.securityContext) + +**Default:** `{}` + +### [statefulset.sideCars.controllers.createRBAC](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.createRBAC) + +**Default:** `true` + +### [statefulset.sideCars.controllers.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.enabled) + +**Default:** `false` + +### [statefulset.sideCars.controllers.healthProbeAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.healthProbeAddress) + +**Default:** `":8085"` + +### [statefulset.sideCars.controllers.image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.repository) + +**Default:** + +``` +"docker.redpanda.com/redpandadata/redpanda-operator" +``` + +### [statefulset.sideCars.controllers.image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.tag) + +**Default:** `"v2.3.4-24.3.2"` + +### [statefulset.sideCars.controllers.metricsAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.metricsAddress) + +**Default:** `":9082"` + +### [statefulset.sideCars.controllers.pprofAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.pprofAddress) + +**Default:** `":9083"` + +### 
[statefulset.sideCars.controllers.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + +**Default:** `{}` + +### [statefulset.sideCars.controllers.run[0]](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.run[0]) + +**Default:** `"all"` + +### [statefulset.sideCars.controllers.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.securityContext) + +**Default:** `{}` + +### [statefulset.startupProbe](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.startupProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). 
+ +**Default:** + +``` +{"failureThreshold":120,"initialDelaySeconds":1,"periodSeconds":10} +``` + +### [statefulset.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.terminationGracePeriodSeconds) + +Termination grace period in seconds is time required to execute preStop hook which puts particular Redpanda Pod (process/container) into maintenance mode. Before settle down on particular value please put Redpanda under load and perform rolling upgrade or rolling restart. That value needs to accommodate two processes: * preStop hook needs to put Redpanda into maintenance mode * after preStop hook Redpanda needs to handle gracefully SIGTERM signal Both processes are executed sequentially where preStop hook has hard deadline in the middle of terminationGracePeriodSeconds. REF: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination + +**Default:** `90` + +### [statefulset.tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.tolerations) + +Taints to be tolerated by Pods of this StatefulSet. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). 
+ +**Default:** `[]` + +### [statefulset.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [statefulset.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [statefulset.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [statefulset.updateStrategy.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.updateStrategy.type) + +**Default:** `"RollingUpdate"` + +### [storage](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage) + +Persistence settings. For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/). + +**Default:** + +``` +{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""},"tiered":{"config":{"cloud_storage_cache_size":5368709120,"cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false},"credentialsSecretRef":{"accessKey":{"configurationKey":"cloud_storage_access_key"},"secretKey":{"configurationKey":"cloud_storage_secret_key"}},"hostPath":"","mountType":"none","persistentVolume":{"annotations":{},"labels":{},"storageClass":""}}} +``` + +### [storage.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.hostPath) + +Absolute path on the host to store Redpanda's data. If unspecified, then an `emptyDir` volume is used. 
If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect. + +**Default:** `""` + +### [storage.persistentVolume](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume) + +If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and used to store Redpanda's data. Otherwise, `storage.hostPath` is used. + +**Default:** + +``` +{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""} +``` + +### [storage.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.nameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.nameOverwrite) + +Option to change volume claim template name for tiered storage persistent volume if tiered.mountType is set to `persistentVolume` + +**Default:** `""` + +### [storage.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.storageClass) + +To disable dynamic provisioning, set to `-`. If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). 
+ +**Default:** `""` + +### [storage.tiered.config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config) + +Tiered Storage settings Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/). For a list of properties, see [Object Storage Properties](https://docs.redpanda.com/current/reference/properties/object-storage-properties/). + +**Default:** + +``` +{"cloud_storage_cache_size":5368709120,"cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false} +``` + +### [storage.tiered.config.cloud_storage_cache_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_cache_size) + +Maximum size of the disk cache used by Tiered Storage. Default is 20 GiB. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_cache_size). + +**Default:** `5368709120` + +### [storage.tiered.config.cloud_storage_enable_remote_read](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_read) + +Cluster level default remote read configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_read). + +**Default:** `true` + +### [storage.tiered.config.cloud_storage_enable_remote_write](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_write) + +Cluster level default remote write configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_write). 
+ +**Default:** `true` + +### [storage.tiered.config.cloud_storage_enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enabled) + +Global flag that enables Tiered Storage if a license key is provided. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enabled). + +**Default:** `false` + +### [storage.tiered.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.hostPath) + +Absolute path on the host to store Redpanda's Tiered Storage cache. + +**Default:** `""` + +### [storage.tiered.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tiered.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tiered.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.storageClass) + +To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). + +**Default:** `""` + +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls) + +TLS settings. For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/). 
+ +**Default:** + +``` +{"certs":{"default":{"caEnabled":true},"external":{"caEnabled":true}},"enabled":true} +``` + +### [tls.certs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs) + +List all Certificates here, then you can reference a specific Certificate's name in each listener's `listeners..tls.cert` setting. + +**Default:** + +``` +{"default":{"caEnabled":true},"external":{"caEnabled":true}} +``` + +### [tls.certs.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default) + +This key is the Certificate name. To apply the Certificate to a specific listener, reference the Certificate's name in `listeners..tls.cert`. + +**Default:** `{"caEnabled":true}` + +### [tls.certs.default.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default.caEnabled) + +Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates. + +**Default:** `true` + +### [tls.certs.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external) + +Example external tls configuration uncomment and set the right key to the listeners that require them also enable the tls setting for those listeners. 
+ +**Default:** `{"caEnabled":true}` + +### [tls.certs.external.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external.caEnabled) + +Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates. + +**Default:** `true` + +### [tls.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.enabled) + +Enable TLS globally for all listeners. Each listener must include a Certificate name in its `.tls` object. To allow you to enable TLS for individual listeners, Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`. See `listeners..tls.enabled`. + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tolerations) + +Taints to be tolerated by Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [tuning](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning) + +Redpanda tuning settings. Each is set to their default values in Redpanda. + +**Default:** `{"tune_aio_events":true}` + +### [tuning.tune_aio_events](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning.tune_aio_events) + +Increase the maximum number of outstanding asynchronous IO operations if the current value is below a certain threshold. 
This allows Redpanda to make as many simultaneous IO requests as possible, increasing throughput. When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`. For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/). + +**Default:** `true` + +## Merging Semantics + +The redpanda chart implements a form of object merging that's roughly a +middleground of [JSON Merge Patch][k8s.jsonmp] and [Kubernetes' Strategic Merge +Patch][k8s.smp]. This is done to aid end users in setting or overriding fields +that are not directly exposed via the chart. + +- Directives are not supported. +- List fields that are merged by a unique key in Kubernetes' SMP (e.g. + `containers`, `env`) will be merged in a similar awy. +- Only fields explicitly allowed by the chart's JSON schema will be merged. +- Additional containers that are not present in the original value will NOT be added. + +[k8s.smp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-strategic-merge-patch-to-update-a-deployment +[k8s.jsonmp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-json-merge-patch-to-update-a-deployment diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/.helmignore b/charts/redpanda/redpanda/5.9.18/charts/connectors/.helmignore new file mode 100644 index 0000000000..2e271ea0fc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/.helmignore 
@@ -0,0 +1,29 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+README.md.gotmpl
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+*.go
+testdata/
+ci/
+examples/
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/Chart.yaml b/charts/redpanda/redpanda/5.9.18/charts/connectors/Chart.yaml
new file mode 100644
index 0000000000..cdb5798151
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/Chart.yaml
@@ -0,0 +1,25 @@
+annotations:
+ artifacthub.io/images: |
+ - name: connectors
+ image: docker.redpanda.com/redpandadata/connectors:v1.0.31
+ - name: rpk
+ image: docker.redpanda.com/redpandadata/redpanda:latest
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/links: |
+ - name: Documentation
+ url: https://docs.redpanda.com
+ - name: "Helm (>= 3.6.0)"
+ url: https://helm.sh/docs/intro/install/
+apiVersion: v2
+appVersion: v1.0.31
+description: Redpanda managed Connectors helm chart
+icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg
+kubeVersion: ^1.21.0-0
+maintainers:
+- name: redpanda-data
+ url: https://github.com/orgs/redpanda-data/people
+name: connectors
+sources:
+- https://github.com/redpanda-data/helm-charts
+type: application
+version: 0.1.14
diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/LICENSE b/charts/redpanda/redpanda/5.9.18/charts/connectors/LICENSE
new file mode 100644
index 0000000000..261eeb9e9f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/LICENSE
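Review bot: The `artifacthub.io/images` annotation in the connectors Chart.yaml pins the connectors image to `v1.0.31` but lists rpk as `docker.redpanda.com/redpandadata/redpanda:latest`, a mutable tag. Artifact Hub and image scanners treat this annotation as the chart's image inventory, so a floating tag makes that inventory non-reproducible and lets it drift from whatever the templates actually run (the rpk tag the templates use is not visible in this hunk). It should name a fixed version, ideally with a digest, along the lines of `image: docker.redpanda.com/redpandadata/redpanda:<pinned-tag>@sha256:<digest>`. Since this file is vendored from the upstream redpanda-data/helm-charts repository, the correction belongs upstream and should then be re-synced here.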
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/README.md b/charts/redpanda/redpanda/5.9.18/charts/connectors/README.md
new file mode 100644
index 0000000000..a8357bf0e8
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/README.md
@@ -0,0 +1,580 @@ +# Redpanda Connectors Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Connectors Helm chart. +--- + +![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.31](https://img.shields.io/badge/AppVersion-v1.0.31-informational?style=flat-square) + +This page describes the official Redpanda Connectors Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/connectors/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/current/deploy/deployment-option/self-hosted/kubernetes/k-deploy-connectors/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `^1.21.0-0` + +## Settings + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster. + +**Default:** + +``` +{"sasl":{"enabled":false,"mechanism":"scram-sha-512","secretRef":"","userName":""}} +``` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. 
Options are `scram-sha-256` and `scram-sha-512`. + +**Default:** `"scram-sha-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your SASL user password. + +**Default:** `""` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [connectors.additionalConfiguration](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.additionalConfiguration) + +A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script. + +**Default:** `""` + +### [connectors.bootstrapServers](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.bootstrapServers) + +A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster. + +**Default:** `""` + +### [connectors.brokerTLS.ca.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretNameOverwrite) + +If `secretRef` points to a Secret where the certificate authority (CA) is not under the `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`. + +**Default:** `""` + +### [connectors.brokerTLS.ca.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretRef) + +The name of the Secret where the ca.crt file content is located. 
+ +**Default:** `""` + +### [connectors.brokerTLS.cert.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretNameOverwrite) + +If secretRef points to secret where client signed certificate is not under tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt + +**Default:** `""` + +### [connectors.brokerTLS.cert.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretRef) + +The name of the secret where client signed certificate is located + +**Default:** `""` + +### [connectors.brokerTLS.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.enabled) + +**Default:** `false` + +### [connectors.brokerTLS.key.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretNameOverwrite) + +If secretRef points to secret where client private key is not under tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key + +**Default:** `""` + +### [connectors.brokerTLS.key.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretRef) + +The name of the secret where client private key is located + +**Default:** `""` + +### [connectors.groupID](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.groupID) + +A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other. 
+ +**Default:** `"connectors-cluster"` + +### [connectors.producerBatchSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerBatchSize) + +The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput. + +**Default:** `131072` + +### [connectors.producerLingerMS](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerLingerMS) + +The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput. + +**Default:** `1` + +### [connectors.restPort](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.restPort) + +The port on which the Kafka Connect REST API listens. The API is used for administrative tasks. + +**Default:** `8083` + +### [connectors.schemaRegistryURL](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.schemaRegistryURL) + +**Default:** `""` + +### [connectors.secretManager.connectorsPrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.connectorsPrefix) + +**Default:** `""` + +### [connectors.secretManager.consolePrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.consolePrefix) + +**Default:** `""` + +### [connectors.secretManager.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.enabled) + +**Default:** `false` + +### [connectors.secretManager.region](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.region) + +**Default:** `""` + +### [connectors.storage.remote](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.remote) + 
+Indicates if read and write operations for the respective topics are allowed remotely. + +**Default:** + +``` +{"read":{"config":false,"offset":false,"status":false},"write":{"config":false,"offset":false,"status":false}} +``` + +### [connectors.storage.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor) + +The number of replicas for each of the internal topics that Kafka Connect uses. + +**Default:** + +``` +{"config":-1,"offset":-1,"status":-1} +``` + +### [connectors.storage.replicationFactor.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.config) + +Replication factor for the configuration topic. + +**Default:** `-1` + +### [connectors.storage.replicationFactor.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.offset) + +Replication factor for the offset topic. + +**Default:** `-1` + +### [connectors.storage.replicationFactor.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.status) + +Replication factor for the status topic. + +**Default:** `-1` + +### [connectors.storage.topic.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.config) + +The name of the internal topic that Kafka Connect uses to store connector and task configurations. + +**Default:** + +``` +"_internal_connectors_configs" +``` + +### [connectors.storage.topic.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.offset) + +The name of the internal topic that Kafka Connect uses to store source connector offsets. 
+ +**Default:** + +``` +"_internal_connectors_offsets" +``` + +### [connectors.storage.topic.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.status) + +The name of the internal topic that Kafka Connect uses to store connector and task status updates. + +**Default:** + +``` +"_internal_connectors_status" +``` + +### [container.javaGCLogEnabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.javaGCLogEnabled) + +**Default:** `"false"` + +### [container.resources](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources) + +Pod resource management. + +**Default:** + +``` +{"javaMaxHeapSize":"2G","limits":{"cpu":"1","memory":"2350Mi"},"request":{"cpu":"1","memory":"2350Mi"}} +``` + +### [container.resources.javaMaxHeapSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources.javaMaxHeapSize) + +Java maximum heap size must not be greater than `container.resources.limits.memory`. + +**Default:** `"2G"` + +### [container.securityContext](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.securityContext) + +Security context for the Redpanda Connectors container. See also `deployment.securityContext` for Pod-level settings. + +**Default:** + +``` +{"allowPrivilegeEscalation":false} +``` + +### [deployment.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.annotations) + +Additional annotations to apply to the Pods of this Deployment. 
+ +**Default:** `{}` + +### [deployment.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.budget.maxUnavailable) + +**Default:** `1` + +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.create) + +**Default:** `true` + +### [deployment.extraEnv](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnv) + +Additional environment variables for the Pods. + +**Default:** `[]` + +### [deployment.extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnvFrom) + +Configure extra environment variables from Secrets and ConfigMaps. + +**Default:** `[]` + +### [deployment.livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.livenessProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + +**Default:** + +``` +{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} +``` + +### [deployment.nodeAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeAffinity) + +Node Affinity rules for scheduling Pods of this Deployment. The suggestion would be to spread Pods according to topology zone. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + +**Default:** `{}` + +### [deployment.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeSelector) + +Node selection constraints for scheduling Pods of this Deployment. These constraints override the global `nodeSelector` value. 
For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [deployment.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAffinity) + +Inter-Pod Affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + +**Default:** `{}` + +### [deployment.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity) + +Anti-affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults. + +**Default:** + +``` +{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100} +``` + +### [deployment.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.custom) + +Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + +**Default:** `{}` + +### [deployment.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.topologyKey) + +The `topologyKey` to be used. Can be used to spread across different nodes, AZs, regions etc. + +**Default:** `"kubernetes.io/hostname"` + +### [deployment.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.type) + +Valid anti-affinity types are `soft`, `hard`, or `custom`. 
Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + +**Default:** `"hard"` + +### [deployment.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply for other anti-affinity types. + +**Default:** `100` + +### [deployment.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.priorityClassName) + +PriorityClassName given to Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [deployment.progressDeadlineSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.progressDeadlineSeconds) + +The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. 
+ +**Default:** `600` + +### [deployment.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.failureThreshold) + +**Default:** `2` + +### [deployment.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.initialDelaySeconds) + +**Default:** `60` + +### [deployment.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.periodSeconds) + +**Default:** `10` + +### [deployment.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.successThreshold) + +**Default:** `3` + +### [deployment.readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.timeoutSeconds) + +**Default:** `5` + +### [deployment.restartPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.restartPolicy) + +**Default:** `"Always"` + +### [deployment.revisionHistoryLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.revisionHistoryLimit) + +The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. 
+ +**Default:** `10` + +### [deployment.schedulerName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.schedulerName) + +**Default:** `""` + +### [deployment.securityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroup) + +**Default:** `101` + +### [deployment.securityContext.fsGroupChangePolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroupChangePolicy) + +**Default:** `"OnRootMismatch"` + +### [deployment.securityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.runAsUser) + +**Default:** `101` + +### [deployment.strategy.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.strategy.type) + +**Default:** `"RollingUpdate"` + +### [deployment.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.terminationGracePeriodSeconds) + +**Default:** `30` + +### [deployment.tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.tolerations) + +Taints to be tolerated by Pods of this Deployment. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). 
+ +**Default:** `[]` + +### [deployment.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [deployment.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [deployment.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=fullnameOverride) + +Override `connectors.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image) + +Redpanda Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/connectors","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.pullPolicy) + +The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** + +``` +"docker.redpanda.com/redpandadata/connectors" +``` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.tag) + +The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). 
+ +**Default:** `Chart.appVersion`. + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [logging](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging) + +Log-level settings. + +**Default:** `{"level":"warn"}` + +### [logging.level](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging.level) + +Log level Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`. + +**Default:** `"warn"` + +### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=monitoring) + +Monitoring. When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. + +**Default:** + +``` +{"annotations":{},"enabled":false,"labels":{},"namespaceSelector":{"any":true},"scrapeInterval":"30s"} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=nameOverride) + +Override `connectors.name` template. + +**Default:** `""` + +### [service](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service) + +Service management. + +**Default:** + +``` +{"annotations":{},"name":"","ports":[{"name":"prometheus","port":9404}]} +``` + +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.annotations) + +Annotations to add to the Service. + +**Default:** `{}` + +### [service.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.name) + +The name of the service to use. If not set, a name is generated using the `connectors.fullname` template. 
+ +**Default:** `""` + +### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount) + +ServiceAccount management. + +**Default:** + +``` +{"annotations":{},"automountServiceAccountToken":false,"create":false,"name":""} +``` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.annotations) + +Annotations to add to the ServiceAccount. + +**Default:** `{}` + +### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.automountServiceAccountToken) + +Specifies whether a service account should automount API-Credentials + +**Default:** `false` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.create) + +Specifies whether a ServiceAccount should be created. + +**Default:** `false` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.name) + +The name of the ServiceAccount to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `connectors.fullname` template. 
+ +**Default:** `""` + +### [storage.volumeMounts[0].mountPath](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].mountPath) + +**Default:** `"/tmp"` + +### [storage.volumeMounts[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].name) + +**Default:** `"rp-connect-tmp"` + +### [storage.volume[0].emptyDir.medium](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.medium) + +**Default:** `"Memory"` + +### [storage.volume[0].emptyDir.sizeLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.sizeLimit) + +**Default:** `"5Mi"` + +### [storage.volume[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].name) + +**Default:** `"rp-connect-tmp"` + +### [test.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=test.create) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=tolerations) + +Taints to be tolerated by Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_chart.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_chart.go.tpl new file mode 100644 index 0000000000..04402ab8d5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_chart.go.tpl 
@@ -0,0 +1,13 @@ +{{- /* Generated from "chart.go" */ -}} + +{{- define "connectors.render" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $manifests := (list (get (fromJson (include "connectors.Deployment" (dict "a" (list $dot) ))) "r") (get (fromJson (include "connectors.PodMonitor" (dict "a" (list $dot) ))) "r") (get (fromJson (include "connectors.Service" (dict "a" (list $dot) ))) "r") (get (fromJson (include "connectors.ServiceAccount" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_deployment.go.tpl new file mode 100644 index 0000000000..9db8224ef2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_deployment.go.tpl 
@@ -0,0 +1,136 @@ +{{- /* Generated from "deployment.go" */ -}} + +{{- define "connectors.Deployment" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.deployment.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $topologySpreadConstraints := (coalesce nil) -}} +{{- range $_, $spread := $values.deployment.topologySpreadConstraints -}} +{{- $topologySpreadConstraints = (concat (default (list ) $topologySpreadConstraints) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "maxSkew" ($spread.maxSkew | int) "topologyKey" $spread.topologyKey "whenUnsatisfiable" $spread.whenUnsatisfiable )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $ports := (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "containerPort" ($values.connectors.restPort | int) "name" "rest-api" "protocol" "TCP" ))) -}} +{{- range $_, $port := $values.service.ports -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" $port.name "containerPort" ($port.port | int) "protocol" "TCP" )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $podAntiAffinity := (coalesce nil) -}} +{{- if (ne (toJson $values.deployment.podAntiAffinity) "null") -}} +{{- if (eq $values.deployment.podAntiAffinity.type "hard") -}} +{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict 
"matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) ))) )) -}} +{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "soft") -}} +{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" $values.deployment.podAntiAffinity.weight "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) )) -}} +{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "custom") -}} +{{- $podAntiAffinity = $values.deployment.podAntiAffinity.custom -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.deployment.annotations) )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $values.deployment.replicas "progressDeadlineSeconds" ($values.deployment.progressDeadlineSeconds | int) 
"revisionHistoryLimit" $values.deployment.revisionHistoryLimit "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.deployment.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.deployment.annotations "labels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "automountServiceAccountToken" false "terminationGracePeriodSeconds" $values.deployment.terminationGracePeriodSeconds "affinity" (mustMergeOverwrite (dict ) (dict "nodeAffinity" $values.deployment.nodeAffinity "podAffinity" $values.deployment.podAffinity "podAntiAffinity" $podAntiAffinity )) "serviceAccountName" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "connectors-cluster" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r")) "imagePullPolicy" $values.image.pullPolicy "securityContext" $values.container.securityContext "command" $values.deployment.command "env" (get (fromJson (include "connectors.env" (dict "a" (list $values) ))) "r") "envFrom" $values.deployment.extraEnvFrom "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.livenessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.livenessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.livenessProbe.periodSeconds | int) "successThreshold" 
($values.deployment.livenessProbe.successThreshold | int) "failureThreshold" ($values.deployment.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/connectors" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.readinessProbe.periodSeconds | int) "successThreshold" ($values.deployment.readinessProbe.successThreshold | int) "failureThreshold" ($values.deployment.readinessProbe.failureThreshold | int) )) "ports" $ports "resources" (mustMergeOverwrite (dict ) (dict "requests" $values.container.resources.request "limits" $values.container.resources.limits )) "terminationMessagePath" "/dev/termination-log" "terminationMessagePolicy" "File" "volumeMounts" (get (fromJson (include "connectors.volumeMountss" (dict "a" (list $values) ))) "r") ))) "dnsPolicy" "ClusterFirst" "restartPolicy" $values.deployment.restartPolicy "schedulerName" $values.deployment.schedulerName "nodeSelector" $values.deployment.nodeSelector "imagePullSecrets" $values.imagePullSecrets "securityContext" $values.deployment.securityContext "tolerations" $values.deployment.tolerations "topologySpreadConstraints" $topologySpreadConstraints "volumes" (get (fromJson (include "connectors.volumes" (dict "a" (list $values) ))) "r") )) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.env" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $env := (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_CONFIGURATION" "value" (get (fromJson (include "connectors.connectorConfiguration" (dict "a" (list $values) ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (dict "name" 
"CONNECT_ADDITIONAL_CONFIGURATION" "value" $values.connectors.additionalConfiguration )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_BOOTSTRAP_SERVERS" "value" $values.connectors.bootstrapServers ))) -}} +{{- if (not (empty $values.connectors.schemaRegistryURL)) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SCHEMA_REGISTRY_URL" "value" $values.connectors.schemaRegistryURL )))) -}} +{{- end -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_GC_LOG_ENABLED" "value" $values.container.javaGCLogEnabled )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_HEAP_OPTS" "value" (printf "-Xms256M -Xmx%s" $values.container.resources.javaMaxHeapSize) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_LOG_LEVEL" "value" $values.logging.level )))) -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_USERNAME" "value" $values.auth.sasl.userName )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_MECHANISM" "value" $values.auth.sasl.mechanism )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_PASSWORD_FILE" "value" "rc-credentials/password" )))) -}} +{{- end -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_ENABLED" "value" (printf "%v" $values.connectors.brokerTLS.enabled) )))) -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $ca := (default "ca.crt" $values.connectors.brokerTLS.ca.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TRUSTED_CERTS" "value" (printf "ca/%s" $ca) )))) -}} +{{- end -}} +{{- if (not (empty 
$values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $cert := (default "tls.crt" $values.connectors.brokerTLS.cert.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_CERT" "value" (printf "cert/%s" $cert) )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $key := (default "tls.key" $values.connectors.brokerTLS.key.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_KEY" "value" (printf "key/%s" $key) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $env) (default (list ) $values.deployment.extraEnv))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.connectorConfiguration" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $lines := (list (printf "rest.advertised.port=%d" ($values.connectors.restPort | int)) (printf "rest.port=%d" ($values.connectors.restPort | int)) "key.converter=org.apache.kafka.connect.converters.ByteArrayConverter" "value.converter=org.apache.kafka.connect.converters.ByteArrayConverter" (printf "group.id=%s" $values.connectors.groupID) (printf "offset.storage.topic=%s" $values.connectors.storage.topic.offset) (printf "config.storage.topic=%s" $values.connectors.storage.topic.config) (printf "status.storage.topic=%s" $values.connectors.storage.topic.status) (printf "offset.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.offset) (printf "offset.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.offset) (printf "config.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.config) (printf "config.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.config) (printf "status.storage.redpanda.remote.read=%t" 
$values.connectors.storage.remote.read.status) (printf "status.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.status) (printf "offset.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.offset | int)) (printf "config.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.config | int)) (printf "status.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.status | int)) (printf "producer.linger.ms=%d" ($values.connectors.producerLingerMS | int)) (printf "producer.batch.size=%d" ($values.connectors.producerBatchSize | int)) "config.providers=file,secretsManager,env" "config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider") -}} +{{- if $values.connectors.secretManager.enabled -}} +{{- $lines = (concat (default (list ) $lines) (list "config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider" (printf "config.providers.secretsManager.param.secret.prefix=%s%s" $values.connectors.secretManager.consolePrefix $values.connectors.secretManager.connectorsPrefix) (printf "config.providers.secretsManager.param.aws.region=%s" $values.connectors.secretManager.region))) -}} +{{- end -}} +{{- $lines = (concat (default (list ) $lines) (list "config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (join "\n" $lines)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.volumes" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $volumes := (coalesce nil) -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" 
$values.connectors.brokerTLS.ca.secretRef )) )) (dict "name" "truststore" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.cert.secretRef )) )) (dict "name" "cert" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.key.secretRef )) )) (dict "name" "key" )))) -}} +{{- end -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.auth.sasl.secretRef )) )) (dict "name" "rc-credentials" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.storage.volume))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.volumeMountss" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $mounts := (coalesce nil) -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "mountPath" "/opt/kafka/connect-password/rc-credentials" "name" "rc-credentials" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- 
$mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststore" "mountPath" "/opt/kafka/connect-certs/ca" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "cert" "mountPath" "/opt/kafka/connect-certs/cert" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "key" "mountPath" "/opt/kafka/connect-certs/key" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $mounts) (default (list ) $values.storage.volumeMounts))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_helpers.go.tpl new file mode 100644 index 0000000000..aa57f996e7 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_helpers.go.tpl 
@@ -0,0 +1,131 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "connectors.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.fullnameOverride)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- if (contains $name $dot.Release.Name) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.FullLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) (dict "helm.sh/chart" (get (fromJson (include "connectors.ChartLabels" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.PodLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- 
$values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") ) $values.commonLabels)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ChartLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Semver" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimPrefix "v" (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.serviceAccount.create -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ServiceName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" 
(dict "a" (list $dot) ))) "r") $values.service.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Tag" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := (default $dot.Chart.AppVersion $values.image.tag) -}} +{{- $matchString := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- if (not (mustRegexMatch $matchString $tag)) -}} +{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tag) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.trunc" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_helpers.tpl new file mode 100644 index 0000000000..89c888eeef --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_helpers.tpl 
@@ -0,0 +1,79 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "connectors.name" -}}
+{{- get ((include "connectors.Name" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "connectors.fullname" }}
+{{- get ((include "connectors.Fullname" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+full helm labels + common labels
+*/}}
+{{- define "full.labels" -}}
+{{- (get ((include "connectors.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }}
+{{- end -}}
+
+{{/*
+pod labels merged with common labels
+*/}}
+{{- define "connectors-pod-labels" -}}
+{{- (get ((include "connectors.PodLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "connectors.chart" -}}
+{{- get ((include "connectors.Chart" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Get the version of redpanda being used as an image
+*/}}
+{{- define "connectors.semver" -}}
+{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "connectors.serviceAccountName" -}}
+{{- get ((include "connectors.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Create the name of the service to use
+*/}}
+{{- define "connectors.serviceName" -}}
+{{- get ((include "connectors.ServiceName" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Use AppVersion if image.tag is not set
+*/}}
+{{- define "connectors.tag" -}}
+{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_pod-monitor.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_pod-monitor.go.tpl
new file mode 100644
index 0000000000..4e12b20084
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_pod-monitor.go.tpl
@@ -0,0 +1,18 @@ +{{- /* Generated from "podmonitor.go" */ -}} + +{{- define "connectors.PodMonitor" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.monitoring.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "PodMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" $values.monitoring.labels "annotations" $values.monitoring.annotations )) "spec" (mustMergeOverwrite (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "namespaceSelector" $values.monitoring.namespaceSelector "podMetricsEndpoints" (list (mustMergeOverwrite (dict "bearerTokenSecret" (dict "key" "" ) ) (dict "path" "/" "port" "prometheus" ))) "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_service.go.tpl new file mode 100644 index 0000000000..54a7ce8a05 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_service.go.tpl 
@@ -0,0 +1,20 @@ +{{- /* Generated from "service.go" */ -}} + +{{- define "connectors.Service" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rest-api" "port" ($values.connectors.restPort | int) "targetPort" ($values.connectors.restPort | int) "protocol" "TCP" ))) -}} +{{- range $_, $port := $values.service.ports -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" $port.name "port" ($port.port | int) "targetPort" ($port.port | int) "protocol" "TCP" )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.ServiceName" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.service.annotations) )) "spec" (mustMergeOverwrite (dict ) (dict "ipFamilies" (list "IPv4") "ipFamilyPolicy" "SingleStack" "ports" $ports "selector" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "ClusterIP" )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_serviceaccount.go.tpl new file mode 100644 index 0000000000..dedade21c3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_serviceaccount.go.tpl 
@@ -0,0 +1,18 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "connectors.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.serviceAccount.annotations "labels" (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") "name" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_shims.tpl new file mode 100644 index 0000000000..c16b6d1788 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_shims.tpl 
@@ -0,0 +1,339 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $ptr) "null") -}} +{{- $_ := (fail "nil dereference") 
-}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $m) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $ptr) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq (toJson $a) "null") (eq (toJson $b) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := 
false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) 
))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- 
break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.time_ParseDuration" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $unitMap := (dict "s" (1000000000 | int64) "m" (60000000000 | int64) "h" (3600000000000 | int64) ) -}} +{{- $original := $repr -}} +{{- $value := ((0 | int64) | int64) -}} +{{- if (eq $repr "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- if (eq $repr "0") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $_, $_ := (list (0 | int) (0 | int) (0 | int)) -}} +{{- if (eq $repr "") -}} +{{- break -}} +{{- end -}} +{{- $n := (regexFind `^\d+` $repr) -}} +{{- if (eq $n "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- $repr = (substr 
((get (fromJson (include "_shims.len" (dict "a" (list $n) ))) "r") | int) -1 $repr) -}} +{{- $unit := (regexFind `^(h|m|s)` $repr) -}} +{{- if (eq $unit "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- $repr = (substr ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int) -1 $repr) -}} +{{- $value = ((add $value (((mul (int64 $n) (index $unitMap $unit)) | int64))) | int64) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.time_Duration_String" -}} +{{- $dur := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (duration ((div $dur (1000000000 | int64)) | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne (toJson $manifest) "null" }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_values.go.tpl new file mode 100644 index 0000000000..9b304d4bf6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/_values.go.tpl 
@@ -0,0 +1,15 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "connectors.Auth.SASLEnabled" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $saslEnabled := (not (empty $c.sasl.userName)) -}} +{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.mechanism))) -}} +{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.secretRef))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $saslEnabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/entry-point.yaml b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/entry-point.yaml new file mode 100644 index 0000000000..b6c6467d5d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/entry-point.yaml @@ -0,0 +1,17 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.render" .) -}} diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/tests/01-mm2-values.yaml b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/tests/01-mm2-values.yaml new file mode 100644 index 0000000000..c369806c8b --- /dev/null 
+++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/templates/tests/01-mm2-values.yaml 
@@ -0,0 +1,176 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- define "curl-options" -}} +{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}} +{{- end -}} +{{- if .Values.test.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "connectors.fullname" . }}-mm2-test + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: create-mm2 + image: docker.redpanda.com/redpandadata/redpanda:latest + command: + - /bin/bash + - -c + - | + set -xe + + trap connectorsState ERR + + connectorsState () { + echo check connectors expand status + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=status + echo check connectors expand info + curl {{ template "curl-options" . 
}} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=info + echo check connector configuration + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME + echo check connector topics + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics + } + + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors + + SASL_MECHANISM="PLAIN" + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + IFS=: read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < $(find /mnt/users/* -print) + CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + if [[ -n "$CONNECT_SASL_USERNAME" && -n "$KAFKA_SASL_PASSWORD" && -n "$CONNECT_SASL_MECHANISM" ]]; then + rpk profile set user=$CONNECT_SASL_USERNAME pass=$KAFKA_SASL_PASSWORD sasl.mechanism=$CONNECT_SASL_MECHANISM + SASL_MECHANISM=$CONNECT_SASL_MECHANISM + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + fi + + set -x + set +e + {{- end }} + + rpk profile create test + rpk profile set tls.enabled={{.Values.connectors.brokerTLS.enabled}} brokers={{ .Values.connectors.bootstrapServers }} + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + rpk profile set tls.ca={{ printf "/redpanda-certs/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) }} + {{- end }} + 
+ {{- if .Values.connectors.brokerTLS.enabled }} + CONNECT_TLS_ENABLED=true + {{- else }} + CONNECT_TLS_ENABLED=false + {{- end }} + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$CONNECT_SASL_MECHANISM" && $CONNECT_TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$CONNECT_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $CONNECT_TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + rpk topic list + rpk topic create test-topic + rpk topic list + echo "Test message!" | rpk topic produce test-topic + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "name": "CONNECTOR_NAME", + "config": { + "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "test-topic", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }}, + "target.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }}, + "target.cluster.alias": "test-only", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": "true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }}, + "target.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }}, + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + 
"source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM", + "offset-syncs.topic.replication.factor": 1 + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + curl {{ template "curl-options" . }} -H 'Content-Type: application/json' http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors -d @/tmp/mm2-conf.json + + # The rpk topic consume could fail for the first few times as kafka connect needs + # to spawn the task and copy one message from the source topic. To solve this race condition + # the retry should be implemented in bash for rpk topic consume or other mechanism that + # can confirm source connectors started its execution. As a fast fix fixed 30 second fix is added. + sleep 30 + + rpk topic consume source.test-topic -n 1 | grep "Test message!" + + curl {{ template "curl-options" . }} -X DELETE http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME + + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors + + rpk topic delete test-topic source.test-topic mm2-offset-syncs.test-only.internal + volumeMounts: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - mountPath: /redpanda-certs + name: redpanda-ca + {{- end }} + {{- toYaml .Values.storage.volumeMounts | nindent 8 }} + volumes: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - name: redpanda-ca + secret: + defaultMode: 0444 + secretName: {{ .Values.connectors.brokerTLS.ca.secretRef }} + {{- end }} + {{- toYaml .Values.storage.volume | nindent 4 }} +{{- end }} 
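Review bot: The SASL branch reads credentials with `IFS=: read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < $(find /mnt/users/* -print)`, but the `volumeMounts`/`volumes` at the end of the hunk only provide `redpanda-ca` and `storage.volumeMounts` (whose default is just `/tmp`), so with `auth.sasl.enabled` the test pod has nothing at `/mnt/users` unless an operator overrides `storage.volumeMounts` to supply it; mounting `auth.sasl.secretRef` conditionally, as sketched below, keeps the hook self-contained. The container also uses `image: docker.redpanda.com/redpandadata/redpanda:latest`; a fixed tag (or the chart's appVersion) would make the hook reproducible and not silently change the `rpk` behaviour between runs. Separately, the `connectorsState` ERR trap GETs `/connectors/$CONNECTOR_NAME`, which presumably echoes the submitted connector config — including the JAAS username/password the script otherwise hides under `set +x` — into the pod log on any failure; consider dropping that call or filtering its output when SASL is enabled.
```yaml
      volumeMounts:
        {{- if .Values.auth.sasl.enabled }}
        - mountPath: /mnt/users
          name: redpanda-users
          readOnly: true
        {{- end }}
        # … unchanged: redpanda-ca mount and storage.volumeMounts …
  volumes:
    {{- if .Values.auth.sasl.enabled }}
    - name: redpanda-users
      secret:
        secretName: {{ .Values.auth.sasl.secretRef }}
    {{- end }}
    # … unchanged: redpanda-ca volume and storage.volume …
```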
diff --git a/charts/redpanda/redpanda/5.9.18/charts/connectors/values.yaml b/charts/redpanda/redpanda/5.9.18/charts/connectors/values.yaml
new file mode 100644
index 0000000000..99cb3c5809
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/charts/connectors/values.yaml
@@ -0,0 +1,313 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file contains values for variables referenced from yaml files in the templates directory. +# +# For further information on Helm templating see the documentation at: +# https://helm.sh/docs/chart_template_guide/values_files/ + +# +# >>> This chart requires Helm version 3.6.0 or greater <<< +# + +# Common settings +# +# -- Override `connectors.name` template. +nameOverride: "" +# -- Override `connectors.fullname` template. +fullnameOverride: "" +# -- Additional labels to add to all Kubernetes objects. +# For example, `my.k8s.service: redpanda`. +commonLabels: {} +# -- Taints to be tolerated by Pods. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). +tolerations: [] + +# -- Redpanda Docker image settings. +image: + # -- Docker repository from which to pull the Redpanda Docker image. + repository: docker.redpanda.com/redpandadata/connectors + # -- The Redpanda version. + # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). 
+ # @default -- `Chart.appVersion`. + tag: "" + # -- The imagePullPolicy. + # If `image.tag` is 'latest', the default is `Always`. + pullPolicy: IfNotPresent + +# -- Pull secrets may be used to provide credentials to image repositories +# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] + +test: + create: true + +connectors: + # -- The port on which the Kafka Connect REST API listens. The API is used for administrative tasks. + restPort: 8083 + # -- A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster. + bootstrapServers: "" + # A comma-separated list of Schema Registry addresses in the format IP:Port or DNS:Port. The Schema Registry is a service that manages the schemas used by producers and consumers. + schemaRegistryURL: "" + # -- A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script. + additionalConfiguration: "" + secretManager: + enabled: false + region: "" + consolePrefix: "" + connectorsPrefix: "" + # -- The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput. + producerBatchSize: 131072 + # -- The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput. + producerLingerMS: 1 + storage: + # -- The number of replicas for each of the internal topics that Kafka Connect uses. + replicationFactor: + # -- Replication factor for the offset topic. + offset: -1 + # -- Replication factor for the configuration topic. + config: -1 + # -- Replication factor for the status topic. 
+ status: -1 + # -- Indicates if read and write operations for the respective topics are allowed remotely. + remote: + read: + offset: false + config: false + status: false + write: + offset: false + config: false + status: false + topic: + # -- The name of the internal topic that Kafka Connect uses to store source connector offsets. + offset: _internal_connectors_offsets + # -- The name of the internal topic that Kafka Connect uses to store connector and task configurations. + config: _internal_connectors_configs + # -- The name of the internal topic that Kafka Connect uses to store connector and task status updates. + status: _internal_connectors_status + # -- A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other. + groupID: connectors-cluster + brokerTLS: + enabled: false + ca: + # -- The name of the Secret where the ca.crt file content is located. + secretRef: "" + # -- If `secretRef` points to a Secret where the certificate authority (CA) is not under the + # `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`. + secretNameOverwrite: "" + cert: + # -- The name of the secret where client signed certificate is located + secretRef: "" + # -- If secretRef points to secret where client signed certificate is not under + # tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt + secretNameOverwrite: "" + key: + # -- The name of the secret where client private key is located + secretRef: "" + # -- If secretRef points to secret where client private key is not under + # tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key + secretNameOverwrite: "" + +# -- Authentication settings. +# For details, +# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). 
+# The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster. +auth: + sasl: + enabled: false + # -- The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`. + mechanism: scram-sha-512 + # -- A Secret that contains your SASL user password. + secretRef: "" + userName: "" + +# -- Log-level settings. +logging: + # -- Log level + # Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`. + level: warn + +# -- Monitoring. +# When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. +monitoring: + enabled: false + scrapeInterval: 30s + labels: {} + annotations: {} + namespaceSelector: + any: true + +container: + # + # -- Security context for the Redpanda Connectors container. + # See also `deployment.securityContext` for Pod-level settings. + securityContext: + allowPrivilegeEscalation: false + # -- Pod resource management. + resources: + request: + # Numeric values here are also acceptable. + cpu: "1" + memory: 2350Mi + limits: + cpu: "1" + memory: 2350Mi + # -- Java maximum heap size must not be greater than `container.resources.limits.memory`. + javaMaxHeapSize: 2G + javaGCLogEnabled: "false" + +deployment: + # Replicas can be used to scale Deployment + # replicas + + create: true + # Customize the command to use as the entrypoint of the Deployment. + # command: [] + strategy: + type: RollingUpdate + schedulerName: "" + budget: + maxUnavailable: 1 + # -- Additional annotations to apply to the Pods of this Deployment. + annotations: {} + # -- Adjust the period for your probes to meet your needs. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). 
+ livenessProbe: + initialDelaySeconds: 10 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + initialDelaySeconds: 60 + failureThreshold: 2 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + + # -- Additional environment variables for the Pods. + extraEnv: [] + # - name: RACK_ID + # value: "1" + + # -- Configure extra environment variables from Secrets and ConfigMaps. + extraEnvFrom: [] + # - secretRef: + # name: my-secret + # - configMapRef: + # name: my-configmap + + # -- The maximum time in seconds for a deployment to make progress before it is + # considered to be failed. The deployment controller will continue to process + # failed deployments and a condition with a ProgressDeadlineExceeded reason + # will be surfaced in the deployment status. Note that progress will not be + # estimated during the time a deployment is paused. + progressDeadlineSeconds: 600 + + # -- The number of old ReplicaSets to retain to allow rollback. This is a pointer + # to distinguish between explicit zero and not specified. + revisionHistoryLimit: 10 + + # -- Inter-Pod Affinity rules for scheduling Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + podAffinity: {} + # -- Node Affinity rules for scheduling Pods of this Deployment. + # The suggestion would be to spread Pods according to topology zone. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + nodeAffinity: {} + # -- Anti-affinity rules for scheduling Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). 
+ # You may either edit the default settings for anti-affinity rules, + # or specify new anti-affinity rules to use instead of the defaults. + podAntiAffinity: + # -- The `topologyKey` to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # -- Valid anti-affinity types are `soft`, `hard`, or `custom`. + # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + type: hard + # -- Weight for `soft` anti-affinity rules. + # Does not apply for other anti-affinity types. + weight: 100 + # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + custom: {} + # -- Node selection constraints for scheduling Pods of this Deployment. + # These constraints override the global `nodeSelector` value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + nodeSelector: {} + # -- PriorityClassName given to Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + priorityClassName: "" + # -- Taints to be tolerated by Pods of this Deployment. + # These tolerations override the global tolerations value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + tolerations: [] + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/). 
+ topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + securityContext: + fsGroup: 101 + runAsUser: 101 + fsGroupChangePolicy: OnRootMismatch + terminationGracePeriodSeconds: 30 + restartPolicy: Always + +storage: + volume: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + +# -- ServiceAccount management. +serviceAccount: + # -- Specifies whether a ServiceAccount should be created. + create: false + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: false + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- The name of the ServiceAccount to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `connectors.fullname` template. + name: "" + +# -- Service management. +service: + # -- Annotations to add to the Service. + annotations: {} + # -- The name of the service to use. + # If not set, a name is generated using the `connectors.fullname` template. + name: "" + ports: + - name: prometheus + port: 9404 diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/.helmignore b/charts/redpanda/redpanda/5.9.18/charts/console/.helmignore new file mode 100644 index 0000000000..d5bb5e6ba6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/.helmignore @@ -0,0 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +*.go +testdata/ +ci/ 
diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/Chart.yaml b/charts/redpanda/redpanda/5.9.18/charts/console/Chart.yaml new file mode 100644 index 0000000000..37a546db95 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/console:v2.7.2 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ +apiVersion: v2 +appVersion: v2.7.2 +description: Helm chart to deploy Redpanda Console. +icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg +kubeVersion: '>= 1.25.0-0' +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: console +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 0.7.30 diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/README.md b/charts/redpanda/redpanda/5.9.18/charts/console/README.md new file mode 100644 index 0000000000..9fb3932733 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/README.md 
@@ -0,0 +1,353 @@ +# Redpanda Console Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Console Helm chart. +--- + +![Version: 0.7.30](https://img.shields.io/badge/Version-0.7.30-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.7.2](https://img.shields.io/badge/AppVersion-v2.7.2-informational?style=flat-square) + +This page describes the official Redpanda Console Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/console/values.yaml). +Each of the settings is listed and described on this page, along with any default values. + +The Redpanda Console Helm chart is included as a subchart in the Redpanda Helm chart so that you can deploy and configure Redpanda and Redpanda Console together. +For instructions on how to install and use the chart, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). +For instructions on how to override and customize the chart’s values, see [Configure Redpanda Console](https://docs.redpanda.com/docs/manage/kubernetes/configure-helm-chart/#configure-redpanda-console). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.25.0-0` + +## Settings + +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=affinity) + +**Default:** `{}` + +### [annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=annotations) + +Annotations to add to the deployment. 
+ +**Default:** `{}` + +### [automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=automountServiceAccountToken) + +Automount API credentials for the Service Account into the pod. + +**Default:** `true` + +### [autoscaling.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.enabled) + +**Default:** `false` + +### [autoscaling.maxReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.maxReplicas) + +**Default:** `100` + +### [autoscaling.minReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.minReplicas) + +**Default:** `1` + +### [autoscaling.targetCPUUtilizationPercentage](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.targetCPUUtilizationPercentage) + +**Default:** `80` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=commonLabels) + +**Default:** `{}` + +### [configmap.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=configmap.create) + +**Default:** `true` + +### [console.config](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=console.config) + +Settings for the `Config.yaml` (required). For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). 
+ +**Default:** `{}` + +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=deployment.create) + +**Default:** `true` + +### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=enterprise) + +Settings for license key, as an alternative to secret.enterprise when a license secret is available + +**Default:** + +``` +{"licenseSecretRef":{"key":"","name":""}} +``` + +### [extraContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraContainers) + +Add additional containers, such as for oauth2-proxy. + +**Default:** `[]` + +### [extraEnv](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnv) + +Additional environment variables for the Redpanda Console Deployment. + +**Default:** `[]` + +### [extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnvFrom) + +Additional environment variables for Redpanda Console mapped from Secret or ConfigMap. + +**Default:** `[]` + +### [extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumeMounts) + +Add additional volume mounts, such as for TLS keys. + +**Default:** `[]` + +### [extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumes) + +Add additional volumes, such as for TLS keys. + +**Default:** `[]` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=fullnameOverride) + +Override `console.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image) + +Redpanda Console Docker image settings. 
+ +**Default:** + +``` +{"pullPolicy":"IfNotPresent","registry":"docker.redpanda.com","repository":"redpandadata/console","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.pullPolicy) + +The imagePullPolicy. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** `"redpandadata/console"` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.tag) + +The Redpanda Console version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/console/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags). + +**Default:** `Chart.appVersion` + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [ingress.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.annotations) + +**Default:** `{}` + +### [ingress.className](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.className) + +**Default:** `nil` + +### [ingress.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.enabled) + +**Default:** `false` + +### [ingress.hosts[0].host](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].host) + +**Default:** `"chart-example.local"` + +### [ingress.hosts[0].paths[0].path](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].path) + +**Default:** `"/"` + +### 
[ingress.hosts[0].paths[0].pathType](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].pathType) + +**Default:** `"ImplementationSpecific"` + +### [ingress.tls](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.tls) + +**Default:** `[]` + +### [initContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers) + +Any initContainers defined should be written here + +**Default:** `{"extraInitContainers":""}` + +### [initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers.extraInitContainers) + +Additional set of init containers + +**Default:** `""` + +### [livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=livenessProbe) + +Settings for liveness and readiness probes. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes). + +**Default:** + +``` +{"failureThreshold":3,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nameOverride) + +Override `console.name` template. 
+ +**Default:** `""` + +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nodeSelector) + +**Default:** `{}` + +### [podAnnotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podAnnotations) + +**Default:** `{}` + +### [podLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podLabels) + +**Default:** `{}` + +### [podSecurityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.fsGroup) + +**Default:** `99` + +### [podSecurityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.runAsUser) + +**Default:** `99` + +### [priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=priorityClassName) + +PriorityClassName given to Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.failureThreshold) + +**Default:** `3` + +### [readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.initialDelaySeconds) + +Grant time to test connectivity to upstream services such as Kafka and Schema Registry. 
+ +**Default:** `10` + +### [readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.periodSeconds) + +**Default:** `10` + +### [readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.successThreshold) + +**Default:** `1` + +### [readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.timeoutSeconds) + +**Default:** `1` + +### [replicaCount](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=replicaCount) + +**Default:** `1` + +### [resources](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=resources) + +**Default:** `{}` + +### [secret](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret) + +Create a new Kubernetes Secret for all sensitive configuration inputs. Each provided Secret is mounted automatically and made available to the Pod. If you want to use one or more existing Secrets, you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets. + +**Default:** + +``` +{"create":true,"enterprise":{},"kafka":{},"login":{"github":{},"google":{},"jwtSecret":"","oidc":{},"okta":{}},"redpanda":{"adminApi":{}}} +``` + +### [secret.kafka](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret.kafka) + +Kafka Secrets. + +**Default:** `{}` + +### [secretMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secretMounts) + +SecretMounts is an abstraction to make a Secret available in the container's filesystem. Under the hood it creates a volume and a volume mount for the Redpanda Console container. 
+ +**Default:** `[]` + +### [securityContext.runAsNonRoot](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=securityContext.runAsNonRoot) + +**Default:** `true` + +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.annotations) + +**Default:** `{}` + +### [service.port](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.port) + +**Default:** `8080` + +### [service.targetPort](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.targetPort) + +Override the value in `console.config.server.listenPort` if not `nil` + +**Default:** `nil` + +### [service.type](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.type) + +**Default:** `"ClusterIP"` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.annotations) + +Annotations to add to the service account. + +**Default:** `{}` + +### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.automountServiceAccountToken) + +Specifies whether a service account should automount API-Credentials + +**Default:** `true` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.create) + +Specifies whether a service account should be created. + +**Default:** `true` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.name) + +The name of the service account to use. 
If not set and `serviceAccount.create` is `true`, a name is generated using the `console.fullname` template + +**Default:** `""` + +### [strategy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=strategy) + +**Default:** `{}` + +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tolerations) + +**Default:** `[]` + +### [topologySpreadConstraints](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=topologySpreadConstraints) + +**Default:** `[]` + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/examples/console-enterprise.yaml b/charts/redpanda/redpanda/5.9.18/charts/console/examples/console-enterprise.yaml new file mode 100644 index 0000000000..dc3f29197d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/examples/console-enterprise.yaml 
@@ -0,0 +1,94 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +image: + tag: master-8fcce39 + +resources: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 100m + memory: 512Mi + +console: + config: + kafka: + brokers: + - bootstrap.mybrokers.com:9092 + clientId: redpanda-console + sasl: + enabled: true + mechanism: SCRAM-SHA-256 + username: console + # password: set via Helm secret / Env variable + tls: + enabled: false + login: + google: + enabled: true + clientId: redacted.apps.googleusercontent.com + # clientSecret: set via Helm secret / Env variable + directory: + # serviceAccountFilepath: set via Helm secret / Env variable + targetPrincipal: admin@mycompany.com + enterprise: + rbac: + enabled: true + roleBindingsFilepath: /etc/console/configs/role-bindings.yaml + roleBindings: + - roleName: viewer + metadata: + # Metadata properties will be shown in the UI. 
You can omit it if you want to + name: Developers + subjects: + # You can specify all groups or users from different providers here which shall be bound to the same role + - kind: group + provider: Google + name: engineering@mycompany.com + - kind: user + provider: Google + name: singleuser@mycompany.com + - roleName: admin + metadata: + name: Admin + subjects: + - kind: user + provider: Google + name: adminperson@mycompany.com + +secret: + create: true + kafka: + saslPassword: "redacted" + enterprise: + license: "redacted" + login: + google: + clientSecret: "redacted" + groupsServiceAccount: | + { + "type": "service_account", + "project_id": "redacted", + "private_key_id": "redacted", + "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n", + "client_email": "redacted@projectid.iam.gserviceaccount.com", + "client_id": "redacted", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/redacted.iam.gserviceaccount.com" + } diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.18/charts/console/templates/NOTES.txt new file mode 100644 index 0000000000..7541881fc9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/NOTES.txt 
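Review bot: The example turns on SASL (`sasl.enabled: true`, `mechanism: SCRAM-SHA-256`) while leaving `tls.enabled: false` under `console.config.kafka`, so the SCRAM handshake and every subsequent Kafka request would travel in cleartext to `bootstrap.mybrokers.com:9092`; an enterprise example should either set `enabled: true` under `tls` or carry a comment such as `# tls.enabled: false is for local testing only — enable TLS for any shared broker`. The `image.tag: master-8fcce39` value also pins readers who copy this file to a development build rather than a released version; leaving the tag empty (so it falls back to `Chart.appVersion`, as the chart README describes) or naming a release tag is the safer default. The `# serviceAccountFilepath: set via Helm secret / Env variable` comment under `directory` does not say that the value is supplied by `secret.login.google.groupsServiceAccount` further down; a short cross-reference comment there would save readers from hunting for it.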
@@ -0,0 +1,20 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- $notes := (get ((include "console.Notes" (dict "a" (list .))) | fromJson) "r") -}} +{{- range $_, $note := $notes }} +{{ $note }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_chart.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_chart.go.tpl new file mode 100644 index 0000000000..47f236d6ff --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_chart.go.tpl 
@@ -0,0 +1,13 @@ +{{- /* Generated from "chart.go" */ -}} + +{{- define "console.render" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $manifests := (list (get (fromJson (include "console.ServiceAccount" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Secret" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.ConfigMap" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Service" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Ingress" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Deployment" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.HorizontalPodAutoscaler" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_configmap.go.tpl new file mode 100644 index 0000000000..14673b0249 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_configmap.go.tpl 
@@ -0,0 +1,25 @@ +{{- /* Generated from "configmap.go" */ -}} + +{{- define "console.ConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.configmap.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $data := (dict "config.yaml" (printf "# from .Values.console.config\n%s\n" (tpl (toYaml $values.console.config) $dot)) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roles) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $data "roles.yaml" (tpl (toYaml (dict "roles" $values.console.roles )) $dot)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roleBindings) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $data "role-bindings.yaml" (tpl (toYaml (dict "roleBindings" $values.console.roleBindings )) $dot)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ConfigMap" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "data" $data ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_deployment.go.tpl new file mode 100644 index 0000000000..67aaf598fe --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_deployment.go.tpl 
@@ -0,0 +1,133 @@ +{{- /* Generated from "deployment.go" */ -}} + +{{- define "console.ContainerPort" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $listenPort := ((8080 | int) | int) -}} +{{- if (ne (toJson $values.service.targetPort) "null") -}} +{{- $listenPort = $values.service.targetPort -}} +{{- end -}} +{{- $configListenPort := (dig "server" "listenPort" (coalesce nil) $values.console.config) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $configListenPort) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $asInt_1 := ($tmp_tuple_1.T1 | int) -}} +{{- if $ok_2 -}} +{{- $_is_returning = true -}} +{{- (dict "r" ($asInt_1 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $listenPort) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Deployment" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.deployment.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $replicas := (coalesce nil) -}} +{{- if (not $values.autoscaling.enabled) -}} +{{- $replicas = ($values.replicaCount | int) -}} +{{- end -}} +{{- $initContainers := (coalesce nil) -}} +{{- if (not (empty $values.initContainers.extraInitContainers)) -}} +{{- $initContainers = (fromYamlArray (tpl $values.initContainers.extraInitContainers $dot)) -}} +{{- end -}} +{{- $volumeMounts := (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "configs" "mountPath" "/etc/console/configs" "readOnly" true ))) -}} +{{- if $values.secret.create -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) 
(dict "name" "secrets" "mountPath" "/etc/console/secrets" "readOnly" true )))) -}} +{{- end -}} +{{- range $_, $mount := $values.secretMounts -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mount.name "mountPath" $mount.path "subPath" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $mount.subPath "") ))) "r") )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (default (list ) $values.extraVolumeMounts)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.annotations )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $replicas "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" (merge (dict ) (dict "checksum/config" (sha256sum 
(toYaml (get (fromJson (include "console.ConfigMap" (dict "a" (list $dot) ))) "r"))) ) $values.podAnnotations) "labels" (merge (dict ) (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.podLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "imagePullSecrets" $values.imagePullSecrets "serviceAccountName" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "automountServiceAccountToken" $values.automountServiceAccountToken "securityContext" $values.podSecurityContext "nodeSelector" $values.nodeSelector "affinity" $values.affinity "topologySpreadConstraints" $values.topologySpreadConstraints "priorityClassName" $values.priorityClassName "tolerations" $values.tolerations "volumes" (get (fromJson (include "console.consolePodVolumes" (dict "a" (list $dot) ))) "r") "initContainers" $initContainers "containers" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" $dot.Chart.Name "command" $values.deployment.command "args" (concat (default (list ) (list "--config.filepath=/etc/console/configs/config.yaml")) (default (list ) $values.deployment.extraArgs)) "securityContext" $values.securityContext "image" (get (fromJson (include "console.containerImage" (dict "a" (list $dot) ))) "r") "imagePullPolicy" $values.image.pullPolicy "ports" (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ((get (fromJson (include "console.ContainerPort" (dict "a" (list $dot) ))) "r") | int) "protocol" "TCP" ))) "volumeMounts" $volumeMounts "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.livenessProbe.periodSeconds | int) "timeoutSeconds" ($values.livenessProbe.timeoutSeconds | int) 
"successThreshold" ($values.livenessProbe.successThreshold | int) "failureThreshold" ($values.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.readinessProbe.initialDelaySeconds | int) "periodSeconds" ($values.readinessProbe.periodSeconds | int) "timeoutSeconds" ($values.readinessProbe.timeoutSeconds | int) "successThreshold" ($values.readinessProbe.successThreshold | int) "failureThreshold" ($values.readinessProbe.failureThreshold | int) )) "resources" $values.resources "env" (get (fromJson (include "console.consoleContainerEnv" (dict "a" (list $dot) ))) "r") "envFrom" $values.extraEnvFrom )))) (default (list ) $values.extraContainers)) )) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.containerImage" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := $dot.Chart.AppVersion -}} +{{- if (not (empty $values.image.tag)) -}} +{{- $tag = $values.image.tag -}} +{{- end -}} +{{- $image := (printf "%s:%s" $values.image.repository $tag) -}} +{{- if (not (empty $values.image.registry)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s" $values.image.registry $image)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $image) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.consoleContainerEnv" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.secret.create) -}} +{{- $vars := $values.extraEnv -}} +{{- if (not (empty $values.enterprise.licenseSecretRef.name)) -}} +{{- $vars = (concat (default (list ) $values.extraEnv) (list (mustMergeOverwrite (dict "name" "" ) 
(dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" (default "enterprise-license" $values.enterprise.licenseSecretRef.key) )) )) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $vars) | toJson -}} +{{- break -}} +{{- end -}} +{{- $possibleVars := (list (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.saslPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.protobufGitBasicAuthPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-protobuf-git-basicauth-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.awsMskIamSecretKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_AWSMSKIAM_SECRETKEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-aws-msk-iam-secret-key" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict 
"name" "" ) ) (dict "Value" $values.secret.kafka.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include 
"console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-schema-registry-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" true "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_JWTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-jwt-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-google-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.groupsServiceAccount "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH" "value" "/etc/console/secrets/login-google-groups-service-account.json" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.github.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" 
$values.secret.login.github.personalAccessToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-personal-access-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.directoryApiToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_DIRECTORY_APITOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-directory-api-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.oidc.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OIDC_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-oidc-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" 
$values.secret.enterprise.license "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "enterprise-license" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.password "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "redpanda-admin-api-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CAFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_KEYFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CERTFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-cert" )) ))) -}} +{{- $vars := $values.extraEnv -}} +{{- range $_, $possible := $possibleVars -}} +{{- if (not (empty $possible.Value)) -}} +{{- $vars = (concat (default (list ) $vars) (list $possible.EnvVar)) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break 
-}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $vars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.consolePodVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes := (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "configs" ))) -}} +{{- if $values.secret.create -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) )) (dict "name" "secrets" )))) -}} +{{- end -}} +{{- range $_, $mount := $values.secretMounts -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $mount.secretName "defaultMode" $mount.defaultMode )) )) (dict "name" $mount.name )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.extraVolumes))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_helpers.go.tpl new file mode 100644 index 0000000000..05ad609654 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_helpers.go.tpl 
@@ -0,0 +1,82 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "console.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.fullnameOverride "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- if (contains $name $dot.Release.Name) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.ChartLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Labels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $labels := (dict "helm.sh/chart" (get (fromJson (include 
"console.ChartLabel" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) -}} +{{- if (ne $dot.Chart.AppVersion "") -}} +{{- $_ := (set $labels "app.kubernetes.io/version" $dot.Chart.AppVersion) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $labels (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.commonLabels)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.SelectorLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "app.kubernetes.io/name" (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.cleanForK8s" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_helpers.tpl new file mode 100644 index 0000000000..ee2ab5d9b8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_helpers.tpl 
@@ -0,0 +1,25 @@
+{{/*
+Expand the name of the chart.
+Used by tests/test-connection.yaml
+*/}}
+{{- define "console.name" -}}
+{{- get ((include "console.Name" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Used by tests/test-connection.yaml
+*/}}
+{{- define "console.fullname" -}}
+{{- get ((include "console.Fullname" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Common labels
+Used by tests/test-connection.yaml
+*/}}
+{{- define "console.labels" -}}
+{{- (get ((include "console.Labels" (dict "a" (list .))) | fromJson) "r") | toYaml -}}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_hpa.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_hpa.go.tpl
new file mode 100644
index 0000000000..5c3b33beda
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_hpa.go.tpl
@@ -0,0 +1,25 @@ +{{- /* Generated from "hpa.go" */ -}} + +{{- define "console.HorizontalPodAutoscaler" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.autoscaling.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $metrics := (list ) -}} +{{- if (ne (toJson $values.autoscaling.targetCPUUtilizationPercentage) "null") -}} +{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "cpu" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetCPUUtilizationPercentage )) )) )))) -}} +{{- end -}} +{{- if (ne (toJson $values.autoscaling.targetMemoryUtilizationPercentage) "null") -}} +{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "memory" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetMemoryUtilizationPercentage )) )) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) "status" (dict "desiredReplicas" 0 "currentMetrics" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "autoscaling/v2" "kind" "HorizontalPodAutoscaler" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) 
"spec" (mustMergeOverwrite (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) (dict "scaleTargetRef" (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "apiVersion" "apps/v1" "kind" "Deployment" "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) "minReplicas" ($values.autoscaling.minReplicas | int) "maxReplicas" ($values.autoscaling.maxReplicas | int) "metrics" $metrics )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_ingress.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_ingress.go.tpl new file mode 100644 index 0000000000..0df05e870b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_ingress.go.tpl 
@@ -0,0 +1,46 @@ +{{- /* Generated from "ingress.go" */ -}} + +{{- define "console.Ingress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.ingress.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tls := (coalesce nil) -}} +{{- range $_, $t := $values.ingress.tls -}} +{{- $hosts := (coalesce nil) -}} +{{- range $_, $host := $t.hosts -}} +{{- $hosts = (concat (default (list ) $hosts) (list (tpl $host $dot))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $tls = (concat (default (list ) $tls) (list (mustMergeOverwrite (dict ) (dict "secretName" $t.secretName "hosts" $hosts )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $rules := (coalesce nil) -}} +{{- range $_, $host := $values.ingress.hosts -}} +{{- $paths := (coalesce nil) -}} +{{- range $_, $path := $host.paths -}} +{{- $paths = (concat (default (list ) $paths) (list (mustMergeOverwrite (dict "pathType" (coalesce nil) "backend" (dict ) ) (dict "path" $path.path "pathType" $path.pathType "backend" (mustMergeOverwrite (dict ) (dict "service" (mustMergeOverwrite (dict "name" "" "port" (dict ) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "port" (mustMergeOverwrite (dict ) (dict "number" ($values.service.port | int) )) )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $rules = (concat (default (list ) $rules) (list (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "http" (mustMergeOverwrite (dict "paths" (coalesce nil) ) (dict "paths" $paths )) )) (dict "host" (tpl $host.host $dot) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) 
"spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "kind" "Ingress" "apiVersion" "networking.k8s.io/v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.ingress.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "ingressClassName" $values.ingress.className "tls" $tls "rules" $rules )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_notes.go.tpl new file mode 100644 index 0000000000..6b58b21ef4 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_notes.go.tpl 
@@ -0,0 +1,40 @@ +{{- /* Generated from "notes.go" */ -}} + +{{- define "console.Notes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $commands := (list `1. Get the application URL by running these commands:`) -}} +{{- if $values.ingress.enabled -}} +{{- $scheme := "http" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.ingress.tls) ))) "r") | int) (0 | int)) -}} +{{- $scheme = "https" -}} +{{- end -}} +{{- range $_, $host := $values.ingress.hosts -}} +{{- range $_, $path := $host.paths -}} +{{- $commands = (concat (default (list ) $commands) (list (printf "%s://%s%s" $scheme $host.host $path.path))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list (printf ` export NODE_PORT=$(kubectl get --namespace %s -o jsonpath="{.spec.ports[0].nodePort}" services %s)` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export NODE_IP=$(kubectl get nodes --namespace %s -o jsonpath="{.items[0].status.addresses[0].address}")` $dot.Release.Namespace) " echo http://$NODE_IP:$NODE_PORT")) -}} +{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list ` NOTE: It may take a few minutes for the LoadBalancer IP to be available.` (printf ` You can watch the status of by running 'kubectl get --namespace %s svc -w %s'` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export SERVICE_IP=$(kubectl get svc --namespace %s %s --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")` $dot.Release.Namespace (get (fromJson (include 
"console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` echo http://$SERVICE_IP:%d` ($values.service.port | int)))) -}} +{{- else -}}{{- if (contains "ClusterIP" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list (printf ` export POD_NAME=$(kubectl get pods --namespace %s -l "app.kubernetes.io/name=%s,app.kubernetes.io/instance=%s" -o jsonpath="{.items[0].metadata.name}")` $dot.Release.Namespace (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Name) (printf ` export CONTAINER_PORT=$(kubectl get pod --namespace %s $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")` $dot.Release.Namespace) ` echo "Visit http://127.0.0.1:8080 to use your application"` (printf ` kubectl --namespace %s port-forward $POD_NAME 8080:$CONTAINER_PORT` $dot.Release.Namespace))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $commands) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_secret.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_secret.go.tpl new file mode 100644 index 0000000000..6af16b1c83 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_secret.go.tpl 
@@ -0,0 +1,22 @@ +{{- /* Generated from "secret.go" */ -}} + +{{- define "console.Secret" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.secret.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $jwtSecret := $values.secret.login.jwtSecret -}} +{{- if (eq $jwtSecret "") -}} +{{- $jwtSecret = (randAlphaNum (32 | int)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "kafka-sasl-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.saslPassword "") ))) "r") "kafka-protobuf-git-basicauth-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.protobufGitBasicAuthPassword "") ))) "r") "kafka-sasl-aws-msk-iam-secret-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.awsMskIamSecretKey "") ))) "r") "kafka-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCa "") ))) "r") "kafka-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCert "") ))) "r") "kafka-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsKey "") ))) "r") "kafka-schema-registry-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryPassword "") ))) "r") "kafka-schemaregistry-tls-ca" (get (fromJson (include 
"_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCa "") ))) "r") "kafka-schemaregistry-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCert "") ))) "r") "kafka-schemaregistry-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsKey "") ))) "r") "login-jwt-secret" $jwtSecret "login-google-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.clientSecret "") ))) "r") "login-google-groups-service-account.json" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.groupsServiceAccount "") ))) "r") "login-github-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.clientSecret "") ))) "r") "login-github-personal-access-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.personalAccessToken "") ))) "r") "login-okta-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.clientSecret "") ))) "r") "login-okta-directory-api-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.directoryApiToken "") ))) "r") "login-oidc-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.oidc.clientSecret "") ))) "r") "enterprise-license" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.enterprise.license "") ))) "r") "redpanda-admin-api-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.password "") ))) "r") "redpanda-admin-api-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCa "") ))) "r") "redpanda-admin-api-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCert "") 
))) "r") "redpanda-admin-api-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsKey "") ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_service.go.tpl new file mode 100644 index 0000000000..8fac3d4542 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_service.go.tpl 
@@ -0,0 +1,20 @@ +{{- /* Generated from "service.go" */ -}} + +{{- define "console.Service" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $port := (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "port" (($values.service.port | int) | int) "protocol" "TCP" )) -}} +{{- if (ne (toJson $values.service.targetPort) "null") -}} +{{- $_ := (set $port "targetPort" $values.service.targetPort) -}} +{{- end -}} +{{- if (and (contains "NodePort" (toString $values.service.type)) (ne (toJson $values.service.nodePort) "null")) -}} +{{- $_ := (set $port "nodePort" $values.service.nodePort) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.service.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" $values.service.type "selector" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") "ports" (list $port) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_serviceaccount.go.tpl new file mode 100644 index 0000000000..5a49ba3fdb --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_serviceaccount.go.tpl 
@@ -0,0 +1,39 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "console.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.serviceAccount.create -}} +{{- if (ne $values.serviceAccount.name "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.serviceAccount.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ServiceAccount" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.serviceAccount.annotations )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_shims.tpl new file mode 100644 index 0000000000..1e6d0425c3 --- /dev/null 
+++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/_shims.tpl 
@@ -0,0 +1,289 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $ptr) "null") -}} +{{- $_ := (fail "nil dereference") 
-}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $m) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $ptr) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq (toJson $a) "null") (eq (toJson $b) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := 
false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) 
))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- 
break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne (toJson $manifest) "null" }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/entry-point.yaml b/charts/redpanda/redpanda/5.9.18/charts/console/templates/entry-point.yaml new file mode 100644 index 0000000000..01fb6d68b2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/entry-point.yaml 
@@ -0,0 +1,17 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- include "_shims.render-manifest" (list "console.render" .) -}}
diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/templates/tests/test-connection.yaml b/charts/redpanda/redpanda/5.9.18/charts/console/templates/tests/test-connection.yaml
new file mode 100644
index 0000000000..de17fb2b1d
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/charts/console/templates/tests/test-connection.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.tests.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "console.fullname" . }}-test-connection"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "console.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+{{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+{{- end }}
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "console.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
+ priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
\ No newline at end of file
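Review bot: The test hook pod in test-connection.yaml runs `image: busybox` with no tag or digest and no securityContext, so the connectivity check pulls a floating image and runs with the image's default user (typically root) in the release namespace, while the chart's own pod defaults to `runAsNonRoot: true` in values.yaml. Pin the image and give the container a restricted securityContext as below; `readOnlyRootFilesystem` is left out because wget writes the fetched index into the working directory. The template also calls `console.fullname` and `console.labels` (lowercase) whereas the generated templates in this commit define `console.Fullname` and `console.Labels`; I cannot see from this diff whether the lowercase helpers are defined elsewhere in the chart, so a `helm template` run with `tests.enabled: true` should confirm it renders. Adding `"helm.sh/hook-delete-policy": hook-succeeded` next to the `helm.sh/hook` annotation would also stop completed test pods from lingering.
```yaml
  containers:
    - name: wget
      image: busybox:<PINNED_TAG_OR_DIGEST>  # placeholder: pin to a specific tag or digest
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
      command: ['wget']
      args: ['{{ include "console.fullname" . }}:{{ .Values.service.port }}']
```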
diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/values.schema.json b/charts/redpanda/redpanda/5.9.18/charts/console/values.schema.json
new file mode 100644
index 0000000000..f4f369e98a
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/charts/console/values.schema.json
@@ -0,0 +1,323 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "type": "object",
+ "required": [
+ "image"
+ ],
+ "properties": {
+ "affinity": {
+ "type": "object"
+ },
+ "autoscaling": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "maxReplicas": {
+ "type": "integer"
+ },
+ "minReplicas": {
+ "type": "integer"
+ },
+ "targetCPUUtilizationPercentage": {
+ "type": "integer"
+ }
+ }
+ },
+ "configmap": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ }
+ }
+ },
+ "console": {
+ "type": "object"
+ },
+ "deployment": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ }
+ }
+ },
+ "extraContainers": {
+ "type": "array"
+ },
+ "extraEnv": {
+ "type": "array"
+ },
+ "extraEnvFrom": {
+ "type": "array"
+ },
+ "extraVolumeMounts": {
+ "type": "array"
+ },
+ "extraVolumes": {
+ "type": "array"
+ },
+ "fullnameOverride": {
+ "type": "string"
+ },
+ "image": {
+ "type": "object",
+ "required": [
+ "repository"
+ ],
+ "properties": {
+ "pullPolicy": {
+ "type": "string"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string",
+ "minLength": 1
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "imagePullSecrets": {
+ "type": "array"
+ },
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "className": {
+ "type": ["string", "null"]
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "hosts": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "paths": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "pathType": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "tls": {
+ "type": "array"
+ }
+ }
+ },
+ "livenessProbe": {
+ "type": "object",
+ "properties": {
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "successThreshold": {
+ "type": "integer"
+ },
+ "timeoutSeconds": {
+ "type": "integer"
+ }
+ }
+ },
+ "nameOverride": {
+ "type": "string"
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "annotations": {
+ "type": "object"
+ },
+ "podAnnotations": {
+ "type": "object"
+ },
+ "podSecurityContext": {
+ "type": "object",
+ "properties": {
+ "fsGroup": {
+ "type": "integer"
+ },
+ "runAsUser": {
+ "type": "integer"
+ }
+ }
+ },
+ "readinessProbe": {
+ "type": "object",
+ "properties": {
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "successThreshold": {
+ "type": "integer"
+ },
+ "timeoutSeconds": {
+ "type": "integer"
+ }
+ }
+ },
+ "replicaCount": {
+ "type": "integer"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "secret": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "enterprise": {
+ "type": "object"
+ },
+ "kafka": {
+ "type": "object"
+ },
+ "login": {
+ "type": "object",
+ "properties": {
+ "jwtSecret": {
+ "type": "string"
+ },
+ "github": {
+ "type": "object"
+ },
+ "google": {
+ "type": "object"
+ },
+ "oidc": {
+ "type": "object"
+ },
+ "okta": {
+ "type": "object"
+ }
+ }
+ },
+ "redpanda": {
+ "type": "object",
+ "properties": {
+ "adminApi": {
+ "type": "object"
+ }
+ }
+ }
+ }
+ },
+ "secretMounts": {
+ "type": "array"
+ },
+ "securityContext": {
+ "type": "object",
+ "properties": {
+ "runAsNonRoot": {
+ "type": "boolean"
+ }
+ }
+ },
+ "service": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "nodePort": {
+ "type": "integer"
+ },
+ "targetPort": {
+ "anyOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "type": {
+ "type": "string"
+ }
+ }
+ },
+ "automountServiceAccountToken": {
+ "type": "boolean"
+ },
+ "serviceAccount": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "automountServiceAccountToken": {
+ "type": "boolean"
+ },
+ "name": {
+ "type": "string"
+ }
+ }
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "initContainers": {
+ "type": "object",
+ "properties": {
+ "extraInitContainers": {
+ "type": "string"
+ }
+ }
+ },
+ "strategy": {
+ "type": "object"
+ },
+ "tests": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+}
diff --git a/charts/redpanda/redpanda/5.9.18/charts/console/values.yaml b/charts/redpanda/redpanda/5.9.18/charts/console/values.yaml
new file mode 100644
index 0000000000..4825fc4876
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/charts/console/values.yaml
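Review bot: The schema omits several keys that the values.yaml added in this same commit defines — `commonLabels`, `podLabels`, `topologySpreadConstraints`, `priorityClassName` and the top-level `enterprise` block — and it does not set `additionalProperties: false`, so a misspelt override of any of those keys validates silently and is dropped at render time. Adding entries such as `"priorityClassName": { "type": "string" }` and `"topologySpreadConstraints": { "type": "array" }` keeps validation in step with the defaults. `secret.login.jwtSecret` is typed as a bare string, so the empty default passes validation; since a `minLength` cannot be applied unconditionally here, the requirement is better stated in a comment next to the default in values.yaml.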
@@ -0,0 +1,279 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for console.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+# -- Redpanda Console Docker image settings.
+image:
+ registry: docker.redpanda.com
+ # -- Docker repository from which to pull the Redpanda Docker image.
+ repository: redpandadata/console
+ # -- The imagePullPolicy.
+ pullPolicy: IfNotPresent
+ # -- The Redpanda Console version.
+ # See DockerHub for:
+ # [All stable versions](https://hub.docker.com/r/redpandadata/console/tags)
+ # and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags).
+ # @default -- `Chart.appVersion`
+ tag: ""
+
+# -- Pull secrets may be used to provide credentials to image repositories
+# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+
+# -- Override `console.name` template.
+nameOverride: ""
+# -- Override `console.fullname` template.
+fullnameOverride: ""
+
+# -- Automount API credentials for the Service Account into the pod.
+automountServiceAccountToken: true
+
+serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: true
+ # -- Specifies whether a service account should automount API-Credentials
+ automountServiceAccountToken: true
+ # -- Annotations to add to the service account.
+ annotations: {}
+ # -- The name of the service account to use.
+ # If not set and `serviceAccount.create` is `true`,
+ # a name is generated using the `console.fullname` template
+ name: ""
+
+# Common labels to add to all the pods
+commonLabels: {}
+
+# -- Annotations to add to the deployment.
+annotations: {}
+
+podAnnotations: {}
+
+podLabels: {}
+
+podSecurityContext:
+ runAsUser: 99
+ fsGroup: 99
+
+securityContext:
+ runAsNonRoot: true
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 8080
+ # nodePort: 30001
+ # -- Override the value in `console.config.server.listenPort` if not `nil`
+ targetPort:
+ annotations: {}
+
+ingress:
+ enabled: false
+ className:
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as minikube. If you want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+topologySpreadConstraints: []
+
+# -- PriorityClassName given to Pods.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+priorityClassName: ""
+
+console:
+ # -- Settings for the `Config.yaml` (required).
+ # For a reference of configuration settings,
+ # see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/).
+ config: {}
+ # roles:
+ # roleBindings:
+
+# -- Additional environment variables for the Redpanda Console Deployment.
+extraEnv: []
+ # - name: KAFKA_RACKID
+ # value: "1"
+
+# -- Additional environment variables for Redpanda Console mapped from Secret or ConfigMap.
+extraEnvFrom: []
+# - secretRef:
+# name: kowl-config-secret
+
+# -- Add additional volumes, such as for TLS keys.
+extraVolumes: []
+# - name: kafka-certs
+# secret:
+# secretName: kafka-certs
+# - name: config
+# configMap:
+# name: console-config
+
+# -- Add additional volume mounts, such as for TLS keys.
+extraVolumeMounts: []
+# - name: kafka-certs # Must match the volume name
+# mountPath: /etc/kafka/certs
+# readOnly: true
+
+# -- Add additional containers, such as for oauth2-proxy.
+extraContainers: []
+
+# -- Any initContainers defined should be written here
+initContainers:
+ # -- Additional set of init containers
+ extraInitContainers: |-
+# - name: "test-init-container"
+# image: "mintel/docker-alpine-bash-curl-jq:latest"
+# command: [ "/bin/bash", "-c" ]
+# args:
+# - |
+# set -xe
+# echo "Hello World!"
+
+# -- SecretMounts is an abstraction to make a Secret available in the container's filesystem.
+# Under the hood it creates a volume and a volume mount for the Redpanda Console container.
+secretMounts: []
+# - name: kafka-certs
+# secretName: kafka-certs
+# path: /etc/console/certs
+# defaultMode: 0755
+
+# -- Create a new Kubernetes Secret for all sensitive configuration inputs.
+# Each provided Secret is mounted automatically and made available to the
+# Pod.
+# If you want to use one or more existing Secrets,
+# you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets.
+secret:
+ create: true
+
+ # Secret values in case you want the chart to create a Secret. All Certificates are mounted
+ # as files and the path to those files are configured through environment variables so
+ # that Console can automatically pick them up.
+ # -- Kafka Secrets.
+ kafka: {}
+ # saslPassword:
+ # awsMskIamSecretKey:
+ # tlsCa:
+ # tlsCert:
+ # tlsKey:
+ # tlsPassphrase:
+ # schemaRegistryPassword:
+ # schemaRegistryTlsCa:
+ # schemaRegistryTlsCert:
+ # schemaRegistryTlsKey:
+ # protobufGitBasicAuthPassword
+ # Enterprise version secrets
+ # - SSO secrets (Enterprise version).
+ login:
+ # Configurable JWT value
+ jwtSecret: ""
+ google: {}
+ # clientSecret:
+ # groupsServiceAccount:
+ github: {}
+ # clientSecret:
+ # personalAccessToken:
+ okta: {}
+ # clientSecret:
+ # directoryApiToken:
+ oidc: {}
+ # clientSecret:
+
+ enterprise: {}
+ # license:
+
+ redpanda:
+ adminApi: {}
+ # password:
+ # tlsCa:
+ # tlsCert:
+ # tlsKey:
+
+# -- Settings for license key, as an alternative to secret.enterprise when
+# a license secret is available
+enterprise:
+ licenseSecretRef:
+ name: ""
+ key: ""
+
+# -- Settings for liveness and readiness probes.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes).
+livenessProbe:
+ # initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+
+readinessProbe:
+ # -- Grant time to test connectivity to upstream services such as Kafka and Schema Registry.
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+
+configmap:
+ create: true
+deployment:
+ create: true
+
+strategy: {}
+
+tests:
+  enabled: true
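Review bot: `automountServiceAccountToken: true` is the default both at the top level and under `serviceAccount`, so every Console pod receives a projected API token although nothing visible in this values file needs the Kubernetes API; unless a deployment template in the chart depends on it, the safer default is `automountServiceAccountToken: false` at both levels with users opting in. The `securityContext` block only sets `runAsNonRoot: true` and leaves `capabilities`/`readOnlyRootFilesystem` as commented hints, so the container keeps the default capability set and may gain privileges; the block below brings it in line with the restricted Pod Security Standard, with `readOnlyRootFilesystem` left commented because I cannot tell from here whether Console writes to its rootfs. `secret.login.jwtSecret: ""` together with `secret.create: true` means an empty JWT signing value is written into the generated Secret by default; a comment such as `# -- Must be set to a strong random value when SSO login is enabled` on that key, or a template-side check, would prevent a silent weak default.
```yaml
securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
  # readOnlyRootFilesystem: true  # enable if Console does not need a writable rootfs
```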
diff --git a/charts/redpanda/redpanda/5.9.18/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.18/templates/NOTES.txt
new file mode 100644
index 0000000000..6992f8e36d
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/templates/NOTES.txt
@@ -0,0 +1,26 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $warnings := (get ((include "redpanda.Warnings" (dict "a" (list .))) | fromJson) "r") }}
+{{- range $_, $warning := $warnings }}
+{{ $warning }}
+{{- end }}
+
+{{- $notes := (get ((include "redpanda.Notes" (dict "a" (list .))) | fromJson) "r") }}
+{{- range $_, $note := $notes }}
+{{ $note }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.18/templates/_cert-issuers.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_cert-issuers.go.tpl
new file mode 100644
index 0000000000..0246c45d88
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/templates/_cert-issuers.go.tpl
@@ -0,0 +1,59 @@ +{{- /* Generated from "cert_issuers.go" */ -}} + +{{- define "redpanda.CertIssuers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_30_issuers__ := (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r") -}} +{{- $issuers := (index $_30_issuers__ 0) -}} +{{- $_ := (index $_30_issuers__ 1) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $issuers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RootCAs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_35___cas := (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (index $_35___cas 0) -}} +{{- $cas := (index $_35___cas 1) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cas) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.certIssuersAndCAs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $issuers := (coalesce nil) -}} +{{- $certs := (coalesce nil) -}} +{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $name, $data := $values.tls.certs -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- if (eq (toJson $data.issuerRef) "null") -}} +{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" 
(printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "selfSigned" (mustMergeOverwrite (dict ) (dict )) )) (dict )) )))) -}} +{{- end -}} +{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "ca" (mustMergeOverwrite (dict "secretName" "" ) (dict "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) )) )) (dict )) )))) -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "duration" (get 
(fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list (default "43800h" $data.duration)) ))) "r")) ))) "r") "isCA" true "commonName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "kind" "Issuer" "group" "cert-manager.io" )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_certs.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_certs.go.tpl new file mode 100644 index 0000000000..ca2dfc4e95 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_certs.go.tpl 
@@ -0,0 +1,71 @@ +{{- /* Generated from "certs.go" */ -}} + +{{- define "redpanda.ClientCerts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} +{{- $ns := $dot.Release.Namespace -}} +{{- $domain := (trimSuffix "." $values.clusterDomain) -}} +{{- $certs := (coalesce nil) -}} +{{- range $name, $data := $values.tls.certs -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $names := (coalesce nil) -}} +{{- if (or (eq (toJson $data.issuerRef) "null") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.applyInternalDNSNames false) ))) "r")) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default 
(list ) $names) (list (printf "%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s" $service $ns))) -}} +{{- end -}} +{{- if (ne (toJson $values.external.domain) "null") -}} +{{- $names = (concat (default (list ) $names) (list (tpl $values.external.domain $dot))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s" (tpl $values.external.domain $dot)))) -}} +{{- end -}} +{{- $duration := (default "43800h" $data.duration) -}} +{{- $issuerRef := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.issuerRef (mustMergeOverwrite (dict "name" "" ) (dict "kind" "Issuer" "group" "cert-manager.io" "name" (printf "%s-%s-root-issuer" $fullname $name) ))) ))) "r") -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "dnsNames" $names "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration) ))) "r")) ))) "r") "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite 
(dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $name := $values.listeners.kafka.tls.cert -}} +{{- $_87_data_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.tls.certs $name (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil) )) ))) "r") -}} +{{- $data := (index $_87_data_ok 0) -}} +{{- $ok := (index $_87_data_ok 1) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced but not defined" $name)) -}} +{{- end -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $certs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $issuerRef := (mustMergeOverwrite (dict "name" "" ) (dict "group" "cert-manager.io" "kind" "Issuer" "name" (printf "%s-%s-root-issuer" $fullname $name) )) -}} +{{- if (ne (toJson $data.issuerRef) "null") -}} +{{- $issuerRef = $data.issuerRef -}} +{{- $_ := (set $issuerRef "group" "cert-manager.io") -}} +{{- end -}} +{{- $duration := (default "43800h" $data.duration) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "commonName" (printf "%s-client" $fullname) "duration" (get 
(fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration) ))) "r")) ))) "r") "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" $issuerRef )) ))))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_chart.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_chart.go.tpl new file mode 100644 index 0000000000..5852b10631 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_chart.go.tpl 
@@ -0,0 +1,63 @@ +{{- /* Generated from "chart.go" */ -}} + +{{- define "redpanda.render" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $manifests := (list (get (fromJson (include "redpanda.NodePortService" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.PodDisruptionBudget" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceAccount" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceInternal" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceMonitor" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.SidecarControllersRole" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.SidecarControllersRoleBinding" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.StatefulSet" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.PostInstallUpgradeJob" (dict "a" (list $dot) ))) "r")) -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.ConfigMaps" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.CertIssuers" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.RootCAs" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.ClientCerts" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson 
(include "redpanda.ClusterRoleBindings" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.ClusterRoles" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.LoadBalancerServices" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $obj := (get (fromJson (include "redpanda.Secrets" (dict "a" (list $dot) ))) "r") -}} +{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $manifests = (concat (default (list ) $manifests) (default (list ) (get (fromJson (include "redpanda.consoleChartIntegration" (dict "a" (list $dot) ))) "r"))) -}} +{{- $manifests = (concat (default (list ) $manifests) (default (list ) (get (fromJson (include "redpanda.connectorsChartIntegration" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_configmap.go.tpl new file mode 100644 index 0000000000..5d4b121c4e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_configmap.go.tpl 
@@ -0,0 +1,579 @@ +{{- /* Generated from "configmap.tpl.go" */ -}} + +{{- define "redpanda.ConfigMaps" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cms := (list (get (fromJson (include "redpanda.RedpandaConfigMap" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RPKProfile" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cms) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "bootstrap.yaml" (get (fromJson (include "redpanda.BootstrapFile" (dict "a" (list $dot) ))) "r") "redpanda.yaml" (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot true) ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapFile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $bootstrap := (dict "kafka_enable_authorization" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_sasl" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_rack_awareness" $values.rackAwareness.enabled "storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list 
$values.storage) ))) "r") | int64) ) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.AuditLogging.Translate" (dict "a" (list $values.auditLogging $dot (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Logging.Translate" (dict "a" (list $values.logging) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TunableConfig.Translate" (dict "a" (list $values.config.tunable) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.ClusterConfig.Translate" (dict "a" (list $values.config.cluster) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Auth.Translate" (dict "a" (list $values.auth (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TieredStorageConfig.Translate" (dict "a" (list (deepCopy (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) $values.storage.tiered.credentialsSecretRef) ))) "r")) -}} +{{- $_85___ok_1 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "default_topic_replications" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_85___ok_1 0) -}} +{{- $ok_1 := (index $_85___ok_1 1) -}} +{{- if (and (not $ok_1) (ge ($values.statefulset.replicas | int) (3 | int))) -}} +{{- $_ := (set $bootstrap "default_topic_replications" (3 | int)) -}} +{{- end -}} +{{- $_90___ok_2 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "storage_min_free_bytes" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_90___ok_2 0) -}} +{{- $ok_2 := (index $_90___ok_2 1) -}} +{{- if (not $ok_2) -}} +{{- $_ := (set $bootstrap "storage_min_free_bytes" 
((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (toYaml $bootstrap)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigFile" -}} +{{- $dot := (index .a 0) -}} +{{- $includeSeedServer := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $redpanda := (dict "empty_seed_starts_cluster" false ) -}} +{{- if $includeSeedServer -}} +{{- $_ := (set $redpanda "seed_servers" (get (fromJson (include "redpanda.Listeners.CreateSeedServers" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r")) -}} +{{- end -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.NodeConfig.Translate" (dict "a" (list $values.config.node) ))) "r")) -}} +{{- $_ := (get (fromJson (include "redpanda.configureListeners" (dict "a" (list $redpanda $dot) ))) "r") -}} +{{- $redpandaYaml := (dict "redpanda" $redpanda "schema_registry" (get (fromJson (include "redpanda.schemaRegistry" (dict "a" (list $dot) ))) "r") "schema_registry_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "pandaproxy" (get (fromJson (include "redpanda.pandaProxyListener" (dict "a" (list $dot) ))) "r") "pandaproxy_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "rpk" (get (fromJson (include "redpanda.rpkNodeConfig" (dict "a" (list $dot) ))) "r") "config_file" "/etc/redpanda/redpanda.yaml" ) -}} +{{- if (and (and (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r") $values.auditLogging.enabled) (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) 
"r")) -}} +{{- $_ := (set $redpandaYaml "audit_log_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r")) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (toYaml $redpandaYaml)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RPKProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.external.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-rpk" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "profile" (toYaml (get (fromJson (include "redpanda.rpkProfile" (dict "a" (list $dot) ))) "r")) ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedKafkaPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminAdvertisedList := (list ) -}} +{{- range $_, $i := 
untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $adminAdvertisedList = (concat (default (list ) $adminAdvertisedList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedAdminPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $schemaAdvertisedList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $schemaAdvertisedList = (concat (default (list ) $schemaAdvertisedList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedSchemaPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $kafkaTLS := (get (fromJson (include "redpanda.rpkKafkaClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $_178___ok_3 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $kafkaTLS "ca_file" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_178___ok_3 0) -}} +{{- $ok_3 := (index $_178___ok_3 1) -}} +{{- if $ok_3 -}} +{{- $_ := (set $kafkaTLS "ca_file" "ca.crt") -}} +{{- end -}} +{{- $adminTLS := (get (fromJson (include "redpanda.rpkAdminAPIClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $_184___ok_4 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $adminTLS "ca_file" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_184___ok_4 0) -}} +{{- $ok_4 := (index $_184___ok_4 1) -}} +{{- if $ok_4 -}} +{{- $_ := (set $adminTLS "ca_file" "ca.crt") -}} +{{- end -}} +{{- $schemaTLS := (get (fromJson (include "redpanda.rpkSchemaRegistryClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $_190___ok_5 := (get (fromJson (include "_shims.dicttest" (dict "a" (list 
$schemaTLS "ca_file" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_190___ok_5 0) -}} +{{- $ok_5 := (index $_190___ok_5 1) -}} +{{- if $ok_5 -}} +{{- $_ := (set $schemaTLS "ca_file" "ca.crt") -}} +{{- end -}} +{{- $ka := (dict "brokers" $brokerList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $kafkaTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $ka "tls" $kafkaTLS) -}} +{{- end -}} +{{- $aa := (dict "addresses" $adminAdvertisedList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $adminTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $aa "tls" $adminTLS) -}} +{{- end -}} +{{- $sa := (dict "addresses" $schemaAdvertisedList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $schemaTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $sa "tls" $schemaTLS) -}} +{{- end -}} +{{- $result := (dict "name" (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") "kafka_api" $ka "admin_api" $aa "schema_registry" $sa ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedKafkaPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $externalKafkaListenerName := (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") -}} +{{- $listener := (ternary (index $values.listeners.kafka.external $externalKafkaListenerName) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "prefixTemplate" (coalesce nil) "tls" (coalesce nil) ) (hasKey $values.listeners.kafka.external $externalKafkaListenerName)) -}} +{{- $port := (($values.listeners.kafka.port | int) | int) -}} +{{- if (gt 
(($listener.port | int) | int) ((1 | int) | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedAdminPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.admin.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $externalAdminListenerName := (first $keys) -}} +{{- $listener := (ternary (index $values.listeners.admin.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalAdminListenerName) ))) "r")) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "tls" (coalesce nil) ) (hasKey $values.listeners.admin.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalAdminListenerName) ))) "r"))) -}} +{{- $port := (($values.listeners.admin.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) (1 | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 
| int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedSchemaPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.schemaRegistry.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $externalSchemaListenerName := (first $keys) -}} +{{- $listener := (ternary (index $values.listeners.schemaRegistry.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalSchemaListenerName) ))) "r")) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "tls" (coalesce nil) ) (hasKey $values.listeners.schemaRegistry.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalSchemaListenerName) ))) "r"))) -}} +{{- $port := (($values.listeners.schemaRegistry.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) (1 | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHost" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $address := (printf "%s-%d" (get (fromJson 
(include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ($i | int)) -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address (tpl $values.external.domain $dot)) -}} +{{- end -}} +{{- if (le ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- else -}} +{{- $address = (index $values.external.addresses $i) -}} +{{- end -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address (tpl $values.external.domain $dot)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.getFirstExternalKafkaListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" (first $keys)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BrokerList" -}} +{{- $dot := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $bl := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $bl = (concat (default (list ) $bl) (list (printf "%s-%d.%s:%d" (get (fromJson (include 
"redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") $port))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $bl) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkNodeConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") -}} +{{- $adminTLS := (coalesce nil) -}} +{{- $tls_6 := (get (fromJson (include "redpanda.rpkAdminAPIClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_6) ))) "r") | int) (0 | int)) -}} +{{- $adminTLS = $tls_6 -}} +{{- end -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- $tls_7 := (get (fromJson (include "redpanda.rpkKafkaClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_7) ))) "r") | int) (0 | int)) -}} +{{- $brokerTLS = $tls_7 -}} +{{- end -}} +{{- $schemaRegistryTLS := (coalesce nil) -}} +{{- $tls_8 := (get (fromJson (include "redpanda.rpkSchemaRegistryClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_8) ))) "r") | int) (0 | int)) -}} +{{- $schemaRegistryTLS = $tls_8 -}} +{{- end -}} +{{- $result := (dict "overprovisioned" (get (fromJson (include "redpanda.RedpandaResources.GetOverProvisionValue" (dict "a" (list $values.resources) ))) "r") "enable_memory_locking" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.resources.memory.enable_memory_locking false) ))) "r") "additional_start_flags" (get (fromJson (include "redpanda.RedpandaAdditionalStartFlags" (dict 
"a" (list $dot ((get (fromJson (include "redpanda.RedpandaSMP" (dict "a" (list $dot) ))) "r") | int64)) ))) "r") "kafka_api" (dict "brokers" $brokerList "tls" $brokerTLS ) "admin_api" (dict "addresses" (get (fromJson (include "redpanda.Listeners.AdminList" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r") "tls" $adminTLS ) "schema_registry" (dict "addresses" (get (fromJson (include "redpanda.Listeners.SchemaRegistryList" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r") "tls" $schemaRegistryTLS ) ) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Tuning.Translate" (dict "a" (list $values.tuning) ))) "r")) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Config.CreateRPKConfiguration" (dict "a" (list $values.config) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkKafkaClientTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tls := $values.listeners.kafka.tls -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}} +{{- if $tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get 
(fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkAdminAPIClientTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tls := $values.listeners.admin.tls -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}} +{{- if $tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkSchemaRegistryClientTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tls := $values.listeners.schemaRegistry.tls -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict "ca_file" (get (fromJson (include 
"redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}} +{{- if $tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.kafkaClient" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (dict "address" (printf "%s-%d.%s" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) "port" ($values.listeners.kafka.port | int) ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $kafkaTLS := $values.listeners.kafka.tls -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r") -}} +{{- $brokerTLS = (dict "enabled" true "require_client_auth" $kafkaTLS.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $kafkaTLS $values.tls) ))) "r") ) -}} +{{- if $kafkaTLS.requireClientAuth -}} +{{- $_ := (set $brokerTLS "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $brokerTLS "key_file" (printf "%s/%s-client/tls.key" 
"/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- end -}} +{{- $cfg := (dict "brokers" $brokerList ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $brokerTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $cfg "broker_tls" $brokerTLS) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cfg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.configureListeners" -}} +{{- $redpanda := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_ := (set $redpanda "admin" (get (fromJson (include "redpanda.AdminListeners.Listeners" (dict "a" (list $values.listeners.admin) ))) "r")) -}} +{{- $_ := (set $redpanda "kafka_api" (get (fromJson (include "redpanda.KafkaListeners.Listeners" (dict "a" (list $values.listeners.kafka $values.auth) ))) "r")) -}} +{{- $_ := (set $redpanda "rpc_server" (get (fromJson (include "redpanda.rpcListeners" (dict "a" (list $dot) ))) "r")) -}} +{{- $_ := (set $redpanda "admin_api_tls" (coalesce nil)) -}} +{{- $tls_9 := (get (fromJson (include "redpanda.AdminListeners.ListenersTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_9) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "admin_api_tls" $tls_9) -}} +{{- end -}} +{{- $_ := (set $redpanda "kafka_api_tls" (coalesce nil)) -}} +{{- $tls_10 := (get (fromJson (include "redpanda.KafkaListeners.ListenersTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_10) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "kafka_api_tls" $tls_10) -}} +{{- end -}} +{{- $tls_11 := (get (fromJson (include "redpanda.rpcListenersTLS" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include 
"_shims.len" (dict "a" (list $tls_11) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "rpc_server_tls" $tls_11) -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.pandaProxyListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $pandaProxy := (dict ) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api" (get (fromJson (include "redpanda.HTTPListeners.Listeners" (dict "a" (list $values.listeners.http (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" (coalesce nil)) -}} +{{- $tls_12 := (get (fromJson (include "redpanda.HTTPListeners.ListenersTLS" (dict "a" (list $values.listeners.http $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_12) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" $tls_12) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pandaProxy) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.schemaRegistry" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaReg := (dict ) -}} +{{- $_ := (set $schemaReg "schema_registry_api" (get (fromJson (include "redpanda.SchemaRegistryListeners.Listeners" (dict "a" (list $values.listeners.schemaRegistry (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" (coalesce nil)) -}} +{{- $tls_13 := (get (fromJson (include "redpanda.SchemaRegistryListeners.ListenersTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_13) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $schemaReg 
"schema_registry_api_tls" $tls_13) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $schemaReg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListenersTLS" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $r := $values.listeners.rpc -}} +{{- if (and (not ((or (or (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list $dot) ))) "r")) (get (fromJson (include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list $dot) ))) "r")))) ((or (and (eq (toJson $r.tls.enabled) "null") $values.tls.enabled) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $r.tls.enabled false) ))) "r")))) -}} +{{- $_ := (fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." 
(trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $r.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $certName := $r.tls.cert -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListeners" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "address" "0.0.0.0" "port" ($values.listeners.rpc.port | int) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerTLSCfg" -}} +{{- $tls := (index .a 0) -}} +{{- $internal := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $internal $tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $internal.cert) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.createInternalListenerCfg" -}} +{{- $port := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "name" "internal" "address" "0.0.0.0" "port" $port )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAdditionalStartFlags" -}} +{{- $dot := (index .a 0) -}} +{{- $smp := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $chartFlags := (dict "smp" (printf "%d" ($smp | int)) "memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "reserve-memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "default-log-level" $values.logging.logLevel ) -}} +{{- if (eq (index $values.config.node "developer_mode") true) -}} +{{- $_ := (unset $chartFlags "reserve-memory") -}} +{{- end -}} +{{- range $flag, $_ := $chartFlags -}} +{{- range $_, $userFlag := $values.statefulset.additionalRedpandaCmdFlags -}} +{{- if (regexMatch (printf "^--%s" $flag) $userFlag) -}} +{{- $_ := (unset $chartFlags $flag) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $keys := (keys $chartFlags) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $flags := (list ) -}} +{{- range $_, $key := $keys -}} +{{- $flags = (concat (default (list ) $flags) (list (printf "--%s=%s" $key (ternary (index $chartFlags $key) "" (hasKey $chartFlags $key))))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $flags) (default (list ) $values.statefulset.additionalRedpandaCmdFlags))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + 
diff --git a/charts/redpanda/redpanda/5.9.18/templates/_connectors.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_connectors.go.tpl new file mode 100644 index 0000000000..c9c31a95b5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_connectors.go.tpl 
@@ -0,0 +1,47 @@ +{{- /* Generated from "connectors.go" */ -}} + +{{- define "redpanda.connectorsChartIntegration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values -}} +{{- if (or (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.connectors.enabled false) ))) "r")) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.connectors.deployment.create false) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $connectorsDot := (index $dot.Subcharts "connectors") -}} +{{- $loadedValues := $connectorsDot.Values -}} +{{- $connectorsValue := $connectorsDot.Values -}} +{{- $_ := (set $connectorsValue "deployment" (merge (dict ) $connectorsValue.deployment (mustMergeOverwrite (dict "create" false "strategy" (dict ) "schedulerName" "" "budget" (dict "maxUnavailable" 0 ) "annotations" (coalesce nil) "extraEnv" (coalesce nil) "extraEnvFrom" (coalesce nil) "progressDeadlineSeconds" 0 "nodeSelector" (coalesce nil) "tolerations" (coalesce nil) "restartPolicy" "" ) (dict "create" true )))) -}} +{{- if (eq $connectorsValue.connectors.bootstrapServers "") -}} +{{- range $_, $b := (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $connectorsValue.connectors.bootstrapServers) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $connectorsValue.connectors "bootstrapServers" $b) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $connectorsValue.connectors "bootstrapServers" (printf "%s,%s" $connectorsValue.connectors.bootstrapServers $b)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_ := (set $connectorsValue.connectors "brokerTLS" (mustMergeOverwrite (dict "enabled" false "ca" (dict "secretRef" "" 
"secretNameOverwrite" "" ) "cert" (dict "secretRef" "" "secretNameOverwrite" "" ) "key" (dict "secretRef" "" "secretNameOverwrite" "" ) ) (dict "enabled" false "ca" (mustMergeOverwrite (dict "secretRef" "" "secretNameOverwrite" "" ) (dict )) "cert" (mustMergeOverwrite (dict "secretRef" "" "secretNameOverwrite" "" ) (dict )) "key" (mustMergeOverwrite (dict "secretRef" "" "secretNameOverwrite" "" ) (dict )) ))) -}} +{{- $_ := (set $connectorsValue.connectors "brokerTLS" (get (fromJson (include "redpanda.KafkaListeners.ConnectorsTLS" (dict "a" (list $values.listeners.kafka $values.tls (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $command := (list "bash" "-c" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" "set -e; IFS=':' read -r CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print));" (printf " CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-%s};" (get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) " export CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM;") " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-256\" ]] && CONNECT_SASL_MECHANISM=scram-sha-256;") " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-512\" ]] && CONNECT_SASL_MECHANISM=scram-sha-512;") " export CONNECT_SASL_MECHANISM;") " echo $CONNECT_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password;") " exec /opt/kafka/bin/kafka_connect_run.sh")) -}} +{{- $_ := (set $connectorsValue.deployment "command" $command) -}} +{{- $_ := (set $connectorsValue.auth "sasl" (merge (dict ) $connectorsValue.auth.sasl (mustMergeOverwrite (dict "enabled" false "mechanism" "" "secretRef" "" "userName" "" ) (dict "enabled" true )))) -}} +{{- $_ := (set $connectorsValue.storage "volume" (concat (default (list ) 
$connectorsValue.storage.volume) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $values.auth.sasl.secretRef )) )) (dict "name" (get (fromJson (include "redpanda.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "users") ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" (get (fromJson (include "redpanda.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "user-password") ))) "r") )))))) -}} +{{- $_ := (set $connectorsValue.storage "volumeMounts" (concat (default (list ) $connectorsValue.storage.volumeMounts) (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "users") ))) "r") "mountPath" "/mnt/users" "readOnly" true )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "user-password") ))) "r") "mountPath" "/opt/kafka/connect-password/rc-credentials" )))))) -}} +{{- $_ := (set $connectorsValue.deployment "extraEnv" (concat (default (list ) $connectorsValue.deployment.extraEnv) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_PASSWORD_FILE" "value" "rc-credentials/password" )))))) -}} +{{- end -}} +{{- $_ := (set $connectorsDot "Values" $connectorsValue) -}} +{{- $manifests := (list (get (fromJson (include "connectors.Deployment" (dict "a" (list $connectorsDot) ))) "r")) -}} +{{- $_ := (set $connectorsDot "Values" $loadedValues) -}} +{{- $_is_returning = true -}} 
+{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_console.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_console.go.tpl new file mode 100644 index 0000000000..340802ec43 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_console.go.tpl 
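Review bot: The SASL branch of `redpanda.connectorsChartIntegration` persists the credential with `echo $CONNECT_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password;`, where the unquoted expansion is subject to word splitting and glob expansion and bash's builtin `echo` treats a value beginning with `-n`/`-e` as an option, so some valid passwords are written altered. Use `printf '%s\n' "$CONNECT_SASL_PASSWORD" > /opt/kafka/connect-password/rc-credentials/password;` and consider prefixing `umask 077;`, since the target volume is declared as a bare `emptyDir` with no medium set (node disk by default). The `IFS=':' read -r CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM` parse also assumes the password contains no `:`; a colon would shift the remainder into `CONNECT_SASL_MECHANISM`, which deserves a comment next to the `read` line. Note as well that only the first line of the first file under `/mnt/users` is consumed, so whichever user is listed first in the `auth.sasl.secretRef` secret becomes the Connect identity — presumably intended, but currently undocumented.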
@@ -0,0 +1,165 @@ +{{- /* Generated from "console.tpl.go" */ -}} + +{{- define "redpanda.consoleChartIntegration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.enabled true) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $consoleDot := (index $dot.Subcharts "console") -}} +{{- $loadedValues := $consoleDot.Values -}} +{{- $consoleValue := $consoleDot.Values -}} +{{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}} +{{- if (and (ne $license_1 "") (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.secret.create false) ))) "r"))) -}} +{{- $_ := (set $consoleValue.secret "create" true) -}} +{{- $_ := (set $consoleValue.secret "enterprise" (mustMergeOverwrite (dict ) (dict "license" $license_1 ))) -}} +{{- end -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.configmap.create false) ))) "r")) -}} +{{- $_ := (set $consoleValue.configmap "create" true) -}} +{{- $_ := (set $consoleValue.console "config" (get (fromJson (include "redpanda.ConsoleConfig" (dict "a" (list $dot) ))) "r")) -}} +{{- end -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.deployment.create false) ))) "r")) -}} +{{- $_ := (set $consoleValue.deployment "create" true) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $command := (list "sh" "-c" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" "set -e; IFS=':' read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print));" (printf " KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s};" 
(get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) " export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM;") " export KAFKA_SCHEMAREGISTRY_USERNAME=$KAFKA_SASL_USERNAME;") " export KAFKA_SCHEMAREGISTRY_PASSWORD=$KAFKA_SASL_PASSWORD;") " export REDPANDA_ADMINAPI_USERNAME=$KAFKA_SASL_USERNAME;") " export REDPANDA_ADMINAPI_PASSWORD=$KAFKA_SASL_PASSWORD;") " /app/console $@") " --") -}} +{{- $_ := (set $consoleValue.deployment "command" $command) -}} +{{- end -}} +{{- $secret_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $secret_2) "null") -}} +{{- $_ := (set $consoleValue "enterprise" (mustMergeOverwrite (dict "licenseSecretRef" (dict "name" "" "key" "" ) ) (dict "licenseSecretRef" (mustMergeOverwrite (dict "name" "" "key" "" ) (dict "name" $secret_2.name "key" $secret_2.key )) ))) -}} +{{- end -}} +{{- $_ := (set $consoleValue "extraVolumes" (get (fromJson (include "redpanda.consoleTLSVolumes" (dict "a" (list $dot) ))) "r")) -}} +{{- $_ := (set $consoleValue "extraVolumeMounts" (get (fromJson (include "redpanda.consoleTLSVolumesMounts" (dict "a" (list $dot) ))) "r")) -}} +{{- $_ := (set $consoleDot "Values" $consoleValue) -}} +{{- $cfg := (get (fromJson (include "console.ConfigMap" (dict "a" (list $consoleDot) ))) "r") -}} +{{- if (eq (toJson $consoleValue.podAnnotations) "null") -}} +{{- $_ := (set $consoleValue "podAnnotations" (dict )) -}} +{{- end -}} +{{- $_ := (set $consoleValue.podAnnotations "checksum-redpanda-chart/config" (sha256sum (toYaml $cfg))) -}} +{{- end -}} +{{- $_ := (set $consoleDot "Values" $consoleValue) -}} +{{- $manifests := (list (get (fromJson (include "console.Secret" (dict "a" (list $consoleDot) ))) "r") (get (fromJson (include "console.ConfigMap" (dict "a" (list $consoleDot) ))) "r") (get (fromJson (include "console.Deployment" (dict "a" (list $consoleDot) ))) "r")) -}} +{{- $_ := (set $consoleDot "Values" 
$loadedValues) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $manifests) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.consoleTLSVolumesMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts := (list ) -}} +{{- $sasl_3 := $values.auth.sasl -}} +{{- if (and $sasl_3.enabled (ne $sasl_3.secretRef "")) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "%s-users" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/mnt/users" "readOnly" true )))) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $values.listeners $values.tls) ))) "r")) ))) "r") | int) (0 | int)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststores" "mountPath" "/etc/truststores" "readOnly" true )))) -}} +{{- end -}} +{{- $visitedCert := (dict ) -}} +{{- range $_, $tlsCfg := (list $values.listeners.kafka.tls $values.listeners.schemaRegistry.tls $values.listeners.admin.tls) -}} +{{- $_142___visited := (get (fromJson (include "_shims.dicttest" (dict "a" (list $visitedCert $tlsCfg.cert false) ))) "r") -}} +{{- $_ := (index $_142___visited 0) -}} +{{- $visited := (index $_142___visited 1) -}} +{{- if (or (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tlsCfg $values.tls) ))) "r")) $visited) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $visitedCert $tlsCfg.cert true) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $tlsCfg.cert) "mountPath" (printf "%s/%s" "/etc/tls/certs" $tlsCfg.cert) )))) -}} +{{- end -}} +{{- if $_is_returning 
-}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $mounts) (default (list ) $values.console.extraVolumeMounts))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.consoleTLSVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes := (list ) -}} +{{- $sasl_4 := $values.auth.sasl -}} +{{- if (and $sasl_4.enabled (ne $sasl_4.secretRef "")) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $values.auth.sasl.secretRef )) )) (dict "name" (printf "%s-users" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}} +{{- end -}} +{{- $vol_5 := (get (fromJson (include "redpanda.Listeners.TrustStoreVolume" (dict "a" (list $values.listeners $values.tls) ))) "r") -}} +{{- if (ne (toJson $vol_5) "null") -}} +{{- $volumes = (concat (default (list ) $volumes) (list $vol_5)) -}} +{{- end -}} +{{- $visitedCert := (dict ) -}} +{{- range $_, $tlsCfg := (list $values.listeners.kafka.tls $values.listeners.schemaRegistry.tls $values.listeners.admin.tls) -}} +{{- $_183___visited := (get (fromJson (include "_shims.dicttest" (dict "a" (list $visitedCert $tlsCfg.cert false) ))) "r") -}} +{{- $_ := (index $_183___visited 0) -}} +{{- $visited := (index $_183___visited 1) -}} +{{- if (or (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tlsCfg $values.tls) ))) "r")) $visited) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $visitedCert $tlsCfg.cert true) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o420 | int) "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict 
"a" (list $dot $tlsCfg.cert (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $tlsCfg.cert) ))) "r")) ))) "r") )) )) (dict "name" (printf "redpanda-%s-cert" $tlsCfg.cert) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.console.extraVolumes))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ConsoleConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaURLs := (coalesce nil) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $schema := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.schemaRegistry.tls $values.tls) ))) "r") -}} +{{- $schema = "https" -}} +{{- end -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $schemaURLs = (concat (default (list ) $schemaURLs) (list (printf "%s://%s-%d.%s:%d" $schema (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.schemaRegistry.port | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $schema := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $schema = "https" -}} +{{- end -}} +{{- $c := (dict "kafka" (dict "brokers" (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") "sasl" (dict "enabled" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") ) "tls" (get (fromJson 
(include "redpanda.KafkaListeners.ConsoleTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") "schemaRegistry" (dict "enabled" $values.listeners.schemaRegistry.enabled "urls" $schemaURLs "tls" (get (fromJson (include "redpanda.SchemaRegistryListeners.ConsoleTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") ) ) "redpanda" (dict "adminApi" (dict "enabled" true "urls" (list (printf "%s://%s:%d" $schema (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) "tls" (get (fromJson (include "redpanda.AdminListeners.ConsoleTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") ) ) ) -}} +{{- if (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.connectors.enabled false) ))) "r") -}} +{{- $port := (dig "connectors" "connectors" "restPort" (8083 | int) $dot.Values.AsMap) -}} +{{- $_254_p_ok := (get (fromJson (include "_shims.asintegral" (dict "a" (list $port) ))) "r") -}} +{{- $p := ((index $_254_p_ok 0) | int) -}} +{{- $ok := (index $_254_p_ok 1) -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $c) | toJson -}} +{{- break -}} +{{- end -}} +{{- $connectorsDot := (index $dot.Subcharts "connectors") -}} +{{- $connectorsURL := (printf "http://%s.%s.svc.%s:%d" (get (fromJson (include "connectors.Fullname" (dict "a" (list $connectorsDot) ))) "r") $dot.Release.Namespace (trimSuffix "." 
$values.clusterDomain) $p) -}} +{{- $_ := (set $c "connect" (dict "enabled" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.connectors.enabled false) ))) "r") "clusters" (list (dict "name" "connectors" "url" $connectorsURL "tls" (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) "username" "" "password" "" "token" "" )) "connectTimeout" (0 | int) "readTimeout" (0 | int) "requestTimeout" (0 | int) )) -}} +{{- end -}} +{{- if (eq (toJson $values.console.console) "null") -}} +{{- $_ := (set $values.console "console" (mustMergeOverwrite (dict ) (dict "config" (dict ) ))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.console.console.config $c)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_example-commands.tpl b/charts/redpanda/redpanda/5.9.18/templates/_example-commands.tpl new file mode 100644 index 0000000000..9a5c695e32 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_example-commands.tpl 
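Review bot: The SASL bootstrap command in `redpanda.consoleChartIntegration` is launched with `sh -c` yet relies on the bash-only process substitution `< <(grep "" $(find /mnt/users/* -print))`; the connectors integration in this same commit uses `bash -c` for the identical construct. Unless `/bin/sh` in the console image is bash, the `read` fails and, under `set -e`, the container exits before `/app/console` ever runs — change the list to `(list "bash" "-c" ...)` to match the connectors path, or drop the process substitution. While there, `/app/console $@` should be `/app/console "$@"` so container args containing spaces are passed through intact. A comment is also warranted where the same Kafka SASL user is exported as `KAFKA_SCHEMAREGISTRY_*` and `REDPANDA_ADMINAPI_*`: the first user in the users secret is implicitly assumed to be authorised for the schema registry and admin API too — verify that matches the documented bootstrap-user expectations.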
@@ -0,0 +1,58 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+
+{{/*
+Any rpk command that's given to the user in NOTES.txt must be defined in this template file
+and tested in a test.
+*/}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-acl-user-create" -}}
+{{- $cmd := (get ((include "redpanda.RpkACLUserCreate" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-acl-create" -}}
+{{- $cmd := (get ((include "redpanda.RpkACLCreate" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-cluster-info" -}}
+{{- $cmd := (get ((include "redpanda.RpkClusterInfo" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-topic-create" -}}
+{{- $cmd := (get ((include "redpanda.RpkTopicCreate" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-topic-describe" -}}
+{{- $cmd := (get ((include "redpanda.RpkTopicDescribe" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-topic-delete" -}}
+{{- $cmd := (get ((include "redpanda.RpkTopicDelete" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.18/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_helpers.go.tpl
new file mode 100644
index 0000000000..2f590fb188
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/templates/_helpers.go.tpl
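Review bot: The file ends without a trailing newline (the `\ No newline at end of file` marker after the last `{{- end -}}`), so the next append will show up as a change to that line; add the newline. Each of these six wrappers only forwards to a `redpanda.Rpk*` helper and echoes `$cmd`, so what reaches NOTES.txt is decided entirely by those helpers, which are not in this hunk. If `redpanda.RpkACLUserCreate` interpolates the SASL user's password into the rendered command (I cannot tell from here), that secret is printed in `helm install` output and persisted in the release's notes; worth confirming and, if so, emitting a placeholder instead. The header comment could also state that "tested in a test" refers to the `tests/test-kafka-sasl-status.yaml` suite named on every define.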
@@ -0,0 +1,644 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "redpanda.ChartLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (replace "+" "_" (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version))) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_48_override_1_ok_2 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "nameOverride") "") ))) "r") -}} +{{- $override_1 := (index $_48_override_1_ok_2 0) -}} +{{- $ok_2 := (index $_48_override_1_ok_2 1) -}} +{{- if (and $ok_2 (ne $override_1 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_1) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Chart.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_58_override_3_ok_4 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "fullnameOverride") "") ))) "r") -}} +{{- $override_3 := (index $_58_override_3_ok_4 0) -}} +{{- $ok_4 := (index $_58_override_3_ok_4 1) -}} +{{- if (and $ok_4 (ne $override_3 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_3) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- 
end -}} +{{- end -}} + +{{- define "redpanda.FullLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $labels := (dict ) -}} +{{- if (ne (toJson $values.commonLabels) "null") -}} +{{- $labels = $values.commonLabels -}} +{{- end -}} +{{- $defaults := (dict "helm.sh/chart" (get (fromJson (include "redpanda.ChartLabel" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/managed-by" $dot.Release.Service "app.kubernetes.io/component" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $labels $defaults)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $serviceAccount := $values.serviceAccount -}} +{{- if (and $serviceAccount.create (ne $serviceAccount.name "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $serviceAccount.name) | toJson -}} +{{- break -}} +{{- else -}}{{- if $serviceAccount.create -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- else -}}{{- if (ne $serviceAccount.name "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $serviceAccount.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "default") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tag" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := (toString $values.image.tag) -}} +{{- if (eq $tag 
"") -}} +{{- $tag = $dot.Chart.AppVersion -}} +{{- end -}} +{{- $pattern := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- if (not (regexMatch $pattern $tag)) -}} +{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tag) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne (toJson $values.service) "null") (ne (toJson $values.service.name) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $values.service.name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalDomain" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} +{{- $ns := $dot.Release.Namespace -}} +{{- $domain := (trimSuffix "." $values.clusterDomain) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s.%s.svc.%s." 
$service $ns $domain)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSEnabled" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.tls.enabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} +{{- range $_, $listener := $listeners -}} +{{- $tlsCert := (dig "listeners" $listener "tls" "cert" false $dot.Values.AsMap) -}} +{{- $tlsEnabled := (dig "listeners" $listener "tls" "enabled" false $dot.Values.AsMap) -}} +{{- if (and (not (empty $tlsEnabled)) (not (empty $tlsCert))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $external := (dig "listeners" $listener "external" false $dot.Values.AsMap) -}} +{{- if (empty $external) -}} +{{- continue -}} +{{- end -}} +{{- $keys := (keys (get (fromJson (include "_shims.typeassertion" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $external) ))) "r")) -}} +{{- range $_, $key := $keys -}} +{{- $enabled := (dig "listeners" $listener "external" $key "enabled" false $dot.Values.AsMap) -}} +{{- $tlsCert := (dig "listeners" $listener "external" $key "tls" "cert" false $dot.Values.AsMap) -}} +{{- $tlsEnabled := (dig "listeners" $listener "external" $key "tls" "enabled" false $dot.Values.AsMap) -}} +{{- if (and (and (not (empty $enabled)) (not (empty $tlsCert))) (not (empty $tlsEnabled))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClientAuthRequired" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := 
(list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} +{{- range $_, $listener := $listeners -}} +{{- $required := (dig "listeners" $listener "tls" "requireClientAuth" false $dot.Values.AsMap) -}} +{{- if (not (empty $required)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.DefaultMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/etc/redpanda" )))) (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CommonMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts := (list ) -}} +{{- $sasl_5 := $values.auth.sasl -}} +{{- if (and $sasl_5.enabled (ne $sasl_5.secretRef "")) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "users" "mountPath" "/etc/secrets/users" "readOnly" true )))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $certNames := (keys $values.tls.certs) -}} +{{- $_ := (sortAlpha $certNames) -}} +{{- range $_, $name := $certNames -}} +{{- $cert := (ternary (index $values.tls.certs $name) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce 
nil) ) (hasKey $values.tls.certs $name)) -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "%s/%s" "/etc/tls/certs" $name) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminTLS := $values.listeners.admin.tls -}} +{{- if $adminTLS.requireClientAuth -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "mtls-client" "mountPath" (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.DefaultVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "base-config" )))) (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CommonVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $volumes := (list ) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $certNames := (keys $values.tls.certs) -}} +{{- $_ := (sortAlpha $certNames) -}} +{{- range $_, 
$name := $certNames -}} +{{- $cert := (ternary (index $values.tls.certs $name) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil) ) (hasKey $values.tls.certs $name)) -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $name $cert) ))) "r") "defaultMode" (0o440 | int) )) )) (dict "name" (printf "redpanda-%s-cert" $name) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminTLS := $values.listeners.admin.tls -}} +{{- $cert := (ternary (index $values.tls.certs $adminTLS.cert) (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil) ) (hasKey $values.tls.certs $adminTLS.cert)) -}} +{{- if $adminTLS.requireClientAuth -}} +{{- $secretName := (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- if (ne (toJson $cert.clientSecretRef) "null") -}} +{{- $secretName = $cert.clientSecretRef.name -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $secretName "defaultMode" (0o440 | int) )) )) (dict "name" "mtls-client" )))) -}} +{{- end -}} +{{- end -}} +{{- $sasl_6 := $values.auth.sasl -}} +{{- if (and $sasl_6.enabled (ne $sasl_6.secretRef "")) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) 
(mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $sasl_6.secretRef )) )) (dict "name" "users" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CertSecretName" -}} +{{- $dot := (index .a 0) -}} +{{- $certName := (index .a 1) -}} +{{- $cert := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $cert.secretRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cert.secretRef.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $certName)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PodSecurityContext" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "fsGroup" $sc.fsGroup "fsGroupChangePolicy" $sc.fsGroupChangePolicy ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ContainerSecurityContext" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "runAsUser" $sc.runAsUser "runAsGroup" (get (fromJson (include "redpanda.coalesce" (dict "a" (list (list $sc.runAsGroup $sc.fsGroup)) ))) "r") "allowPrivilegeEscalation" (get (fromJson (include 
"redpanda.coalesce" (dict "a" (list (list $sc.allowPrivilegeEscalation $sc.allowPriviledgeEscalation)) ))) "r") "runAsNonRoot" $sc.runAsNonRoot ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_2_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_3_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_1_1" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.1-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_1_2" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.2-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.13-0,<22.4") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.10-0,<22.3") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_2_1" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.2.1-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_3_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.redpandaAtLeast" -}} +{{- $dot := (index .a 0) -}} +{{- $constraint := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $version := (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) -}} +{{- $_391_result_err := (list (semverCompare $constraint $version) nil) -}} +{{- $result := (index $_391_result_err 0) -}} +{{- $err := (index $_391_result_err 1) -}} +{{- if (ne (toJson $err) "null") -}} +{{- $_ := (fail $err) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.cleanForK8s" -}} +{{- $in := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $in))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.cleanForK8sWithSuffix" -}} +{{- $s := (index .a 0) -}} +{{- $suffix := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $lengthToTruncate := ((sub (((add ((get (fromJson (include "_shims.len" (dict "a" (list $s) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $suffix) ))) "r") | int)) | int)) (63 | int)) | int) -}} +{{- if (gt $lengthToTruncate (0 | int)) -}} +{{- $s = (trunc $lengthToTruncate $s) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s" $s $suffix)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaSMP" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $coresInMillies := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillies (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (1 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.coalesce" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- range $_, $v := $values -}} +{{- if (ne (toJson $v) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $v) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StrategicMergePatch" -}} +{{- $overrides := (index .a 0) -}} +{{- $original := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $overrideSpec := $overrides.spec -}} 
+{{- if (eq (toJson $overrideSpec) "null") -}} +{{- $overrideSpec = (mustMergeOverwrite (dict ) (dict )) -}} +{{- end -}} +{{- $merged := (merge (dict ) (mustMergeOverwrite (dict ) (dict "metadata" (mustMergeOverwrite (dict ) (dict "labels" $overrides.labels "annotations" $overrides.annotations )) "spec" $overrideSpec )) $original) -}} +{{- $_ := (set $merged.spec "initContainers" (get (fromJson (include "redpanda.mergeSliceBy" (dict "a" (list $original.spec.initContainers $overrideSpec.initContainers "name" "redpanda.mergeContainer") ))) "r")) -}} +{{- $_ := (set $merged.spec "containers" (get (fromJson (include "redpanda.mergeSliceBy" (dict "a" (list $original.spec.containers $overrideSpec.containers "name" "redpanda.mergeContainer") ))) "r")) -}} +{{- $_ := (set $merged.spec "volumes" (get (fromJson (include "redpanda.mergeSliceBy" (dict "a" (list $original.spec.volumes $overrideSpec.volumes "name" "redpanda.mergeVolume") ))) "r")) -}} +{{- if (eq (toJson $merged.metadata.labels) "null") -}} +{{- $_ := (set $merged.metadata "labels" (dict )) -}} +{{- end -}} +{{- if (eq (toJson $merged.metadata.annotations) "null") -}} +{{- $_ := (set $merged.metadata "annotations" (dict )) -}} +{{- end -}} +{{- if (eq (toJson $merged.spec.nodeSelector) "null") -}} +{{- $_ := (set $merged.spec "nodeSelector" (dict )) -}} +{{- end -}} +{{- if (eq (toJson $merged.spec.tolerations) "null") -}} +{{- $_ := (set $merged.spec "tolerations" (list )) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $merged) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.mergeSliceBy" -}} +{{- $original := (index .a 0) -}} +{{- $override := (index .a 1) -}} +{{- $mergeKey := (index .a 2) -}} +{{- $mergeFunc := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $originalKeys := (dict ) -}} +{{- $overrideByKey := (dict ) -}} +{{- range $_, $el := $override -}} +{{- $_515_key_ok := (get (fromJson (include "_shims.get" (dict "a" 
(list $el $mergeKey) ))) "r") -}} +{{- $key := (index $_515_key_ok 0) -}} +{{- $ok := (index $_515_key_ok 1) -}} +{{- if (not $ok) -}} +{{- continue -}} +{{- end -}} +{{- $_ := (set $overrideByKey $key $el) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $merged := (coalesce nil) -}} +{{- range $_, $el := $original -}} +{{- $_527_key__ := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey) ))) "r") -}} +{{- $key := (index $_527_key__ 0) -}} +{{- $_ := (index $_527_key__ 1) -}} +{{- $_ := (set $originalKeys $key true) -}} +{{- $_529_elOverride_7_ok_8 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideByKey $key (coalesce nil)) ))) "r") -}} +{{- $elOverride_7 := (index $_529_elOverride_7_ok_8 0) -}} +{{- $ok_8 := (index $_529_elOverride_7_ok_8 1) -}} +{{- if $ok_8 -}} +{{- $merged = (concat (default (list ) $merged) (list (get (fromJson (include $mergeFunc (dict "a" (list $el $elOverride_7) ))) "r"))) -}} +{{- else -}} +{{- $merged = (concat (default (list ) $merged) (list $el)) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $el := $override -}} +{{- $_539_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey) ))) "r") -}} +{{- $key := (index $_539_key_ok 0) -}} +{{- $ok := (index $_539_key_ok 1) -}} +{{- if (not $ok) -}} +{{- continue -}} +{{- end -}} +{{- $_544___ok_9 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $originalKeys $key false) ))) "r") -}} +{{- $_ := (index $_544___ok_9 0) -}} +{{- $ok_9 := (index $_544___ok_9 1) -}} +{{- if $ok_9 -}} +{{- continue -}} +{{- end -}} +{{- $merged = (concat (default (list ) $merged) (list (merge (dict ) $el))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $merged) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.mergeEnvVar" -}} +{{- $original := (index .a 0) -}} +{{- 
$overrides := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $overrides)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.mergeVolume" -}} +{{- $original := (index .a 0) -}} +{{- $override := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $override $original)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.mergeVolumeMount" -}} +{{- $original := (index .a 0) -}} +{{- $override := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $override $original)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.mergeContainer" -}} +{{- $original := (index .a 0) -}} +{{- $override := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $merged := (merge (dict ) $override $original) -}} +{{- $_ := (set $merged "env" (get (fromJson (include "redpanda.mergeSliceBy" (dict "a" (list $original.env $override.env "name" "redpanda.mergeEnvVar") ))) "r")) -}} +{{- $_ := (set $merged "volumeMounts" (get (fromJson (include "redpanda.mergeSliceBy" (dict "a" (list $original.volumeMounts $override.volumeMounts "name" "redpanda.mergeVolumeMount") ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $merged) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.18/templates/_helpers.tpl new file mode 100644 index 0000000000..a885f9dcd3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_helpers.tpl 
@@ -0,0 +1,368 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "redpanda.name" -}} +{{- get ((include "redpanda.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "redpanda.fullname" -}} +{{- get ((include "redpanda.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default service name +*/}} +{{- define "redpanda.servicename" -}} +{{- get ((include "redpanda.ServiceName" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +full helm labels + common labels +*/}} +{{- define "full.labels" -}} +{{- (get ((include "redpanda.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. 
+*/}} +{{- define "redpanda.chart" -}} +{{- get ((include "redpanda.Chart" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redpanda.serviceAccountName" -}} +{{- get ((include "redpanda.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Use AppVersion if image.tag is not set +*/}} +{{- define "redpanda.tag" -}} +{{- get ((include "redpanda.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* Generate internal fqdn */}} +{{- define "redpanda.internal.domain" -}} +{{- get ((include "redpanda.InternalDomain" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* ConfigMap variables */}} +{{- define "admin-internal-tls-enabled" -}} +{{- toJson (dict "bool" (get ((include "redpanda.InternalTLS.IsEnabled" (dict "a" (list .Values.listeners.admin.tls .Values.tls))) | fromJson) "r")) -}} +{{- end -}} + +{{- define "kafka-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.kafka -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "kafka-external-tls-cert" -}} +{{- dig "tls" "cert" .Values.listeners.kafka.tls.cert .listener -}} +{{- end -}} + +{{- define "http-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.http -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "schemaRegistry-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.schemaRegistry -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "tls-enabled" -}} +{{- $tlsenabled := get ((include "redpanda.TLSEnabled" (dict "a" (list .))) | fromJson) "r" }} +{{- toJson (dict "bool" $tlsenabled) -}} +{{- end -}} + +{{- define 
"sasl-enabled" -}} +{{- toJson (dict "bool" (dig "enabled" false .Values.auth.sasl)) -}} +{{- end -}} + +{{- define "admin-api-urls" -}} +{{ printf "${SERVICE_NAME}.%s" (include "redpanda.internal.domain" .) }}:{{.Values.listeners.admin.port }} +{{- end -}} + +{{- define "admin-api-service-url" -}} +{{ include "redpanda.internal.domain" .}}:{{.Values.listeners.admin.port }} +{{- end -}} + +{{- define "sasl-mechanism" -}} +{{- dig "sasl" "mechanism" "SCRAM-SHA-512" .Values.auth -}} +{{- end -}} + +{{- define "fail-on-insecure-sasl-logging" -}} +{{- if (include "sasl-enabled" .|fromJson).bool -}} + {{- $check := list + (include "redpanda-atleast-23-1-1" .|fromJson).bool + (include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool + (include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool + -}} + {{- if not (mustHas true $check) -}} + {{- fail "SASL is enabled and the redpanda version specified leaks secrets to the logs. Please choose a newer version of redpanda." -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "fail-on-unsupported-helm-version" -}} + {{- $helmVer := (fromYaml (toYaml .Capabilities.HelmVersion)).version -}} + {{- if semverCompare "<3.8.0-0" $helmVer -}} + {{- fail (printf "helm version %s is not supported. Please use helm version v3.8.0 or newer." 
$helmVer) -}} + {{- end -}} +{{- end -}} + +{{- define "redpanda-atleast-22-2-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-22-3-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-1-1" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_1" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-1-2" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-22-3-atleast-22-3-13" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-22-2-atleast-22-2-10" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-2-1" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-3-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} + +{{- define "redpanda-22-2-x-without-sasl" -}} +{{- $result := (include "redpanda-atleast-22-3-0" . | fromJson).bool -}} +{{- if or (include "sasl-enabled" . 
| fromJson).bool .Values.listeners.kafka.authenticationMethod -}} +{{- $result := false -}} +{{- end -}} +{{- toJson (dict "bool" $result) -}} +{{- end -}} + +{{- define "pod-security-context" -}} +{{- get ((include "redpanda.PodSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }} +{{- end -}} + +{{- define "container-security-context" -}} +{{- get ((include "redpanda.ContainerSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }} +{{- end -}} + +{{- define "admin-tls-curl-flags" -}} + {{- $result := "" -}} + {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}} + {{- $path := (printf "/etc/tls/certs/%s" .Values.listeners.admin.tls.cert) -}} + {{- $result = (printf "--cacert %s/tls.crt" $path) -}} + {{- if .Values.listeners.admin.tls.requireClientAuth -}} + {{- $result = (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path) -}} + {{- end -}} + {{- end -}} + {{- $result -}} +{{- end -}} + +{{- define "admin-http-protocol" -}} + {{- $result := "http" -}} + {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}} + {{- $result = "https" -}} + {{- end -}} + {{- $result -}} +{{- end -}} + +{{- /* +advertised-port returns either the only advertised port if only one is specified, +or the port specified for this pod ordinal when there is a full list provided. + +This will return a string int or panic if there is more than one port provided, +but not enough ports for the number of replicas requested. 
+*/ -}} +{{- define "advertised-port" -}} + {{- $port := dig "port" .listenerVals.port .externalVals -}} + {{- if .externalVals.advertisedPorts -}} + {{- if eq (len .externalVals.advertisedPorts) 1 -}} + {{- $port = mustFirst .externalVals.advertisedPorts -}} + {{- else -}} + {{- $port = index .externalVals.advertisedPorts .replicaIndex -}} + {{- end -}} + {{- end -}} + {{ $port }} +{{- end -}} + +{{- /* +advertised-host returns a json string with the data needed for configuring the advertised listener +*/ -}} +{{- define "advertised-host" -}} + {{- $host := dict "name" .externalName "address" .externalAdvertiseAddress "port" .port -}} + {{- if .values.external.addresses -}} + {{- $address := "" -}} + {{- if gt (len .values.external.addresses) 1 -}} + {{- $address = (index .values.external.addresses .replicaIndex) -}} + {{- else -}} + {{- $address = (index .values.external.addresses 0) -}} + {{- end -}} + {{- if ( .values.external.domain | default "" ) }} + {{- $host = dict "name" .externalName "address" (printf "%s.%s" $address .values.external.domain) "port" .port -}} + {{- else -}} + {{- $host = dict "name" .externalName "address" $address "port" .port -}} + {{- end -}} + {{- end -}} + {{- toJson $host -}} +{{- end -}} + +{{- define "is-licensed" -}} +{{- toJson (dict "bool" (or (not (empty (include "enterprise-license" . ))) (not (empty (include "enterprise-secret" . 
))))) -}} +{{- end -}} + +{{- define "seed-server-list" -}} + {{- $brokers := list -}} + {{- range $ordinal := until (.Values.statefulset.replicas | int) -}} + {{- $brokers = append $brokers (printf "%s-%d.%s" + (include "redpanda.fullname" $) + $ordinal + (include "redpanda.internal.domain" $)) + -}} + {{- end -}} + {{- toJson $brokers -}} +{{- end -}} + +{{/* +return license checks deprecated values if current values is empty +*/}} +{{- define "enterprise-license" -}} +{{- if dig "license" dict .Values.enterprise -}} + {{- .Values.enterprise.license -}} +{{- else -}} + {{- .Values.license_key -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef.name checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret-name" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- dig "name" "" .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- dig "secret_name" "" .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef.key checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret-key" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- dig "key" "" .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- dig "secret_key" "" .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* mounts that are common to all containers */}} +{{- define "common-mounts" -}} +{{- $mounts := get ((include "redpanda.CommonMounts" (dict "a" (list .))) | fromJson) "r" }} +{{- if $mounts -}} +{{- 
toYaml $mounts -}} +{{- end -}} +{{- end -}} + +{{/* mounts that are common to most containers */}} +{{- define "default-mounts" -}} +{{- $mounts := get ((include "redpanda.DefaultMounts" (dict "a" (list .))) | fromJson) "r" }} +{{- if $mounts -}} +{{- toYaml $mounts -}} +{{- end -}} +{{- end -}} + +{{/* volumes that are common to all pods */}} +{{- define "common-volumes" -}} +{{- $volumes := get ((include "redpanda.CommonVolumes" (dict "a" (list .))) | fromJson) "r" }} +{{- if $volumes -}} +{{- toYaml $volumes -}} +{{- end -}} +{{- end -}} + +{{/* the default set of volumes for most pods, except the sts pod */}} +{{- define "default-volumes" -}} +{{- $volumes := get ((include "redpanda.DefaultVolumes" (dict "a" (list .))) | fromJson) "r" }} +{{- if $volumes -}} +{{- toYaml $volumes -}} +{{- end -}} +{{- end -}} + +{{/* support legacy storage.tieredConfig */}} +{{- define "storage-tiered-config" -}} +{{- $cfg := get ((include "redpanda.StorageTieredConfig" (dict "a" (list .))) | fromJson) "r" }} +{{- if $cfg -}} +{{- toYaml $cfg -}} +{{- end -}} +{{- end -}} + +{{/* + rpk sasl environment variables + + this will return a string with the correct environment variables to use for SASL based on the + version of the redpada container being used +*/}} +{{- define "rpk-sasl-environment-variables" -}} +{{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool -}} +RPK_USER RPK_PASS RPK_SASL_MECHANISM +{{- else -}} +REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM +{{- end -}} +{{- end -}} + +{{- define "curl-options" -}} +{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}} +{{- end -}} + +{{- define "advertised-address-template" -}} + {{- $prefixTemplate := dig "prefixTemplate" "" .externalListener -}} + {{- if empty $prefixTemplate -}} + {{- $prefixTemplate = dig "prefixTemplate" "" .externalVals -}} + {{- end -}} + {{ quote $prefixTemplate }} +{{- end -}} + +{{/* check if client auth is enabled for any of the listeners */}} +{{- define "client-auth-required" -}} +{{- $requireClientAuth := get ((include "redpanda.ClientAuthRequired" (dict "a" (list .))) | fromJson) "r" }} +{{- toJson (dict "bool" $requireClientAuth) -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.18/templates/_memory.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_memory.go.tpl new file mode 100644 index 0000000000..015a771b46 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_memory.go.tpl 
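Review bot: In `redpanda-22-2-x-without-sasl` the branch body `{{- $result := false -}}` uses `:=`, which in Go templates declares a new `$result` scoped to the `if` block instead of assigning the outer one, so the helper returns the `redpanda-atleast-22-3-0` value even when SASL is enabled or `listeners.kafka.authenticationMethod` is set. The fix is the assignment form, `{{- $result = false -}}`; the helper's callers are outside this hunk, so I cannot say what it gates, but a "without-sasl" check that ignores SASL being enabled should either be corrected or removed if it is dead. Separately, `admin-tls-curl-flags` passes `tls.crt` as `--cacert` unless `requireClientAuth` is set, in which case `ca.crt` is used; if the issuing CA is not bundled into `tls.crt`, the non-mTLS path either fails verification or is relying on the leaf being self-signed, so this is worth confirming against how the admin cert secret is produced.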
@@ -0,0 +1,63 @@ +{{- /* Generated from "memory.go" */ -}} + +{{- define "redpanda.RedpandaReserveMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $rpMem_1 := $values.resources.memory.redpanda -}} +{{- if (and (ne (toJson $rpMem_1) "null") (ne (toJson $rpMem_1.reserveMemory) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_1.reserveMemory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((add (((mulf (((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) | float64) 0.002) | float64) | int64) (200 | int64)) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $memory := ((0 | int64) | int64) -}} +{{- $containerMemory := ((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) -}} +{{- $rpMem_2 := $values.resources.memory.redpanda -}} +{{- if (and (ne (toJson $rpMem_2) "null") (ne (toJson $rpMem_2.memory) "null")) -}} +{{- $memory = ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_2.memory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64) -}} +{{- else -}} +{{- $memory = (((mulf ($containerMemory | float64) 0.8) | float64) | int64) -}} +{{- end -}} +{{- if (eq $memory (0 | int64)) -}} +{{- $_ := (fail "unable to get memory value redpanda-memory") -}} +{{- end -}} +{{- if (lt $memory (256 | int64)) -}} +{{- $_ := (fail (printf "%d is below the minimum value for Redpanda" $memory)) -}} +{{- end -}} +{{- if (gt ((add $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" 
(dict "a" (list $dot) ))) "r") | int64)) | int64) $containerMemory) -}} +{{- $_ := (fail (printf "Not enough container memory for Redpanda memory values where Redpanda: %d, reserve: %d, container: %d" $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) $containerMemory)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $memory) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ContainerMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne (toJson $values.resources.memory.container.min) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.min) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.max) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_notes.go.tpl new file mode 100644 index 0000000000..cae9d21fb3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_notes.go.tpl 
@@ -0,0 +1,167 @@ +{{- /* Generated from "notes.go" */ -}} + +{{- define "redpanda.Warnings" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $warnings := (coalesce nil) -}} +{{- $w_1 := (get (fromJson (include "redpanda.cpuWarning" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $w_1 "") -}} +{{- $warnings = (concat (default (list ) $warnings) (list (printf `**Warning**: %s` $w_1))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $warnings) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.cpuWarning" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $coresInMillis := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillis (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%dm is below the minimum recommended CPU value for Redpanda" $coresInMillis)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Notes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $anySASL := (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $notes := (coalesce nil) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `` `` `` (printf `Congratulations on installing %s!` $dot.Chart.Name) `` `The pods will rollout in a few seconds. 
To check the status:` `` (printf ` kubectl -n %s rollout status statefulset %s --watch` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}} +{{- if (and $values.external.enabled (eq $values.external.type "LoadBalancer")) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `If you are using the load balancer service with a cloud provider, the services will likely have automatically-generated addresses. In this scenario the advertised listeners must be updated in order for external access to work. Run the following command once Redpanda is deployed:` `` (printf ` helm upgrade %s redpanda/redpanda --reuse-values -n %s --set $(kubectl get svc -n %s -o jsonpath='{"external.addresses={"}{ range .items[*]}{.status.loadBalancer.ingress[0].ip }{.status.loadBalancer.ingress[0].hostname}{","}{ end }{"}\n"}')` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace $dot.Release.Namespace))) -}} +{{- end -}} +{{- $profiles := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $profiles) -}} +{{- $profileName := (index $profiles (0 | int)) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Set up rpk for access to your external listeners:`)) -}} +{{- $profile := (ternary (index $values.listeners.kafka.external $profileName) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "prefixTemplate" (coalesce nil) "tls" (coalesce nil) ) (hasKey $values.listeners.kafka.external $profileName)) -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $external := "" -}} +{{- if (and (ne (toJson $profile.tls) "null") (ne (toJson $profile.tls.cert) "null")) -}} +{{- $external = $profile.tls.cert -}} +{{- else -}} +{{- $external = $values.listeners.kafka.tls.cert -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` 
kubectl get secret -n %s %s-%s-cert -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $external))) -}} +{{- if (or $values.listeners.kafka.tls.requireClientAuth $values.listeners.admin.tls.requireClientAuth) -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.crt" | base64decode }}' > tls.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.key" | base64decode }}' > tls.key` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` rpk profile create --from-profile <(kubectl get configmap -n %s %s-rpk -o go-template='{{ .data.profile }}') %s` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $profileName) `` `Set up dns to look up the pods on their Kubernetes Nodes. You can use this query to get the list of short-names to IP addresses. Add your external domain to the hostnames and you could test by adding these to your /etc/hosts:` `` (printf ` kubectl get pod -n %s -o custom-columns=node:.status.hostIP,name:.metadata.name --no-headers -l app.kubernetes.io/name=redpanda,app.kubernetes.io/component=redpanda-statefulset` $dot.Release.Namespace))) -}} +{{- if $anySASL -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Set the credentials in the environment:` `` (printf ` kubectl -n %s get secret %s -o go-template="{{ range .data }}{{ . 
| base64decode }}{{ end }}" | IFS=: read -r %s` $dot.Release.Namespace $values.auth.sasl.secretRef (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")) (printf ` export %s` (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Try some sample commands:`)) -}} +{{- if $anySASL -}} +{{- $notes = (concat (default (list ) $notes) (list `Create a user:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLUserCreate" (dict "a" (list $dot) ))) "r")) `` `Give the user permissions:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLCreate" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Get the api status:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkClusterInfo" (dict "a" (list $dot) ))) "r")) `` `Create a topic` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicCreate" (dict "a" (list $dot) ))) "r")) `` `Describe the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDescribe" (dict "a" (list $dot) ))) "r")) `` `Delete the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDelete" (dict "a" (list $dot) ))) "r")))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $notes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkACLUserCreate" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `rpk acl user create myuser --new-password changeme --mechanism %s` (get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SASLMechanism" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne 
(toJson $values.auth.sasl) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.auth.sasl.mechanism) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "SCRAM-SHA-512") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkACLCreate" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk acl create --allow-principal 'myuser' --allow-host '*' --operation all --topic 'test-topic'`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkClusterInfo" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk cluster info`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicCreate" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `rpk topic create test-topic -p 3 -r %d` (min (3 | int64) (($values.statefulset.replicas | int) | int64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicDescribe" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk topic describe test-topic`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicDelete" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk topic delete test-topic`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkSASLEnvironmentVariables" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict 
"r" `RPK_USER RPK_PASS RPK_SASL_MECHANISM`) | toJson -}} +{{- break -}} +{{- else -}} +{{- $_is_returning = true -}} +{{- (dict "r" `REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_poddisruptionbudget.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_poddisruptionbudget.go.tpl new file mode 100644 index 0000000000..763b7b0bdf --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_poddisruptionbudget.go.tpl 
@@ -0,0 +1,21 @@ +{{- /* Generated from "poddisruptionbudget.go" */ -}} + +{{- define "redpanda.PodDisruptionBudget" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $budget := ($values.statefulset.budget.maxUnavailable | int) -}} +{{- $minReplicas := ((div ($values.statefulset.replicas | int) (2 | int)) | int) -}} +{{- if (and (gt $budget (1 | int)) (gt $budget $minReplicas)) -}} +{{- $_ := (fail (printf "statefulset.budget.maxUnavailable is set too high to maintain quorum: %d > %d" $budget $minReplicas)) -}} +{{- end -}} +{{- $maxUnavailable := ($budget | int) -}} +{{- $matchLabels := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $matchLabels "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "disruptionsAllowed" 0 "currentHealthy" 0 "desiredHealthy" 0 "expectedPods" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "policy/v1" "kind" "PodDisruptionBudget" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" $matchLabels )) "maxUnavailable" $maxUnavailable )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_post-install-upgrade-job.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_post-install-upgrade-job.go.tpl new file mode 100644 index 0000000000..efbb41e8b6 --- /dev/null 
+++ b/charts/redpanda/redpanda/5.9.18/templates/_post-install-upgrade-job.go.tpl 
@@ -0,0 +1,123 @@ +{{- /* Generated from "post_install_upgrade_job.go" */ -}} + +{{- define "redpanda.bootstrapYamlTemplater" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $env := (get (fromJson (include "redpanda.TieredStorageCredentials.AsEnvVars" (dict "a" (list $values.storage.tiered.credentialsSecretRef (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) ))) "r") -}} +{{- $image := (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "bootstrap-yaml-envsubst" "image" $image "command" (list "/redpanda-operator" "envsubst" "/tmp/base-config/bootstrap.yaml" "--output" "/tmp/config/.bootstrap.yaml") "env" $env "resources" (mustMergeOverwrite (dict ) (dict "limits" (dict "cpu" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "100m") ))) "r") "memory" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "125Mi") ))) "r") ) "requests" (dict "cpu" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "100m") ))) "r") "memory" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "125Mi") ))) "r") ) )) "securityContext" (mustMergeOverwrite (dict ) (dict "allowPrivilegeEscalation" false "readOnlyRootFilesystem" true "runAsNonRoot" true )) "volumeMounts" (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/tmp/config/" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config/" ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostInstallUpgradeJob" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false 
-}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_install_job.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $image := (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) -}} +{{- $job := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-configuration" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (default (dict ) $values.post_install_job.labels) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r")) "annotations" (merge (dict ) (default (dict ) $values.post_install_job.annotations) (dict "helm.sh/hook" "post-install,post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-5" )) )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_install_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "generateName" (printf "%s-post-" $dot.Release.Name) "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name 
"app.kubernetes.io/component" (printf "%.50s-post-install" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) ) (default (dict ) $values.commonLabels)) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (get (fromJson (include "redpanda.postInstallJobAffinity" (dict "a" (list $dot) ))) "r") "tolerations" (get (fromJson (include "redpanda.tolerations" (dict "a" (list $dot) ))) "r") "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "initContainers" (list (get (fromJson (include "redpanda.bootstrapYamlTemplater" (dict "a" (list $dot) ))) "r")) "automountServiceAccountToken" false "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-install" "image" $image "env" (get (fromJson (include "redpanda.PostInstallUpgradeEnvironmentVariables" (dict "a" (list $dot) ))) "r") "command" (list "/redpanda-operator" "sync-cluster-config" "--users-directory" "/etc/secrets/users" "--redpanda-yaml" "/tmp/base-config/redpanda.yaml" "--bootstrap-yaml" "/tmp/config/.bootstrap.yaml") "resources" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.resources (mustMergeOverwrite (dict ) (dict ))) ))) "r") "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "volumeMounts" (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/tmp/config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" 
"/tmp/base-config" )))) ))) "volumes" (concat (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "base-config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )))) "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) )) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $job) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.postInstallJobAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.post_install_job.affinity)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.post_install_job.affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.post_install_job.affinity $values.affinity)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.tolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $t := $values.tolerations -}} +{{- $result = (concat (default (list ) $result) (list (merge (dict ) $t))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostInstallUpgradeEnvironmentVariables" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- 
$_is_returning := false -}} +{{- $envars := (list ) -}} +{{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}} +{{- $secretReference_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $license_1 "") -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "value" $license_1 )))) -}} +{{- else -}}{{- if (ne (toJson $secretReference_2) "null") -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" $secretReference_2 )) )))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.bootstrapEnvVars" (dict "a" (list $dot $envars) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.GetLicenseLiteral" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.enterprise.license "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.enterprise.license) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.license_key) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.GetLicenseSecretReference" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.enterprise.licenseSecretRef)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" $values.enterprise.licenseSecretRef.key ))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (not (empty $values.license_secret_ref)) -}} +{{- 
$_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.license_secret_ref.secret_name )) (dict "key" $values.license_secret_ref.secret_key ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_post_upgrade_job.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_post_upgrade_job.go.tpl new file mode 100644 index 0000000000..6a95bb94e6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_post_upgrade_job.go.tpl 
@@ -0,0 +1,87 @@ +{{- /* Generated from "post_upgrade_job.go" */ -}} + +{{- define "redpanda.PostUpgrade" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_upgrade_job.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $labels := (default (dict ) $values.post_upgrade_job.labels) -}} +{{- $annotations := (default (dict ) $values.post_upgrade_job.annotations) -}} +{{- $annotations = (merge (dict ) (dict "helm.sh/hook" "post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-10" ) $annotations) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-post-upgrade" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $labels) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "backoffLimit" $values.post_upgrade_job.backoffLimit "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_upgrade_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $dot.Release.Name 
"labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%s-post-upgrade" (trunc (50 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r"))) ) $values.commonLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (merge (dict ) $values.post_upgrade_job.affinity $values.affinity) "tolerations" $values.tolerations "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-upgrade" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list "/bin/bash" "-c") "args" (list (get (fromJson (include "redpanda.PostUpgradeJobScript" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot $values.post_upgrade_job.extraEnv) ))) "r") "envFrom" $values.post_upgrade_job.extraEnvFrom "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_upgrade_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "resources" $values.post_upgrade_job.resources "volumeMounts" (get (fromJson (include "redpanda.DefaultMounts" (dict "a" (list $dot) ))) "r") ))) "volumes" (get (fromJson (include "redpanda.DefaultVolumes" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.PostUpgradeJobScript" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $script := (list `set -e` ``) -}} +{{- range $key, $value := $values.config.cluster -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $value) ))) "r")) ))) "r") -}} +{{- $isInt64 := $tmp_tuple_1.T2 -}} +{{- $asInt64 := ($tmp_tuple_1.T1 | int64) -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $value false) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_2.T2 -}} +{{- $asBool_1 := $tmp_tuple_2.T1 -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $value "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_3.T2 -}} +{{- $asStr_3 := $tmp_tuple_3.T1 -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "[]%s" "interface {}") $value (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_4.T2 -}} +{{- $asSlice_5 := $tmp_tuple_4.T1 -}} +{{- if (and $ok_2 $asBool_1) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %t" $key $asBool_1))) -}} +{{- else -}}{{- if (and $ok_4 (ne $asStr_3 "")) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %s" $key $asStr_3))) -}} +{{- else -}}{{- if (and $isInt64 (gt $asInt64 (0 | int64))) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %d" $key $asInt64))) -}} +{{- else -}}{{- if (and $ok_6 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $asSlice_5) ))) "r") | int) (0 | int))) -}} +{{- $script = (concat (default (list ) $script) (list (printf `rpk 
cluster config set %s "[ %s ]"` $key (join "," $asSlice_5)))) -}} +{{- else -}}{{- if (not (empty $value)) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %v" $key $value))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "default_topic_replications" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_7 := $tmp_tuple_5.T2 -}} +{{- if (and (not $ok_7) (ge ($values.statefulset.replicas | int) (3 | int))) -}} +{{- $script = (concat (default (list ) $script) (list "rpk cluster config set default_topic_replications 3")) -}} +{{- end -}} +{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "storage_min_free_bytes" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_8 := $tmp_tuple_6.T2 -}} +{{- if (not $ok_8) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set storage_min_free_bytes %d" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64)))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}} +{{- $service := $values.listeners.admin -}} +{{- $caCert := "" -}} +{{- $scheme := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $service.tls $values.tls) ))) "r") -}} +{{- $scheme = "https" -}} +{{- $caCert = (printf "--cacert %q" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $service.tls $values.tls) ))) "r")) -}} +{{- end -}} +{{- $url := (printf "%s://%s:%d/v1/debug/restart_service?service=schema-registry" $scheme (get (fromJson (include 
"redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") (($service.port | int) | int64)) -}} +{{- $script = (concat (default (list ) $script) (list `if [ -d "/etc/secrets/users/" ]; then` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` ` curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \` (printf ` %s \` $caCert) ` -X PUT -u ${USER_NAME}:${PASSWORD} \` (printf ` %s || true` $url) `fi`)) -}} +{{- end -}} +{{- $script = (concat (default (list ) $script) (list "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (join "\n" $script)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_rbac.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_rbac.go.tpl new file mode 100644 index 0000000000..162092626d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_rbac.go.tpl 
@@ -0,0 +1,116 @@ +{{- /* Generated from "rbac.go" */ -}} + +{{- define "redpanda.ClusterRoles" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $crs := (coalesce nil) -}} +{{- $cr_1 := (get (fromJson (include "redpanda.SidecarControllersClusterRole" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $cr_1) "null") -}} +{{- $crs = (concat (default (list ) $crs) (list $cr_1)) -}} +{{- end -}} +{{- if (not $values.rbac.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $crs = (concat (default (list ) $crs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list") ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) 
) (dict "apiGroups" (list "") "resources" (list "configmaps" "endpoints" "events" "limitranges" "persistentvolumeclaims" "pods" "pods/log" "replicationcontrollers" "resourcequotas" "serviceaccounts" "services") "verbs" (list "get" "list") ))) ))))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterRoleBindings" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $crbs := (coalesce nil) -}} +{{- $crb_2 := (get (fromJson (include "redpanda.SidecarControllersClusterRoleBinding" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $crb_2) "null") -}} +{{- $crbs = (concat (default (list ) $crbs) (list $crb_2)) -}} +{{- end -}} +{{- if (not $values.rbac.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crbs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $crbs = (concat (default (list ) $crbs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" 
"ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $rpkBundleName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crbs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" 
(mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumes") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict 
"kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "Role" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets/status") "verbs" (list "patch" "update") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "secrets" "pods") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets") "verbs" (list "get" "patch" "update" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumeclaims") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) 
))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "RoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "Role" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_secrets.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_secrets.go.tpl new file mode 100644 index 0000000000..09d04155ed --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_secrets.go.tpl 
@@ -0,0 +1,419 @@ +{{- /* Generated from "secrets.go" */ -}} + +{{- define "redpanda.Secrets" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $secrets := (coalesce nil) -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretSTSLifecycle" (dict "a" (list $dot) ))) "r"))) -}} +{{- $saslUsers_1 := (get (fromJson (include "redpanda.SecretSASLUsers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $saslUsers_1) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $saslUsers_1)) -}} +{{- end -}} +{{- $configWatcher_2 := (get (fromJson (include "redpanda.SecretConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $configWatcher_2) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $configWatcher_2)) -}} +{{- end -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $fsValidator_3 := (get (fromJson (include "redpanda.SecretFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $fsValidator_3) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $fsValidator_3)) -}} +{{- end -}} +{{- $bootstrapUser_4 := (get (fromJson (include "redpanda.SecretBootstrapUser" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $bootstrapUser_4) "null") -}} +{{- $secrets = (concat (default (list ) $secrets) (list $bootstrapUser_4)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secrets) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSTSLifecycle" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict 
"metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-sts-lifecycle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $adminCurlFlags := (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $secret.stringData "common.sh" (join "\n" (list `#!/usr/bin/env bash` `` `# the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME` (printf `CURL_URL="%s"` (get (fromJson (include "redpanda.adminInternalURL" (dict "a" (list $dot) ))) "r")) `` `# commands used throughout` (printf `CURL_NODE_ID_CMD="curl --silent --fail %s ${CURL_URL}/v1/node_config"` $adminCurlFlags) `` `CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"'` `CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"'` (printf `CURL_MAINTENANCE_GET_CMD="curl -X GET --silent %s ${CURL_URL}/v1/maintenance"` $adminCurlFlags)))) -}} +{{- $postStartSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `postStartHook () {` ` set -x` `` ` touch /tmp/postStartHookStarted` `` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Clearing maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` # a 400 here would mean not in maintenance mode` 
` until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do` ` status=$(${CURL_MAINTENANCE_DELETE_CMD})` ` sleep 0.5` ` done` `` ` touch /tmp/postStartHookFinished` `}` `` `postStartHook` `true`) -}} +{{- $_ := (set $secret.stringData "postStart.sh" (join "\n" $postStartSh)) -}} +{{- $preStopSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `touch /tmp/preStopHookStarted` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `set -x` `` `preStopHook () {` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Setting maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` until [ "${status:-}" = '"200"' ]; do` ` status=$(${CURL_MAINTENANCE_PUT_CMD})` ` sleep 0.5` ` done` `` ` until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do` ` res=$(${CURL_MAINTENANCE_GET_CMD})` ` finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$')` ` draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$')` ` sleep 0.5` ` done` `` ` touch /tmp/preStopHookFinished` `}`) -}} +{{- if (and (gt ($values.statefulset.replicas | int) (2 | int)) (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig "recovery_mode_enabled" false $values.config.node)) ))) "r"))) -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `preStopHook`)) -}} +{{- else -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `touch /tmp/preStopHookFinished` `echo "Not enough replicas or in recovery mode, cannot put a broker into maintenance mode."`)) -}} +{{- end -}} 
+{{- $preStopSh = (concat (default (list ) $preStopSh) (list `true`)) -}} +{{- $_ := (set $secret.stringData "preStop.sh" (join "\n" $preStopSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSASLUsers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (and (ne $values.auth.sasl.secretRef "") $values.auth.sasl.enabled) (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.auth.sasl.users) ))) "r") | int) (0 | int))) -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $values.auth.sasl.secretRef "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $usersTxt := (list ) -}} +{{- range $_, $user := $values.auth.sasl.users -}} +{{- if (empty $user.mechanism) -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s" $user.name $user.password))) -}} +{{- else -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s:%s" $user.name $user.password $user.mechanism))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $secret.stringData "users.txt" (join "\n" $usersTxt)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- else -}}{{- if (and $values.auth.sasl.enabled (eq $values.auth.sasl.secretRef "")) -}} +{{- $_ := (fail "auth.sasl.secretRef cannot be empty when auth.sasl.enabled=true") -}} +{{- else -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end 
-}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretBootstrapUser" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.auth.sasl.enabled) (ne (toJson $values.auth.sasl.bootstrapUser.secretKeyRef) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $secretName := (printf "%s-bootstrap-user" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $_214_existing_5_ok_6 := (get (fromJson (include "_shims.lookup" (dict "a" (list "v1" "Secret" $dot.Release.Namespace $secretName) ))) "r") -}} +{{- $existing_5 := (index $_214_existing_5_ok_6 0) -}} +{{- $ok_6 := (index $_214_existing_5_ok_6 1) -}} +{{- if $ok_6 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_5) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $password := (randAlphaNum (32 | int)) -}} +{{- $userPassword := $values.auth.sasl.bootstrapUser.password -}} +{{- if (ne (toJson $userPassword) "null") -}} +{{- $password = $userPassword -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $secretName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "password" $password ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- $_is_returning 
= true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $bootstrapUser := (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $values.auth.sasl.bootstrapUser) ))) "r") -}} +{{- $sasl := $values.auth.sasl -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-config-watcher" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $saslUserSh := (coalesce nil) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `#!/usr/bin/env bash` `` `trap 'error_handler $? $LINENO' ERR` `` `error_handler() {` ` echo "Error: ($1) occurred at line $2"` `}` `` `set -e` `` `# rpk cluster health can exit non-zero if it's unable to dial brokers. This` `# can happen for many reasons but we never want this script to crash as it` `# would take down yet another broker and make a bad situation worse.` `# Instead, just wait for the command to eventually exit zero.` `echo "Waiting for cluster to be ready"` `until rpk cluster health --watch --exit-when-healthy; do` ` echo "rpk cluster health failed. 
Waiting 5 seconds before trying again..."` ` sleep 5` `done`)) -}} +{{- if (and $sasl.enabled (ne $sasl.secretRef "")) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `while true; do` ` echo "RUNNING: Monitoring and Updating SASL users"` ` USERS_DIR="/etc/secrets/users"` `` ` new_users_list(){` ` LIST=$1` ` NEW_USER=$2` ` if [[ -n "${LIST}" ]]; then` ` LIST="${NEW_USER},${LIST}"` ` else` ` LIST="${NEW_USER}"` ` fi` `` ` echo "${LIST}"` ` }` `` ` process_users() {` ` USERS_DIR=${1-"/etc/secrets/users"}` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` (printf ` USERS_LIST="%s"` $bootstrapUser) ` READ_LIST_SUCCESS=0` ` # Read line by line, handle a missing EOL at the end of file` ` while read p || [ -n "$p" ] ; do` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM <<< $p` ` # Do not process empty lines` ` if [ -z "$USER_NAME" ]; then` ` continue` ` fi` ` if [[ "${USER_NAME// /}" != "$USER_NAME" ]]; then` ` continue` ` fi` ` echo "Creating user ${USER_NAME}..."` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` creation_result=$(rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` # Check if the stderr contains "User already exists"` ` # this error occurs when password has changed` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Update user ${USER_NAME}"` ` # we will try to update by first deleting` ` deletion_result=$(rpk acl user delete ${USER_NAME} 2>&1) && deletion_result_exit_code=$? 
|| deletion_result_exit_code=$?` ` if [[ $deletion_result_exit_code -ne 0 ]]; then` ` echo "deletion of user ${USER_NAME} failed: ${deletion_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # Now we update the user` ` update_result=$(rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM} 2>&1) && update_result_exit_code=$? || update_result_exit_code=$? # On a non-success exit code` ` if [[ $update_result_exit_code -ne 0 ]]; then` ` echo "updating user ${USER_NAME} failed: ${update_result}"` ` READ_LIST_SUCCESS=1` ` break` ` else` ` echo "Updated user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` else` ` # Another error occurred, so output the original message and exit code` ` echo "error creating user ${USER_NAME}: ${creation_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # On a success, the user was created so output that` ` else` ` echo "Created user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` done < $USERS_FILE` `` ` if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]; then` ` echo "Setting superusers configurations with users [${USERS_LIST}]"` ` superuser_result=$(rpk cluster config set superusers [${USERS_LIST}] 2>&1) && superuser_result_exit_code=$? || superuser_result_exit_code=$?` ` if [[ $superuser_result_exit_code -ne 0 ]]; then` ` echo "Setting superusers configurations failed: ${superuser_result}"` ` else` ` echo "Completed setting superusers configurations"` ` fi` ` fi` ` }` `` ` # before we do anything ensure we have the bootstrap user` ` echo "Ensuring bootstrap user ${RPK_USER}..."` ` creation_result=$(rpk acl user create ${RPK_USER} -p ${RPK_PASS} --mechanism ${RPK_SASL_MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? 
# On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Bootstrap user already created"` ` else` ` echo "error creating user ${RPK_USER}: ${creation_result}"` ` fi` ` fi` `` ` # first time processing` ` process_users $USERS_DIR` `` ` # subsequent changes detected here` ` # watching delete_self as documented in https://ahmet.im/blog/kubernetes-inotify/` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` ` while RES=$(inotifywait -q -e delete_self ${USERS_FILE}); do` ` process_users $USERS_DIR` ` done` `done`)) -}} +{{- else -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `echo "Nothing to do. Sleeping..."` `sleep infinity`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "sasl-user.sh" (join "\n" $saslUserSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%.49s-fs-validator" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $_ := (set $secret.stringData "fsValidator.sh" `set -e +EXPECTED_FS_TYPE=$1 + +DATA_DIR="/var/lib/redpanda/data" +TEST_FILE="testfile" + +echo "checking data 
directory exist..." +if [ ! -d "${DATA_DIR}" ]; then + echo "data directory does not exists, exiting" + exit 1 +fi + +echo "checking filesystem type..." +FS_TYPE=$(df -T $DATA_DIR | tail -n +2 | awk '{print $2}') + +if [ "${FS_TYPE}" != "${EXPECTED_FS_TYPE}" ]; then + echo "file system found to be ${FS_TYPE} when expected ${EXPECTED_FS_TYPE}" + exit 1 +fi + +echo "checking if able to create a test file..." + +touch ${DATA_DIR}/${TEST_FILE} +result=$(touch ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not write testfile, may not have write permission" + exit 1 +fi + +echo "checking if able to delete a test file..." + +result=$(rm ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not delete testfile" + exit 1 +fi + +echo "passed"`) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%.51s-configurator" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $configuratorSh := (list ) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `set -xe` `SERVICE_NAME=$1` `KUBERNETES_NODE_NAME=$2` `POD_ORDINAL=${SERVICE_NAME##*-}` "BROKER_INDEX=`expr $POD_ORDINAL + 1`" `` `CONFIG=/etc/redpanda/redpanda.yaml` `` `# Setup config files` `cp /tmp/base-config/redpanda.yaml 
"${CONFIG}"`)) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure bootstrap` `## Not used for Redpanda v22.3.0+` `rpk --config "${CONFIG}" redpanda config set redpanda.node_id "${POD_ORDINAL}"` `if [ "${POD_ORDINAL}" = "0" ]; then` ` rpk --config "${CONFIG}" redpanda config set redpanda.seed_servers '[]' --format yaml` `fi`)) -}} +{{- end -}} +{{- $kafkaSnippet := (get (fromJson (include "redpanda.secretConfiguratorKafkaConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $kafkaSnippet)) -}} +{{- $httpSnippet := (get (fromJson (include "redpanda.secretConfiguratorHTTPConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $httpSnippet)) -}} +{{- if (and (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r") $values.rackAwareness.enabled) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure Rack Awareness` `set +x` (printf `RACK=$(curl --silent --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --fail -H 'Authorization: Bearer '$(cat /run/secrets/kubernetes.io/serviceaccount/token) "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/nodes/${KUBERNETES_NODE_NAME}?pretty=true" | grep %s | grep -v '\"key\":' | sed 's/.*": "\([^"]\+\).*/\1/')` (squote (quote $values.rackAwareness.nodeAnnotation))) `set -x` `rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}"`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "configurator.sh" (join "\n" $configuratorSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorKafkaConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ 
:= (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "kafka" -}} +{{- $listenerAdvertisedName := $listenerName -}} +{{- $redpandaConfigPart := "redpanda" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.kafka.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.kafka.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := $values.listeners.kafka.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" 
(dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorHTTPConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "http" -}} +{{- $listenerAdvertisedName := "pandaproxy" -}} +{{- $redpandaConfigPart := "pandaproxy" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.http.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.http.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := 
$values.listeners.http.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminTLSCurlFlags" -}} +{{- 
$dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- if $values.listeners.admin.tls.requireClientAuth -}} +{{- $path := (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $path := (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "--cacert %s" $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.externalAdvertiseAddress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $eaa := "${SERVICE_NAME}" -}} +{{- $externalDomainTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- $expanded := (tpl $externalDomainTemplate $dot) -}} +{{- if (not (empty $expanded)) -}} +{{- $eaa = (printf "%s.%s" "${SERVICE_NAME}" $expanded) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $eaa) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHostJSON" -}} +{{- $dot := (index .a 0) -}} +{{- $externalName := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- $replicaIndex := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $host := (dict "name" $externalName "address" (get (fromJson (include 
"redpanda.externalAdvertiseAddress" (dict "a" (list $dot) ))) "r") "port" $port ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $address := "" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses $replicaIndex) -}} +{{- else -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- end -}} +{{- $domain_7 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- if (ne $domain_7 "") -}} +{{- $host = (dict "name" $externalName "address" (printf "%s.%s" $address (tpl $domain_7 $dot)) "port" $port ) -}} +{{- else -}} +{{- $host = (dict "name" $externalName "address" $address "port" $port ) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $host) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalHTTPProtocol" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" "https") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "http") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalURL" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s://%s.%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") `${SERVICE_NAME}` (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") 
$dot.Release.Namespace (trimSuffix "." $values.clusterDomain) ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_service.internal.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_service.internal.go.tpl new file mode 100644 index 0000000000..0719ec5fa3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_service.internal.go.tpl 
@@ -0,0 +1,38 @@ +{{- /* Generated from "service_internal.go" */ -}} + +{{- define "redpanda.MonitoringEnabledLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "monitoring.redpanda.com/enabled" (printf "%t" $values.monitoring.enabled) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceInternal" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list ) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "admin" "protocol" "TCP" "appProtocol" $values.listeners.admin.appProtocol "port" ($values.listeners.admin.port | int) "targetPort" ($values.listeners.admin.port | int) )))) -}} +{{- if $values.listeners.http.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "protocol" "TCP" "port" ($values.listeners.http.port | int) "targetPort" ($values.listeners.http.port | int) )))) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "kafka" "protocol" "TCP" "port" ($values.listeners.kafka.port | int) "targetPort" ($values.listeners.kafka.port | int) )))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rpc" "protocol" "TCP" "port" ($values.listeners.rpc.port | int) "targetPort" ($values.listeners.rpc.port | int) )))) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "schemaregistry" "protocol" "TCP" "port" ($values.listeners.schemaRegistry.port | int) "targetPort" 
($values.listeners.schemaRegistry.port | int) )))) -}} +{{- end -}} +{{- $annotations := (dict ) -}} +{{- if (ne (toJson $values.service) "null") -}} +{{- $annotations = $values.service.internal.annotations -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.MonitoringEnabledLabel" (dict "a" (list $dot) ))) "r")) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" "ClusterIP" "publishNotReadyAddresses" true "clusterIP" "None" "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "ports" $ports )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_service.loadbalancer.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_service.loadbalancer.go.tpl new file mode 100644 index 0000000000..bb34c583ed --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_service.loadbalancer.go.tpl 
@@ -0,0 +1,105 @@ +{{- /* Generated from "service.loadbalancer.go" */ -}} + +{{- define "redpanda.LoadBalancerServices" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "LoadBalancer") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $externalDNS := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.externalDns (mustMergeOverwrite (dict "enabled" false ) (dict ))) ))) "r") -}} +{{- $labels := (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $labels "repdanda.com/type" "loadbalancer") -}} +{{- $selector := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $services := (coalesce nil) -}} +{{- $replicas := ($values.statefulset.replicas | int) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $podname := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i) -}} +{{- $annotations := (dict ) -}} +{{- range $k, $v := $values.external.annotations -}} +{{- $_ := (set $annotations $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if $externalDNS.enabled -}} +{{- $prefix := $podname -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $prefix = (index $values.external.addresses (0 | int)) -}} +{{- else -}} +{{- $prefix = (index 
$values.external.addresses $i) -}} +{{- end -}} +{{- end -}} +{{- $address := (printf "%s.%s" $prefix (tpl $values.external.domain $dot)) -}} +{{- $_ := (set $annotations "external-dns.alpha.kubernetes.io/hostname" $address) -}} +{{- end -}} +{{- $podSelector := (dict ) -}} +{{- range $k, $v := $selector -}} +{{- $_ := (set $podSelector $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $podSelector "statefulset.kubernetes.io/pod-name" $podname) -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($values.listeners.admin.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if 
$_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $svc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "lb-%s" $podname) "namespace" $dot.Release.Namespace "labels" $labels "annotations" $annotations )) "spec" 
(mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "loadBalancerSourceRanges" $values.external.sourceRanges "ports" $ports "publishNotReadyAddresses" true "selector" $podSelector "sessionAffinity" "None" "type" "LoadBalancer" )) )) -}} +{{- $services = (concat (default (list ) $services) (list $svc)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $services) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_service.nodeport.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_service.nodeport.go.tpl new file mode 100644 index 0000000000..bc199951d7 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_service.nodeport.go.tpl 
@@ -0,0 +1,80 @@ +{{- /* Generated from "service.nodeport.go" */ -}} + +{{- define "redpanda.NodePortService" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "NodePort") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "port" 
($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $annotations := $values.external.annotations -}} +{{- if (eq (toJson $annotations) "null") -}} +{{- $annotations = (dict ) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict 
"apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-external" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "ports" $ports "publishNotReadyAddresses" true "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "NodePort" )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_serviceaccount.go.tpl new file mode 100644 index 0000000000..82ec5be757 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_serviceaccount.go.tpl 
@@ -0,0 +1,18 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "redpanda.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_servicemonitor.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_servicemonitor.go.tpl new file mode 100644 index 0000000000..7f5a621309 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_servicemonitor.go.tpl 
@@ -0,0 +1,26 @@ +{{- /* Generated from "servicemonitor.go" */ -}} + +{{- define "redpanda.ServiceMonitor" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.monitoring.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $endpoint := (mustMergeOverwrite (dict ) (dict "interval" $values.monitoring.scrapeInterval "path" "/public_metrics" "port" "admin" "enableHttp2" $values.monitoring.enableHttp2 "scheme" "http" )) -}} +{{- if (or (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") (ne (toJson $values.monitoring.tlsConfig) "null")) -}} +{{- $_ := (set $endpoint "scheme" "https") -}} +{{- $_ := (set $endpoint "tlsConfig" $values.monitoring.tlsConfig) -}} +{{- if (eq (toJson $endpoint.tlsConfig) "null") -}} +{{- $_ := (set $endpoint "tlsConfig" (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (dict "insecureSkipVerify" true )) (dict ))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "ServiceMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $values.monitoring.labels) )) "spec" (mustMergeOverwrite (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "endpoints" (list $endpoint) "selector" 
(mustMergeOverwrite (dict ) (dict "matchLabels" (dict "monitoring.redpanda.com/enabled" "true" "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name ) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.18/templates/_shims.tpl new file mode 100644 index 0000000000..7fdd55a9e5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_shims.tpl 
@@ -0,0 +1,338 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $ptr) "null") -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $m) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len 
$m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $ptr) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq (toJson $a) "null") (eq (toJson $b) "null")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.get" -}} +{{- $dict := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (hasKey $dict $key)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (get $dict $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- 
$_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" 
(list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $_184_scale_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (float64 0)) ))) "r") -}} +{{- $scale := ((index $_184_scale_ok 0) | float64) -}} +{{- $ok := (index $_184_scale_ok 1) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_207_numeric_scale := (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r") -}} +{{- $numeric := ((index $_207_numeric_scale 0) | float64) -}} +{{- $scale := ((index $_207_numeric_scale 1) | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_234_numeric_scale := (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r") -}} +{{- $numeric := ((index $_234_numeric_scale 0) | float64) -}} +{{- $scale := ((index $_234_numeric_scale 1) | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_239_numeric_scale := (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r") -}} +{{- $numeric := ((index $_239_numeric_scale 0) | float64) -}} +{{- $scale := ((index $_239_numeric_scale 1) | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.time_ParseDuration" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $unitMap := (dict "s" ((1000000000 | int64) | int64) "m" ((60000000000 | int64) | int64) "h" ((3600000000000 | int64) | int64) ) -}} +{{- $original := $repr -}} +{{- $value := ((0 | int64) | int64) -}} +{{- if (eq $repr "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- if (eq $repr "0") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $_, $_ := (list (0 | int) (0 | int) (0 | int)) -}} +{{- if (eq $repr "") -}} +{{- break -}} +{{- end -}} +{{- $n := (regexFind `^\d+` $repr) -}} +{{- if (eq $n "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- $repr = (substr ((get (fromJson (include "_shims.len" (dict "a" (list $n) ))) "r") | int) -1 $repr) 
-}} +{{- $unit := (regexFind `^(h|m|s)` $repr) -}} +{{- if (eq $unit "") -}} +{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}} +{{- end -}} +{{- $repr = (substr ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int) -1 $repr) -}} +{{- $value = ((add $value (((mul (int64 $n) (ternary (index $unitMap $unit) 0 (hasKey $unitMap $unit))) | int64))) | int64) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.time_Duration_String" -}} +{{- $dur := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (duration ((div $dur ((1000000000 | int64) | int64)) | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne (toJson $manifest) "null" }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.18/templates/_statefulset.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_statefulset.go.tpl new file mode 100644 index 0000000000..4756b38678 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_statefulset.go.tpl 
@@ -0,0 +1,777 @@ +{{- /* Generated from "statefulset.go" */ -}} + +{{- define "redpanda.statefulSetRedpandaEnv" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "POD_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.podIP" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.hostIP" )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodLabelsSelector" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $_90_existing_1_ok_2 := (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r") -}} +{{- $existing_1 := (index $_90_existing_1_ok_2 0) -}} +{{- $ok_2 := (index $_90_existing_1_ok_2 1) -}} +{{- if (and $ok_2 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_1.spec.selector.matchLabels) ))) "r") | int) (0 | int))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_1.spec.selector.matchLabels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $additionalSelectorLabels := (dict ) -}} +{{- if (ne (toJson $values.statefulset.additionalSelectorLabels) "null") -}} +{{- $additionalSelectorLabels = $values.statefulset.additionalSelectorLabels -}} +{{- end -}} +{{- $component := (printf 
"%s-statefulset" (trimSuffix "-" (trunc (51 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")))) -}} +{{- $defaults := (dict "app.kubernetes.io/component" $component "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $additionalSelectorLabels $defaults)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $_121_existing_3_ok_4 := (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r") -}} +{{- $existing_3 := (index $_121_existing_3_ok_4 0) -}} +{{- $ok_4 := (index $_121_existing_3_ok_4 1) -}} +{{- if (and $ok_4 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_3.spec.template.metadata.labels) ))) "r") | int) (0 | int))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_3.spec.template.metadata.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $statefulSetLabels := (dict ) -}} +{{- if (ne (toJson $values.statefulset.podTemplate.labels) "null") -}} +{{- $statefulSetLabels = $values.statefulset.podTemplate.labels -}} +{{- end -}} +{{- $defaults := (dict "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $statefulSetLabels (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") $defaults (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.StatefulSetPodAnnotations" -}} +{{- $dot := (index .a 0) -}} +{{- $configMapChecksum := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $configMapChecksumAnnotation := (dict "config.redpanda.com/checksum" $configMapChecksum ) -}} +{{- if (ne (toJson $values.statefulset.podTemplate.annotations) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.statefulset.podTemplate.annotations $configMapChecksumAnnotation)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.statefulset.annotations $configMapChecksumAnnotation)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $volumes := (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.50s-sts-lifecycle" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" "lifecycle-scripts" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $fullname )) (dict )) )) (dict "name" "base-config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.51s-configurator" $fullname) "defaultMode" (0o775 | int) )) )) 
(dict "name" (printf "%.51s-configurator" $fullname) )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%s-config-watcher" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%s-config-watcher" $fullname) ))))) -}} +{{- if $values.statefulset.initContainers.fsValidator.enabled -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.49s-fs-validator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.49s-fs-validator" $fullname) )))) -}} +{{- end -}} +{{- $vol_5 := (get (fromJson (include "redpanda.Listeners.TrustStoreVolume" (dict "a" (list $values.listeners $values.tls) ))) "r") -}} +{{- if (ne (toJson $vol_5) "null") -}} +{{- $volumes = (concat (default (list ) $volumes) (list $vol_5)) -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (get (fromJson (include "redpanda.templateToVolumes" (dict "a" (list $dot $values.statefulset.extraVolumes) ))) "r"))) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (get (fromJson (include "redpanda.statefulSetVolumeDataDir" (dict "a" (list $dot) ))) "r"))) -}} +{{- $v_6 := (get (fromJson (include "redpanda.statefulSetVolumeTieredStorageDir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $v_6) "null") -}} +{{- $volumes = (concat (default (list ) $volumes) (list $v_6)) -}} +{{- end -}} +{{- if (and (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r")) ((or ((and (and $values.rbac.enabled $values.statefulset.sideCars.controllers.enabled) $values.statefulset.sideCars.controllers.createRBAC)) $values.rackAwareness.enabled))) -}} +{{- $foundK8STokenVolume := false -}} +{{- range $_, $v := $volumes -}} +{{- if (hasPrefix $v.name (printf "%s%s" 
"kube-api-access" "-")) -}} +{{- $foundK8STokenVolume = true -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (not $foundK8STokenVolume) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (get (fromJson (include "redpanda.kubeTokenAPIVolume" (dict "a" (list "kube-api-access") ))) "r"))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.kubeTokenAPIVolume" -}} +{{- $name := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "projected" (mustMergeOverwrite (dict "sources" (coalesce nil) ) (dict "defaultMode" (420 | int) "sources" (list (mustMergeOverwrite (dict ) (dict "serviceAccountToken" (mustMergeOverwrite (dict "path" "" ) (dict "path" "token" "expirationSeconds" ((3607 | int) | int64) )) )) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" "kube-root-ca.crt" )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" "ca.crt" "path" "ca.crt" ))) )) )) (mustMergeOverwrite (dict ) (dict "downwardAPI" (mustMergeOverwrite (dict ) (dict "items" (list (mustMergeOverwrite (dict "path" "" ) (dict "path" "namespace" "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "apiVersion" "v1" "fieldPath" "metadata.namespace" )) ))) )) ))) )) )) (dict "name" $name ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetVolumeDataDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $datadirSource := (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) -}} +{{- if $values.storage.persistentVolume.enabled -}} +{{- 
$datadirSource = (mustMergeOverwrite (dict ) (dict "persistentVolumeClaim" (mustMergeOverwrite (dict "claimName" "" ) (dict "claimName" "datadir" )) )) -}} +{{- else -}}{{- if (ne $values.storage.hostPath "") -}} +{{- $datadirSource = (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" $values.storage.hostPath )) )) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) $datadirSource (dict "name" "datadir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetVolumeTieredStorageDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredType := (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") -}} +{{- if (or (eq $tieredType "none") (eq $tieredType "persistentVolume")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq $tieredType "hostPath") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" (get (fromJson (include "redpanda.Storage.GetTieredStorageHostPath" (dict "a" (list $values.storage) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict "sizeLimit" (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy (get 
(fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r"))) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "lifecycle-scripts" "mountPath" "/var/lifecycle" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" ))))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $values.listeners $values.tls) ))) "r")) ))) "r") | int) (0 | int)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststores" "mountPath" "/etc/truststores" "readOnly" true )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetInitContainers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $containers := (coalesce nil) -}} +{{- $c_7 := (get (fromJson (include "redpanda.statefulSetInitContainerTuning" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_7) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_7)) 
-}} +{{- end -}} +{{- $c_8 := (get (fromJson (include "redpanda.statefulSetInitContainerSetDataDirOwnership" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_8) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_8)) -}} +{{- end -}} +{{- $c_9 := (get (fromJson (include "redpanda.statefulSetInitContainerFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_9) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_9)) -}} +{{- end -}} +{{- $c_10 := (get (fromJson (include "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_10) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_10)) -}} +{{- end -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetInitContainerConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.bootstrapYamlTemplater" (dict "a" (list $dot) ))) "r"))) -}} +{{- $containers = (concat (default (list ) $containers) (default (list ) (get (fromJson (include "redpanda.templateToContainers" (dict "a" (list $dot $values.statefulset.initContainers.extraInitContainers) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $containers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerTuning" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.tuning.tune_aio_events) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "tuning" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include 
"redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict ) (dict "capabilities" (mustMergeOverwrite (dict ) (dict "add" (list `SYS_RESOURCE`) )) "privileged" true "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64) )) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.tuning.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/etc/redpanda" )))) "resources" $values.statefulset.initContainers.tuning.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerSetDataDirOwnership" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.setDataDirOwnership.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_457_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-datadir-ownership") ))) "r") -}} +{{- $uid := ((index $_457_uid_gid 0) | int64) -}} +{{- $gid := ((index $_457_uid_gid 1) | int64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "set-datadir-ownership" "image" (printf "%s:%s" $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `chown %d:%d -R /var/lib/redpanda/data` $uid $gid)) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) 
"r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setDataDirOwnership.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.setDataDirOwnership.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.securityContextUidGid" -}} +{{- $dot := (index .a 0) -}} +{{- $containerName := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $uid := $values.statefulset.securityContext.runAsUser -}} +{{- if (and (ne (toJson $values.statefulset.podSecurityContext) "null") (ne (toJson $values.statefulset.podSecurityContext.runAsUser) "null")) -}} +{{- $uid = $values.statefulset.podSecurityContext.runAsUser -}} +{{- end -}} +{{- if (eq (toJson $uid) "null") -}} +{{- $_ := (fail (printf `%s container requires runAsUser to be specified` $containerName)) -}} +{{- end -}} +{{- $gid := $values.statefulset.securityContext.fsGroup -}} +{{- if (and (ne (toJson $values.statefulset.podSecurityContext) "null") (ne (toJson $values.statefulset.podSecurityContext.fsGroup) "null")) -}} +{{- $gid = $values.statefulset.podSecurityContext.fsGroup -}} +{{- end -}} +{{- if (eq (toJson $gid) "null") -}} +{{- $_ := (fail (printf `%s container requires fsGroup to be specified` $containerName)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $uid $gid)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- 
break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "fs-validator" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` (printf `trap "exit 0" TERM; exec /etc/secrets/fs-validator/scripts/fsValidator.sh %s & wait $!` $values.statefulset.initContainers.fsValidator.expectedFS)) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.fsValidator.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.49s-fs-validator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" `/etc/secrets/fs-validator/scripts/` )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.fsValidator.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_538_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-tiered-storage-cache-dir-ownership") ))) "r") -}} +{{- $uid := 
((index $_538_uid_gid 0) | int64) -}} +{{- $gid := ((index $_538_uid_gid 1) | int64) -}} +{{- $cacheDir := (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" )))) -}} +{{- if (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none") -}} +{{- $name := "tiered-storage-dir" -}} +{{- if (and (ne (toJson $values.storage.persistentVolume) "null") (ne $values.storage.persistentVolume.nameOverwrite "")) -}} +{{- $name = $values.storage.persistentVolume.nameOverwrite -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" $cacheDir )))) -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" `set-tiered-storage-cache-dir-ownership` "image" (printf `%s:%s` $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `mkdir -p %s; chown %d:%d -R %s` $cacheDir $uid $gid $cacheDir)) "volumeMounts" $mounts "resources" $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} 
+{{- $values := $dot.Values.AsMap -}} +{{- $volMounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $volMounts = (concat (default (list ) $volMounts) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.configurator.extraVolumeMounts) ))) "r"))) -}} +{{- $volMounts = (concat (default (list ) $volMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/configurator/scripts/" )))) -}} +{{- if (and (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r")) $values.rackAwareness.enabled) -}} +{{- $mountName := "kube-api-access" -}} +{{- range $_, $vol := (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") -}} +{{- if (hasPrefix $vol.name (printf "%s%s" "kube-api-access" "-")) -}} +{{- $mountName = $vol.name -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $volMounts = (concat (default (list ) $volMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mountName "readOnly" true "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list 
`/bin/bash` `-c` `trap "exit 0" TERM; exec $CONFIGURATOR_SCRIPT "${SERVICE_NAME}" "${KUBERNETES_NODE_NAME}" & wait $!`) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONFIGURATOR_SCRIPT" "value" "/etc/secrets/configurator/scripts/configurator.sh" )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) "resourceFieldRef" (coalesce nil) "configMapKeyRef" (coalesce nil) "secretKeyRef" (coalesce nil) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "KUBERNETES_NODE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "spec.nodeName" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP_ADDRESS" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "apiVersion" "v1" "fieldPath" "status.hostIP" )) )) )))) ))) "r") "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" $volMounts "resources" $values.statefulset.initContainers.configurator.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetContainers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $containers := (coalesce nil) -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetContainerRedpanda" (dict "a" (list $dot) ))) "r"))) -}} +{{- $c_11 := (get (fromJson (include "redpanda.statefulSetContainerConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_11) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_11)) -}} +{{- end -}} +{{- $c_12 := (get (fromJson (include 
"redpanda.statefulSetContainerControllers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $c_12) "null") -}} +{{- $containers = (concat (default (list ) $containers) (list $c_12)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $containers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.wrapLifecycleHook" -}} +{{- $hook := (index .a 0) -}} +{{- $timeoutSeconds := (index .a 1) -}} +{{- $cmd := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $wrapped := (join " " $cmd) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list "bash" "-c" (printf "timeout -v %d %s 2>&1 | sed \"s/^/lifecycle-hook %s $(date): /\" | tee /proc/1/fd/1; true" $timeoutSeconds $wrapped $hook))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerRedpanda" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "$(SERVICE_NAME)" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $container := (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.bootstrapEnvVars" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetRedpandaEnv" (dict "a" (list ) ))) "r")) ))) "r") "lifecycle" (mustMergeOverwrite (dict ) (dict "postStart" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (get (fromJson (include "redpanda.wrapLifecycleHook" (dict "a" (list "post-start" ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64) (list "bash" "-x" "/var/lifecycle/postStart.sh")) ))) "r") )) )) 
"preStop" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (get (fromJson (include "redpanda.wrapLifecycleHook" (dict "a" (list "pre-stop" ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64) (list "bash" "-x" "/var/lifecycle/preStop.sh")) ))) "r") )) )) )) "startupProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -e` (printf `RESULT=$(curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready")` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r")) `echo $RESULT` `echo $RESULT | grep ready` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.startupProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.startupProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.startupProbe.failureThreshold | int) )) "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (printf `curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready"` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r"))) )) )) (dict "initialDelaySeconds" ($values.statefulset.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.livenessProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.livenessProbe.failureThreshold | int) )) "command" (list `rpk` `redpanda` `start` (printf `--advertise-rpc-addr=%s:%d` $internalAdvertiseAddress ($values.listeners.rpc.port | int))) 
"volumeMounts" (concat (default (list ) (get (fromJson (include "redpanda.StatefulSetVolumeMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.extraVolumeMounts) ))) "r"))) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "resources" (mustMergeOverwrite (dict ) (dict )) )) -}} +{{- if (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig `recovery_mode_enabled` false $values.config.node)) ))) "r")) -}} +{{- $_ := (set $container "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -x` `RESULT=$(rpk cluster health)` `echo $RESULT` `echo $RESULT | grep 'Healthy:.*true'` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.statefulset.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.statefulset.readinessProbe.periodSeconds | int) "successThreshold" ($values.statefulset.readinessProbe.successThreshold | int) "failureThreshold" ($values.statefulset.readinessProbe.failureThreshold | int) ))) -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "admin" "containerPort" ($values.listeners.admin.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.admin.external -}} +{{- if (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "admin-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning 
-}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ($values.listeners.http.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.http.external -}} +{{- if (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "http-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "kafka" "containerPort" ($values.listeners.kafka.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.kafka.external -}} +{{- if (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "kafka-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "rpc" "containerPort" ($values.listeners.rpc.port | int) ))))) -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "schemaregistry" "containerPort" ($values.listeners.schemaRegistry.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.schemaRegistry.external -}} +{{- if (get 
(fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "schema-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none")) -}} +{{- $name := "tiered-storage-dir" -}} +{{- if (and (ne (toJson $values.storage.persistentVolume) "null") (ne $values.storage.persistentVolume.nameOverwrite "")) -}} +{{- $name = $values.storage.persistentVolume.nameOverwrite -}} +{{- end -}} +{{- $_ := (set $container "volumeMounts" (concat (default (list ) $container.volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") ))))) -}} +{{- end -}} +{{- $_ := (set $container.resources "limits" (dict "cpu" $values.resources.cpu.cores "memory" $values.resources.memory.container.max )) -}} +{{- if (ne (toJson $values.resources.memory.container.min) "null") -}} +{{- $_ := (set $container.resources "requests" (dict "cpu" $values.resources.cpu.cores "memory" $values.resources.memory.container.min )) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $container) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminApiURLs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `${SERVICE_NAME}.%s:%d` (get (fromJson (include 
"redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "config-watcher" "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` `trap "exit 0" TERM; exec /etc/secrets/config-watcher/scripts/sasl-user.sh & wait $!`) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (coalesce nil)) ))) "r") "resources" $values.statefulset.sideCars.configWatcher.resources "securityContext" $values.statefulset.sideCars.configWatcher.securityContext "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%s-config-watcher` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/config-watcher/scripts" ))))) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.sideCars.configWatcher.extraVolumeMounts) ))) "r"))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerControllers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := 
false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.rbac.enabled) (not $values.statefulset.sideCars.controllers.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $volumeMounts := (list ) -}} +{{- if (and (and (and $values.rbac.enabled $values.statefulset.sideCars.controllers.enabled) $values.statefulset.sideCars.controllers.createRBAC) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r"))) -}} +{{- $mountName := "kube-api-access" -}} +{{- range $_, $vol := (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") -}} +{{- if (hasPrefix $vol.name (printf "%s%s" "kube-api-access" "-")) -}} +{{- $mountName = $vol.name -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mountName "readOnly" true "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "redpanda-controllers" "image" (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) "command" (list `/manager`) "args" (list `--operator-mode=false` (printf `--namespace=%s` $dot.Release.Namespace) (printf `--health-probe-bind-address=%s` $values.statefulset.sideCars.controllers.healthProbeAddress) (printf `--metrics-bind-address=%s` $values.statefulset.sideCars.controllers.metricsAddress) (printf `--pprof-bind-address=%s` $values.statefulset.sideCars.controllers.pprofAddress) (printf `--additional-controllers=%s` (join "," $values.statefulset.sideCars.controllers.run))) "env" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" 
"REDPANDA_HELM_RELEASE_NAME" "value" $dot.Release.Name ))) "resources" $values.statefulset.sideCars.controllers.resources "securityContext" $values.statefulset.sideCars.controllers.securityContext "volumeMounts" $volumeMounts ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkEnvVars" -}} +{{- $dot := (index .a 0) -}} +{{- $envVars := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne (toJson $values.auth.sasl) "null") $values.auth.sasl.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $envVars) (default (list ) (get (fromJson (include "redpanda.BootstrapUser.RpkEnvironment" (dict "a" (list $values.auth.sasl.bootstrapUser (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envVars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.bootstrapEnvVars" -}} +{{- $dot := (index .a 0) -}} +{{- $envVars := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne (toJson $values.auth.sasl) "null") $values.auth.sasl.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $envVars) (default (list ) (get (fromJson (include "redpanda.BootstrapUser.BootstrapEnvironment" (dict "a" (list $values.auth.sasl.bootstrapUser (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envVars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- 
$_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToContainers" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSet" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list $dot) ))) "r")) (not $values.force)) -}} +{{- $sv := (get (fromJson (include "redpanda.semver" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (fail (printf "Error: The Redpanda version (%s) is no longer supported \nTo accept this risk, run the upgrade again adding `--force=true`\n" $sv)) -}} +{{- end -}} +{{- $ss := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) "status" (dict "replicas" 0 "availableReplicas" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "StatefulSet" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" 
$dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) "serviceName" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "replicas" ($values.statefulset.replicas | int) "updateStrategy" $values.statefulset.updateStrategy "podManagementPolicy" "Parallel" "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.statefulset.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "labels" (get (fromJson (include "redpanda.StatefulSetPodLabels" (dict "a" (list $dot) ))) "r") "annotations" (get (fromJson (include "redpanda.StatefulSetPodAnnotations" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetChecksumAnnotation" (dict "a" (list $dot) ))) "r")) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "automountServiceAccountToken" false "terminationGracePeriodSeconds" ($values.statefulset.terminationGracePeriodSeconds | int64) "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "initContainers" (get (fromJson (include "redpanda.StatefulSetInitContainers" (dict "a" (list $dot) ))) "r") "containers" (get (fromJson (include "redpanda.StatefulSetContainers" 
(dict "a" (list $dot) ))) "r") "volumes" (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") "topologySpreadConstraints" (get (fromJson (include "redpanda.statefulSetTopologySpreadConstraints" (dict "a" (list $dot) ))) "r") "nodeSelector" (get (fromJson (include "redpanda.statefulSetNodeSelectors" (dict "a" (list $dot) ))) "r") "affinity" (get (fromJson (include "redpanda.statefulSetAffinity" (dict "a" (list $dot) ))) "r") "priorityClassName" $values.statefulset.priorityClassName "tolerations" (get (fromJson (include "redpanda.statefulSetTolerations" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") "volumeClaimTemplates" (coalesce nil) )) )) -}} +{{- if (or $values.storage.persistentVolume.enabled ((and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (eq (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")))) -}} +{{- $t_13 := (get (fromJson (include "redpanda.volumeClaimTemplateDatadir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $t_13) "null") -}} +{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_13))) -}} +{{- end -}} +{{- $t_14 := (get (fromJson (include "redpanda.volumeClaimTemplateTieredStorageDir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne (toJson $t_14) "null") -}} +{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_14))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.semver" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} 
+ +{{- define "redpanda.statefulSetChecksumAnnotation" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $dependencies := (coalesce nil) -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot false) ))) "r"))) -}} +{{- if $values.external.enabled -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r"))) -}} +{{- if (empty $values.external.addresses) -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list "")) -}} +{{- else -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list $values.external.addresses)) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (sha256sum (toJson $dependencies))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetTolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default $values.tolerations $values.statefulset.tolerations)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetNodeSelectors" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default $values.statefulset.nodeSelector $values.nodeSelector)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $affinity := (mustMergeOverwrite (dict ) (dict )) -}} +{{- if (not (empty $values.statefulset.nodeAffinity)) -}} +{{- 
$_ := (set $affinity "nodeAffinity" $values.statefulset.nodeAffinity) -}} +{{- else -}}{{- if (not (empty $values.affinity.nodeAffinity)) -}} +{{- $_ := (set $affinity "nodeAffinity" $values.affinity.nodeAffinity) -}} +{{- end -}} +{{- end -}} +{{- if (not (empty $values.statefulset.podAffinity)) -}} +{{- $_ := (set $affinity "podAffinity" $values.statefulset.podAffinity) -}} +{{- else -}}{{- if (not (empty $values.affinity.podAffinity)) -}} +{{- $_ := (set $affinity "podAffinity" $values.affinity.podAffinity) -}} +{{- end -}} +{{- end -}} +{{- if (not (empty $values.statefulset.podAntiAffinity)) -}} +{{- $_ := (set $affinity "podAntiAffinity" (mustMergeOverwrite (dict ) (dict ))) -}} +{{- if (eq $values.statefulset.podAntiAffinity.type "hard") -}} +{{- $_ := (set $affinity.podAntiAffinity "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )))) -}} +{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "soft") -}} +{{- $_ := (set $affinity.podAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" ($values.statefulset.podAntiAffinity.weight | int) "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )) )))) -}} +{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "custom") -}} +{{- $_ := (set $affinity "podAntiAffinity" $values.statefulset.podAntiAffinity.custom) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- else -}}{{- if 
(not (empty $values.affinity.podAntiAffinity)) -}} +{{- $_ := (set $affinity "podAntiAffinity" $values.affinity.podAntiAffinity) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.volumeClaimTemplateDatadir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.storage.persistentVolume.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" "datadir" "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) $values.storage.persistentVolume.labels $values.commonLabels) "annotations" (default (coalesce nil) $values.storage.persistentVolume.annotations) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" $values.storage.persistentVolume.size ) )) )) )) -}} +{{- if (not (empty $values.storage.persistentVolume.storageClass)) -}} +{{- if (eq $values.storage.persistentVolume.storageClass "-") -}} +{{- $_ := (set $pvc.spec "storageClassName" "") -}} +{{- else -}} +{{- $_ := (set $pvc.spec "storageClassName" $values.storage.persistentVolume.storageClass) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pvc) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.volumeClaimTemplateTieredStorageDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (default "tiered-storage-dir" $values.storage.persistentVolume.nameOverwrite) "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeLabels" (dict "a" (list $values.storage) ))) "r") $values.commonLabels) "annotations" (default (coalesce nil) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeAnnotations" (dict "a" (list $values.storage) ))) "r")) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" (index (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") `cloud_storage_cache_size`) ) )) )) )) -}} +{{- $sc_15 := (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeStorageClass" (dict "a" (list $values.storage) ))) "r") -}} +{{- if (eq $sc_15 "-") -}} +{{- $_ := (set $pvc.spec "storageClassName" "") -}} +{{- else -}}{{- 
if (not (empty $sc_15)) -}} +{{- $_ := (set $pvc.spec "storageClassName" $sc_15) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pvc) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetTopologySpreadConstraints" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- $labelSelector := (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) -}} +{{- range $_, $v := $values.statefulset.topologySpreadConstraints -}} +{{- $result = (concat (default (list ) $result) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "maxSkew" ($v.maxSkew | int) "topologyKey" $v.topologyKey "whenUnsatisfiable" $v.whenUnsatisfiable "labelSelector" $labelSelector )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StorageTieredConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.18/templates/_values.go.tpl new file mode 100644 index 0000000000..257ff3574c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/_values.go.tpl 
@@ -0,0 +1,1377 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "redpanda.AuditLogging.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- $isSASLEnabled := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $enabled := (and $a.enabled $isSASLEnabled) -}} +{{- $_ := (set $result "audit_enabled" $enabled) -}} +{{- if (not $enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne (($a.clientMaxBufferSize | int) | int) (16777216 | int)) -}} +{{- $_ := (set $result "audit_client_max_buffer_size" ($a.clientMaxBufferSize | int)) -}} +{{- end -}} +{{- if (ne (($a.queueDrainIntervalMs | int) | int) (500 | int)) -}} +{{- $_ := (set $result "audit_queue_drain_interval_ms" ($a.queueDrainIntervalMs | int)) -}} +{{- end -}} +{{- if (ne (($a.queueMaxBufferSizePerShard | int) | int) (1048576 | int)) -}} +{{- $_ := (set $result "audit_queue_max_buffer_size_per_shard" ($a.queueMaxBufferSizePerShard | int)) -}} +{{- end -}} +{{- if (ne (($a.partitions | int) | int) (12 | int)) -}} +{{- $_ := (set $result "audit_log_num_partitions" ($a.partitions | int)) -}} +{{- end -}} +{{- if (ne ($a.replicationFactor | int) (0 | int)) -}} +{{- $_ := (set $result "audit_log_replication_factor" ($a.replicationFactor | int)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.enabledEventTypes) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_enabled_event_types" $a.enabledEventTypes) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedTopics) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_topics" $a.excludedTopics) -}} +{{- end 
-}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedPrincipals) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_principals" $a.excludedPrincipals) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.IsSASLEnabled" -}} +{{- $a := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $a.sasl) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $a.sasl.enabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $isSASLEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not $isSASLEnabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $users := (list (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $a.sasl.bootstrapUser) ))) "r")) -}} +{{- range $_, $u := $a.sasl.users -}} +{{- $users = (concat (default (list ) $users) (list $u.name)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "superusers" $users )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Logging.Translate" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- $clusterID_1 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.usageStats.clusterId "") ))) "r") -}} +{{- if (ne $clusterID_1 "") -}} +{{- $_ := (set $result "cluster_id" $clusterID_1) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.RedpandaResources.GetOverProvisionValue" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (lt ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $rr.cpu.cores) ))) "r") | int64) (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $rr.cpu.overprovisioned false) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.IsTieredStorageEnabled" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $conf := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}} +{{- $_395_b_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil)) ))) "r") -}} +{{- $b := (index $_395_b_ok 0) -}} +{{- $ok := (index $_395_b_ok 1) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and $ok (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" $b) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageConfig" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $s.tieredConfig) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredConfig) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.config) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageHostPath" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $hp := $s.tieredStorageHostPath -}} +{{- if (empty $hp) -}} +{{- $hp = $s.tiered.hostPath -}} +{{- end -}} +{{- 
if (empty $hp) -}} +{{- $_ := (fail (printf `storage.tiered.mountType is "%s" but storage.tiered.hostPath is empty` $s.tiered.mountType)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $hp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredCacheDirectory" -}} +{{- $s := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_424_dir_2_ok_3 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $values.config.node "cloud_storage_cache_directory") "") ))) "r") -}} +{{- $dir_2 := (index $_424_dir_2_ok_3 0) -}} +{{- $ok_3 := (index $_424_dir_2_ok_3 1) -}} +{{- if $ok_3 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $dir_2) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") -}} +{{- $_433_dir_4_ok_5 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $tieredConfig "cloud_storage_cache_directory") "") ))) "r") -}} +{{- $dir_4 := (index $_433_dir_4_ok_5 0) -}} +{{- $ok_5 := (index $_433_dir_4_ok_5 1) -}} +{{- if $ok_5 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $dir_4) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/var/lib/redpanda/data/cloud_storage_cache") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredMountType" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $s.tieredStoragePersistentVolume) "null") $s.tieredStoragePersistentVolume.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "persistentVolume") | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (empty $s.tieredStorageHostPath)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "hostPath") | toJson -}} +{{- break -}} 
+{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.mountType) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeLabels" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeAnnotations" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.annotations) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.annotations) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeStorageClass" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.storageClass) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.storageClass) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.StorageMinFreeBytes" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne (toJson $s.persistentVolume) "null") (not $s.persistentVolume.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (5368709120 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $minimumFreeBytes := 
((mulf (((get (fromJson (include "_shims.resource_Value" (dict "a" (list $s.persistentVolume.size) ))) "r") | int64) | float64) 0.05) | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (min (5368709120 | int) ($minimumFreeBytes | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tuning.Translate" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- $s := (toJson $t) -}} +{{- $tune := (fromJson $s) -}} +{{- $_659_m_ok := (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil)) ))) "r") -}} +{{- $m := (index $_659_m_ok 0) -}} +{{- $ok := (index $_659_m_ok 1) -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $k, $v := $m -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.CreateSeedServers" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (dict "host" (dict "address" (printf "%s-%d.%s" $fullname $i $internalDomain) "port" ($l.rpc.port | int) ) ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.AdminList" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- 
$internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.ServerList" (dict "a" (list $replicas "" $fullname $internalDomain ($l.admin.port | int)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.SchemaRegistryList" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.ServerList" (dict "a" (list $replicas "" $fullname $internalDomain ($l.schemaRegistry.port | int)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServerList" -}} +{{- $replicas := (index .a 0) -}} +{{- $prefix := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- $port := (index .a 4) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (printf "%s%s-%d.%s:%d" $prefix $fullname $i $internalDomain ($port | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStoreVolume" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cmSources := (dict ) -}} +{{- $secretSources := (dict ) -}} +{{- range $_, $ts := (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $l $tls) ))) "r") -}} +{{- $projection := (get (fromJson (include "redpanda.TrustStore.VolumeProjection" (dict "a" 
(list $ts) ))) "r") -}} +{{- if (ne (toJson $projection.secret) "null") -}} +{{- $_ := (set $secretSources $projection.secret.name (concat (default (list ) (index $secretSources $projection.secret.name)) (default (list ) $projection.secret.items))) -}} +{{- else -}} +{{- $_ := (set $cmSources $projection.configMap.name (concat (default (list ) (index $cmSources $projection.configMap.name)) (default (list ) $projection.configMap.items))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $sources := (coalesce nil) -}} +{{- range $_, $name := (sortAlpha (keys $cmSources)) -}} +{{- $keys := (index $cmSources $name) -}} +{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $name := (sortAlpha (keys $secretSources)) -}} +{{- $keys := (index $secretSources $name) -}} +{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (lt ((get (fromJson (include "_shims.len" (dict "a" (list $sources) ))) "r") | int) (1 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "projected" (mustMergeOverwrite (dict "sources" (coalesce nil) ) (dict "sources" $sources )) )) (dict "name" "truststores" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + 
+{{- define "redpanda.dedupKeyToPaths" -}} +{{- $items := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $seen := (dict ) -}} +{{- $deduped := (coalesce nil) -}} +{{- range $_, $item := $items -}} +{{- $_776___ok_6 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $seen $item.key false) ))) "r") -}} +{{- $_ := (index $_776___ok_6 0) -}} +{{- $ok_6 := (index $_776___ok_6 1) -}} +{{- if $ok_6 -}} +{{- continue -}} +{{- end -}} +{{- $deduped = (concat (default (list ) $deduped) (list $item)) -}} +{{- $_ := (set $seen $item.key true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $deduped) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (get (fromJson (include "redpanda.KafkaListeners.TrustStores" (dict "a" (list $l.kafka $tls) ))) "r") -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.AdminListeners.TrustStores" (dict "a" (list $l.admin $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.HTTPListeners.TrustStores" (dict "a" (list $l.http $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.SchemaRegistryListeners.TrustStores" (dict "a" (list $l.schemaRegistry $tls) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Config.CreateRPKConfiguration" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c.rpk -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} 
+{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCertMap.MustGet" -}} +{{- $m := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_867_cert_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $m $name (dict "enabled" (coalesce nil) "caEnabled" false "applyInternalDNSNames" (coalesce nil) "duration" "" "issuerRef" (coalesce nil) "secretRef" (coalesce nil) "clientSecretRef" (coalesce nil) )) ))) "r") -}} +{{- $cert := (index $_867_cert_ok 0) -}} +{{- $ok := (index $_867_cert_ok 1) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced, but not found in the tls.certs map" $name)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cert) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.BootstrapEnvironment" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (get (fromJson (include "redpanda.BootstrapUser.RpkEnvironment" (dict "a" (list $b $fullname) ))) "r")) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RP_BOOTSTRAP_USER" "value" "$(RPK_USER):$(RPK_PASS):$(RPK_SASL_MECHANISM)" ))))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.Username" -}} +{{- $b := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $b.name) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "kubernetes-controller") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.RpkEnvironment" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := 
(list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_PASS" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (get (fromJson (include "redpanda.BootstrapUser.SecretKeySelector" (dict "a" (list $b $fullname) ))) "r") )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_USER" "value" (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $b) ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_SASL_MECHANISM" "value" (get (fromJson (include "redpanda.BootstrapUser.GetMechanism" (dict "a" (list $b) ))) "r") )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.GetMechanism" -}} +{{- $b := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $b.mechanism "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" "SCRAM-SHA-256") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.mechanism) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.SecretKeySelector" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $b.secretKeyRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.secretKeyRef) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (printf "%s-bootstrap-user" $fullname) )) (dict "key" "password" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s" "/etc/truststores" (get (fromJson (include "redpanda.TrustStore.RelativePath" 
(dict "a" (list $t) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.RelativePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.configMapKeyRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "configmaps/%s-%s" $t.configMapKeyRef.name $t.configMapKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "secrets/%s-%s" $t.secretKeyRef.name $t.secretKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.VolumeProjection" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.configMapKeyRef) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.configMapKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.configMapKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.secretKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.secretKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled $tls.enabled) ))) 
"r") (ne $t.cert ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.trustStore) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.ServerCAPath" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s/tls.crt" "/etc/tls/certs" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCert" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r")) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- 
define "redpanda.ExternalTLS.GetCertName" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.cert $i.cert) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne (toJson $t.trustStore) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $t) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (ne (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r") "") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $i $tls) ))) "r")) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define 
"redpanda.AdminListeners.ConsoleTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $adminAPIPrefix := (printf "%s/%s" "/etc/tls/certs" $l.tls.cert) -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $l.tls.cert) ))) "r").caEnabled -}} +{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $adminAPIPrefix)) -}} +{{- else -}} +{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $adminAPIPrefix)) -}} +{{- end -}} +{{- if (not $l.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" $adminAPIPrefix)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $adminAPIPrefix)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $admin := (list (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r")) -}} +{{- range $k, $lis := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "port" ($lis.port | int) "address" "0.0.0.0" ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict 
"r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $admin := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $admin = (concat (default (list ) $admin) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (list ) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) 
"null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (ternary (index $l.external $key) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "tls" (coalesce nil) ) (hasKey $l.external $key)) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_7 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_7 "") -}} +{{- $_ := (set $internal "authentication_method" $am_7) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get 
(fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_8 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_8 "") -}} +{{- $_ := (set $listener "authentication_method" $am_8) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $pp := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $pp = (concat (default (list ) $pp) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $pp = (concat (default (list ) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list 
$lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (ternary (index $l.external $key) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "prefixTemplate" (coalesce nil) "tls" (coalesce nil) ) (hasKey $l.external $key)) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson 
-}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $auth := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $internal "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_9 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_9 "") -}} +{{- $_ := (set $internal "authentication_method" $am_9) -}} +{{- end -}} +{{- $kafka := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $listener "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_10 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_10 "") -}} +{{- $_ := (set $listener "authentication_method" $am_10) -}} +{{- end -}} +{{- $kafka = (concat (default (list ) $kafka) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $kafka := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if 
(gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $kafka = (concat (default (list ) $kafka) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $kafka = (concat (default (list ) $kafka) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (ternary (index $l.external $key) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "prefixTemplate" (coalesce nil) "tls" (coalesce nil) ) (hasKey 
$l.external $key)) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ConsoleTLS" -}} +{{- $k := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $k.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $kafkaPathPrefix := (printf "%s/%s" "/etc/tls/certs" $k.tls.cert) -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $k.tls.cert) ))) "r").caEnabled -}} +{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $kafkaPathPrefix)) -}} +{{- else -}} +{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $kafkaPathPrefix)) -}} +{{- end -}} +{{- if (not $k.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" $kafkaPathPrefix)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $kafkaPathPrefix)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ConnectorsTLS" -}} +{{- $k := (index .a 0) -}} +{{- $tls 
:= (index .a 1) -}} +{{- $fullName := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "ca" (dict "secretRef" "" "secretNameOverwrite" "" ) "cert" (dict "secretRef" "" "secretNameOverwrite" "" ) "key" (dict "secretRef" "" "secretNameOverwrite" "" ) ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $k.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "ca" (mustMergeOverwrite (dict "secretRef" "" "secretNameOverwrite" "" ) (dict "secretRef" (printf "%s-default-cert" $fullName) ))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.Listeners" -}} +{{- $sr := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($sr.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_11 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $sr.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_11 "") -}} +{{- $_ := (set $internal "authentication_method" $am_11) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $sr.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" 
(dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_12 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_12 "") -}} +{{- $_ := (set $listener "authentication_method" $am_12) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $listeners = (concat (default (list ) $listeners) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $listeners = (concat (default (list ) $listeners) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list 
$lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $listeners) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (ternary (index $l.external $key) (dict "enabled" (coalesce nil) "advertisedPorts" (coalesce nil) "port" 0 "nodePort" (coalesce nil) "authenticationMethod" (coalesce nil) "tls" (coalesce nil) ) (hasKey $l.external $key)) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ConsoleTLS" -}} +{{- $sr := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict 
"enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $sr.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $schemaRegistryPrefix := (printf "%s/%s" "/etc/tls/certs" $sr.tls.cert) -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $sr.tls.cert) ))) "r").caEnabled -}} +{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $schemaRegistryPrefix)) -}} +{{- else -}} +{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $schemaRegistryPrefix)) -}} +{{- end -}} +{{- if (not $sr.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" $schemaRegistryPrefix)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $schemaRegistryPrefix)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TunableConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq (toJson $c) "null") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} 
+{{- end -}} + +{{- define "redpanda.NodeConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $_1701___ok_13 := (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r") -}} +{{- $_ := ((index $_1701___ok_13 0) | float64) -}} +{{- $ok_13 := (index $_1701___ok_13 1) -}} +{{- if $ok_13 -}} +{{- $_ := (set $result $k $v) -}} +{{- else -}}{{- if (kindIs "bool" $v) -}} +{{- $_ := (set $result $k $v) -}} +{{- else -}} +{{- $_ := (set $result $k (toYaml $v)) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- $_1721_b_14_ok_15 := (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false) ))) "r") -}} +{{- $b_14 := (index $_1721_b_14_ok_15 0) -}} +{{- $ok_15 := (index $_1721_b_14_ok_15 1) -}} +{{- if $ok_15 -}} +{{- $_ := (set $result $k $b_14) -}} +{{- continue -}} +{{- end -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretRef.AsSource" -}} +{{- $sr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sr.name )) (dict "key" $sr.key )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + 
+{{- define "redpanda.SecretRef.IsValid" -}} +{{- $sr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (and (ne (toJson $sr) "null") (not (empty $sr.key))) (not (empty $sr.name)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageCredentials.AsEnvVars" -}} +{{- $tsc := (index .a 0) -}} +{{- $config := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_1766___hasAccessKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_access_key" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_1766___hasAccessKey 0) -}} +{{- $hasAccessKey := (index $_1766___hasAccessKey 1) -}} +{{- $_1767___hasSecretKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_secret_key" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_1767___hasSecretKey 0) -}} +{{- $hasSecretKey := (index $_1767___hasSecretKey 1) -}} +{{- $_1768___hasSharedKey := (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_azure_shared_key" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_1768___hasSharedKey 0) -}} +{{- $hasSharedKey := (index $_1768___hasSharedKey 1) -}} +{{- $envvars := (coalesce nil) -}} +{{- if (and (not $hasAccessKey) (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.accessKey) ))) "r")) -}} +{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_ACCESS_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.accessKey) ))) "r") )))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.secretKey) ))) "r") -}} +{{- if (and (not $hasSecretKey) (not (get (fromJson (include "redpanda.TieredStorageConfig.HasAzureCanaries" (dict "a" (list (deepCopy $config)) ))) "r"))) -}} +{{- 
$envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_SECRET_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.secretKey) ))) "r") )))) -}} +{{- else -}}{{- if (and (not $hasSharedKey) (get (fromJson (include "redpanda.TieredStorageConfig.HasAzureCanaries" (dict "a" (list (deepCopy $config)) ))) "r")) -}} +{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_AZURE_SHARED_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.secretKey) ))) "r") )))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envvars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageConfig.HasAzureCanaries" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_1804___containerExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_container" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_1804___containerExists 0) -}} +{{- $containerExists := (index $_1804___containerExists 1) -}} +{{- $_1805___accountExists := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_storage_account" (coalesce nil)) ))) "r") -}} +{{- $_ := (index $_1805___accountExists 0) -}} +{{- $accountExists := (index $_1805___accountExists 1) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and $containerExists $accountExists)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageConfig.CloudStorageCacheSize" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_1810_value_ok := (get (fromJson (include "_shims.dicttest" (dict "a" (list $c `cloud_storage_cache_size` (coalesce nil)) ))) "r") -}} +{{- $value := (index 
$_1810_value_ok 0) -}} +{{- $ok := (index $_1810_value_ok 1) -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- $creds := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $config := (merge (dict ) (dict ) $c) -}} +{{- range $_, $envvar := (get (fromJson (include "redpanda.TieredStorageCredentials.AsEnvVars" (dict "a" (list $creds $c) ))) "r") -}} +{{- $key := (lower (substr ((get (fromJson (include "_shims.len" (dict "a" (list "REDPANDA_") ))) "r") | int) -1 $envvar.name)) -}} +{{- $_ := (set $config $key (printf "$%s" $envvar.name)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $size_16 := (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy $c)) ))) "r") -}} +{{- if (ne (toJson $size_16) "null") -}} +{{- $_ := (set $config "cloud_storage_cache_size" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $size_16) ))) "r") | int64)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $config) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.18/templates/entry-point.yaml b/charts/redpanda/redpanda/5.9.18/templates/entry-point.yaml new file mode 100644 index 0000000000..6cdf646ad6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/entry-point.yaml 
@@ -0,0 +1,17 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.render" .) -}} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-api-status.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-api-status.yaml new file mode 100644 index 0000000000..330a2c4a4d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-api-status.yaml 
@@ -0,0 +1,52 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool)) -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-api-status" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + until rpk cluster info \ + --brokers {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} + do sleep 2 + done + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . 
| nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-auditLogging.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-auditLogging.yaml new file mode 100644 index 0000000000..fea34776fc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-auditLogging.yaml 
@@ -0,0 +1,86 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/}} +{{/* + This feature is gated by having a license, and it must have sasl enabled, we assume these conditions are met + as part of setting auditLogging being enabled. +*/}} +{{- if and .Values.tests.enabled .Values.auditLogging.enabled (include "redpanda-atleast-23-3-0" . | fromJson).bool }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-audit-logging" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: { { - toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . 
}} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -xe + old_setting=${-//[^x]/} + audit_topic_name="_redpanda.audit_log" + expected_partitions={{ .Values.auditLogging.partitions }} + + # sasl configurations + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi + + # now run the to determine if we have the right results + # should describe topic without error + rpk topic describe ${audit_topic_name} + # should get the expected values + result=$(rpk topic list | grep ${audit_topic_name}) + name=$(echo $result | awk '{print $1}') + partitions=$(echo $result | awk '{print $2}') + if [ "${name}" != "${audit_topic_name}" ]; then + echo "expected topic name does not match" + exit 1 + fi + if [ ${partitions} != ${expected_partitions} ]; then + echo "expected partition size did not match" + exit 1 + fi + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-connector-via-console.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-connector-via-console.yaml new file mode 100644 index 0000000000..67619a829b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-connector-via-console.yaml 
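Review bot: The imagePullSecrets line in this pod spec is malformed — `imagePullSecrets: { { - toYaml . | nindent 4 }}` has the action opener split into `{ {`, so the template engine emits it as literal text and the rendered manifest contains `{ { - toYaml . | nindent 4 }}` instead of the secret list, which is not valid YAML for any install that sets `.Values.imagePullSecrets` and enables this test. The sibling tests (test-api-status, test-console, test-connector-via-console) write `imagePullSecrets: {{- toYaml . | nindent 4 }}`; this file should match them. The `$sasl` variable defined right after the `if` is never referenced in the template and can be dropped. In the check loop, `if [ "${partitions}" != "${expected_partitions}" ]` should quote both operands so an empty `grep` result yields a clear mismatch rather than a `[` syntax error.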
@@ -0,0 +1,166 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled .Values.connectors.enabled .Values.console.enabled }} +{{- $sasl := .Values.auth.sasl }} +{{- $values := .Values }} +{{- $consoleValues := (merge (dict) .Values.console .Subcharts.console.Values) -}} +{{- $consoleDot := dict "Values" (dict "AsMap" $consoleValues) "Release" .Release "Chart" .Subcharts.console.Chart -}} +{{- $connectorsDot := dict "Values" (merge (dict) .Values.connectors .Subcharts.connectors.Values) "Release" .Release "Chart" .Subcharts.connectors.Chart -}} +{{/* brokers */}} +{{- $kafkaBrokers := list }} +{{- range (include "seed-server-list" . | mustFromJson) }} + {{- $kafkaBrokers = append $kafkaBrokers (printf "%s:%s" . ($values.listeners.kafka.port | toString)) }} +{{- end }} +{{- $brokersString := join "," $kafkaBrokers}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . | trunc 54 }}-test-connectors-via-console + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . 
| nindent 4 }} + {{- end }} + test-name: test-connectors-via-console + annotations: + test-name: test-connectors-via-console + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: TLS_ENABLED + value: {{ (include "kafka-internal-tls-enabled" . | fromJson).bool | quote }} + command: + - /bin/bash + - -c + - | + set -xe + + trap connectorsState ERR + + connectorsState () { + echo check connectors expand status + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=status + echo check connectors expand info + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=info + echo check connector configuration + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME + echo check connector topics + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics + } + + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + echo "SASL enabled: reading credentials from $(find /etc/secrets/users/* -print)" + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + RPK_USER="${REDPANDA_SASL_USERNAME}" + RPK_PASS="${REDPANDA_SASL_PASSWORD}" + RPK_SASL_MECHANISM="${REDPANDA_SASL_MECHANISM}" + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," + set -x + set +e + {{- end }} + + {{- $testTopic := printf "test-topic-%s" (randNumeric 3) }} + rpk topic create {{ $testTopic }} + rpk topic list + echo "Test message!" | rpk topic produce {{ $testTopic }} + + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$RPK_SASL_MECHANISM" && $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$RPK_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "connectorName": "CONNECTOR_NAME", + "config": { + "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "{{ $testTopic }}", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.alias": "test-only-redpanda", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": 
"true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + "target.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + "source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM" + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$RPK_SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + URL=http://{{ get ((include "console.Fullname" (dict "a" (list $consoleDot))) | fromJson) "r" }}:{{ get (fromJson (include "console.ContainerPort" (dict "a" (list $consoleDot) ))) "r" }}/api/kafka-connect/clusters/connectors/connectors + {{/* outputting to /dev/null because the output contains the user password */}} + echo "Creating mm2 connector" + curl {{ template "curl-options" . }} -H 'Content-Type: application/json' "${URL}" -d @/tmp/mm2-conf.json + + rpk topic consume source.{{ $testTopic }} -n 1 + + echo "Destroying mm2 connector" + curl {{ template "curl-options" . }} -X DELETE "${URL}/${CONNECTOR_NAME}" + + rpk topic list + rpk topic delete {{ $testTopic }} source.{{ $testTopic }} mm2-offset-syncs.test-only-redpanda.internal + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} 
diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-console.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-console.yaml new file mode 100644 index 0000000000..aeef1117ac --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-console.yaml 
@@ -0,0 +1,49 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled .Values.console.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-console" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + curl {{ template "curl-options" . }} http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }}/api/cluster + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . 
| nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-internal-external-tls-secrets.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-internal-external-tls-secrets.yaml new file mode 100644 index 0000000000..53d75bb1ba --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-internal-external-tls-secrets.yaml 
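Review bot: The console port lookup on the `curl` line, `{{ (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }}`, is hard to read inline and is the same expression that test-license-with-console hoists into a variable; hoisting it here too would keep the two tests consistent. Add `{{- $consolePort := (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }}` under the opening `if` and reference `{{ $consolePort }}` in the URL. The test also asserts nothing about the response body, so it only verifies that the endpoint answers with whatever `curl-options` treats as success; if a reachability check is all that is intended, a one-line comment above the `curl` saying so would make that explicit.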
@@ -0,0 +1,122 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "tls-enabled" . | fromJson).bool ( eq .Values.external.type "NodePort" ) }} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-internal-externals-cert-secrets + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - bash + - -c + - | + set -x + + retry() { + local retries="$1" + local command="$2" + + # Run the command, and save the exit code + bash -c $command + local exit_code=$? + + # If the exit code is non-zero (i.e. 
command failed), and we have not + # reached the maximum number of retries, run the command again + if [[ $exit_code -ne 0 && $retries -gt 0 ]]; then + retry $(($retries - 1)) "$command" + else + # Return the exit code from the command + return $exit_code + fi + } + + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + echo testing cert: {{ $name | quote }} + + {{- if eq $cert.secretRef.name "internal-tls-secret" }} + echo "---> testing internal tls" + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ include "admin-api-urls" $ }}' + {{- end }} + + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- if and (eq $values.listeners.schemaRegistry.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- if and (eq $values.listeners.http.external.default.tls.cert $name) (include 
"redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- end }} + echo "----" + + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-internal-tls-status.yaml new file mode 100644 index 0000000000..dcfc02cbdc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-internal-tls-status.yaml 
@@ -0,0 +1,62 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "kafka-internal-tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}} + {{- $service := .Values.listeners.kafka -}} + {{- $cert := get .Values.tls.certs $service.tls.cert -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-internal-tls-status + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + until rpk cluster info \ + --brokers {{ include "redpanda.fullname" .}}-0.{{ include "redpanda.internal.domain" . 
}}:{{ $service.port }} \ + --tls-enabled \ + {{- if $cert.caEnabled }} + --tls-truststore /etc/tls/certs/{{ $service.tls.cert }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + --tls-truststore /etc/ssl/certs/ca-certificates.crt + {{- end }} + do sleep 2 + done + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-nodelete.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-nodelete.yaml new file mode 100644 index 0000000000..9b5fe4237e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-nodelete.yaml 
@@ -0,0 +1,100 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (dig "kafka_nodelete_topics" "[]" $.Values.config.cluster) }} +{{- $noDeleteTopics := .Values.config.cluster.kafka_nodelete_topics }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-nodelete + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." 
}}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + + exists=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$exists" != "my_sample_topic" ]]; then + until rpk topic create my_sample_topic {{ $cloudStorageFlags }} + do sleep 2 + done + fi + + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce my_sample_topic + {{- end }} + sleep 2 + rpk topic consume my_sample_topic -n 1 | grep "Pandas are awesome!" + + # now check if we can delete the topic (we should not) + rpk topic delete my_sample_topic + + {{- if has "my_sample_topic" $noDeleteTopics }} + result=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$result" != "my_sample_topic" ]]; then + echo "topic should not have been deleted" + exit 1 + fi + {{- end }} + + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . 
| nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-produce-consume.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-produce-consume.yaml new file mode 100644 index 0000000000..d8f0ee7518 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-produce-consume.yaml 
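Review bot: The guard `(dig "kafka_nodelete_topics" "[]" $.Values.config.cluster)` cannot exclude the no-topics case, because the default `"[]"` is a non-empty string and therefore truthy, so the test renders whenever `tests.enabled` is set and `$noDeleteTopics` is then nil. Use an empty list as the default, `(dig "kafka_nodelete_topics" (list) $.Values.config.cluster)`, which is falsy when the key is absent. The script also runs `rpk topic delete my_sample_topic` under `set -e` before the `has` check; if rpk returns non-zero when the cluster refuses the deletion, the hook fails before it reaches the assertion that should pass, so consider `rpk topic delete my_sample_topic || true` with a comment that the refusal is the expected outcome.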
@@ -0,0 +1,83 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-produce-consume + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." 
}}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + until rpk topic create produce.consume.test.$POD_NAME {{ $cloudStorageFlags }} + do sleep 2 + done + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce produce.consume.test.$POD_NAME + {{- end }} + sleep 2 + rpk topic consume produce.consume.test.$POD_NAME -n 1 | grep "Pandas are awesome!" + rpk topic delete produce.consume.test.$POD_NAME + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-sasl-status.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-sasl-status.yaml new file mode 100644 index 0000000000..0519c44bba --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-kafka-sasl-status.yaml 
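Review bot: The test topic `produce.consume.test.$POD_NAME` is only deleted on the last line, so under `set -e` any earlier failure leaves it behind in the cluster, and `before-hook-creation` only deletes the pod, not the topic; repeated runs accumulate one topic per failed attempt. Register the cleanup right after the topic is created, `trap 'rpk topic delete produce.consume.test.$POD_NAME' EXIT`, and drop the trailing delete. The same ordering applies to `rpk acl user delete myuser` at the end of test-kafka-sasl-status.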
@@ -0,0 +1,79 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-kafka-sasl-status" + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -xe + +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + + until rpk acl user delete myuser + do sleep 2 + done + sleep 3 + + {{ include "rpk-cluster-info" $ }} + {{ include "rpk-acl-user-create" $ }} + {{ include "rpk-acl-create" $ }} + sleep 3 + {{ include "rpk-topic-create" $ }} + {{ include "rpk-topic-describe" $ }} + {{ include "rpk-topic-delete" $ }} + rpk acl user delete myuser + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-license-with-console.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-license-with-console.yaml new file mode 100644 index 0000000000..1edf7a3507 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-license-with-console.yaml 
@@ -0,0 +1,61 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "is-licensed" . | fromJson).bool .Values.console.enabled }} +{{- $consolePort := (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-license-with-console" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: [ "/bin/bash", "-c" ] + args: + - | + echo "testing that we do NOT have an open source license" + set -xe + + max_iteration=10 + curl -vm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . 
+ type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) + while [[ $max_iteration -gt 0 && ("$type" == "open_source" || "$type" == "") ]]; do + max_iteration=$(( max_iteration - 1 )) + type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) + done + if [[ "$type" == "open_source" || "$type" == "" ]]; then + curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . + exit 1 + fi + set +x + echo "license test passed." +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-lifecycle-scripts.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-lifecycle-scripts.yaml new file mode 100644 index 0000000000..5c72e1d9fb --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-lifecycle-scripts.yaml 
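Review bot: The container image `mintel/docker-alpine-bash-curl-jq:latest` is a third-party image pulled by a mutable tag, so what runs in the test hook can change without a chart change and cannot be verified against the chart; the same image appears in test-loadbalancer-tls and test-nodeport-tls. Pin it by digest, `image: mintel/docker-alpine-bash-curl-jq:<tag>@sha256:<digest>` (placeholder values), or expose it through values alongside `image.repository` so operators using a private registry can override it. This pod also hard-codes `runAsUser: 65535` instead of the `{{ include "pod-security-context" . }}` used by the sibling tests and sets no container `securityContext`; aligning it with the others would keep the hooks consistent.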
@@ -0,0 +1,66 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-lifecycle" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: SERVICE_NAME + value: {{ include "redpanda.fullname" . 
}}-0 + command: + - /bin/timeout + - "{{ mul .Values.statefulset.terminationGracePeriodSeconds 2 }}" + - bash + - -xec + - | + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/preStop.sh + ls -l /tmp/preStop* + test -f /tmp/preStopHookStarted + test -f /tmp/preStopHookFinished + + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/postStart.sh + ls -l /tmp/postStart* + test -f /tmp/postStartHookStarted + test -f /tmp/postStartHookFinished + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: lifecycle-scripts + mountPath: /var/lifecycle + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} + - name: lifecycle-scripts + secret: + secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle + defaultMode: 0o775 + {{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-loadbalancer-tls.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-loadbalancer-tls.yaml new file mode 100644 index 0000000000..4db3523d2b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-loadbalancer-tls.yaml 
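Review bot: The annotation keys `helm.sh/hook` and `helm.sh/hook-delete-policy` are unquoted here but quoted in the sibling tests, and the timeout binary is `/bin/timeout` while the other hooks use `/usr/bin/timeout`; both are points of style only, but the tests would read more consistently with `"helm.sh/hook": test` and `/usr/bin/timeout`. The file also ends without a trailing newline after the indented `{{- end }}`. `defaultMode: 0o775` grants execute and group-write bits that the test does not need, since the scripts are invoked through `bash -x`; a read-only mode such as `0o444` would be the least required.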
@@ -0,0 +1,173 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "LoadBalancer" ) -}} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-loadbalancer-tls + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + serviceAccountName: test-loadbalancer-tls-redpanda + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . 
}} + image: mintel/docker-alpine-bash-curl-jq:latest + command: + - bash + - -c + - | + set -x + export APISERVER=https://kubernetes.default.svc + export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) + export TOKEN=$(cat ${SERVICEACCOUNT}/token) + export CACERT=${SERVICEACCOUNT}/ca.crt + + ip_list="" + + replicas={{ .Values.statefulset.replicas }} + if [ "${replicas}" -lt "1" ]; then + echo "replicas cannot be less than 1" + exit 1 + fi + + range=$(expr $replicas - 1) + ordinal_list=$(seq 0 $range) + + set -e + + for i in $ordinal_list + do + POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/services/lb-{{ template "redpanda.fullname" . }}-$i) + ip=$(echo $POD_DESC | jq -r .status.loadBalancer.ingress[0].ip ) + ip_list="$ip $ip_list" + done + + echo test will be run against $ip_list + echo testing LoadBalancer connectivity + + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + + {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client 
-verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + + {{- if eq $values.listeners.http.external.default.tls.cert $name }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + {{- end }} + + {{- end }} + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-loadbalancer-tls-redpanda +subjects: + - kind: ServiceAccount + name: test-loadbalancer-tls-redpanda + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +rules: + - apiGroups: + - "" + resources: + - pods + - services + verbs: + - get + +{{- end -}} 
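Review bot: `set -x` is enabled before `export TOKEN=$(cat ${SERVICEACCOUNT}/token)` and stays on for the `curl --header "Authorization: Bearer ${TOKEN}"` call, so xtrace writes the service account's bearer token into the pod log every time the hook runs; test-nodeport-tls has the same sequence (its hunk continues past this view). Read the token and issue the API request with tracing switched off, as below. The Role created at the end grants `get` on `pods` as well as `services`, but this script only reads `services`, so `pods` can be dropped unless the Role is meant to be shared with the nodeport test, which uses a differently named service account. The ServiceAccount, Role and RoleBinding names are also not release-scoped (`test-loadbalancer-tls-redpanda`), so two releases in one namespace would collide on them.
```yaml
        - |
          set -x
          export APISERVER=https://kubernetes.default.svc
          export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
          export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
          export CACERT=${SERVICEACCOUNT}/ca.crt
          # xtrace off while the token appears in an expanded command line
          { set +x; } 2>/dev/null
          export TOKEN=$(cat ${SERVICEACCOUNT}/token)
          set -x
          # … unchanged: replicas check, ordinal_list, set -e …
          for i in $ordinal_list
          do
            { set +x; } 2>/dev/null
            POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
              -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/services/lb-{{ template "redpanda.fullname" . }}-$i)
            set -x
            ip=$(echo $POD_DESC | jq -r .status.loadBalancer.ingress[0].ip )
            ip_list="$ip $ip_list"
          done
          # … unchanged: per-certificate openssl s_client checks …
```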
diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-nodeport-tls.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-nodeport-tls.yaml
new file mode 100644
index 0000000000..4310eaf3a9
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-nodeport-tls.yaml
@@ -0,0 +1,173 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "NodePort" ) -}} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-nodeport-tls + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + serviceAccountName: test-nodeport-tls-redpanda-no-a-test + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . 
}} + image: mintel/docker-alpine-bash-curl-jq:latest + command: + - bash + - -c + - | + set -x + export APISERVER=https://kubernetes.default.svc + export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) + export TOKEN=$(cat ${SERVICEACCOUNT}/token) + export CACERT=${SERVICEACCOUNT}/ca.crt + + ip_list="" + + replicas={{ .Values.statefulset.replicas }} + if [ "${replicas}" -lt "1" ]; then + echo "replicas cannot be less than 1" + exit 1 + fi + + range=$(expr $replicas - 1) + ordinal_list=$(seq 0 $range) + + set -e + + for i in $ordinal_list + do + POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/pods/{{ template "redpanda.fullname" . }}-$i) + ip=$(echo $POD_DESC | jq -r .status.hostIP ) + ip_list="$ip $ip_list" + done + + echo test will be run against $ip_list + echo testing NodePort connectivity + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + + {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ 
+ {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + + {{- if eq $values.listeners.http.external.default.tls.cert $name }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + {{- end }} + + {{- end }} + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-nodeport-tls-redpanda-no-a-test +subjects: + - kind: ServiceAccount + name: test-nodeport-tls-redpanda-no-a-test + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +rules: + - apiGroups: + - "" + resources: + - pods + - services + verbs: + - get +{{- end -}} 
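Review bot: `set -x` is enabled at the very top of the container script, before `export TOKEN=$(cat ${SERVICEACCOUNT}/token)`, so bash's xtrace writes the expanded service-account token — and later the `Authorization: Bearer ${TOKEN}` header of every curl call in the ordinal loop — into the test pod's log, where anyone with pod-log read access can collect a token that this hunk's Role allows to `get` pods and services. The other tests in this directory already guard credential handling with `old_setting=${-//[^x]/}` / `set +x`; the same guard should wrap the token read and the API calls here, or `set -x` should only be turned on after the pod-IP loop's `done`, e.g. `set +x` directly before the `export TOKEN=...` line and `set -x` after `done`. The loadbalancer variant whose tail ends the previous hunk appears to follow the same script shape, though its start is outside this view. Separately, `image: mintel/docker-alpine-bash-curl-jq:latest` is an unpinned third-party image that receives that token; pin it to a tag and digest so the test toolchain cannot change silently.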
diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-pandaproxy-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-pandaproxy-internal-tls-status.yaml new file mode 100644 index 0000000000..4cb6aaa0f6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-pandaproxy-internal-tls-status.yaml 
@@ -0,0 +1,81 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "http-internal-tls-enabled" . | fromJson).bool .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} + {{- $service := .Values.listeners.http -}} + {{- $cert := get .Values.tls.certs $service.tls.cert -}} + {{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-pandaproxy-internal-tls-status + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: [ "/bin/bash", "-c" ] + args: + - | + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . 
}} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" + RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + {{- if $cert.caEnabled }} + --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/brokers + + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + {{- if $cert.caEnabled }} + --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/topics + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-pandaproxy-status.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-pandaproxy-status.yaml new file mode 100644 index 0000000000..4f5ee6bb71 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-pandaproxy-status.yaml 
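Review bot: The `-u ${RPK_USER}:${RPK_PASS}` argument in both curl calls is unquoted, so a password containing whitespace or glob characters is word-split and curl receives a truncated credential plus stray arguments; it should be `-u "${RPK_USER}:${RPK_PASS}"`. The same unquoted form appears in test-pandaproxy-status.yaml in the next hunk. `--ssl-reqd` has no effect on an `https://` URL (it is a TLS-upgrade option for FTP/SMTP/POP/IMAP), so it can be dropped; the scheme already forces TLS and `--cacert` is what pins the trust anchor. Note also that credentials passed with `-u` are visible in the process table of the container; if that matters for this image, curl's `--config` with a `user =` line read from a here-doc avoids it.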
@@ -0,0 +1,72 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (not (include "http-internal-tls-enabled" . | fromJson).bool) .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} + {{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-pandaproxy-status" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: [ "/bin/bash", "-c" ] + args: + - | + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" + RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + + curl {{ template "curl-options" . }} \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/brokers + + curl {{ template "curl-options" . }} \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/topics + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-prometheus-targets.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-prometheus-targets.yaml new file mode 100644 index 0000000000..81f83a34e2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-prometheus-targets.yaml 
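Review bot: The script never enables `set -e`, so the container's exit status is that of the last command only: if the `/brokers` request fails and the `/topics` request succeeds, the hook is still reported as passed. Adding `set -e` right after the SASL block (the line following `{{- end }}`) makes each curl failure fatal, matching test-rack-awareness.yaml and test-sasl-updated.yaml, which both start their scripts with `set -e`. The same gap exists in test-pandaproxy-internal-tls-status.yaml in the previous hunk.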
@@ -0,0 +1,84 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} + +{{- if and .Values.tests.enabled .Values.monitoring.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-prometheus-targets" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: registry.gitlab.com/gitlab-ci-utils/curl-jq:latest + command: [ "/bin/bash", "-c" ] + args: + - | + set -xe + + HEALTHY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/healthy) + if [ $HEALTHY != 200 ]; then + echo "prometheus is not healthy, exiting" + exit 1 + fi + + echo "prometheus is healthy, checking if ready..." + + READY=$( curl {{ template "curl-options" . 
}} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/ready) + if [ $READY != 200 ]; then + echo "prometheus is not ready, exiting" + exit 1 + fi + + echo "prometheus is ready, requesting target information..." + + + curl_prometheus() { + + # Run the command, and save the exit code + # from: https://prometheus.io/docs/prometheus/latest/querying/api/ + local RESULT=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq '.data.activeTargets[].health | select(. == "up")' | wc -l ) + + echo $RESULT + } + for d in $(seq 1 30); do + RESULT=$(curl_prometheus) + if [ $RESULT == {{ .Values.statefulset.replicas }} ]; then + break + fi + sleep 15 + done + + set +x + if [ $RESULT != {{ .Values.statefulset.replicas }} ]; then + curl --fail http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq . + echo "the number of targets unexpected; got ${RESULT} targets 'up', but was expecting {{ .Values.statefulset.replicas }}" + exit 1 + fi +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-rack-awareness.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-rack-awareness.yaml new file mode 100644 index 0000000000..82a31937f5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-rack-awareness.yaml 
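Review bot: The final check `if [ $RESULT != {{ .Values.statefulset.replicas }} ]` cannot fail when `RESULT` is empty: `curl_prometheus` assigns with `local RESULT=$(...)`, which masks the pipeline's exit status, so a refused or non-JSON response yields an empty string, `[ != 3 ]` is a `[` usage error (status 2, not caught by `set -e` inside an `if`), the body is skipped and the script exits 0 — the test passes precisely when Prometheus is unreachable. Quoting the operands, `if [ "$RESULT" != "{{ .Values.statefulset.replicas }}" ]`, turns that into a real mismatch, and the same quoting applies to `[ $HEALTHY != 200 ]` and `[ $READY != 200 ]` (whether those can see an empty value depends on what `curl-options` expands to, which is outside this hunk). The endpoint `prometheus-operated.prometheus.svc.cluster.local:9090` is hard-coded in four places and ties the test to one namespace and service name; a single shell variable with a comment stating that assumption would make it visible. `image: registry.gitlab.com/gitlab-ci-utils/curl-jq:latest` is an unpinned third-party image; pin a tag and digest so the toolchain is reproducible.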
@@ -0,0 +1,61 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-rack-awareness + namespace: {{ .Release.Namespace | quote }} +{{- with include "full.labels" . }} + labels: {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} +{{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /bin/bash + - -c + - | + set -e +{{- if and .Values.rackAwareness.enabled (include "redpanda-atleast-22-3-0" . | fromJson).bool }} + curl {{ template "curl-options" . }} \ + {{- if (include "tls-enabled" . | fromJson).bool }} + {{- if (dig "default" "caEnabled" false .Values.tls.certs) }} + --cacert "/etc/tls/certs/default/ca.crt" \ + {{- end }} + https://{{ include "redpanda.internal.domain" . 
}}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' + {{- else }} + http://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' + {{- end }} +{{- end }} + + rpk redpanda admin config print --host {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }} | grep '"enable_rack_awareness": {{ .Values.rackAwareness.enabled }}' + + rpk cluster config get enable_rack_awareness + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-rpk-debug-bundle.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-rpk-debug-bundle.yaml new file mode 100644 index 0000000000..3230f08817 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-rpk-debug-bundle.yaml 
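Review bot: The TLS branch of the admin-API curl pins `--cacert "/etc/tls/certs/default/ca.crt"` and gates it on `dig "default" "caEnabled" false .Values.tls.certs`, i.e. always the `default` certificate, whereas the other tests in this directory derive the path from the listener's own `tls.cert` value (`$service.tls.cert` in test-pandaproxy-internal-tls-status.yaml); if the admin listener is configured with a different certificate name this check would verify against the wrong CA and fail. The scheme choice likewise keys off the chart-wide `tls-enabled` helper rather than the admin listener's own TLS state, which is worth confirming against the helper (outside this hunk) before relying on it. The `grep '"enable_rack_awareness": {{ .Values.rackAwareness.enabled }}'` depends on the exact JSON spacing of `rpk redpanda admin config print`; a comment naming that dependency, e.g. `# relies on rpk's "key": value spacing in its JSON output`, would help whoever sees it fail after an rpk upgrade. The file also ends without a trailing newline.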
@@ -0,0 +1,104 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* + +This test currently fails because of a bug where when multiple containers exist +The api returns an error. We should be requesting logs from each container. + + +{{- if and .Values.tests.enabled .Values.rbac.enabled (include "redpanda-atleast-23-1-1" .|fromJson).bool -}} + {{- $sasl := .Values.auth.sasl }} + {{- $useSaslSecret := and $sasl.enabled (not (empty $sasl.secretRef )) }} + + +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-rpk-debug-bundle + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + statefulset.kubernetes.io/pod-name: {{ include "redpanda.fullname" . }}-0 + topologyKey: kubernetes.io/hostname + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . 
| nindent 4 }} + {{- end }} + initContainers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: shared-data + mountPath: /usr/share/redpanda/test + - name: datadir + mountPath: /var/lib/redpanda/data + command: + - /bin/bash + - -c + - | + set -e + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + rpk debug bundle -o /usr/share/redpanda/test/debug-test.zip -n {{ .Release.Namespace }} + containers: + - name: {{ template "redpanda.name" . }}-tester + image: busybox:latest + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: shared-data + mountPath: /test + command: + - /bin/ash + - -c + - | + set -e + unzip /test/debug-test.zip -d /tmp/bundle + + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-0.txt + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-1.txt + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-2.txt + + test -d /tmp/bundle/controller + + test -f /tmp/bundle/k8s/pods.json + test -f /tmp/bundle/k8s/configmaps.json + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end -}} +*/}} \ No newline at end of file 
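Review bot: Everything after the license header sits inside a second `{{/* ... */}}` comment that only closes on the final line, so this template renders nothing and its `.Values.tests.enabled` / `.Values.rbac.enabled` conditions are never evaluated; the leading comment should say that explicitly and state what must change before it is re-enabled, e.g. `{{/* DISABLED: renders no manifest until rpk debug bundle handles multi-container pods; see <tracking reference> */}}`, or the file should be dropped from the chart rather than shipped as dead text. Inside the disabled body the expected log files are named `{{ .Release.Namespace }}-0.txt` while every other test names pods with `redpanda.fullname`, which looks like a copy-over mistake to fix before re-enabling — inferred, since the bundle's layout is not shown here.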
diff --git a/charts/redpanda/redpanda/5.9.18/templates/tests/test-sasl-updated.yaml b/charts/redpanda/redpanda/5.9.18/templates/tests/test-sasl-updated.yaml new file mode 100644 index 0000000000..5f61be552e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/templates/tests/test-sasl-updated.yaml 
@@ -0,0 +1,71 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool (eq .Values.auth.sasl.secretRef "some-users") -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-update-sasl-users" + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . 
| fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + + set -x + + # check that the users list did update + ready_result_exit_code=1 + while [[ ${ready_result_exit_code} -ne 0 ]]; do + ready_result=$(rpk acl user list | grep anotheranotherme 2>&1) && ready_result_exit_code=$? + sleep 2 + done + + # check that sasl is not broken + {{ include "rpk-cluster-info" $ }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.18/values.schema.json b/charts/redpanda/redpanda/5.9.18/values.schema.json new file mode 100644 index 0000000000..8c90d45c3c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/values.schema.json 
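Review bot: The readiness loop greps for the literal user name `anotheranotherme` and the template only renders when `.Values.auth.sasl.secretRef` equals `some-users`, so the test depends on a fixture secret with that exact name and content that nothing in the hunk documents; a comment above the `{{- if ... }}`, e.g. `{{/* Expects the test fixture secret "some-users" to have been updated to contain the user "anotheranotherme" */}}`, would make that contract visible. Because the loop only exits when the grep succeeds, a missing or stale fixture surfaces as `/usr/bin/timeout 120` killing the pod rather than as a message; an `echo "waiting for user anotheranotherme in rpk acl user list"` before the loop gives a readable failure. `set -x` is enabled only after the SASL variables are exported, which correctly keeps the credentials out of the trace — the `2>&1` on the grep inside the command substitution is harmless but does nothing useful.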
@@ -0,0 +1,20003 @@ +{ + "$id": "https://github.com/redpanda-data/helm-charts/charts/redpanda/values", + "$schema": "https://json-schema.org/draft/2020-12/schema", + "description": "DO NOT EDIT!. This file was generated by ./cmd/genschema/genschema.go", + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + 
"preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": 
"string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "auditLogging": { + "properties": { + "clientMaxBufferSize": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + }, + "enabledEventTypes": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "excludedPrincipals": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] 
+ }, + "excludedTopics": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "listener": { + "type": "string" + }, + "partitions": { + "type": "integer" + }, + "queueDrainIntervalMs": { + "type": "integer" + }, + "queueMaxBufferSizePerShard": { + "type": "integer" + }, + "replicationFactor": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "auth": { + "properties": { + "sasl": { + "properties": { + "bootstrapUser": { + "properties": { + "mechanism": { + "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$", + "type": "string" + }, + "name": { + "type": "string" + }, + "password": { + "type": "string" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "mechanism": { + "type": "string" + }, + "secretRef": { + "type": "string" + }, + "users": { + "oneOf": [ + { + "items": { + "properties": { + "mechanism": { + "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$", + "type": "string" + }, + "name": { + "type": "string" + }, + "password": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "sasl" + ], + "type": "object" + }, + "clusterDomain": { + "type": "string" + }, + "commonLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "config": { + "properties": { + "cluster": { + "type": "object" + }, + "node": { + "type": "object" + }, + "pandaproxy_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + 
"type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "rpk": { + "type": "object" + }, + "schema_registry_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + "type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tunable": { + "additionalProperties": true, + "properties": { + "group_initial_rebalance_delay": { + "type": "integer" + }, + "log_retention_ms": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "cluster", + "node", + "tunable" + ], + "type": "object" + }, + "connectors": { + "properties": { + "auth": { + "properties": { + "sasl": { + "properties": { + "enabled": { + "type": "boolean" + }, + "mechanism": { + "type": "string" + }, + "secretRef": { + "type": "string" + }, + "userName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "commonLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "connectors": { + "properties": { + "additionalConfiguration": { + "type": "string" + }, + "bootstrapServers": { + "type": "string" + }, + "brokerTLS": { + "properties": { + "ca": { + "properties": { + "secretNameOverwrite": { + "type": 
"string" + }, + "secretRef": { + "type": "string" + } + }, + "type": "object" + }, + "cert": { + "properties": { + "secretNameOverwrite": { + "type": "string" + }, + "secretRef": { + "type": "string" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "key": { + "properties": { + "secretNameOverwrite": { + "type": "string" + }, + "secretRef": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "groupID": { + "type": "string" + }, + "producerBatchSize": { + "type": "integer" + }, + "producerLingerMS": { + "type": "integer" + }, + "restPort": { + "type": "integer" + }, + "schemaRegistryURL": { + "type": "string" + }, + "secretManager": { + "properties": { + "connectorsPrefix": { + "type": "string" + }, + "consolePrefix": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "region": { + "type": "string" + } + }, + "type": "object" + }, + "storage": { + "properties": { + "remote": { + "properties": { + "read": { + "properties": { + "config": { + "type": "boolean" + }, + "offset": { + "type": "boolean" + }, + "status": { + "type": "boolean" + } + }, + "type": "object" + }, + "write": { + "properties": { + "config": { + "type": "boolean" + }, + "offset": { + "type": "boolean" + }, + "status": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "replicationFactor": { + "properties": { + "config": { + "type": "integer" + }, + "offset": { + "type": "integer" + }, + "status": { + "type": "integer" + } + }, + "type": "object" + }, + "topic": { + "properties": { + "config": { + "type": "string" + }, + "offset": { + "type": "string" + }, + "status": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "container": { + "properties": { + "javaGCLogEnabled": { + "type": "string" + }, + "resources": { + "properties": { + "javaMaxHeapSize": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": 
"^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "request": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } 
+ }, + "type": "object" + } + }, + "type": "object" + }, + "deployment": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "budget": { + "properties": { + "maxUnavailable": { + "type": "integer" + } + }, + "type": "object" + }, + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "create": { + "type": "boolean" + }, + "extraEnv": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraEnvFrom": { + "oneOf": [ + { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": 
"array" + }, + { + "type": "null" + } + ] + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + 
"type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + 
"key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "custom": { + 
"properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + 
"type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "topologyKey": { + "type": "string" + }, + "type": { + "type": "string" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "priorityClassName": { + "type": "string" + }, + "progressDeadlineSeconds": { + "type": "integer" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": 
{ + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "replicas": { + "type": "integer" + }, + "restartPolicy": { + "type": "string" + }, + "revisionHistoryLimit": { + "type": "integer" + }, + "schedulerName": { + "type": "string" + }, + "securityContext": { + "properties": { + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" 
+ } + }, + "type": "object" + } + }, + "type": "object" + }, + "strategy": { + "properties": { + "rollingUpdate": { + "properties": { + "maxSurge": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "maxUnavailable": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "maxSkew": { + "type": "integer" + }, + "minDomains": { + "type": "integer" + }, + "nodeAffinityPolicy": { + "type": "string" + }, + "nodeTaintsPolicy": { + "type": "string" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + 
}, + "tag": { + "type": "string" + } + }, + "type": "object" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "logging": { + "properties": { + "level": { + "type": "string" + } + }, + "type": "object" + }, + "monitoring": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "namespaceSelector": { + "properties": { + "any": { + "type": "boolean" + }, + "matchNames": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "scrapeInterval": { + "type": "string" + } + }, + "type": "object" + }, + "nameOverride": { + "type": "string" + }, + "service": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "serviceAccount": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "storage": { + "properties": { + "volume": { + "oneOf": [ + { + "items": { + "properties": { + "awsElasticBlockStore": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": 
"object" + }, + "azureDisk": { + "properties": { + "cachingMode": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "diskURI": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "azureFile": { + "properties": { + "readOnly": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "shareName": { + "type": "string" + } + }, + "type": "object" + }, + "cephfs": { + "properties": { + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretFile": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "cinder": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "csi": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "nodePublishSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "volumeAttributes": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "defaultMode": { + 
"type": "integer" + }, + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "emptyDir": { + "properties": { + "medium": { + "type": "string" + }, + "sizeLimit": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + }, + "ephemeral": { + "properties": { + "volumeClaimTemplate": { + "properties": { + "metadata": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "creationTimestamp": { + "properties": {}, + "type": "object" + }, + "deletionGracePeriodSeconds": { + "type": "integer" + }, + "deletionTimestamp": { + "properties": {}, + "type": "object" + }, + "finalizers": { + "items": { + "type": "string" + }, + "type": "array" + }, + "generateName": { + "type": "string" + }, + "generation": { + "type": "integer" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "managedFields": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldsType": { + "type": "string" + }, + "fieldsV1": { + "properties": {}, + "type": "object" + }, + "manager": { + "type": "string" + }, + "operation": { + "type": "string" + }, + "subresource": { + "type": "string" + }, + "time": { + "properties": {}, + "type": "object" + } + }, + "type": 
"object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "ownerReferences": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "blockOwnerDeletion": { + "type": "boolean" + }, + "controller": { + "type": "boolean" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resourceVersion": { + "type": "string" + }, + "selfLink": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "spec": { + "properties": { + "accessModes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "dataSource": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "dataSourceRef": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "properties": { + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "selector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + 
"type": "object" + }, + "storageClassName": { + "type": "string" + }, + "volumeAttributesClassName": { + "type": "string" + }, + "volumeMode": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "fc": { + "properties": { + "fsType": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "targetWWNs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "wwids": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "flexVolume": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "options": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "flocker": { + "properties": { + "datasetName": { + "type": "string" + }, + "datasetUUID": { + "type": "string" + } + }, + "type": "object" + }, + "gcePersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "pdName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "gitRepo": { + "properties": { + "directory": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "revision": { + "type": "string" + } + }, + "type": "object" + }, + "glusterfs": { + "properties": { + "endpoints": { + "type": "string" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "hostPath": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "iscsi": { + "properties": { + "chapAuthDiscovery": { + "type": "boolean" + }, + "chapAuthSession": { + "type": "boolean" + }, + 
"fsType": { + "type": "string" + }, + "initiatorName": { + "type": "string" + }, + "iqn": { + "type": "string" + }, + "iscsiInterface": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "portals": { + "items": { + "type": "string" + }, + "type": "array" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "targetPortal": { + "type": "string" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "nfs": { + "properties": { + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "server": { + "type": "string" + } + }, + "type": "object" + }, + "persistentVolumeClaim": { + "properties": { + "claimName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "photonPersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "pdID": { + "type": "string" + } + }, + "type": "object" + }, + "portworxVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "projected": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "sources": { + "items": { + "properties": { + "clusterTrustBundle": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "path": { + "type": "string" + }, + "signerName": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "items": 
{ + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serviceAccountToken": { + "properties": { + "audience": { + "type": "string" + }, + "expirationSeconds": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "quobyte": { + "properties": { + "group": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "registry": { + "type": "string" + }, + "tenant": { + "type": "string" + }, + "user": { + "type": "string" + }, + "volume": { + "type": "string" + } + }, + "type": "object" + }, + "rbd": { + "properties": { + "fsType": { + "type": "string" + }, + "image": { + "type": "string" 
+ }, + "keyring": { + "type": "string" + }, + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pool": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "scaleIO": { + "properties": { + "fsType": { + "type": "string" + }, + "gateway": { + "type": "string" + }, + "protectionDomain": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "sslEnabled": { + "type": "boolean" + }, + "storageMode": { + "type": "string" + }, + "storagePool": { + "type": "string" + }, + "system": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "optional": { + "type": "boolean" + }, + "secretName": { + "type": "string" + } + }, + "type": "object" + }, + "storageos": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeName": { + "type": "string" + }, + "volumeNamespace": { + "type": "string" + } + }, + "type": "object" + }, + "vsphereVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "storagePolicyID": { + "type": "string" + }, + "storagePolicyName": { + "type": "string" + }, + "volumePath": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "volumeMounts": { + "oneOf": [ + { + "items": { + 
"properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "test": { + "properties": { + "create": { + "type": "boolean" + } + }, + "type": "object" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "console": { + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + 
"properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": 
"object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": 
"object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { 
+ "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "autoscaling": { + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + }, + "targetMemoryUtilizationPercentage": { + "type": "integer" + } + }, + "type": "object" + }, + "commonLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "configmap": { + "properties": { + "create": { + "type": "boolean" + } + }, + "type": "object" + }, + "console": { + "properties": { + "config": { + "type": "object" + }, + "roleBindings": { + "oneOf": [ + { + "items": { + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "roles": { + "oneOf": [ + { + "items": { + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "deployment": { + "properties": { + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "create": { + "type": "boolean" + }, + "extraArgs": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "enterprise": { + "properties": { + "licenseSecretRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "extraContainers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": 
"string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + 
"items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + 
"periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": 
"integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": 
"boolean" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraEnv": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraEnvFrom": { + 
"oneOf": [ + { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraVolumeMounts": { + "oneOf": [ + { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraVolumes": { + "oneOf": [ + { + "items": { + "properties": { + "awsElasticBlockStore": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "azureDisk": { + "properties": { + "cachingMode": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "diskURI": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "azureFile": { + "properties": { + "readOnly": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "shareName": { + "type": "string" + } + }, + "type": "object" + }, + "cephfs": { + "properties": { + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretFile": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, 
+ "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "cinder": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "csi": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "nodePublishSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "volumeAttributes": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "emptyDir": { + "properties": { + "medium": { + "type": "string" + }, + "sizeLimit": { + "oneOf": [ + { + "type": 
"integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + }, + "ephemeral": { + "properties": { + "volumeClaimTemplate": { + "properties": { + "metadata": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "creationTimestamp": { + "properties": {}, + "type": "object" + }, + "deletionGracePeriodSeconds": { + "type": "integer" + }, + "deletionTimestamp": { + "properties": {}, + "type": "object" + }, + "finalizers": { + "items": { + "type": "string" + }, + "type": "array" + }, + "generateName": { + "type": "string" + }, + "generation": { + "type": "integer" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "managedFields": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldsType": { + "type": "string" + }, + "fieldsV1": { + "properties": {}, + "type": "object" + }, + "manager": { + "type": "string" + }, + "operation": { + "type": "string" + }, + "subresource": { + "type": "string" + }, + "time": { + "properties": {}, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "ownerReferences": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "blockOwnerDeletion": { + "type": "boolean" + }, + "controller": { + "type": "boolean" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resourceVersion": { + "type": "string" + }, + "selfLink": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "spec": { + "properties": { + "accessModes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "dataSource": { + "properties": { + "apiGroup": { + "type": "string" + }, + 
"kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "dataSourceRef": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "properties": { + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "selector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "storageClassName": { + "type": "string" + }, + "volumeAttributesClassName": { + "type": "string" + }, + "volumeMode": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "fc": { + "properties": { + "fsType": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "targetWWNs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "wwids": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "flexVolume": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "options": { + "additionalProperties": { + "type": "string" + }, + 
"type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "flocker": { + "properties": { + "datasetName": { + "type": "string" + }, + "datasetUUID": { + "type": "string" + } + }, + "type": "object" + }, + "gcePersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "pdName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "gitRepo": { + "properties": { + "directory": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "revision": { + "type": "string" + } + }, + "type": "object" + }, + "glusterfs": { + "properties": { + "endpoints": { + "type": "string" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "hostPath": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "iscsi": { + "properties": { + "chapAuthDiscovery": { + "type": "boolean" + }, + "chapAuthSession": { + "type": "boolean" + }, + "fsType": { + "type": "string" + }, + "initiatorName": { + "type": "string" + }, + "iqn": { + "type": "string" + }, + "iscsiInterface": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "portals": { + "items": { + "type": "string" + }, + "type": "array" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "targetPortal": { + "type": "string" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "nfs": { + "properties": { + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "server": { + "type": "string" + } + }, + "type": "object" + }, + "persistentVolumeClaim": { + "properties": { + "claimName": { + "type": "string" + }, + "readOnly": { + 
"type": "boolean" + } + }, + "type": "object" + }, + "photonPersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "pdID": { + "type": "string" + } + }, + "type": "object" + }, + "portworxVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "projected": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "sources": { + "items": { + "properties": { + "clusterTrustBundle": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "path": { + "type": "string" + }, + "signerName": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": 
"^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serviceAccountToken": { + "properties": { + "audience": { + "type": "string" + }, + "expirationSeconds": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "quobyte": { + "properties": { + "group": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "registry": { + "type": "string" + }, + "tenant": { + "type": "string" + }, + "user": { + "type": "string" + }, + "volume": { + "type": "string" + } + }, + "type": "object" + }, + "rbd": { + "properties": { + "fsType": { + "type": "string" + }, + "image": { + "type": "string" + }, + "keyring": { + "type": "string" + }, + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pool": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "scaleIO": { + "properties": { + "fsType": { + "type": "string" + }, + "gateway": { + "type": "string" + }, + "protectionDomain": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "sslEnabled": { + "type": "boolean" + }, + "storageMode": { + "type": "string" + }, + 
"storagePool": { + "type": "string" + }, + "system": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "optional": { + "type": "boolean" + }, + "secretName": { + "type": "string" + } + }, + "type": "object" + }, + "storageos": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeName": { + "type": "string" + }, + "volumeNamespace": { + "type": "string" + } + }, + "type": "object" + }, + "vsphereVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "storagePolicyID": { + "type": "string" + }, + "storagePolicyName": { + "type": "string" + }, + "volumePath": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "properties": { + "pullPolicy": { + "type": "string" + }, + "registry": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "type": "object" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "ingress": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "className": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "hosts": { + "oneOf": [ + { + "items": { + "properties": { + "host": { + "type": "string" + }, + "paths": { + "items": { + 
"properties": { + "path": { + "type": "string" + }, + "pathType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "tls": { + "oneOf": [ + { + "items": { + "properties": { + "hosts": { + "items": { + "type": "string" + }, + "type": "array" + }, + "secretName": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "initContainers": { + "properties": { + "extraInitContainers": { + "type": "string" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + 
"nameOverride": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podAnnotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podSecurityContext": { + "properties": { + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "oneOf": [ + { + "items": { + "type": "string" + }, + 
"type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "properties": { + "claims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "create": { + "type": 
"boolean" + }, + "enterprise": { + "properties": { + "license": { + "type": "string" + } + }, + "type": "object" + }, + "kafka": { + "properties": { + "awsMskIamSecretKey": { + "type": "string" + }, + "protobufGitBasicAuthPassword": { + "type": "string" + }, + "saslPassword": { + "type": "string" + }, + "schemaRegistryPassword": { + "type": "string" + }, + "schemaRegistryTlsCa": { + "type": "string" + }, + "schemaRegistryTlsCert": { + "type": "string" + }, + "schemaRegistryTlsKey": { + "type": "string" + }, + "tlsCa": { + "type": "string" + }, + "tlsCert": { + "type": "string" + }, + "tlsKey": { + "type": "string" + }, + "tlsPassphrase": { + "type": "string" + } + }, + "type": "object" + }, + "login": { + "properties": { + "github": { + "properties": { + "clientSecret": { + "type": "string" + }, + "personalAccessToken": { + "type": "string" + } + }, + "type": "object" + }, + "google": { + "properties": { + "clientSecret": { + "type": "string" + }, + "groupsServiceAccount": { + "type": "string" + } + }, + "type": "object" + }, + "jwtSecret": { + "type": "string" + }, + "oidc": { + "properties": { + "clientSecret": { + "type": "string" + } + }, + "type": "object" + }, + "okta": { + "properties": { + "clientSecret": { + "type": "string" + }, + "directoryApiToken": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "redpanda": { + "properties": { + "adminApi": { + "properties": { + "password": { + "type": "string" + }, + "tlsCa": { + "type": "string" + }, + "tlsCert": { + "type": "string" + }, + "tlsKey": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "secretMounts": { + "oneOf": [ + { + "items": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "path": { + "type": "string" + }, + "secretName": { + "type": "string" + }, + "subPath": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": 
"null" + } + ] + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "service": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "targetPort": { + "type": "integer" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "serviceAccount": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": 
"boolean" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "strategy": { + "properties": { + "rollingUpdate": { + "properties": { + "maxSurge": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "maxUnavailable": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "tests": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "maxSkew": { + "type": "integer" + }, + "minDomains": { + "type": "integer" + }, + "nodeAffinityPolicy": { + "type": "string" + }, + "nodeTaintsPolicy": { + "type": "string" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "enterprise": { + "properties": { + "license": { + "type": "string" + }, + "licenseSecretRef": { + 
"properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "external": { + "properties": { + "addresses": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "domain": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "externalDns": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "prefixTemplate": { + "type": "string" + }, + "service": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "sourceRanges": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "type": { + "pattern": "^(LoadBalancer|NodePort)$", + "type": "string" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "force": { + "type": "boolean" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "description": "Values used to define the container image to be used for Redpanda", + "properties": { + "pullPolicy": { + "description": "The Kubernetes Pod image pull policy.", + "pattern": "^(Always|Never|IfNotPresent)$", + "type": "string" + }, + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda", + "description": "container image repository", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "description": "The container image tag. Use the Redpanda release version. 
Must be a valid semver prefixed with a 'v'.", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "repository", + "pullPolicy" + ], + "type": "object" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "license_key": { + "deprecated": true, + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\\.(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$|^$", + "type": "string" + }, + "license_secret_ref": { + "deprecated": true, + "properties": { + "secret_key": { + "type": "string" + }, + "secret_name": { + "type": "string" + } + }, + "type": "object" + }, + "listeners": { + "properties": { + "admin": { + "properties": { + "appProtocol": { + "type": "string" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": 
"object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "http": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "tls", + "kafkaEndpoint", + "port" + ], + "type": "object" + }, + "kafka": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "sasl", + "none", + "mtls_identity" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "sasl", + "none", + "mtls_identity" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + 
"type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "tls", + "port" + ], + "type": "object" + }, + "rpc": { + "properties": { + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": 
{ + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "schemaRegistry": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + 
"properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "kafkaEndpoint", + "port", + "tls" + ], + "type": "object" + } + }, + "required": [ + "admin", + "http", + "kafka", + "schemaRegistry", + "rpc" + ], + "type": "object" + }, + "logging": { + "properties": { + "logLevel": { + "pattern": "^(error|warn|info|debug|trace)$", + "type": "string" + }, + "usageStats": { + "properties": { + "clusterId": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "logLevel", + "usageStats" + ], + "type": "object" + }, + "monitoring": { + "properties": { + "enableHttp2": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "scrapeInterval": { + "type": "string" + }, + "tlsConfig": { + "properties": { + "ca": { + "properties": { + "configMap": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "caFile": { + "type": 
"string" + }, + "cert": { + "properties": { + "configMap": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "certFile": { + "type": "string" + }, + "insecureSkipVerify": { + "type": "boolean" + }, + "keyFile": { + "type": "string" + }, + "keySecret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serverName": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "enabled", + "scrapeInterval" + ], + "type": "object" + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "post_install_job": { + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + 
"nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { 
+ "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + 
"matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + 
"additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "activeDeadlineSeconds": { + "type": "integer" + }, + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + 
"operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" 
+ } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + 
"type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": 
"array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "containers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { 
+ "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + 
"command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + 
"name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" 
+ }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + 
"host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "dnsConfig": { + "properties": { + "nameservers": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "options": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "searches": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "dnsPolicy": { + "type": "string" + }, + "enableServiceLinks": { + "type": "boolean" + }, + "ephemeralContainers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + 
}, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": 
{ + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { 
+ "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": 
"integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { 
+ "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "targetContainerName": { 
+ "type": "string" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "hostAliases": { + "oneOf": [ + { + "items": { + "properties": { + "hostnames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "ip": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "hostIPC": { + "type": "boolean" + }, + "hostNetwork": { + "type": "boolean" + }, + "hostPID": { + "type": "boolean" + }, + "hostUsers": { + "type": "boolean" + }, + "hostname": { + "type": "string" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "initContainers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + 
"type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, 
+ "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + 
"timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + 
}, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + 
"volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "nodeName": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "os": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "overhead": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "preemptionPolicy": { + "type": "string" + }, + "priority": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "readinessGates": { + "oneOf": [ + { + "items": { + "properties": { + "conditionType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "resourceClaims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "source": { + "properties": { + "resourceClaimName": { + "type": "string" + }, + "resourceClaimTemplateName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "restartPolicy": { + "type": "string" + }, + "runtimeClassName": { + "type": "string" + }, + "schedulerName": { + "type": "string" + }, + "schedulingGates": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + 
"securityContext": { + "properties": { + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "serviceAccount": { + "type": "string" + }, + "serviceAccountName": { + "type": "string" + }, + "setHostnameAsFQDN": { + "type": "boolean" + }, + "shareProcessNamespace": { + "type": "boolean" + }, + "subdomain": { + "type": "string" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": 
"integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "maxSkew": { + "type": "integer" + }, + "minDomains": { + "type": "integer" + }, + "nodeAffinityPolicy": { + "type": "string" + }, + "nodeTaintsPolicy": { + "type": "string" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "volumes": { + "oneOf": [ + { + "items": { + "properties": { + "awsElasticBlockStore": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "azureDisk": { + "properties": { + "cachingMode": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "diskURI": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "azureFile": { + "properties": { + "readOnly": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "shareName": { + "type": "string" + } + }, + "type": "object" + }, + "cephfs": { + "properties": { + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "path": { + "type": "string" 
+ }, + "readOnly": { + "type": "boolean" + }, + "secretFile": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "cinder": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "csi": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "nodePublishSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "volumeAttributes": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": 
"array" + } + }, + "type": "object" + }, + "emptyDir": { + "properties": { + "medium": { + "type": "string" + }, + "sizeLimit": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + }, + "ephemeral": { + "properties": { + "volumeClaimTemplate": { + "properties": { + "metadata": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "creationTimestamp": { + "properties": {}, + "type": "object" + }, + "deletionGracePeriodSeconds": { + "type": "integer" + }, + "deletionTimestamp": { + "properties": {}, + "type": "object" + }, + "finalizers": { + "items": { + "type": "string" + }, + "type": "array" + }, + "generateName": { + "type": "string" + }, + "generation": { + "type": "integer" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "ownerReferences": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "blockOwnerDeletion": { + "type": "boolean" + }, + "controller": { + "type": "boolean" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resourceVersion": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "spec": { + "properties": { + "accessModes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "dataSource": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "dataSourceRef": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + }, + "type": 
"object" + }, + "resources": { + "properties": { + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "selector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "storageClassName": { + "type": "string" + }, + "volumeAttributesClassName": { + "type": "string" + }, + "volumeMode": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "fc": { + "properties": { + "fsType": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "targetWWNs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "wwids": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "flexVolume": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "options": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "flocker": { + "properties": { + "datasetName": { + "type": "string" + }, + "datasetUUID": { + "type": "string" + 
} + }, + "type": "object" + }, + "gcePersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "pdName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "gitRepo": { + "properties": { + "directory": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "revision": { + "type": "string" + } + }, + "type": "object" + }, + "glusterfs": { + "properties": { + "endpoints": { + "type": "string" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "hostPath": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "iscsi": { + "properties": { + "chapAuthDiscovery": { + "type": "boolean" + }, + "chapAuthSession": { + "type": "boolean" + }, + "fsType": { + "type": "string" + }, + "initiatorName": { + "type": "string" + }, + "iqn": { + "type": "string" + }, + "iscsiInterface": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "portals": { + "items": { + "type": "string" + }, + "type": "array" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "targetPortal": { + "type": "string" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "nfs": { + "properties": { + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "server": { + "type": "string" + } + }, + "type": "object" + }, + "persistentVolumeClaim": { + "properties": { + "claimName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "photonPersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "pdID": { + "type": "string" + } + }, + "type": "object" + }, + "portworxVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": 
"boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "projected": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "sources": { + "items": { + "properties": { + "clusterTrustBundle": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "path": { + "type": "string" + }, + "signerName": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + 
}, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serviceAccountToken": { + "properties": { + "audience": { + "type": "string" + }, + "expirationSeconds": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "quobyte": { + "properties": { + "group": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "registry": { + "type": "string" + }, + "tenant": { + "type": "string" + }, + "user": { + "type": "string" + }, + "volume": { + "type": "string" + } + }, + "type": "object" + }, + "rbd": { + "properties": { + "fsType": { + "type": "string" + }, + "image": { + "type": "string" + }, + "keyring": { + "type": "string" + }, + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pool": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "scaleIO": { + "properties": { + "fsType": { + "type": "string" + }, + "gateway": { + "type": "string" + }, + "protectionDomain": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "sslEnabled": { + "type": "boolean" + }, + "storageMode": { + "type": "string" + }, + "storagePool": { + "type": "string" + }, + "system": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { 
+ "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "optional": { + "type": "boolean" + }, + "secretName": { + "type": "string" + } + }, + "type": "object" + }, + "storageos": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeName": { + "type": "string" + }, + "volumeNamespace": { + "type": "string" + } + }, + "type": "object" + }, + "vsphereVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "storagePolicyID": { + "type": "string" + }, + "storagePolicyName": { + "type": "string" + }, + "volumePath": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "required": [ + "labels", + "annotations" + ], + "type": "object" + }, + "resources": { + "properties": { + "claims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, 
+ { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "rackAwareness": { + "properties": { + "enabled": { + "type": "boolean" + }, + "nodeAnnotation": { + "type": "string" + } + }, + "required": [ + "enabled", + "nodeAnnotation" + ], + "type": "object" + }, + "rbac": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "annotations" + ], + "type": "object" + }, + "resources": { + "properties": { + "cpu": { + "properties": { + "cores": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "overprovisioned": { + "type": "boolean" + } + }, + "required": [ + "cores" + ], + "type": "object" + }, + "memory": { + "properties": { + "container": { + "properties": { + "max": { + 
"oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "min": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "required": [ + "max" + ], + "type": "object" + }, + "enable_memory_locking": { + "type": "boolean" + }, + "redpanda": { + "properties": { + "memory": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "reserveMemory": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + } + }, + "required": [ + "container" + ], + "type": "object" + } + }, + "required": [ + "cpu", + "memory" + ], + "type": "object" + }, + "service": { + "properties": { + "internal": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "serviceAccount": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "type": "object" + }, + "statefulset": { + "properties": { + "additionalRedpandaCmdFlags": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "additionalSelectorLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "budget": { + "properties": { + "maxUnavailable": { + "type": 
"integer" + } + }, + "required": [ + "maxUnavailable" + ], + "type": "object" + }, + "extraVolumeMounts": { + "type": "string" + }, + "extraVolumes": { + "type": "string" + }, + "initContainerImage": { + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "type": "object" + }, + "initContainers": { + "properties": { + "configurator": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "extraInitContainers": { + "type": "string" + }, + "fsValidator": { + "properties": { + "enabled": { + "type": "boolean" + }, + "expectedFS": { + "type": "string" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "setDataDirOwnership": { + "properties": { + "enabled": { + "type": "boolean" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "setTieredStorageCacheDirOwnership": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "tuning": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "nodeAffinity": { + "type": "object" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podAffinity": { + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "custom": { + "type": "object" + }, + "topologyKey": { + "type": "string" + }, + "type": { + "pattern": 
"^(hard|soft|custom)$", + "type": "string" + }, + "weight": { + "type": "integer" + } + }, + "required": [ + "topologyKey", + "type", + "weight" + ], + "type": "object" + }, + "podSecurityContext": { + "deprecated": true, + "properties": { + "allowPriviledgeEscalation": { + "type": "boolean" + }, + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "activeDeadlineSeconds": { + "type": "integer" + }, + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + 
"items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + 
"type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + 
"type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + 
"namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "containers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + 
}, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + 
"livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + 
"type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + 
"properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + 
"successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "dnsConfig": { + "properties": { + "nameservers": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "options": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "searches": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "dnsPolicy": { + "type": "string" + }, + "enableServiceLinks": { + "type": "boolean" + }, + "ephemeralContainers": { + "oneOf": [ + { + "items": { + 
"properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + 
"httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + 
"properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": 
"object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + 
"runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, 
+ "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "targetContainerName": { + "type": "string" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "hostAliases": { + "oneOf": [ + { + "items": { + "properties": { + "hostnames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "ip": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "hostIPC": { + "type": "boolean" + }, + "hostNetwork": { + "type": "boolean" + }, + "hostPID": { + "type": "boolean" + }, + "hostUsers": { + "type": "boolean" + }, + "hostname": { + "type": "string" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "initContainers": { + "oneOf": [ + { + "items": { + "properties": { + "args": { + "items": { + "type": "string" + }, + "type": "array" + }, + "command": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + 
"properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "envFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "lifecycle": { + "properties": { + "postStart": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + 
"scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "preStop": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "sleep": { + "properties": { + "seconds": { + "type": "integer" + } + }, + "type": "object" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": 
"string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "ports": { + "items": { + "properties": { + "containerPort": { + "type": "integer" + }, + "hostIP": { + "type": "string" + }, + "hostPort": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "readinessProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": 
"number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resizePolicy": { + "items": { + "properties": { + "resourceName": { + "type": "string" + }, + "restartPolicy": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + 
"seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "exec": { + "properties": { + "command": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "failureThreshold": { + "type": "integer" + }, + "grpc": { + "properties": { + "port": { + "type": "integer" + }, + "service": { + "type": "string" + } + }, + "type": "object" + }, + "httpGet": { + "properties": { + "host": { + "type": "string" + }, + "httpHeaders": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + }, + "scheme": { + "type": "string" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "tcpSocket": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + } + ] + } + }, + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "stdin": { + "type": "boolean" + }, + "stdinOnce": { + "type": "boolean" + }, + "terminationMessagePath": { + "type": "string" + }, + "terminationMessagePolicy": { + "type": "string" + }, + "tty": { + "type": "boolean" + }, + "volumeDevices": { + "items": { + "properties": { + "devicePath": { + 
"type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "volumeMounts": { + "items": { + "properties": { + "mountPath": { + "type": "string" + }, + "mountPropagation": { + "type": "string" + }, + "name": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "recursiveReadOnly": { + "type": "string" + }, + "subPath": { + "type": "string" + }, + "subPathExpr": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "workingDir": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "nodeName": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "os": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "overhead": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "preemptionPolicy": { + "type": "string" + }, + "priority": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "readinessGates": { + "oneOf": [ + { + "items": { + "properties": { + "conditionType": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "resourceClaims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "source": { + "properties": { + "resourceClaimName": { + "type": "string" + }, + "resourceClaimTemplateName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "restartPolicy": { + "type": "string" + }, + "runtimeClassName": { + "type": "string" + }, + "schedulerName": { + "type": "string" + }, + "schedulingGates": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + 
"type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "serviceAccount": { + "type": "string" + }, + "serviceAccountName": { + "type": "string" + }, + "setHostnameAsFQDN": { + "type": "boolean" + }, + "shareProcessNamespace": { + "type": "boolean" + }, + "subdomain": { + "type": "string" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": 
{ + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "maxSkew": { + "type": "integer" + }, + "minDomains": { + "type": "integer" + }, + "nodeAffinityPolicy": { + "type": "string" + }, + "nodeTaintsPolicy": { + "type": "string" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "volumes": { + "oneOf": [ + { + "items": { + "properties": { + "awsElasticBlockStore": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "azureDisk": { + "properties": { + "cachingMode": { + "type": "string" + }, + "diskName": { + "type": "string" + }, + "diskURI": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "azureFile": { + "properties": { + "readOnly": { + "type": "boolean" + }, + "secretName": { + "type": "string" + }, + "shareName": { + "type": "string" + } + }, + "type": "object" + }, + "cephfs": { + "properties": { + 
"monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretFile": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "cinder": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "csi": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "nodePublishSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "volumeAttributes": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + 
"resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "emptyDir": { + "properties": { + "medium": { + "type": "string" + }, + "sizeLimit": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + }, + "ephemeral": { + "properties": { + "volumeClaimTemplate": { + "properties": { + "metadata": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "creationTimestamp": { + "properties": {}, + "type": "object" + }, + "deletionGracePeriodSeconds": { + "type": "integer" + }, + "deletionTimestamp": { + "properties": {}, + "type": "object" + }, + "finalizers": { + "items": { + "type": "string" + }, + "type": "array" + }, + "generateName": { + "type": "string" + }, + "generation": { + "type": "integer" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "ownerReferences": { + "items": { + "properties": { + "apiVersion": { + "type": "string" + }, + "blockOwnerDeletion": { + "type": "boolean" + }, + "controller": { + "type": "boolean" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "resourceVersion": { + "type": "string" + }, + "uid": { + "type": "string" + } + }, + "type": "object" + }, + "spec": { + "properties": { + "accessModes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "dataSource": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "dataSourceRef": { + "properties": { + "apiGroup": { + "type": "string" + }, + "kind": { + "type": "string" 
+ }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + }, + "type": "object" + }, + "resources": { + "properties": { + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "selector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "storageClassName": { + "type": "string" + }, + "volumeAttributesClassName": { + "type": "string" + }, + "volumeMode": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "fc": { + "properties": { + "fsType": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "readOnly": { + "type": "boolean" + }, + "targetWWNs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "wwids": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "flexVolume": { + "properties": { + "driver": { + "type": "string" + }, + "fsType": { + "type": "string" + }, + "options": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "flocker": { + 
"properties": { + "datasetName": { + "type": "string" + }, + "datasetUUID": { + "type": "string" + } + }, + "type": "object" + }, + "gcePersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "partition": { + "type": "integer" + }, + "pdName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "gitRepo": { + "properties": { + "directory": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "revision": { + "type": "string" + } + }, + "type": "object" + }, + "glusterfs": { + "properties": { + "endpoints": { + "type": "string" + }, + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "hostPath": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "iscsi": { + "properties": { + "chapAuthDiscovery": { + "type": "boolean" + }, + "chapAuthSession": { + "type": "boolean" + }, + "fsType": { + "type": "string" + }, + "initiatorName": { + "type": "string" + }, + "iqn": { + "type": "string" + }, + "iscsiInterface": { + "type": "string" + }, + "lun": { + "type": "integer" + }, + "portals": { + "items": { + "type": "string" + }, + "type": "array" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "targetPortal": { + "type": "string" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "nfs": { + "properties": { + "path": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "server": { + "type": "string" + } + }, + "type": "object" + }, + "persistentVolumeClaim": { + "properties": { + "claimName": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + } + }, + "type": "object" + }, + "photonPersistentDisk": { + "properties": { + "fsType": { + "type": "string" + }, + "pdID": { + "type": "string" + } + }, + "type": "object" + }, + 
"portworxVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "volumeID": { + "type": "string" + } + }, + "type": "object" + }, + "projected": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "sources": { + "items": { + "properties": { + "clusterTrustBundle": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "path": { + "type": "string" + }, + "signerName": { + "type": "string" + } + }, + "type": "object" + }, + "configMap": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "downwardAPI": { + "properties": { + "items": { + "items": { + "properties": { + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + 
"secret": { + "properties": { + "items": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serviceAccountToken": { + "properties": { + "audience": { + "type": "string" + }, + "expirationSeconds": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "quobyte": { + "properties": { + "group": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "registry": { + "type": "string" + }, + "tenant": { + "type": "string" + }, + "user": { + "type": "string" + }, + "volume": { + "type": "string" + } + }, + "type": "object" + }, + "rbd": { + "properties": { + "fsType": { + "type": "string" + }, + "image": { + "type": "string" + }, + "keyring": { + "type": "string" + }, + "monitors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pool": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "scaleIO": { + "properties": { + "fsType": { + "type": "string" + }, + "gateway": { + "type": "string" + }, + "protectionDomain": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "sslEnabled": { + "type": "boolean" + }, + "storageMode": { + "type": "string" + }, + "storagePool": { + "type": "string" + }, + "system": { + "type": "string" + }, + "volumeName": { + "type": "string" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "defaultMode": { + "type": "integer" + }, + "items": { + 
"items": { + "properties": { + "key": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "optional": { + "type": "boolean" + }, + "secretName": { + "type": "string" + } + }, + "type": "object" + }, + "storageos": { + "properties": { + "fsType": { + "type": "string" + }, + "readOnly": { + "type": "boolean" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "volumeName": { + "type": "string" + }, + "volumeNamespace": { + "type": "string" + } + }, + "type": "object" + }, + "vsphereVolume": { + "properties": { + "fsType": { + "type": "string" + }, + "storagePolicyID": { + "type": "string" + }, + "storagePolicyName": { + "type": "string" + }, + "volumePath": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "required": [ + "labels", + "annotations" + ], + "type": "object" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "replicas": { + "type": "integer" + }, + "securityContext": { + "deprecated": true, + "properties": { + "allowPriviledgeEscalation": { + "type": "boolean" + }, + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + }, 
+ "type": "object" + }, + "sideCars": { + "properties": { + "configWatcher": { + "properties": { + "enabled": { + "type": "boolean" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "controllers": { + "properties": { + "createRBAC": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "healthProbeAddress": { + "type": "string" + }, + "image": { + "properties": { + "repository": { + "default": 
"docker.redpanda.com/redpandadata/redpanda-operator", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "tag", + "repository" + ], + "type": "object" + }, + "metricsAddress": { + "type": "string" + }, + "pprofAddress": { + "type": "string" + }, + "resources": true, + "run": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "appArmorProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" 
+ }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "maxSkew": { + "type": "integer" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "pattern": "^(ScheduleAnyway|DoNotSchedule)$", + "type": "string" + } + }, + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "updateStrategy": { + "properties": { + "type": { + "pattern": "^(RollingUpdate|OnDelete)$", + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object" + } + }, + "required": [ + "additionalSelectorLabels", + "replicas", + "updateStrategy", + "podTemplate", + "budget", + "startupProbe", + "livenessProbe", + "readinessProbe", + "podAffinity", + "podAntiAffinity", + "nodeSelector", + "priorityClassName", + "topologySpreadConstraints", + "tolerations", + "securityContext", + "sideCars" + ], + "type": "object" + }, + "storage": { + "properties": { + "hostPath": { + "type": "string" + }, + "persistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + 
"additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { + "type": "string" + }, + "size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "size", + "storageClass" + ], + "type": "object" + }, + "tiered": { + "properties": { + "config": { + "properties": { + "cloud_storage_access_key": { + "type": "string" + }, + "cloud_storage_api_endpoint": { + "type": "string" + }, + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { + "type": "string" + }, + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_enabled": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + 
"cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_secret_key": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" + } + }, + "required": [ + "cloud_storage_enabled" + ], + "type": "object" + }, + "credentialsSecretRef": { + "properties": { + "accessKey": { + "properties": { + "configurationKey": { + "type": "string" + }, + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "secretKey": { + "properties": { + "configurationKey": { + "type": "string" + }, + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "hostPath": { + "type": "string" + }, + "mountType": { + "pattern": "^(none|hostPath|emptyDir|persistentVolume)$", + "type": "string" + }, + "persistentVolume": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "labels", + "storageClass" + ], + "type": "object" + } + }, + "required": [ + "mountType" + ], + "type": "object" + }, + "tieredConfig": { + "deprecated": true, + "properties": { + 
"cloud_storage_access_key": { + "type": "string" + }, + "cloud_storage_api_endpoint": { + "type": "string" + }, + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { + "type": "string" + }, + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_enabled": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + "cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_secret_key": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + 
"cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tieredStorageHostPath": { + "deprecated": true, + "type": "string" + }, + "tieredStoragePersistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "storageClass" + ], + "type": "object" + } + }, + "required": [ + "hostPath", + "tiered", + "persistentVolume" + ], + "type": "object" + }, + "tests": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "tls": { + "properties": { + "certs": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "applyInternalDNSNames": { + "type": "boolean" + }, + "caEnabled": { + "type": "boolean" + }, + "clientSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "duration": { + "pattern": ".*[smh]$", + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "issuerRef": { + "properties": { + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "caEnabled" + ], + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "certs" + ], + "type": "object" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": 
"string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "tuning": { + "properties": { + "ballast_file_path": { + "type": "string" + }, + "ballast_file_size": { + "type": "string" + }, + "tune_aio_events": { + "type": "boolean" + }, + "tune_ballast_file": { + "type": "boolean" + }, + "tune_clocksource": { + "type": "boolean" + }, + "well_known_io": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "affinity", + "image" + ], + "type": "object" +} diff --git a/charts/redpanda/redpanda/5.9.18/values.yaml b/charts/redpanda/redpanda/5.9.18/values.yaml new file mode 100644 index 0000000000..99fcd51a43 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.18/values.yaml 
@@ -0,0 +1,1131 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file contains values for variables referenced from yaml files in the templates directory.
+#
+# For further information on Helm templating see the documentation at:
+# https://helm.sh/docs/chart_template_guide/values_files/
+
+#
+# >>> This chart requires Helm version 3.6.0 or greater <<<
+#
+
+# Common settings
+#
+# -- Override `redpanda.name` template.
+nameOverride: ""
+# -- Override `redpanda.fullname` template.
+fullnameOverride: ""
+# -- Default Kubernetes cluster domain.
+clusterDomain: cluster.local
+# -- Additional labels to add to all Kubernetes objects.
+# For example, `my.k8s.service: redpanda`.
+commonLabels: {}
+# -- Node selection constraints for scheduling Pods, can override this for StatefulSets.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+nodeSelector: {}
+# -- Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
+affinity: {}
+# -- Taints to be tolerated by Pods, can override this for StatefulSets.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+tolerations: []
+
+# -- Redpanda Docker image settings.
+image:
+ # -- Docker repository from which to pull the Redpanda Docker image.
+ repository: docker.redpanda.com/redpandadata/redpanda
+ # -- The Redpanda version.
+ # See DockerHub for:
+ # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags)
+ # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags).
+ # @default -- `Chart.appVersion`.
+ tag: ""
+ # -- The imagePullPolicy.
+ # If `image.tag` is 'latest', the default is `Always`.
+ pullPolicy: IfNotPresent
+
+# -- Redpanda Service settings.
+# service:
+# -- set service.name to override the default service name
+# name: redpanda
+# -- internal Service
+# internal:
+# -- add annotations to the internal Service
+# annotations: {}
+#
+# -- eg. for a bare metal install using external-dns
+# annotations:
+# "external-dns.alpha.kubernetes.io/hostname": redpanda.domain.dom
+# "external-dns.alpha.kubernetes.io/endpoints-type": HostIP
+
+# -- Pull secrets may be used to provide credentials to image repositories
+# See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
+imagePullSecrets: []
+
+# -- DEPRECATED Enterprise license key (optional).
+# For details,
+# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+license_key: ""
+# -- DEPRECATED Secret name and secret key where the license key is stored.
+license_secret_ref: {}
+ # secret_name: my-secret
+ # secret_key: key-where-license-is-stored
+
+# -- Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication
+# for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0.
+auditLogging:
+ # -- Enable or disable audit logging, for production clusters we suggest you enable,
+ # however, this will only work if you also enable sasl and a listener with sasl enabled.
+ enabled: false
+ # -- Kafka listener name, note that it must have `authenticationMethod` set to `sasl`.
+ # For external listeners, use the external listener name, such as `default`.
+ listener: internal
+ # -- Integer value defining the number of partitions used by a newly created audit topic.
+ partitions: 12
+ # -- Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`].
+ enabledEventTypes:
+ # -- List of topics to exclude from auditing, default is null.
+ excludedTopics:
+ # -- List of principals to exclude from auditing, default is null.
+ excludedPrincipals:
+ # -- Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages.
+ clientMaxBufferSize: 16777216
+ # -- In ms, frequency in which per shard audit logs are batched to client for write to audit log.
+ queueDrainIntervalMs: 500
+ # -- Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard.
+ queueMaxBufferSizePerShard: 1048576
+ # -- Defines the replication factor for a newly created audit log topic. This configuration applies
+ # only to the audit log topic and may be different from the cluster or other topic configurations.
+ # This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided,
+ # Redpanda will use the `internal_topic_replication_factor cluster` config value.
Default is `null`
+ replicationFactor:
+
+# -- Enterprise (optional)
+# For details,
+# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+enterprise:
+ # -- license (optional).
+ license: ""
+ # -- Secret name and key where the license key is stored.
+ licenseSecretRef: {}
+ # name: my-secret
+ # key: key-where-license-is-stored
+
+# -- Rack Awareness settings.
+# For details,
+# see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/).
+rackAwareness:
+ # -- When running in multiple racks or availability zones, use a Kubernetes Node
+ # annotation value as the Redpanda rack value.
+ # Enabling this requires running with a service account with "get" Node permissions.
+ # To have the Helm chart configure these permissions,
+ # set `serviceAccount.create=true` and `rbac.enabled=true`.
+ enabled: false
+ # -- The common well-known annotation to use as the rack ID.
+ # Override this only if you use a custom Node annotation.
+ nodeAnnotation: topology.kubernetes.io/zone
+
+#
+# -- Redpanda Console settings.
+# For a reference of configuration settings,
+# see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/).
+console:
+ enabled: true
+ configmap:
+ create: false
+ secret:
+ create: false
+ deployment:
+ create: false
+ config: {}
+
+#
+# -- Redpanda Managed Connectors settings
+# For a reference of configuration settings,
+# see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/).
+connectors:
+ enabled: false
+ deployment:
+ create: false
+ test:
+ create: false
+
+# -- Authentication settings.
+# For details,
+# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/).
+auth:
+ sasl:
+ # -- Enable SASL authentication.
+ # If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`.
+ enabled: false
+ # -- The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`.
+ mechanism: SCRAM-SHA-512
+ # -- A Secret that contains your superuser credentials.
+ # For details,
+ # see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets).
+ secretRef: "redpanda-users"
+ # -- Optional list of superusers.
+ # These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`.
+ # If this list is empty,
+ # the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart.
+ # Uncomment the sample list if you wish to try adding sample sasl users or override to use your own.
+ users: []
+ # - name: admin
+ # password: change-me
+ # mechanism: SCRAM-SHA-512
+ # -- Details about how to create the bootstrap user for the cluster.
+ # The secretKeyRef is optionally specified. If it is specified, the
+ # chart will use a password written to that secret when creating the
+ # "kubernetes-controller" bootstrap user. If it is unspecified, then
+ # the secret will be generated and stored in the secret
+ # "releasename"-bootstrap-user, with the key "password".
+ bootstrapUser:
+ # -- The name used to override the name of the bootstrap user. If unspecified the bootstrap user is named
+ # "kubernetes-controller". This should only be specified when SASL authentication is enabled (usually installation)
+ # and should not be changed afterward.
+ # name: my-user
+ # -- The authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`.
+ mechanism: SCRAM-SHA-256
+ # secretKeyRef:
+ # name: my-password
+ # key: my-key
+
+# -- TLS settings.
+# For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/).
+tls:
+ # -- Enable TLS globally for all listeners.
+ # Each listener must include a Certificate name in its `.tls` object.
+ # To allow you to enable TLS for individual listeners,
+ # Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`.
+ # See `listeners..tls.enabled`.
+ enabled: true
+ # -- List all Certificates here,
+ # then you can reference a specific Certificate's name
+ # in each listener's `listeners..tls.cert` setting.
+ certs:
+ # -- This key is the Certificate name.
+ # To apply the Certificate to a specific listener,
+ # reference the Certificate's name in `listeners..tls.cert`.
+ default:
+ # -- To use a custom pre-installed Issuer,
+ # add its name and kind to the `issuerRef` object.
+ # issuerRef:
+ # name: redpanda-default-root-issuer
+ # kind: Issuer # Can be Issuer or ClusterIssuer
+ # -- To use a secret with custom tls files,
+ # secretRef:
+ # name: my-tls-secret
+ # -- Indicates whether or not the Secret holding this certificate
+ # includes a `ca.crt` key. When `true`, chart managed clients, such as
+ # rpk, will use `ca.crt` for certificate verification and listeners with
+ # `require_client_auth` and no explicit `truststore` will use `ca.crt` as
+ # their `truststore_file` for verification of client certificates. When
+ # `false`, chart managed clients will use `tls.crt` for certificate
+ # verification and listeners with `require_client_auth` and no explicit
+ # `truststore` will use the container's CA certificates.
+ caEnabled: true
+ # duration: 43800h
+ # if you wish to have Kubernetes internal dns names (IE the headless service of the redpanda StatefulSet) included in `dnsNames` of the certificate even, when supplying an issuer.
+ # applyInternalDNSNames: false
+ # -- Example external tls configuration
+ # uncomment and set the right key to the listeners that require them
+ # also enable the tls setting for those listeners.
+ external:
+ # -- To use a custom pre-installed Issuer,
+ # add its name and kind to the `issuerRef` object.
+ # issuerRef:
+ # name: redpanda-default-root-issuer
+ # kind: Issuer # Can be Issuer or ClusterIssuer
+ # -- To use a secret with custom tls files,
+ # secretRef:
+ # name: my-tls-secret
+ # -- Indicates whether or not the Secret holding this certificate
+ # includes a `ca.crt` key. When `true`, chart managed clients, such as
+ # rpk, will use `ca.crt` for certificate verification and listeners with
+ # `require_client_auth` and no explicit `truststore` will use `ca.crt` as
+ # their `truststore_file` for verification of client certificates. When
+ # `false`, chart managed clients will use `tls.crt` for certificate
+ # verification and listeners with `require_client_auth` and no explicit
+ # `truststore` will use the container's CA certificates.
+ caEnabled: true
+ # duration: 43800h
+ # if you wish to for apply internal dns names to the certificate even when supplying an issuer
+ # applyInternalDNSNames: false
+
+# -- External access settings.
+# For details,
+# see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/).
+external:
+ # -- Service allows you to manage the creation of an external kubernetes service object
+ service:
+ # -- Enabled if set to false will not create the external service type
+ # You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander).
+ # Set this to false if you rather manage your own service.
+ enabled: true
+ # -- Enable external access for each Service.
+ # You can toggle external access for each listener in
+ # `listeners..external..enabled`.
+ enabled: true
+ # -- External access type. Only `NodePort` and `LoadBalancer` are supported.
+ # If undefined, then advertised listeners will be configured in Redpanda,
+ # but the helm chart will not create a Service.
+ # You must create a Service manually.
+ # Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss.
+ # NodePort is recommended in cases where latency is a priority.
+ type: NodePort
+ # Optional source range for external access. Only applicable when external.type is LoadBalancer
+ # sourceRanges: []
+ # -- Optional domain advertised to external clients
+ # If specified, then it will be appended to the `external.addresses` values as each broker's advertised address
+ # domain: local
+ # Optional list of addresses that the Redpanda brokers advertise.
+ # Provide one entry for each broker in order of StatefulSet replicas.
+ # The number of brokers is defined in statefulset.replicas.
+ # The values can be IP addresses or DNS names.
+ # If external.domain is set, the domain is appended to these values.
+ # There is an option to define a single external address for all brokers and leverage
+ # prefixTemplate as it will be calculated during initContainer execution.
+ # addresses:
+ # - redpanda-0
+ # - redpanda-1
+ # - redpanda-2
+ #
+ # annotations:
+ # For example:
+ # cloud.google.com/load-balancer-type: "Internal"
+ # service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ # If you enable externalDns, each LoadBalancer service instance
+ # will be annotated with external-dns hostname
+ # matching external.addresses + external.domain
+ # externalDns:
+ # enabled: true
+ # prefixTemplate: ""
+
+# -- Log-level settings.
+logging:
+ # -- Log level
+ # Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`.
+ logLevel: info
+ # -- Send usage statistics back to Redpanda Data.
+ # For details,
+ # see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting).
+ usageStats:
+ # Enable the `rpk.enable_usage_stats` property.
+ enabled: true
+ # Your cluster ID (optional)
+ # clusterId: your-helm-cluster
+
+# -- Monitoring.
+# This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics.
+monitoring:
+ enabled: false
+ scrapeInterval: 30s
+ labels: {}
+ # Enables http2 for scraping metrics for prometheus. Used when Istio's mTLS is enabled and using tlsConfig.
+ # enableHttp2: true
+ # tlsConfig:
+ # caFile: /etc/prom-certs/root-cert.pem
+ # certFile: /etc/prom-certs/cert-chain.pem
+ # insecureSkipVerify: true
+ # keyFile: /etc/prom-certs/key.pem
+
+# -- Pod resource management.
+# This section simplifies resource allocation
+# by providing a single location where resources are defined.
+# Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates.
+#
+# The default values are for a development environment.
+# Production-level values and other considerations are documented,
+# where those values are different from the default.
+# For details,
+# see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/).
+resources:
+ #
+ # -- CPU resources.
+ # For details,
+ # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources).
+ cpu:
+ # -- Redpanda makes use of a thread per core model.
+ # For details, see this [blog](https://redpanda.com/blog/tpc-buffers).
+ # For this reason, Redpanda should only be given full cores.
+ #
+ # Note: You can increase cores, but decreasing cores is supported only from
+ # 24.3 Redpanda version.
+ #
+ # This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`.
+ # For production, use `4` or greater.
+ #
+ # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for
+ # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers
+ # access to exclusive CPUs on the node.
See
+ # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy.
+ cores: 1
+ #
+ # -- Overprovisioned means Redpanda won't assume it has all of the provisioned CPU.
+ # This should be true unless the container has CPU affinity.
+ # Equivalent to: `--idle-poll-time-us 0 --thread-affinity 0 --poll-aio 0`
+ #
+ # If the value of full cores in `resources.cpu.cores` is less than `1`, this
+ # setting is set to `true`.
+ # overprovisioned: false
+ #
+ # -- Memory resources
+ # For details,
+ # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources).
+ memory:
+ # -- Enables memory locking.
+ # For production, set to `true`.
+ # enable_memory_locking: false
+ #
+ # It is recommended to have at least 2Gi of memory per core for the Redpanda binary.
+ # This memory is taken from the total memory given to each container.
+ # The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for
+ # other container processes.
+ # So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi.
+ #
+ # These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory
+ # requests/limits in the StatefulSet.
+ # Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi
+ # To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container.
+ # For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a memory limit and a memory request.
+ # * For every container in the Pod, the memory limit must equal the memory request.
+ #
+ container:
+ # Minimum memory count for each Redpanda broker.
+ # If omitted, the `min` value is equal to the `max` value (requested resources defaults to limits).
+ # This setting is equivalent to `resources.requests.memory`.
+ # For production, use 10Gi or greater.
+ # min: 2.5Gi
+ #
+ # -- Maximum memory count for each Redpanda broker.
+ # Equivalent to `resources.limits.memory`.
+ # For production, use `10Gi` or greater.
+ max: 2.5Gi
+ #
+ # This optional `redpanda` object allows you to specify the memory size for both the Redpanda
+ # process and the Seastar subsystem.
+ # This section is omitted by default, and memory sizes are calculated automatically
+ # based on container memory.
+ # Uncommenting this section and setting memory and reserveMemory values will disable
+ # automatic calculation.
+ #
+ # If you are setting these values manually, follow these guidelines carefully. Incorrect settings can lead to performance degradation, instability, or even data loss. The total memory allocated to a container is determined as the sum of the following two areas:
+ #
+ #- Redpanda (including Seastar): Defined by the `--memory` parameter. Includes the memory used by the Redpanda process and the reserved memory allocated for Seastar. A minimum of 2Gi per core is required, and this value typically accounts for ~80% of the container’s total memory. For production, allocate at least 8Gi.
+ #
+ # - Operating system (OS): Defined by the `--reserve-memory` parameter. Represents the memory available for the operating system and other processes within the container.
+ # redpanda:
+ # Memory for the Redpanda process.
+ # This must be lower than the container's memory (resources.memory.container.min if provided, otherwise
+ # resources.memory.container.max).
+ # Equivalent to --memory.
+ # For production, use 8Gi or greater.
+ # memory: 2Gi
+ #
+ # Memory reserved for the OS.
+ # Equivalent to --reserve-memory.
+ # reserveMemory: 200Mi
+
+# -- Persistence settings.
+# For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/).
+storage:
+ # -- Absolute path on the host to store Redpanda's data.
+ # If unspecified, then an `emptyDir` volume is used.
+ # If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect.
+ hostPath: ""
+ # -- If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and
+ # used to store Redpanda's data. Otherwise, `storage.hostPath` is used.
+ persistentVolume:
+ enabled: true
+ size: 20Gi
+ # -- To disable dynamic provisioning, set to `-`.
+ # If undefined or empty (default), then no storageClassName spec is set,
+ # and the default dynamic provisioner is chosen (gp2 on AWS, standard on
+ # GKE, AWS & OpenStack).
+ storageClass: ""
+ # -- Additional labels to apply to the created PersistentVolumeClaims.
+ labels: {}
+ # -- Additional annotations to apply to the created PersistentVolumeClaims.
+ annotations: {}
+ # -- Option to change volume claim template name for tiered storage persistent volume
+ # if tiered.mountType is set to `persistentVolume`
+ nameOverwrite: ""
+ #
+ # Settings for the Tiered Storage cache.
+ # For details,
+ # see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/#caching).
+
+ tiered:
+ # mountType can be one of:
+ # - none: does not mount a volume. Tiered storage will use the data directory.
+ # - hostPath: will allow you to chose a path on the Node the pod is running on
+ # - emptyDir: will mount a fresh empty directory every time the pod starts
+ # - persistentVolume: creates and mounts a PersistentVolumeClaim
+ mountType: none
+
+ # For the maximum size of the disk cache, see `tieredConfig.cloud_storage_cache_size`.
+ #
+ # -- Absolute path on the host to store Redpanda's Tiered Storage cache.
+ hostPath: ""
+ # PersistentVolumeClaim to be created for the Tiered Storage cache and
+ # used to store data retrieved from cloud storage, such as S3).
+ persistentVolume:
+ # -- To disable dynamic provisioning, set to "-".
+ # If undefined or empty (default), then no storageClassName spec is set,
+ # and the default dynamic provisioner is chosen (gp2 on AWS, standard on
+ # GKE, AWS & OpenStack).
+ storageClass: ""
+ # -- Additional labels to apply to the created PersistentVolumeClaims.
+ labels: {}
+ # -- Additional annotations to apply to the created PersistentVolumeClaims.
+ annotations: {}
+
+ # credentialsSecretRef can be used to set `cloud_storage_secret_key` and/or `cloud_storage_access_key` from
+ # referenced Kubernetes Secret
+ credentialsSecretRef:
+ accessKey:
+ # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_access_key
+ configurationKey: cloud_storage_access_key
+ # name:
+ # key:
+ secretKey:
+ # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_secret_key
+ # or
+ # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_azure_shared_key
+ configurationKey: cloud_storage_secret_key
+ # name:
+ # key
+ # -- DEPRECATED `configurationKey`, `name` and `key`. Please use `accessKey` and `secretKey`
+ # configurationKey: cloud_storage_secret_key
+ # name:
+ # key:
+ #
+ # -- Tiered Storage settings
+ # Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef`
+ # For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/).
+ # For a list of properties, see [Object Storage Properties](https://docs.redpanda.com/current/reference/properties/object-storage-properties/).
+ config:
+ # -- Global flag that enables Tiered Storage if a license key is provided.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enabled).
+ cloud_storage_enabled: false
+ # -- Cluster level default remote write configuration for new topics.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_write).
+ cloud_storage_enable_remote_write: true
+ # -- Cluster level default remote read configuration for new topics.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_read).
+ cloud_storage_enable_remote_read: true
+ # -- Maximum size of the disk cache used by Tiered Storage.
+ # Default is 20 GiB.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_cache_size).
+ cloud_storage_cache_size: 5368709120
+
+post_install_job:
+ enabled: true
+ # Resource requests and limits for the post-install batch job
+ # resources:
+ # requests:
+ # cpu: 1
+ # memory: 512Mi
+ # limits:
+ # cpu: 2
+ # memory: 1024Mi
+ # labels: {}
+ # annotations: {}
+ affinity: {}
+
+ podTemplate:
+ # -- Labels to apply (or overwrite the default) to the Pods of this Job.
+ labels: {}
+ # -- Annotations to apply (or overwrite the default) to the Pods of this Job.
+ annotations: {}
+ # -- A subset of Kubernetes' PodSpec type that will be merged into the
+ # final PodSpec. See [Merge Semantics](#merging-semantics) for details.
+ spec:
+ securityContext: {}
+ containers:
+ - name: post-install
+ securityContext: {}
+ env: []
+
+statefulset:
+ # -- Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster)
+ replicas: 3
+ updateStrategy:
+ type: RollingUpdate
+ budget:
+ maxUnavailable: 1
+ # -- DEPRECATED Please use statefulset.podTemplate.annotations.
+ # Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have
+ # any dedicated annotation.
+ annotations: {}
+ # -- Additional labels to be added to statefulset label selector.
+ # For example, `my.k8s.service: redpanda`.
+ additionalSelectorLabels: {}
+ podTemplate:
+ # -- Additional labels to apply to the Pods of the StatefulSet.
+ labels: {}
+ # -- Additional annotations to apply to the Pods of the StatefulSet.
+ annotations: {}
+ # -- A subset of Kubernetes' PodSpec type that will be merged into the
+ # final PodSpec. See [Merge Semantics](#merging-semantics) for details.
+ spec:
+ securityContext: {}
+ containers:
+ - name: redpanda
+ securityContext: {}
+ env: []
+ # -- Adjust the period for your probes to meet your needs.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
+ startupProbe:
+ initialDelaySeconds: 1
+ failureThreshold: 120
+ periodSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 10
+ failureThreshold: 3
+ periodSeconds: 10
+ readinessProbe:
+ initialDelaySeconds: 1
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ #
+ # StatefulSet resources:
+ # Resources are set through the top-level resources section above.
+ # It is recommended to set resource values in that section rather than here, as this will guarantee
+ # memory is allocated across containers, Redpanda, and the Seastar subsystem correctly.
+ # This automatic memory allocation is in place because Repanda and the Seastar subsystem require flags
+ # at startup that set the amount of memory available to each process.
+ # Kubernetes (mainly statefulset), Redpanda, and Seastar memory values are tightly coupled.
+ # Adding a resource section here will be ignored.
+ #
+ # -- Inter-Pod Affinity rules for scheduling Pods of this StatefulSet.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+ podAffinity: {}
+ # -- Anti-affinity rules for scheduling Pods of this StatefulSet.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+ # You may either edit the default settings for anti-affinity rules,
+ # or specify new anti-affinity rules to use instead of the defaults.
+ podAntiAffinity:
+ # -- The topologyKey to be used.
+ # Can be used to spread across different nodes, AZs, regions etc.
+ topologyKey: kubernetes.io/hostname
+ # -- Valid anti-affinity types are `soft`, `hard`, or `custom`.
+ # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object.
+ type: hard
+ # -- Weight for `soft` anti-affinity rules.
+ # Does not apply to other anti-affinity types.
+ weight: 100
+ # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here.
+ custom: {}
+ # -- Node selection constraints for scheduling Pods of this StatefulSet.
+ # These constraints override the global `nodeSelector` value.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+ nodeSelector: {}
+ # -- PriorityClassName given to Pods of this StatefulSet.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+ priorityClassName: ""
+ # -- Taints to be tolerated by Pods of this StatefulSet.
+ # These tolerations override the global tolerations value.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+ tolerations: []
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/).
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ # -- DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext.
+ securityContext:
+ fsGroup: 101
+ runAsUser: 101
+ fsGroupChangePolicy: OnRootMismatch
+ sideCars:
+ configWatcher:
+ enabled: true
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a memory limit and a memory request.
+ # * For every container in the Pod, the memory limit must equal the memory request.
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ #
+ # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for
+ # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers
+ # access to exclusive CPUs on the node. For details, see
+ # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy
+ resources: {}
+ securityContext: {}
+ extraVolumeMounts: |-
+ # Configure extra controllers to run as sidecars inside the Pods running Redpanda brokers.
+ # Available controllers:
+ # - Decommission Controller: The Decommission Controller ensures smooth scaling down operations.
+ # This controller is responsible for monitoring changes in the number of StatefulSet replicas and orchestrating
+ # the decommissioning of brokers when necessary. It also sets the reclaim policy for the decommissioned
+ # broker's PersistentVolume to `Retain` and deletes the corresponding PersistentVolumeClaim.
+ # - Node-PVC Controller: The Node-PVC Controller handles the PVCs of deleted brokers.
+ # By setting the PV Retain policy to retain, it facilitates the rescheduling of brokers to new, healthy nodes when + # an existing node is removed. + controllers: + image: + tag: v2.3.4-24.3.2 + repository: docker.redpanda.com/redpandadata/redpanda-operator + # You must also enable RBAC, `rbac.enabled=true`, to deploy this sidecar + enabled: false + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # + # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for + # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers + # access to exclusive CPUs on the node. For details, see + # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + resources: {} + securityContext: {} + healthProbeAddress: ":8085" + metricsAddress: ":9082" + pprofAddress: ":9083" + run: + - all + createRBAC: true + initContainers: + fsValidator: + enabled: false + expectedFS: xfs + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. 
+ resources: {} + extraVolumeMounts: |- + tuning: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + setDataDirOwnership: + # -- In environments where root is not allowed, you cannot change the ownership of files and directories. + # Enable `setDataDirOwnership` when using default minikube cluster configuration. + enabled: false + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + setTieredStorageCacheDirOwnership: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + configurator: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. 
For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + ## Additional init containers + extraInitContainers: |- +# - name: "test-init-container" +# image: "mintel/docker-alpine-bash-curl-jq:latest" +# command: [ "/bin/bash", "-c" ] +# args: +# - | +# set -xe +# echo "Hello World!" + initContainerImage: + repository: busybox + tag: latest + # -- Additional flags to pass to redpanda, + additionalRedpandaCmdFlags: [] +# - --unsafe-bypass-fsync + # -- Termination grace period in seconds is time required to execute preStop hook + # which puts particular Redpanda Pod (process/container) into maintenance mode. + # Before settle down on particular value please put Redpanda under load and perform + # rolling upgrade or rolling restart. That value needs to accommodate two processes: + # * preStop hook needs to put Redpanda into maintenance mode + # * after preStop hook Redpanda needs to handle gracefully SIGTERM signal + # + # Both processes are executed sequentially where preStop hook has hard deadline in the + # middle of terminationGracePeriodSeconds. + # + # REF: + # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + # https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination + terminationGracePeriodSeconds: 90 + ## Additional Volumes that you mount + extraVolumes: |- + ## Additional Volume mounts for redpanda container + extraVolumeMounts: |- + +# -- Service account management. +serviceAccount: + # -- Specifies whether a service account should be created. + create: false + # -- Specifies whether a service account should automount API-Credentials. 
The token is used in sidecars.controllers + automountServiceAccountToken: false + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `redpanda.fullname` template. + name: "" + +# -- Role Based Access Control. +rbac: + # -- Enable for features that need extra privileges. + # If you use the Redpanda Operator, + # you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag + # to give it the required ClusterRoles. + enabled: false + # -- Annotations to add to the `rbac` resources. + annotations: {} + +# -- Redpanda tuning settings. +# Each is set to their default values in Redpanda. +tuning: + # -- Increase the maximum number of outstanding asynchronous IO operations if the + # current value is below a certain threshold. This allows Redpanda to make as many + # simultaneous IO requests as possible, increasing throughput. + # + # When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`. + # For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/). + tune_aio_events: true + # + # Syncs NTP + # tune_clocksource: false + # + # Creates a "ballast" file so that, if a Redpanda node runs out of space, + # you can delete the ballast file to allow the node to resume operations and then + # delete a topic or records to reduce the space used by Redpanda. + # tune_ballast_file: false + # + # The path where the ballast file will be created. + # ballast_file_path: "/var/lib/redpanda/data/ballast" + # + # The ballast file size. + # ballast_file_size: "1GiB" + # + # (Optional) The vendor, VM type and storage device type that redpanda will run on, in + # the format ::. 
This hints to rpk which configuration values it + # should use for the redpanda IO scheduler. + # Some valid values are "gcp:c2-standard-16:nvme", "aws:i3.xlarge:default" + # well_known_io: "" + # + # The following tuning parameters must be false in container environments and will be ignored: + # tune_network + # tune_disk_scheduler + # tune_disk_nomerges + # tune_disk_irq + # tune_fstrim + # tune_cpu + # tune_swappiness + # tune_transparent_hugepages + # tune_coredump + + +# -- Listener settings. +# +# Override global settings configured above for individual +# listeners. +# For details, +# see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/). +listeners: + # -- Admin API listener (only one). + admin: + # -- The port for both internal and external connections to the Admin API. + port: 9644 + # -- Optional instrumentation hint - https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol + # appProtocol: + # -- Optional external access settings. + external: + # -- Name of the external listener. + default: + port: 9645 + # Override the global `external.enabled` for only this listener. + # enabled: true + # -- The port advertised to this listener's external clients. + # List one port if you want to use the same port for each broker (would be the case when using NodePort service). + # Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. + # If undefined, `listeners.admin.port` is used. + tls: + # enabled: true + cert: external + advertisedPorts: + - 31644 + # -- Optional TLS section (required if global TLS is enabled) + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + # -- Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs). + cert: default + # -- If true, the truststore file for this listener is included in the ConfigMap. 
+ requireClientAuth: false + # -- Kafka API listeners. + kafka: + # -- The port for internal client connections. + port: 9093 + # default is "sasl" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + # -- The port used for external client connections. + port: 9094 + # prefixTemplate: "" + # -- If undefined, `listeners.kafka.external.default.port` is used. + advertisedPorts: + - 31092 + tls: + # enabled: true + cert: external + # default is "sasl" + authenticationMethod: + # -- RPC listener (this is never externally accessible). + rpc: + port: 33145 + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + # -- Schema registry listeners. + schemaRegistry: + enabled: true + port: 8081 + kafkaEndpoint: default + # default is "http_basic" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + port: 8084 + advertisedPorts: + - 30081 + tls: + # enabled: true + cert: external + requireClientAuth: false + # default is "http_basic" + authenticationMethod: + # -- HTTP API listeners (aka PandaProxy). + http: + enabled: true + port: 8082 + kafkaEndpoint: default + # default is "http_basic" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + port: 8083 + # prefixTemplate: "" + advertisedPorts: + - 30082 + tls: + # enabled: true + cert: external + requireClientAuth: false + # default is "http_basic" + authenticationMethod: + +# Expert Config +# Here be dragons! +# +# -- This section contains various settings supported by Redpanda that may not work +# correctly in a Kubernetes cluster. 
Changing these settings comes with some risk. +# +# Use these settings to customize various Redpanda configurations that are not covered in other sections. +# These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, +# and therefore should not be modified for the purpose of configuring those objects. +# Instead, these settings get passed directly to the Redpanda binary at startup. +# For descriptions of these properties, +# see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/). +config: + rpk: {} + # additional_start_flags: # List of flags to pass to rpk, e.g., ` "--idle-poll-time-us=0"` + # -- [Cluster Configuration Properties](https://docs.redpanda.com/current/reference/properties/cluster-properties/) + cluster: {} + + # -- Tunable cluster properties. + # Deprecated: all settings here may be specified via `config.cluster`. + tunable: + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_min). + log_segment_size_min: 16777216 # 16 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_max). + log_segment_size_max: 268435456 # 256 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#compacted_log_segment_size). + compacted_log_segment_size: 67108864 # 64 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#max_compacted_log_segment_size). + max_compacted_log_segment_size: 536870912 # 512 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit). + kafka_connection_rate_limit: 1000 + + # -- [Broker (node) Configuration Properties](https://docs.redpanda.com/docs/reference/broker-properties/). 
+ node: + # -- Crash loop limit + # A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. + # This limit prevents a broker from getting stuck in an infinite cycle of crashes. + # User can disable this crash loop limit check by the following action: + # + # * One hour elapses since the last crash + # * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects + # * The startup_log file in the node’s data_directory is manually deleted + # + # Default to 5 + # REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit + crash_loop_limit: 5 + + # Reference schema registry client https://docs.redpanda.com/current/reference/node-configuration-sample/ + schema_registry_client: {} + # # Number of times to retry a request to a broker + # # Default: 5 + # retries: 5 + # + # # Delay (in milliseconds) for initial retry backoff + # # Default: 100ms + # retry_base_backoff_ms: 100 + # + # # Number of records to batch before sending to broker + # # Default: 1000 + # produce_batch_record_count: 1000 + # + # # Number of bytes to batch before sending to broker + # # Defautl 1MiB + # produce_batch_size_bytes: 1048576 + # + # # Delay (in milliseconds) to wait before sending batch + # # Default: 100ms + # produce_batch_delay_ms: 100 + # + # # Interval (in milliseconds) for consumer request timeout + # # Default: 100ms + # consumer_request_timeout_ms: 100 + # + # # Max bytes to fetch per request + # # Default: 1MiB + # consumer_request_max_bytes: 1048576 + # + # # Timeout (in milliseconds) for consumer session + # # Default: 10s + # consumer_session_timeout_ms: 10000 + # + # # Timeout (in milliseconds) for consumer rebalance + # # Default: 2s + # consumer_rebalance_timeout_ms: 2000 + # + # # Interval (in milliseconds) for consumer heartbeats + # # Default: 500ms + # consumer_heartbeat_interval_ms: 500 + + # Reference panda proxy client 
https://docs.redpanda.com/current/reference/node-configuration-sample/ + pandaproxy_client: {} + # # Number of times to retry a request to a broker + # # Default: 5 + # retries: 5 + # + # # Delay (in milliseconds) for initial retry backoff + # # Default: 100ms + # retry_base_backoff_ms: 100 + # + # # Number of records to batch before sending to broker + # # Default: 1000 + # produce_batch_record_count: 1000 + # + # # Number of bytes to batch before sending to broker + # # Defautl 1MiB + # produce_batch_size_bytes: 1048576 + # + # # Delay (in milliseconds) to wait before sending batch + # # Default: 100ms + # produce_batch_delay_ms: 100 + # + # # Interval (in milliseconds) for consumer request timeout + # # Default: 100ms + # consumer_request_timeout_ms: 100 + # + # # Max bytes to fetch per request + # # Default: 1MiB + # consumer_request_max_bytes: 1048576 + # + # # Timeout (in milliseconds) for consumer session + # # Default: 10s + # consumer_session_timeout_ms: 10000 + # + # # Timeout (in milliseconds) for consumer rebalance + # # Default: 2s + # consumer_rebalance_timeout_ms: 2000 + # + # # Interval (in milliseconds) for consumer heartbeats + # # Default: 500ms + # consumer_heartbeat_interval_ms: 500 + + # Invalid properties + # Any of these properties will be ignored. These otherwise valid properties are not allowed + # to be used in this section since they impact deploying Redpanda in Kubernetes. + # Make use of the above sections to modify these values instead (see comments below). 
+ # admin: "127.0.0.1:9644" # Address and port of admin server: use listeners.admin
+ # admin_api_tls: validate_many # TLS configuration for admin HTTP server: use listeners.admin.tls
+ # advertised_kafka_api: None # Address of Kafka API published to the clients
+ # advertised_pandaproxy_api: None # Rest API address and port to publish to client
+ # advertised_rpc_api: None # Address of RPC endpoint published to other cluster members
+ # enable_admin_api: true # Enable the admin API
+ # enable_sasl: false # Enable SASL authentication for Kafka connections
+ # kafka_api: "127.0.0.1:9092" # Address and port of an interface to listen for Kafka API requests
+ # kafka_api_tls: None # TLS configuration for Kafka API endpoint
+ # pandaproxy_api: "0.0.0.0:8082" # Rest API listen address and port
+ # pandaproxy_api_tls: validate_many # TLS configuration for Pandaproxy api
+ # rpc_server: "127.0.0.1:33145" # IP address and port for RPC server
+ # rpc_server_tls: validate # TLS configuration for RPC server
+ # superusers: None # List of superuser usernames
+
+tests:
+ enabled: true
diff --git a/charts/speedscale/speedscale-operator/2.3.45/.helmignore b/charts/speedscale/speedscale-operator/2.3.45/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/speedscale/speedscale-operator/2.3.45/Chart.yaml b/charts/speedscale/speedscale-operator/2.3.45/Chart.yaml
new file mode 100644
index 0000000000..cce0c7b77a
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/Chart.yaml
@@ -0,0 +1,27 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Speedscale Operator
+ catalog.cattle.io/kube-version: '>= 1.17.0-0'
+ catalog.cattle.io/release-name: speedscale-operator
+apiVersion: v1
+appVersion: 2.3.45
+description: Stress test your APIs with real world scenarios. Collect and replay
+ traffic without scripting.
+home: https://speedscale.com
+icon: file://assets/icons/speedscale-operator.png
+keywords:
+- speedscale
+- test
+- testing
+- regression
+- reliability
+- load
+- replay
+- network
+- traffic
+kubeVersion: '>= 1.17.0-0'
+maintainers:
+- email: support@speedscale.com
+ name: Speedscale Support
+name: speedscale-operator
+version: 2.3.45
diff --git a/charts/speedscale/speedscale-operator/2.3.45/LICENSE b/charts/speedscale/speedscale-operator/2.3.45/LICENSE
new file mode 100644
index 0000000000..b78723d62f
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/LICENSE
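Review bot: `kubeVersion: '>= 1.17.0-0'` (and the matching `catalog.cattle.io/kube-version` annotation) disagrees with the chart's own README further down in this commit, which lists Kubernetes 1.20+ as a prerequisite, so Helm will accept installs on 1.17–1.19 clusters the vendor does not claim to support; either raise both to `'>= 1.20.0-0'` or relax the README so the two agree. The chart also still declares `apiVersion: v1` (the Helm 2 chart format) while the README requires Helm 3+; Helm 3 accepts v1 charts, so this is not a blocker, but since this directory mirrors an upstream chart the fix presumably belongs upstream rather than in this copy.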
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2021 Speedscale + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/speedscale/speedscale-operator/2.3.45/README.md b/charts/speedscale/speedscale-operator/2.3.45/README.md new file mode 100644 index 0000000000..6ca25eed9d --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.3.45/README.md 
@@ -0,0 +1,111 @@ +![GitHub Tag](https://img.shields.io/github/v/tag/speedscale/operator-helm) + + +# Speedscale Operator + +The [Speedscale](https://www.speedscale.com) Operator is a [Kubernetes operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) +that watches for deployments to be applied to the cluster and takes action based on annotations. The operator +can inject a proxy to capture traffic into or out of applications, or setup an isolation test environment around +a deployment for testing. The operator itself is a deployment that will be always present on the cluster once +the helm chart is installed. + +## Prerequisites + +- Kubernetes 1.20+ +- Helm 3+ +- Appropriate [network and firewall configuration](https://docs.speedscale.com/reference/networking) for Speedscale cloud and webhook traffic + +## Get Repo Info + +```bash +helm repo add speedscale https://speedscale.github.io/operator-helm/ +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +An API key is required. Sign up for a [free Speedscale trial](https://speedscale.com/free-trial/) if you do not have one. + +```bash +helm install speedscale-operator speedscale/speedscale-operator \ + -n speedscale \ + --create-namespace \ + --set apiKey= \ + --set clusterName= +``` + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +### Pre-install job failure + +We use pre-install job to check provided API key and provision some of the required resources. 
+ +If the job failed during the installation, you'll see the following error during install: + +``` +Error: INSTALLATION FAILED: failed pre-install: job failed: BackoffLimitExceeded +``` + +You can inspect the logs using this command: + +```bash +kubectl -n speedscale logs job/speedscale-operator-pre-install +``` + +After fixing the error, uninstall the helm release, delete the failed job +and try installing again: + +```bash +helm -n speedscale uninstall speedscale-operator +kubectl -n speedscale delete job speedscale-operator-pre-install +``` + +## Uninstall Chart + +```bash +helm -n speedscale uninstall speedscale-operator +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +CRDs created by this chart are not removed by default and should be manually cleaned up: + +```bash +kubectl delete crd trafficreplays.speedscale.com +``` + +## Upgrading Chart + +```bash +helm repo update +helm -n speedscale upgrade speedscale-operator speedscale/speedscale-operator +``` + +Resources capturing traffic will need to be rolled to pick up the latest +Speedscale sidecar. Use the rollout restart command for each namespace and +resource type: + +```bash +kubectl -n rollout restart deployment +``` + +With Helm v3, CRDs created by this chart are not updated by default +and should be manually updated. +Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions). + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Upgrading an existing Release to a new version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. 
+ + +## Help + +Speedscale docs information available at [docs.speedscale.com](https://docs.speedscale.com) or join us +on the [Speedscale community Slack](https://join.slack.com/t/speedscalecommunity/shared_invite/zt-x5rcrzn4-XHG1QqcHNXIM~4yozRrz8A)! diff --git a/charts/speedscale/speedscale-operator/2.3.45/app-readme.md b/charts/speedscale/speedscale-operator/2.3.45/app-readme.md new file mode 100644 index 0000000000..6ca25eed9d --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.3.45/app-readme.md 
@@ -0,0 +1,111 @@ +![GitHub Tag](https://img.shields.io/github/v/tag/speedscale/operator-helm) + + +# Speedscale Operator + +The [Speedscale](https://www.speedscale.com) Operator is a [Kubernetes operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) +that watches for deployments to be applied to the cluster and takes action based on annotations. The operator +can inject a proxy to capture traffic into or out of applications, or setup an isolation test environment around +a deployment for testing. The operator itself is a deployment that will be always present on the cluster once +the helm chart is installed. + +## Prerequisites + +- Kubernetes 1.20+ +- Helm 3+ +- Appropriate [network and firewall configuration](https://docs.speedscale.com/reference/networking) for Speedscale cloud and webhook traffic + +## Get Repo Info + +```bash +helm repo add speedscale https://speedscale.github.io/operator-helm/ +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +An API key is required. Sign up for a [free Speedscale trial](https://speedscale.com/free-trial/) if you do not have one. + +```bash +helm install speedscale-operator speedscale/speedscale-operator \ + -n speedscale \ + --create-namespace \ + --set apiKey= \ + --set clusterName= +``` + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +### Pre-install job failure + +We use pre-install job to check provided API key and provision some of the required resources. 
+ +If the job failed during the installation, you'll see the following error during install: + +``` +Error: INSTALLATION FAILED: failed pre-install: job failed: BackoffLimitExceeded +``` + +You can inspect the logs using this command: + +```bash +kubectl -n speedscale logs job/speedscale-operator-pre-install +``` + +After fixing the error, uninstall the helm release, delete the failed job +and try installing again: + +```bash +helm -n speedscale uninstall speedscale-operator +kubectl -n speedscale delete job speedscale-operator-pre-install +``` + +## Uninstall Chart + +```bash +helm -n speedscale uninstall speedscale-operator +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +CRDs created by this chart are not removed by default and should be manually cleaned up: + +```bash +kubectl delete crd trafficreplays.speedscale.com +``` + +## Upgrading Chart + +```bash +helm repo update +helm -n speedscale upgrade speedscale-operator speedscale/speedscale-operator +``` + +Resources capturing traffic will need to be rolled to pick up the latest +Speedscale sidecar. Use the rollout restart command for each namespace and +resource type: + +```bash +kubectl -n rollout restart deployment +``` + +With Helm v3, CRDs created by this chart are not updated by default +and should be manually updated. +Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions). + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Upgrading an existing Release to a new version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. 
+
+
+## Help
+
+Speedscale docs information available at [docs.speedscale.com](https://docs.speedscale.com) or join us
+on the [Speedscale community Slack](https://join.slack.com/t/speedscalecommunity/shared_invite/zt-x5rcrzn4-XHG1QqcHNXIM~4yozRrz8A)!
diff --git a/charts/speedscale/speedscale-operator/2.3.45/questions.yaml b/charts/speedscale/speedscale-operator/2.3.45/questions.yaml
new file mode 100644
index 0000000000..29aee38958
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/questions.yaml
@@ -0,0 +1,9 @@
+questions:
+- variable: apiKey
+ default: "fffffffffffffffffffffffffffffffffffffffffffff"
+ description: "An API key is required to connect to the Speedscale cloud."
+ required: true
+ type: string
+ label: API Key
+ group: Authentication
+
diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/NOTES.txt b/charts/speedscale/speedscale-operator/2.3.45/templates/NOTES.txt
new file mode 100644
index 0000000000..cabb59b175
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/templates/NOTES.txt
@@ -0,0 +1,12 @@
+Thank you for installing the Speedscale Operator!
+
+Next you'll need to add the Speedscale Proxy Sidecar to your deployments.
+See https://docs.speedscale.com/setup/sidecar/install/
+
+If upgrading use the rollout restart command for each namespace and resource
+type to ensure Speedscale sidecars are updated:
+
+ kubectl -n rollout restart deployment
+
+Once your deployment is running the sidecar your service will show up on
+https://app.speedscale.com/.
diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/admission.yaml b/charts/speedscale/speedscale-operator/2.3.45/templates/admission.yaml
new file mode 100644
index 0000000000..301748a61d
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/templates/admission.yaml
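Review bot: The `apiKey` question is declared `type: string`, so the key is displayed and stored in clear text by the Rancher form; the questions schema also offers `type: password`, which masks the input and is the better fit for a credential. The placeholder default (a run of `f` characters) also satisfies `required: true`, so a user who skips the field submits a non-empty but invalid key that is only caught later by the pre-install job. I would change the two lines to `  default: ""` and `  type: password` so the form itself enforces that a real key is entered.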
@@ -0,0 +1,209 @@
+{{- $cacrt := "" -}}
+{{- $crt := "" -}}
+{{- $key := "" -}}
+{{- $s := (lookup "v1" "Secret" .Release.Namespace "speedscale-webhook-certs") -}}
+{{- if $s -}}
+{{- $cacrt = index $s.data "ca.crt" | default (index $s.data "tls.crt") | b64dec -}}
+{{- $crt = index $s.data "tls.crt" | b64dec -}}
+{{- $key = index $s.data "tls.key" | b64dec -}}
+{{ else }}
+{{- $altNames := list ( printf "speedscale-operator.%s" .Release.Namespace ) ( printf "speedscale-operator.%s.svc" .Release.Namespace ) -}}
+{{- $ca := genCA "speedscale-operator" 3650 -}}
+{{- $cert := genSignedCert "speedscale-operator" nil $altNames 3650 $ca -}}
+{{- $cacrt = $ca.Cert -}}
+{{- $crt = $cert.Cert -}}
+{{- $key = $cert.Key -}}
+{{- end -}}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ creationTimestamp: null
+ name: speedscale-operator
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ caBundle: {{ $cacrt | b64enc }}
+ service:
+ name: speedscale-operator
+ namespace: {{ .Release.Namespace }}
+ path: /mutate
+ failurePolicy: Ignore
+ name: sidecar.speedscale.com
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: "NotIn"
+ values:
+ - kube-system
+ - kube-node-lease
+ {{- if .Values.namespaceSelector }}
+ - key: kubernetes.io/metadata.name
+ operator: "In"
+ values:
+ {{- range .Values.namespaceSelector }}
+ - {{ . 
| quote }}
+ {{- end }}
+ {{- end }}
+ reinvocationPolicy: IfNeeded
+ rules:
+ - apiGroups:
+ - apps
+ - batch
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - deployments
+ - statefulsets
+ - daemonsets
+ - jobs
+ - replicasets
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - pods
+ - apiGroups:
+ - argoproj.io
+ apiVersions:
+ - "*"
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - rollouts
+ sideEffects: None
+ timeoutSeconds: 10
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ creationTimestamp: null
+ name: speedscale-operator-replay
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ caBundle: {{ $cacrt | b64enc }}
+ service:
+ name: speedscale-operator
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-speedscale-com-v1-trafficreplay
+ failurePolicy: Fail
+ name: replay.speedscale.com
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: "NotIn"
+ values:
+ - kube-system
+ - kube-node-lease
+ {{- if .Values.namespaceSelector }}
+ - key: kubernetes.io/metadata.name
+ operator: "In"
+ values:
+ {{- range .Values.namespaceSelector }}
+ - {{ . 
| quote }}
+ {{- end }}
+ {{- end }}
+ rules:
+ - apiGroups:
+ - speedscale.com
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - trafficreplays
+ sideEffects: None
+ timeoutSeconds: 10
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ creationTimestamp: null
+ name: speedscale-operator-replay
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ caBundle: {{ $cacrt | b64enc }}
+ service:
+ name: speedscale-operator
+ namespace: {{ .Release.Namespace }}
+ path: /validate-speedscale-com-v1-trafficreplay
+ failurePolicy: Fail
+ name: replay.speedscale.com
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: "NotIn"
+ values:
+ - kube-system
+ - kube-node-lease
+ {{- if .Values.namespaceSelector }}
+ - key: kubernetes.io/metadata.name
+ operator: "In"
+ values:
+ {{- range .Values.namespaceSelector }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ rules:
+ - apiGroups:
+ - speedscale.com
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - trafficreplays
+ sideEffects: None
+ timeoutSeconds: 10
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ creationTimestamp: null
+ name: speedscale-webhook-certs
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+ ca.crt: {{ $cacrt | b64enc }}
+ tls.crt: {{ $crt | b64enc }}
+ tls.key: {{ $key | b64enc }}
diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/configmap.yaml b/charts/speedscale/speedscale-operator/2.3.45/templates/configmap.yaml
new file mode 100644
index 0000000000..eb963d3c0b
--- /dev/null
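Review bot: The webhook CA is persisted only by a Secret carrying `helm.sh/hook: pre-install`, so, if I read the hook annotations right, an upgrade that finds no `speedscale-webhook-certs` Secret takes the `else` branch, publishes a freshly generated CA in all three `caBundle` fields, and never writes the matching server certificate anywhere, leaving the operator unable to serve the webhook. Changing the annotation to `helm.sh/hook: pre-install,pre-upgrade` keeps the Secret and the bundles in step, and the existing `lookup` path makes that re-creation idempotent whenever the Secret is present. The generated CA and leaf are valid for 3650 days with no rotation path in this chart; a short comment at the top of the template stating that and describing how to rotate (remove the Secret, then re-run the hook) would help operators. Also, the bare `{{ else }}` without trim markers emits whitespace ahead of the first `---`, harmless but inconsistent with the trimmed actions around it.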
+++ b/charts/speedscale/speedscale-operator/2.3.45/templates/configmap.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: speedscale-operator
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+data:
+ CLUSTER_NAME: {{ .Values.clusterName }}
+ IMAGE_PULL_POLICY: {{ .Values.image.pullPolicy }}
+ IMAGE_PULL_SECRETS: ""
+ IMAGE_REGISTRY: {{ .Values.image.registry }}
+ IMAGE_TAG: {{ .Values.image.tag }}
+ INSTANCE_ID: '{{- $cm := (lookup "v1" "ConfigMap" .Release.Namespace "speedscale-operator") -}}{{ if $cm }}{{ $cm.data.INSTANCE_ID }}{{ else }}{{ ( printf "%s-%s" .Values.clusterName uuidv4 ) }}{{ end }}'
+ LOG_LEVEL: {{ .Values.logLevel }}
+ SPEEDSCALE_DLP_CONFIG: {{ .Values.dlp.config }}
+ SPEEDSCALE_FILTER_RULE: {{ .Values.filterRule }}
+ TELEMETRY_INTERVAL: 60s
+ WITH_DLP: {{ .Values.dlp.enabled | quote }}
+ WITH_INSPECTOR: {{ .Values.dashboardAccess | quote }}
+ API_KEY_SECRET_NAME: {{ .Values.apiKeySecret | quote }}
+ DEPLOY_DEMO: {{ .Values.deployDemo | quote }}
+ GLOBAL_ANNOTATIONS: {{ .Values.globalAnnotations | toJson | quote }}
+ GLOBAL_LABELS: {{ .Values.globalLabels | toJson | quote }}
+ {{- if .Values.http_proxy }}
+ HTTP_PROXY: {{ .Values.http_proxy }}
+ {{- end }}
+ {{- if .Values.https_proxy }}
+ HTTPS_PROXY: {{ .Values.https_proxy }}
+ {{- end }}
+ {{- if .Values.no_proxy }}
+ NO_PROXY: {{ .Values.no_proxy }}
+ {{- end }}
+ PRIVILEGED_SIDECARS: {{ .Values.privilegedSidecars | quote }}
+ DISABLE_SMARTDNS: {{ .Values.disableSidecarSmartReverseDNS | quote }}
+ SIDECAR_CONFIG: {{ .Values.sidecar | toJson | quote }}
+ FORWARDER_CONFIG: {{ .Values.forwarder | toJson | quote }}
+ TEST_PREP_TIMEOUT: {{ .Values.operator.test_prep_timeout }}
+ CONTROL_PLANE_TIMEOUT: {{ .Values.operator.control_plane_timeout }}
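Review bot: Several `data` values are emitted unquoted (`CLUSTER_NAME`, `IMAGE_PULL_POLICY`, `IMAGE_REGISTRY`, `IMAGE_TAG`, `LOG_LEVEL`, `SPEEDSCALE_DLP_CONFIG`, `SPEEDSCALE_FILTER_RULE`, the three proxy keys and the two operator timeouts) while the neighbouring keys go through `| quote`. ConfigMap `data` values must be strings, so an unset value renders as a YAML null and is rejected by the API server, and a value that looks like a number or boolean (an image tag such as `2.3`, a `logLevel` of `0`) is retyped by the YAML parser before the operator reads it. Piping every templated value through `| quote`, as the other keys already do, makes the rendering uniform and keeps the resulting ConfigMap valid for any value the user supplies.
```yaml
data:
  CLUSTER_NAME: {{ .Values.clusterName | quote }}
  IMAGE_PULL_POLICY: {{ .Values.image.pullPolicy | quote }}
  # … unchanged: IMAGE_PULL_SECRETS …
  IMAGE_REGISTRY: {{ .Values.image.registry | quote }}
  IMAGE_TAG: {{ .Values.image.tag | quote }}
  # … unchanged: INSTANCE_ID …
  LOG_LEVEL: {{ .Values.logLevel | quote }}
  SPEEDSCALE_DLP_CONFIG: {{ .Values.dlp.config | quote }}
  SPEEDSCALE_FILTER_RULE: {{ .Values.filterRule | quote }}
  # … unchanged: TELEMETRY_INTERVAL through GLOBAL_LABELS (already quoted) …
  {{- if .Values.http_proxy }}
  HTTP_PROXY: {{ .Values.http_proxy | quote }}
  {{- end }}
  {{- if .Values.https_proxy }}
  HTTPS_PROXY: {{ .Values.https_proxy | quote }}
  {{- end }}
  {{- if .Values.no_proxy }}
  NO_PROXY: {{ .Values.no_proxy | quote }}
  {{- end }}
  # … unchanged: PRIVILEGED_SIDECARS through FORWARDER_CONFIG (already quoted) …
  TEST_PREP_TIMEOUT: {{ .Values.operator.test_prep_timeout | quote }}
  CONTROL_PLANE_TIMEOUT: {{ .Values.operator.control_plane_timeout | quote }}
```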
diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/crds/agenttasks.yaml b/charts/speedscale/speedscale-operator/2.3.45/templates/crds/agenttasks.yaml
new file mode 100644
index 0000000000..4d56f89500
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/templates/crds/agenttasks.yaml
@@ -0,0 +1,161 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + creationTimestamp: null + name: agenttasks.speedscale.com +spec: + group: speedscale.com + names: + kind: AgentTask + listKind: AgentTaskList + plural: agenttasks + shortNames: + - sat + singular: agenttask + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.active + name: Active + type: boolean + - jsonPath: .spec.mode + name: Mode + type: string + - jsonPath: .status.conditions[-1:].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: AgentTask is the Schema for the agenttasks API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the desired state of the AgentTask. + type: object + status: + default: + observedGeneration: -1 + description: Status is the current state of the AgentTask. + properties: + active: + description: Active indicates whether this agent task is currently + underway or not. 
+ type: boolean + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + reconcileFailures: + description: |- + ReconcileFailures is the number of times the agent task controller + experienced an error during the reconciliation process. The agent + task will be deleted if too many errors occur. + format: int64 + type: integer + reportID: + description: The ID of the agent report associated with this agent + task. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/crds/trafficreplays.yaml b/charts/speedscale/speedscale-operator/2.3.45/templates/crds/trafficreplays.yaml new file mode 100644 index 0000000000..5a11583069 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.3.45/templates/crds/trafficreplays.yaml 
@@ -0,0 +1,522 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + creationTimestamp: null + name: trafficreplays.speedscale.com +spec: + group: speedscale.com + names: + kind: TrafficReplay + listKind: TrafficReplayList + plural: trafficreplays + shortNames: + - replay + singular: trafficreplay + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.active + name: Active + type: boolean + - jsonPath: .spec.mode + name: Mode + type: string + - jsonPath: .status.conditions[-1:].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TrafficReplay is the Schema for the trafficreplays API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TrafficReplay. + properties: + buildTag: + description: |- + BuildTag links a unique tag, build hash, etc. to the generated + traffic replay report. That way you can connect the report results to the + version of the code that was tested. + type: string + cleanup: + description: |- + Cleanup is the name of cleanup mode used for this TrafficReplay. 
Set to + "none" to leave resources in the state they were during the replay. The + default mode "inventory" will revert the environment to the state it was + before the replay. + enum: + - inventory + - all + - none + type: string + collectLogs: + description: 'DEPRECATED: use TestReport.ActualConfig.Cluster.CollectLogs' + type: boolean + configChecksum: + description: |- + ConfigChecksum, managed my the operator, is the SHA1 checksum of the + configuration. + type: string + customURL: + description: |- + CustomURL specifies a custom URL to send *ALL* traffic to. Use + Workload.CustomURI to send traffic to a specific URL for only that + workload. + type: string + generatorLowData: + description: |- + GeneratorLowData forces the generator into a high + efficiency/low data output mode. This is ideal for high volume + performance tests. Defaults to false. + DEPRECATED + type: boolean + mode: + description: Mode is the name of replay mode used for this TrafficReplay. + enum: + - full-replay + - responder-only + - generator-only + type: string + needsReport: + description: 'DEPRECATED: replays always create reports' + type: boolean + proxyMode: + description: |- + ProxyMode defines proxy operational mode used with injected sidecar. + DEPRECATED + type: string + responderLowData: + description: |- + ResponderLowData forces the responder into a high + efficiency/low data output mode. This is ideal for high volume + performance tests. Defaults to false. + DEPRECATED + type: boolean + secretRefs: + description: |- + SecretRefs hold the references to the secrets which contain + various secrets like (e.g. short-lived JWTs to be used by the generator + for authorization with HTTP calls). + items: + description: |- + LocalObjectReference contains enough information to locate the referenced + Kubernetes resource object. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + type: array + sidecar: + description: |- + Sidecar defines sidecar specific configuration. + DEPRECATED: use Workloads + properties: + inject: + description: 'DEPRECATED: do not use' + type: boolean + patch: + description: Patch is .yaml file patch for the Workload + format: byte + type: string + tls: + properties: + in: + description: In provides configuration for sidecar inbound + TLS. + properties: + private: + description: Private is the filename of the TLS inbound + private key. + type: string + public: + description: Public is the filename of the TLS inbound + public key. + type: string + secret: + description: Secret is a secret with the TLS keys to use + for inbound traffic. + type: string + type: object + mutual: + description: Mutual provides configuration for sidecar mutual + TLS. + properties: + private: + description: Private is the filename of the mutual TLS + private key. + type: string + public: + description: Public is the filename of the mutual TLS + public key. + type: string + secret: + description: Secret is a secret with the mutual TLS keys. + type: string + type: object + out: + description: |- + Out enables or disables TLS out on the + sidecar during replay. + type: boolean + type: object + type: object + snapshotID: + description: |- + SnapshotID is the id of the traffic snapshot for this + TrafficReplay. + type: string + testConfigID: + description: |- + TestConfigID is the id of the replay configuration to be used + by the generator and responder for the TrafficReplay. + type: string + timeout: + description: |- + Timeout is the time to wait for replay test to finish. Defaults + to value of the `TIMEOUT` setting of the operator. + type: string + ttlAfterReady: + description: |- + TTLAfterReady provides a TTL (time to live) mechanism to limit + the lifetime of TrafficReplay object that have finished the execution and + reached its final state (either complete or failed). 
+ type: string + workloadRef: + description: |- + WorkloadRef is the reference to the target workload (SUT) for + TrafficReplay. The operations will be performed in the namespace of the + target object. + DEPRECATED: use Workloads + properties: + apiVersion: + description: API version of the referenced object. + type: string + kind: + description: Kind of the referenced object. Defaults to "Deployment". + type: string + name: + description: |- + Name of the referenced object. Required when defining for a test unless a + custom URI is provided. Always required when defining mocks. + type: string + namespace: + description: Namespace of the referenced object. Defaults to the + TrafficReplay namespace. + type: string + required: + - name + type: object + workloads: + description: |- + Workloads define target workloads (SUT) for a TrafficReplay. Many + workloads may be provided, or none. Workloads may be modified and + restarted during replay to configure communication with a responder. + items: + description: |- + Workload represents a Kubernetes workload to be targeted during replay and + associated settings. + properties: + customURI: + description: |- + CustomURI will be target of the traffic instead of directly targeting + workload. This is required if a Ref is not specified. + type: string + inTrafficKey: + description: 'DEPRECATED: use Tests' + type: string + inTrafficKeys: + description: 'DEPRECATED: use Tests' + items: + type: string + type: array + mocks: + description: |- + Mocks are strings used to identify slices of outbound snapshot traffic to + mock for this workload and maps directly to a snapshot's `OutTraffic` + field. Snapshot egress traffic can be split across multiple slices where + each slice contains part of the traffic. A workload may specify multiple + keys and multiple workloads may specify the same key. + + + Only the traffic slices defined here will be mocked. A workload with no + keys defined will not mock any traffic. 
Pass '*' to mock all traffic. + + + Mock strings may only match part of the snapshot's `OutTraffic` key if the + string matches exactly one key. For example, the test string + `foo.example.com` would match the `OutTraffic` key of + my-service:foo.example.com:8080, as long as no other keys would match + `foo.example.com`. Multiple mocks must be specified for multiple keys + unless using '*'. + items: + type: string + type: array + outTrafficKeys: + description: 'DEPRECATED: use Mocks' + items: + type: string + type: array + ref: + description: |- + Ref is a reference to a cluster workload, like a service, deployment or + statefulset. This is required unless a CustomURI is specified. + properties: + apiVersion: + description: API version of the referenced object. + type: string + kind: + description: Kind of the referenced object. Defaults to + "Deployment". + type: string + name: + description: |- + Name of the referenced object. Required when defining for a test unless a + custom URI is provided. Always required when defining mocks. + type: string + namespace: + description: Namespace of the referenced object. Defaults + to the TrafficReplay namespace. + type: string + required: + - name + type: object + routing: + description: Routing configures how workloads route egress traffic + to responders + enum: + - hostalias + - nat + type: string + sidecar: + description: |- + TODO: this is not implemented, come back and replace deprecated Sidecar with workload specific settings + Sidecar defines sidecar specific configuration. + properties: + inject: + description: 'DEPRECATED: do not use' + type: boolean + patch: + description: Patch is .yaml file patch for the Workload + format: byte + type: string + tls: + properties: + in: + description: In provides configuration for sidecar inbound + TLS. + properties: + private: + description: Private is the filename of the TLS + inbound private key. 
+ type: string + public: + description: Public is the filename of the TLS inbound + public key. + type: string + secret: + description: Secret is a secret with the TLS keys + to use for inbound traffic. + type: string + type: object + mutual: + description: Mutual provides configuration for sidecar + mutual TLS. + properties: + private: + description: Private is the filename of the mutual + TLS private key. + type: string + public: + description: Public is the filename of the mutual + TLS public key. + type: string + secret: + description: Secret is a secret with the mutual + TLS keys. + type: string + type: object + out: + description: |- + Out enables or disables TLS out on the + sidecar during replay. + type: boolean + type: object + type: object + tests: + description: |- + Tests are strings used to identify slices of inbound snapshot traffic this + workload is targeting and maps directly to a snapshot's `InTraffic` field. + Snapshot ingress traffic can be split across multiple slices where each + slice contains part of the traffic. A key must only be specified once + across all workloads, but a workload may specify multiple keys. Pass '*' + to match all keys. + + + Test strings may only match part of the snapshot's `InTraffic` key if the + string matches exactly one key. For example, the test string + `foo.example.com` would match the `InTraffic` key of + my-service:foo.example.com:8080, as long as no other keys would match + `foo.example.com` + + + This field is optional in the spec to provide support for single-workload + and legacy replays, but must be specified for multi-workload replays in + order to provide deterministic replay configuration. + items: + type: string + type: array + type: object + type: array + required: + - snapshotID + - testConfigID + type: object + status: + default: + observedGeneration: -1 + description: Status defines the observed state of TrafficReplay. 
+ properties: + active: + description: Active indicates whether this traffic replay is currently + underway or not. + type: boolean + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + finishedTime: + description: Information when the traffic replay has finished. + format: date-time + type: string + initializedTime: + description: Information when the test environment was successfully + prepared. + format: date-time + type: string + lastHeartbeatTime: + description: 'DEPRECATED: will not be set' + format: date-time + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + reconcileFailures: + description: |- + ReconcileFailures is the number of times the traffic replay controller + experienced an error during the reconciliation process. The traffic + replay will be deleted if too many errors occur. + format: int64 + type: integer + reportID: + description: The ID of the traffic replay report created. + type: string + reportURL: + description: The URL to the traffic replay report. 
+ type: string + startedTime: + description: Information when the traffic replay has started. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/deployments.yaml b/charts/speedscale/speedscale-operator/2.3.45/templates/deployments.yaml new file mode 100644 index 0000000000..e5f3292579 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.3.45/templates/deployments.yaml 
@@ -0,0 +1,132 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ operator.speedscale.com/ignore: "true"
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ labels:
+ app: speedscale-operator
+ controlplane.speedscale.com/component: operator
+ {{- if .Values.globalLabels }}
+{{ toYaml .Values.globalLabels | indent 4}}
+ {{- end }}
+ name: speedscale-operator
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: speedscale-operator
+ controlplane.speedscale.com/component: operator
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ annotations:
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 8}}
+ {{- end }}
+ labels:
+ app: speedscale-operator
+ controlplane.speedscale.com/component: operator
+ {{- if .Values.globalLabels }}
+{{ toYaml .Values.globalLabels | indent 8}}
+ {{- end }}
+ spec:
+ containers:
+ - command:
+ - /operator
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ envFrom:
+ - configMapRef:
+ name: speedscale-operator
+ # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core
+ # When a key exists in multiple sources, the value associated with the last source will take precedence.
+ # Values defined by an Env with a duplicate key will take precedence.
+ - configMapRef:
+ name: speedscale-operator-override
+ optional: true
+ - secretRef:
+ name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}'
+ optional: false
+ image: '{{ .Values.image.registry }}/operator:{{ .Values.image.tag }}'
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: health-check
+ scheme: HTTP
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ name: operator
+ ports:
+ - containerPort: 443
+ name: webhook-server
+ - containerPort: 8081
+ name: health-check
+ readinessProbe:
+ failureThreshold: 10
+ httpGet:
+ path: /readyz
+ port: health-check
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources: {{- toYaml .Values.operator.resources | nindent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: false
+ # Run as root to bind 443 https://github.com/kubernetes/kubernetes/issues/56374
+ runAsUser: 0
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: webhook-certs
+ readOnly: true
+ - mountPath: /etc/ssl/speedscale
+ name: speedscale-tls-out
+ readOnly: true
+ hostNetwork: {{ .Values.hostNetwork }}
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: speedscale-operator
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - emptyDir: {}
+ name: tmp
+ - name: webhook-certs
+ secret:
+ secretName: speedscale-webhook-certs
+ - name: speedscale-tls-out
+ secret:
+ secretName: speedscale-certs
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
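Review bot: The operator container's `runAsNonRoot: false` / `runAsUser: 0` override the pod-level `securityContext.runAsNonRoot: true` a few lines below (container settings win), so the operator runs as uid 0 and the pod-level field is misleading; with `hostNetwork: {{ .Values.hostNetwork }}` set that is a root process in the node's network namespace. Nothing in the hunk drops capabilities, so root keeps the default capability set, although binding 443 only needs `NET_BIND_SERVICE` (the linked kubernetes/kubernetes#56374 is exactly that problem). I'd drop all capabilities and add back only that one, and add a default seccomp profile; moving to `runAsNonRoot: true` is a further step that depends on the operator image shipping a non-root user, which I can't confirm from the chart.
```yaml
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            # Root is still needed to bind 443 (kubernetes/kubernetes#56374),
            # but only NET_BIND_SERVICE is required for that; drop the rest.
            capabilities:
              drop: ["ALL"]
              add: ["NET_BIND_SERVICE"]
            runAsNonRoot: false
            runAsUser: 0
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: volumeMounts …
```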
diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/hooks.yaml b/charts/speedscale/speedscale-operator/2.3.45/templates/hooks.yaml
new file mode 100644
index 0000000000..b6b080f3e0
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/templates/hooks.yaml
@@ -0,0 +1,79 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: "4"
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ creationTimestamp: null
+ name: speedscale-operator-pre-install
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- if .Values.globalLabels }}
+{{ toYaml .Values.globalLabels | indent 4}}
+ {{- end }}
+spec:
+ backoffLimit: 0
+ ttlSecondsAfterFinished: 30
+ template:
+ metadata:
+ annotations:
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 8}}
+ {{- end }}
+ creationTimestamp: null
+ labels:
+ {{- if .Values.globalLabels }}
+{{ toYaml .Values.globalLabels | indent 8}}
+ {{- end }}
+ spec:
+ containers:
+ - args:
+ - |-
+ # ensure valid settings before the chart reports a successfull install
+ {{- if .Values.http_proxy }}
+ HTTP_PROXY={{ .Values.http_proxy | quote }} \
+ {{- end }}
+ {{- if .Values.https_proxy }}
+ HTTPS_PROXY={{ .Values.https_proxy | quote }} \
+ {{- end }}
+ {{- if .Values.no_proxy }}
+ NO_PROXY={{ .Values.no_proxy | quote }} \
+ {{- end }}
+ speedctl init --overwrite --no-rcfile-update \
+ --api-key $SPEEDSCALE_API_KEY \
+ --app-url $SPEEDSCALE_APP_URL
+
+ # in case we're in istio
+ curl -X POST http://127.0.0.1:15000/quitquitquit || true
+ command:
+ - sh
+ - -c
+ envFrom:
+ - secretRef:
+ name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}'
+ optional: false
+ image: '{{ .Values.image.registry }}/speedscale-cli:{{ .Values.image.tag }}'
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: speedscale-cli
+ resources:
+ limits:
+ memory: "128M"
+ cpu: "1"
+ requests:
+ memory: "64M"
+ cpu: "100m"
+ restartPolicy: Never
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{ 
toYaml .Values.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/rbac.yaml b/charts/speedscale/speedscale-operator/2.3.45/templates/rbac.yaml
new file mode 100644
index 0000000000..fc2a886835
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/templates/rbac.yaml
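Review bot: The pre-install Job hands the API key to `speedctl init` on the command line (`--api-key $SPEEDSCALE_API_KEY`), so the secret is visible in the process list of the container and of the node for as long as the command runs, even though the same value is already injected into the environment by the `secretRef`. If speedctl reads `SPEEDSCALE_API_KEY` from the environment (not verifiable from the chart), the flag can be dropped: `speedctl init --overwrite --no-rcfile-update --app-url $SPEEDSCALE_APP_URL`; otherwise a form that keeps the key out of argv is worth asking for. The job container also carries no `securityContext` at all, unlike the operator Deployment in deployments.yaml; `allowPrivilegeEscalation: false` and `runAsNonRoot: true` would be consistent with it. Minor: the script comment says `successfull`, should be `successful`.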
@@ -0,0 +1,246 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: speedscale-operator
+ {{- if .Values.globalAnnotations }}
+ annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
+ {{- end }}
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ - daemonsets
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ - pods
+ - services
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - envoyfilters
+ 
- sidecars
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - security.istio.io
+ resources:
+ - peerauthentications
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - speedscale.com
+ resources:
+ - trafficreplays
+ - agenttasks
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - speedscale.com
+ resources:
+ - trafficreplays/status
+ - agenttasks/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - argoproj.io
+ resources:
+ - rollouts
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: speedscale-operator
+ {{- if .Values.globalAnnotations }}
+ annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: speedscale-operator
+subjects:
+- kind: ServiceAccount
+ name: speedscale-operator
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+ creationTimestamp: null
+ labels:
+ app: speedscale-operator
+ controlplane.speedscale.com/component: operator
+ name: speedscale-operator
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.globalAnnotations }}
+ annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
+ {{- end }}
diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/secrets.yaml b/charts/speedscale/speedscale-operator/2.3.45/templates/secrets.yaml
new file mode 100644
index 0000000000..1fb6999e4c
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/templates/secrets.yaml
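Review bot: The `speedscale-operator` ClusterRole grants cluster-wide create/delete/patch/update plus get/list/watch on core `secrets`, `pods`, `serviceaccounts`, `roles` and `rolebindings`, which lets the operator's ServiceAccount read every Secret in every namespace and create pods under any ServiceAccount — close to cluster-admin-equivalent data access — while values.yaml exposes a `namespaceSelector` list that suggests the operator only acts in selected namespaces. If cluster scope really is required (sidecar injection into arbitrary namespaces is a plausible reason, but the hunk does not say), a comment above `rules:` stating why, and why `secrets` cannot be narrowed by `resourceNames` or to the release namespace, would help anyone making an admission decision; otherwise a namespaced Role per watched namespace would shrink the blast radius considerably. The `creationTimestamp: null` fields on the ClusterRole and ServiceAccount are server-populated leftovers and can be dropped.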
@@ -0,0 +1,18 @@
+---
+{{ if .Values.apiKey }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: speedscale-apikey
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-weight: "3"
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+type: Opaque
+data:
+ SPEEDSCALE_API_KEY: {{ .Values.apiKey | b64enc }}
+ SPEEDSCALE_APP_URL: {{ .Values.appUrl | b64enc }}
+{{ end }}
diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/services.yaml b/charts/speedscale/speedscale-operator/2.3.45/templates/services.yaml
new file mode 100644
index 0000000000..f9da2c25c1
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/templates/services.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ labels:
+ app: speedscale-operator
+ controlplane.speedscale.com/component: operator
+ name: speedscale-operator
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.globalAnnotations }}
+ annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ selector:
+ app: speedscale-operator
+ controlplane.speedscale.com/component: operator
+status:
+ loadBalancer: {}
diff --git a/charts/speedscale/speedscale-operator/2.3.45/templates/tls.yaml b/charts/speedscale/speedscale-operator/2.3.45/templates/tls.yaml
new file mode 100644
index 0000000000..4e293999ef
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/templates/tls.yaml
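Review bot: The `speedscale-apikey` Secret is rendered only as a `pre-install` hook, and Helm does not run pre-install hooks on upgrade, so a rotated key passed via `helm upgrade --set apiKey=…` is never written to the cluster while the Deployment and both hook Jobs keep consuming the stale value through their `secretRef`. `helm.sh/hook: pre-install,pre-upgrade` (keeping weight `"3"` so it still precedes the Jobs) makes rotation work. Note too that with no `hook-delete-policy` the Secret is not tracked by the release and survives `helm uninstall`; if that is intended, it belongs in the values.yaml comment next to `apiKey`.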
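Review bot: `creationTimestamp: null` and the trailing `status: loadBalancer: {}` in services.yaml are server-populated fields that leaked from a `kubectl -o yaml` dump; they are harmless on apply but add noise to every rendered manifest and to diff output, so I'd drop both. The Service also omits `targetPort`, so it relies on the container port number coincidentally matching 443; `targetPort: webhook-server` ties it to the named port declared on the operator container in deployments.yaml and survives a later port change.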
@@ -0,0 +1,189 @@
+{{- $crt := "" -}}
+{{- $key := "" -}}
+{{- $s := (lookup "v1" "Secret" .Release.Namespace "speedscale-certs") -}}
+{{- if $s -}}
+{{- $crt = index $s.data "tls.crt" | b64dec -}}
+{{- $key = index $s.data "tls.key" | b64dec -}}
+{{ else }}
+{{- $cert := genCA "Speedscale" 3650 -}}
+{{- $crt = $cert.Cert -}}
+{{- $key = $cert.Key -}}
+{{- end -}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: "5"
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ creationTimestamp: null
+ name: speedscale-operator-create-jks
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- if .Values.globalLabels }}
+{{ toYaml .Values.globalLabels | indent 4}}
+ {{- end }}
+spec:
+ backoffLimit: 0
+ ttlSecondsAfterFinished: 30
+ template:
+ metadata:
+ annotations:
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 8}}
+ {{- end }}
+ creationTimestamp: null
+ labels:
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 8}}
+ {{- end }}
+ spec:
+ containers:
+ - args:
+ - |-
+ keytool -keystore /usr/lib/jvm/jre/lib/security/cacerts -importcert -noprompt -trustcacerts -storepass changeit -alias speedscale -file /etc/ssl/speedscale/tls.crt
+ kubectl -n ${POD_NAMESPACE} delete secret speedscale-jks || true
+ kubectl -n ${POD_NAMESPACE} create secret generic speedscale-jks --from-file=cacerts.jks=/usr/lib/jvm/jre/lib/security/cacerts
+
+ # in case we're in istio
+ curl -X POST http://127.0.0.1:15000/quitquitquit || true
+ command:
+ - sh
+ - -c
+ volumeMounts:
+ - mountPath: /etc/ssl/speedscale
+ name: speedscale-tls-out
+ readOnly: true
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ envFrom:
+ - secretRef:
+ name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret 
"speedscale-apikey" }}'
+ optional: false
+ image: '{{ .Values.image.registry }}/amazoncorretto'
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: create-jks
+ resources:
+ limits:
+ memory: "256M"
+ cpu: "1"
+ requests:
+ memory: "128M"
+ cpu: "200m"
+ restartPolicy: Never
+ serviceAccountName: speedscale-operator-provisioning
+ volumes:
+ - name: speedscale-tls-out
+ secret:
+ secretName: speedscale-certs
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
+---
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: "1"
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ creationTimestamp: null
+ labels:
+ app: speedscale-operator
+ controlplane.speedscale.com/component: operator
+ name: speedscale-operator-provisioning
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: "2"
+ creationTimestamp: null
+ name: speedscale-operator-provisioning
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ 
annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: "3"
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ creationTimestamp: null
+ name: speedscale-operator-provisioning
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: speedscale-operator-provisioning
+subjects:
+- kind: ServiceAccount
+ name: speedscale-operator-provisioning
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: before-hook-creation
+ {{- if .Values.globalAnnotations }}
+{{ toYaml .Values.globalAnnotations | indent 4}}
+ {{- end }}
+ creationTimestamp: null
+ name: speedscale-certs
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ $crt | b64enc }}
+ tls.key: {{ $key | b64enc }}
diff --git a/charts/speedscale/speedscale-operator/2.3.45/values.yaml b/charts/speedscale/speedscale-operator/2.3.45/values.yaml
new file mode 100644
index 0000000000..0a357cc314
--- /dev/null
+++ b/charts/speedscale/speedscale-operator/2.3.45/values.yaml
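Review bot: In the create-jks Job's pod template the `labels:` block tests and renders `.Values.globalAnnotations` instead of `.Values.globalLabels` (the Job's own top-level `metadata.labels` gets it right), so annotations are emitted as pod labels; annotation values are free-form, and any value over 63 characters or containing spaces or slashes fails label validation and the hook Job is rejected. The two lines should read `{{- if .Values.globalLabels }}` / `{{ toYaml .Values.globalLabels | indent 8}}`. Separately, the Job mounts the whole `speedscale-certs` Secret although keytool only reads `tls.crt`, which exposes the `genCA`-generated CA private key to that container; restricting the volume with `items: [{key: tls.crt, path: tls.crt}]` keeps `tls.key` out of it. The `'{{ .Values.image.registry }}/amazoncorretto'` image carries no tag, so the hook pulls whatever `latest` is at install time, unlike the other images which are pinned to `.Values.image.tag`; pinning it would make installs reproducible.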
@@ -0,0 +1,138 @@
+# An API key is required to connect to the Speedscale cloud.
+# If you need a key email support@speedscale.com.
+apiKey: ""
+
+# A secret name can be referenced instead of the api key itself.
+# The secret must be of the format:
+#
+# type: Opaque
+# data:
+# SPEEDSCALE_API_KEY:
+# SPEEDSCALE_APP_URL:
+apiKeySecret: ""
+
+# Speedscale domain to use.
+appUrl: "app.speedscale.com"
+
+# The name of your cluster.
+clusterName: "my-cluster"
+
+# Speedscale components image settings.
+image:
+ registry: gcr.io/speedscale
+ tag: v2.3.45
+ pullPolicy: Always
+
+# Log level for Speedscale components.
+logLevel: "info"
+
+# Namespaces to be watched by Speedscale Operator as a list of names.
+namespaceSelector: []
+
+# Instructs operator to deploy resources necessary to interact with your cluster from the Speedscale dashboard.
+dashboardAccess: true
+
+# Filter Rule to apply to the Speedscale Forwarder
+filterRule: "standard"
+
+# Data Loss Prevention settings.
+dlp:
+ # Instructs operator to enable data loss prevention features
+ enabled: false
+
+ # Configuration for data loss prevention
+ config: "standard"
+
+# If the operator pod/webhooks need to be on the host network.
+# This is only needed if the control plane cannot connect directly to a pod
+# for eg. if Calico is used as EKS's default networking
+# https://docs.tigera.io/calico/3.25/getting-started/kubernetes/managed-public-cloud/eks#install-eks-with-calico-networking
+hostNetwork: false
+
+# A set of annotations to be applied to all Speedscale related deployments,
+# services, jobs, pods, etc.
+#
+# Example:
+# annotation.first: value
+# annotation.second: value
+globalAnnotations: {}
+
+# A set of labels to be applied to all Speedscale related deployments,
+# services, jobs, pods, etc.
+#
+# Example:
+# label1: value
+# label2: value
+globalLabels: {}
+
+# A full affinity object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity
+affinity: {}
+
+# The list of tolerations as detailed: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+tolerations: []
+
+# A nodeselector object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
+nodeSelector: {}
+
+# Deploy a demo app at startup. Set this to an empty string to not deploy.
+# Valid values: ["java", ""]
+deployDemo: "java"
+
+# Proxy connection settings if required by your network. These translate to standard proxy environment
+# variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY
+http_proxy: ""
+https_proxy: ""
+no_proxy: ""
+
+# control if sidecar init containers should run with privileged set
+privilegedSidecars: false
+
+# control if the sidecar should enable/disable use of the smart dns lookup feature (requires NET_ADMIN)
+disableSidecarSmartReverseDNS: false
+
+# Operator settings. These limits are recommended unless you have a cluster
+# with a very large number of workloads (for eg. 10k+ deployments, replicasets, etc.).
+operator:
+ resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ # how long to wait for the SUT to become ready
+ test_prep_timeout: 10m
+ # timeout for deploying & upgrading control plane components
+ control_plane_timeout: 5m
+
+
+# Default sidecar settings. 
Example:
+# sidecar:
+# resources:
+# limits:
+# cpu: 500m
+# memory: 512Mi
+# ephemeral-storage: 100Mi
+# requests:
+# cpu: 10m
+# memory: 32Mi
+# ephemeral-storage: 100Mi
+# ignore_src_hosts: example.com, example.org
+# ignore_src_ips: 8.8.8.8, 1.1.1.1
+# ignore_dst_hosts: example.com, example.org
+# ignore_dst_ips: 8.8.8.8, 1.1.1.1
+# insert_init_first: false
+# tls_out: false
+# reinitialize_iptables: false
+sidecar: {}
+
+# Forwarder settings
+# forwarder:
+# resources:
+# limits:
+# cpu: 500m
+# memory: 500M
+# requests:
+# cpu: 300m
+# memory: 250M
+forwarder: {}
diff --git a/index.yaml b/index.yaml
index a2dc787143..a10a27f887 100644
--- a/index.yaml
+++ b/index.yaml
@@ -6782,6 +6782,28 @@ entries: - assets/cloudcasa/cloudcasa-3.4.1.tgz version: 3.4.1 cockroachdb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CockroachDB + catalog.cattle.io/kube-version: '>=1.8-0' + catalog.cattle.io/release-name: cockroachdb + apiVersion: v1 + appVersion: 24.3.1 + created: "2024-12-22T00:01:44.052556682Z" + description: CockroachDB is a scalable, survivable, strongly-consistent SQL database. + digest: 87f7fd9b7d8cdfd02566b9e514700d42dd9668aae1050dcca9b53e85702be634 + home: https://www.cockroachlabs.com + icon: file://assets/icons/cockroachdb.png + kubeVersion: '>=1.8-0' + maintainers: + - email: helm-charts@cockroachlabs.com + name: cockroachlabs + name: cockroachdb + sources: + - https://github.com/cockroachdb/cockroach + urls: + - assets/cockroach-labs/cockroachdb-15.0.2.tgz + version: 15.0.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CockroachDB 
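Review bot: The comment above `apiKey` should say where the value ends up: a key given here is rendered into the `speedscale-apikey` Secret and is also persisted in the Helm release record (by default a Secret in the release namespace), whereas `apiKeySecret` lets the key be provisioned out of band — something like `# Prefer apiKeySecret; a key given here is also kept in the Helm release history.` Two opt-out defaults deserve a word as well: `deployDemo: "java"` installs a demo workload on every install and `dashboardAccess: true` provisions resources for remote access from the Speedscale dashboard, so the comments should state that a production install typically sets `deployDemo: ""` and reviews `dashboardAccess`. Style: keys mix camelCase (`apiKeySecret`, `hostNetwork`) with snake_case (`http_proxy`, `test_prep_timeout`); renaming would break existing values files, so this is only worth keeping in mind for new keys.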
@@ -30749,6 +30771,54 @@ entries: - assets/loft/loft-3.2.0.tgz version: 3.2.0 microgateway: + - annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.4/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: "" + charts.openshift.io/name: Airlock Microgateway + apiVersion: v2 + appVersion: 4.4.2 + created: "2024-12-22T00:01:43.464277866Z" + description: A Helm chart for deploying the Airlock Microgateway + digest: 142a88c1c19f4e302c72e03c1495e258a174c7161c0afcdf44278ac6356c7f5d + home: https://www.airlock.com/en/microgateway + icon: file://assets/icons/microgateway.svg + keywords: + - WAF + - Web Application Firewall + - WAAP + - Web Application and API protection + - OWASP + - Airlock + - Microgateway + - Security + - Filtering + - DevSecOps + - shift left + - control plane + - Operator + kubeVersion: '>=1.25.0-0' + maintainers: + - email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ + name: microgateway + sources: + - https://github.com/airlock/microgateway + type: application + urls: + - assets/airlock/microgateway-4.4.2.tgz + version: 4.4.2 - annotations: artifacthub.io/category: security artifacthub.io/license: MIT 
@@ -31134,6 +31204,53 @@ entries: - assets/airlock/microgateway-4.2.3.tgz version: 4.2.3 microgateway-cni: + - annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.4/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway CNI + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: "" + charts.openshift.io/name: Airlock Microgateway CNI + apiVersion: v2 + appVersion: 4.4.2 + created: "2024-12-22T00:01:43.469864659Z" + description: A Helm chart for deploying the Airlock Microgateway CNI plugin + digest: 1fa6e6e4f7063cf9eea8771a0ecd135ce6337c1f3567c68d23f2379a32b90411 + home: https://www.airlock.com/en/microgateway + icon: file://assets/icons/microgateway-cni.svg + keywords: + - WAF + - Web Application Firewall + - WAAP + - Web Application and API protection + - OWASP + - Airlock + - Microgateway + - Security + - Filtering + - DevSecOps + - shift left + - CNI + kubeVersion: '>=1.25.0-0' + maintainers: + - email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ + name: microgateway-cni + sources: + - https://github.com/airlock/microgateway + type: application + urls: + - assets/airlock/microgateway-cni-4.4.2.tgz + version: 4.4.2 - annotations: artifacthub.io/category: security artifacthub.io/license: MIT 
@@ -39834,6 +39951,48 @@ entries: - assets/quobyte/quobyte-cluster-0.1.8.tgz version: 0.1.8 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v24.3.1 + - name: busybox + image: busybox:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.10.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v24.3.2 + created: "2024-12-22T00:01:48.85601719Z" + dependencies: + - condition: console.enabled + name: console + repository: https://charts.redpanda.com + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: https://charts.redpanda.com + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: ef35fd6483b9bacd8dd8f0716d263cdc8d217716ad11a0d56d02772253e3d835 + icon: file://assets/icons/redpanda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.9.18.tgz + version: 5.9.18 - annotations: artifacthub.io/images: | - name: redpanda 
@@ -43657,6 +43816,37 @@ entries: - assets/redpanda/redpanda-4.0.33.tgz version: 4.0.33 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.3.45 + created: "2024-12-22T00:01:49.027003766Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 3a6bee132c61d19f4e7724c65741d9979366855e8fe40e474f6b56f0fbd85475 + home: https://speedscale.com + icon: file://assets/icons/speedscale-operator.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.3.45.tgz + version: 2.3.45 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator @@ -51816,4 +52006,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2024-12-20T00:01:50.193243037Z" +generated: "2024-12-22T00:01:43.440903076Z"