Commit new Chart releases for TrueCharts
Signed-off-by: TrueCharts-Bot <bot@truecharts.org>
parent
7142af67de
commit
d768aaf10d
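--- /dev/null
+++ b/[path not shown on page: Helm .helmignore]
@@ -0,0 +1,30 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# OWNERS file for Kubernetes
+OWNERS
+# helm-docs templates
+*.gotmpl
+# docs folder
+/docs
+# icon
+icon.png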
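--- /dev/null
+++ b/[path not shown on page: CHANGELOG.md]
@@ -0,0 +1,17 @@
+---
+title: Changelog
+---
+
+
+*for the complete changelog, please refer to the website*
+
+**Important:**
+
+
+## [authelia-23.5.5](https://github.com/truecharts/charts/compare/authelia-23.5.4...authelia-23.5.5) (2024-03-16)
+
+### Chore
+
+
+
+- rename `enterprise`- train to `premium`-train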
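--- /dev/null
+++ b/[path not shown on page: Chart.yaml]
@@ -0,0 +1,54 @@
+annotations:
+  max_scale_version: 24.04.0
+  min_scale_version: 23.10.0
+  truecharts.org/SCALE-support: "true"
+  truecharts.org/category: security
+  truecharts.org/max_helm_version: "3.14"
+  truecharts.org/min_helm_version: "3.12"
+  truecharts.org/train: premium
+apiVersion: v2
+appVersion: 4.37.5
+dependencies:
+  - name: common
+    version: 20.0.9
+    repository: oci://tccr.io/truecharts
+    condition: ""
+    alias: ""
+    tags: []
+    import-values: []
+  - name: redis
+    version: 13.0.3
+    repository: oci://tccr.io/truecharts
+    condition: redis.enabled
+    alias: ""
+    tags: []
+    import-values: []
+deprecated: false
+description: Authelia is a Single Sign-On Multi-Factor portal for web apps
+home: https://truecharts.org/charts/premium/authelia
+icon: https://truecharts.org/img/hotlink-ok/chart-icons/authelia.png
+keywords:
+  - authelia
+  - authentication
+  - login
+  - SSO
+  - Authentication
+  - Security
+  - Two-Factor
+  - U2F
+  - YubiKey
+  - Push Notifications
+  - LDAP
+kubeVersion: '>=1.24.0-0'
+maintainers:
+  - name: TrueCharts
+    email: info@truecharts.org
+    url: https://truecharts.org
+name: authelia
+sources:
+  - https://github.com/authelia/chartrepo
+  - https://github.com/authelia/authelia
+  - https://github.com/truecharts/charts/tree/master/charts/premium/authelia
+  - https://ghcr.io/authelia/authelia
+type: application
+version: 23.5.5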
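Review bot: Both `dependencies` entries (`common` 20.0.9 and `redis` 13.0.3 from `oci://tccr.io/truecharts`) are pinned by version only, which is all Chart.yaml can express; the digest that makes the pin tamper-evident lives in Chart.lock, and no Chart.lock section is visible in the part of this commit shown here, so confirm one is committed and regenerated whenever these versions move. The `condition: ""` on `common` means that dependency is always pulled in, which appears intended but is worth a one-line comment, `# always enabled: common provides the chart's templates`. Separately, `keywords` lists both `authentication` and `Authentication`, which are redundant for chart search; keeping a single `- authentication` is enough.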
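--- /dev/null
+++ b/[path not shown on page: LICENSE]
@@ -0,0 +1,106 @@
+Business Source License 1.1
+
+Parameters
+
+Licensor: The TrueCharts Project, it's owner and it's contributors
+Licensed Work: The TrueCharts "Blocky" Helm Chart
+Additional Use Grant: You may use the licensed work in production, as long
+as it is directly sourced from a TrueCharts provided
+official repository, catalog or source. You may also make private
+modification to the directly sourced licenced work,
+when used in production.
+
+The following cases are, due to their nature, also
+defined as 'production use' and explicitly prohibited:
+- Bundling, including or displaying the licensed work
+with(in) another work intended for production use,
+with the apparent intend of facilitating and/or
+promoting production use by third parties in
+violation of this license.
+
+Change Date: 2050-01-01
+
+Change License: 3-clause BSD license
+
+For information about alternative licensing arrangements for the Software,
+please contact: legal@truecharts.org
+
+Notice
+
+The Business Source License (this document, or the “License”) is not an Open
+Source license. However, the Licensed Work will eventually be made available
+under an Open Source License, as stated in this License.
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+“Business Source License” is a trademark of MariaDB Corporation Ab.
+
+-----------------------------------------------------------------------------
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License’s text to license
+your works, and to refer to it using the trademark “Business Source License”,
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License’s text and the “Business
+Source License” name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+or a license that is compatible with GPL Version 2.0 or a later version,
+where “compatible” means that software provided under the Change License can
+be included in a program with software provided under GPL Version 2.0 or a
+later version. Licensor may specify additional Change Licenses without
+limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+impose any additional restriction on the right granted in this License, as
+the Additional Use Grant; or (b) insert the text “None”.
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.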
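Review bot: The Parameters block names the Licensed Work as `The TrueCharts "Blocky" Helm Chart`, but every other file in this commit (Chart.yaml `name: authelia`, the README and app-readme links) identifies this as the authelia chart, so the license as committed does not describe the work it ships with. This looks like a copied template whose placeholder was not updated; the line should read `Licensed Work: The TrueCharts "Authelia" Helm Chart`. If the license file is generated for every chart in the release job, the template input that produced "Blocky" is the thing to fix so the other charts in this release do not carry the same mismatch.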
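--- /dev/null
+++ b/[path not shown on page: README.md]
@@ -0,0 +1,28 @@
+---
+title: README
+---
+
+## General Info
+
+TrueCharts can be installed as both _normal_ Helm Charts or as Apps on TrueNAS SCALE.
+However only installations using the TrueNAS SCALE Apps system are supported.
+
+For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/premium/authelia)
+
+**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
+
+## Support
+
+- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE/guides/scale-intro).
+- See the [Website](https://truecharts.org)
+- Check our [Discord](https://discord.gg/tVsPTHWTtr)
+- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
+
+---
+
+## Sponsor TrueCharts
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
+
+_All Rights Reserved - The TrueCharts Project_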
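--- /dev/null
+++ b/[path not shown on page: app-changelog.md]
@@ -0,0 +1,9 @@
+
+
+## [authelia-23.5.5](https://github.com/truecharts/charts/compare/authelia-23.5.4...authelia-23.5.5) (2024-03-16)
+
+### Chore
+
+
+
+- rename `enterprise`- train to `premium`-train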
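--- /dev/null
+++ b/[path not shown on page: app-readme.md]
@@ -0,0 +1,8 @@
+Authelia is a Single Sign-On Multi-Factor portal for web apps
+
+This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/premium/authelia](https://truecharts.org/charts/premium/authelia)
+
+---
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!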
|
@ -0,0 +1,582 @@
|
|||
image:
|
||||
repository: ghcr.io/authelia/authelia
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 4.37.5@sha256:25fc5423238b6f3a1fc967fda3f6a9212846aeb4a720327ef61c8ccff52dbbe2
|
||||
manifestManager:
|
||||
enabled: true
|
||||
workload:
|
||||
main:
|
||||
replicas: 2
|
||||
strategy: RollingUpdate
|
||||
podSpec:
|
||||
containers:
|
||||
main:
|
||||
command:
|
||||
- authelia
|
||||
args:
|
||||
- --config=/configuration.yaml
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: authelia-paths
|
||||
probes:
|
||||
liveness:
|
||||
type: http
|
||||
path: "/api/health"
|
||||
readiness:
|
||||
type: http
|
||||
path: "/api/health"
|
||||
startup:
|
||||
type: http
|
||||
path: "/api/health"
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
main:
|
||||
port: 9091
|
||||
targetPort: 9091
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
mountPath: "/config"
|
||||
cnpg:
|
||||
main:
|
||||
enabled: true
|
||||
user: authelia
|
||||
database: authelia
|
||||
# Enabled redis
|
||||
# ... for more options see https://github.com/tccr.io/truecharts/charts/tree/master/tccr.io/truecharts/redis
|
||||
redis:
|
||||
enabled: true
|
||||
domain: example.com
|
||||
##
|
||||
## Server Configuration
|
||||
##
|
||||
server:
|
||||
##
|
||||
## Port sets the configured port for the daemon, service, and the probes.
|
||||
## Default is 9091 and should not need to be changed.
|
||||
##
|
||||
port: 9091
|
||||
## Buffers usually should be configured to be the same value.
|
||||
## Explanation at https://www.authelia.com/docs/configuration/server.html
|
||||
## Read buffer size adjusts the server's max incoming request size in bytes.
|
||||
## Write buffer size does the same for outgoing responses.
|
||||
read_buffer_size: 4096
|
||||
write_buffer_size: 4096
|
||||
## Set the single level path Authelia listens on.
|
||||
## Must be alphanumeric chars and should not contain any slashes.
|
||||
path: ""
|
||||
log:
|
||||
## Level of verbosity for logs: info, debug, trace.
|
||||
level: trace
|
||||
## Format the logs are written as: json, text.
|
||||
format: text
|
||||
## TODO: Statefulness check should check if this is set, and the configMap should enable it.
|
||||
## File path where the logs will be written. If not set logs are written to stdout.
|
||||
# file_path: /config/authelia.log
|
||||
## Default redirection URL
|
||||
##
|
||||
## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
|
||||
## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
|
||||
## in such a case.
|
||||
##
|
||||
## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
|
||||
## Default is https://www.<domain> (value at the top of the values.yaml).
|
||||
default_redirection_url: ""
|
||||
# default_redirection_url: https://example.com
|
||||
|
||||
theme: light
|
||||
##
|
||||
## TOTP Configuration
|
||||
##
|
||||
## Parameters used for TOTP generation
|
||||
totp:
|
||||
## The issuer name displayed in the Authenticator application of your choice
|
||||
## See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
||||
## Defaults to <domain>.
|
||||
issuer: ""
|
||||
## The period in seconds a one-time password is current for. Changing this will require all users to register
|
||||
## their TOTP applications again. Warning: before changing period read the docs link below.
|
||||
period: 30
|
||||
## The skew controls number of one-time passwords either side of the current one that are valid.
|
||||
## Warning: before changing skew read the docs link below.
|
||||
## See: https://www.authelia.com/docs/configuration/one-time-password.html#period-and-skew to read the documentation.
|
||||
skew: 1
|
||||
##
|
||||
## Password Policy Config
|
||||
##
|
||||
## Parameters used for Password Policies
|
||||
password_policy:
|
||||
## See: https://www.authelia.com/configuration/security/password-policy/
|
||||
standard:
|
||||
enabled: false
|
||||
min_length: 8
|
||||
max_length: 0
|
||||
require_uppercase: false
|
||||
require_lowercase: false
|
||||
require_number: false
|
||||
require_special: false
|
||||
zxcvbn:
|
||||
## See https://www.authelia.com/configuration/security/password-policy/#zxcvbn for more info
|
||||
enabled: false
|
||||
min_score: 3
|
||||
##
|
||||
## Duo Push API Configuration
|
||||
##
|
||||
## Parameters used to contact the Duo API. Those are generated when you protect an application of type
|
||||
## "Partner Auth API" in the management panel.
|
||||
duo_api:
|
||||
enabled: false
|
||||
hostname: api-123456789.example.com
|
||||
integration_key: ABCDEF
|
||||
plain_api_key: ""
|
||||
## NTP settings
|
||||
ntp:
|
||||
address: "time.cloudflare.com:123"
|
||||
version: 4
|
||||
max_desync: 3s
|
||||
disable_startup_check: false
|
||||
disable_failure: true
|
||||
##
|
||||
## Authentication Backend Provider Configuration
|
||||
##
|
||||
## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
|
||||
##
|
||||
## The available providers are: `file`, `ldap`. You must use one and only one of these providers.
|
||||
authentication_backend:
|
||||
## Disable both the HTML element and the API for reset password functionality
|
||||
disable_reset_password: false
|
||||
## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
|
||||
## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
|
||||
## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
|
||||
## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
|
||||
## See the below documentation for more information.
|
||||
## Duration Notation docs: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
|
||||
## Refresh Interval docs: https://www.authelia.com/docs/configuration/authentication/ldap.html#refresh-interval
|
||||
refresh_interval: 5m
|
||||
## LDAP backend configuration.
|
||||
##
|
||||
## This backend allows Authelia to be scaled to more
|
||||
## than one instance and therefore is recommended for
|
||||
## production.
|
||||
ldap:
|
||||
## Enable LDAP Backend.
|
||||
enabled: false
|
||||
## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
|
||||
## Acceptable options are as follows:
|
||||
## - 'activedirectory' - For Microsoft Active Directory.
|
||||
## - 'custom' - For custom specifications of attributes and filters.
|
||||
## This currently defaults to 'custom' to maintain existing behaviour.
|
||||
##
|
||||
## Depending on the option here certain other values in this section have a default value, notably all of the
|
||||
## attribute mappings have a default value that this config overrides, you can read more about these default values
|
||||
## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults
|
||||
implementation: activedirectory
|
||||
## The url to the ldap server. Format: <scheme>://<address>[:<port>].
|
||||
## Scheme can be ldap or ldaps in the format (port optional).
|
||||
url: ldap://openldap.default.svc.cluster.local
|
||||
## Connection Timeout.
|
||||
timeout: 5s
|
||||
## Use StartTLS with the LDAP connection.
|
||||
start_tls: false
|
||||
tls:
|
||||
## Server Name for certificate validation (in case it's not set correctly in the URL).
|
||||
server_name: ""
|
||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
||||
skip_verify: false
|
||||
## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
|
||||
minimum_version: TLS1.2
|
||||
## The base dn for every LDAP query.
|
||||
base_dn: DC=example,DC=com
|
||||
## The attribute holding the username of the user. This attribute is used to populate the username in the session
|
||||
## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
|
||||
## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this
|
||||
## attribute holds the unique identifiers for the users binding the user and the configuration stored in database.
|
||||
## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user
|
||||
## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also
|
||||
## be used but we don't recommend using them, we instead advise to use the attributes mentioned above
|
||||
## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt.
|
||||
username_attribute: "uid"
|
||||
## An additional dn to define the scope to all users.
|
||||
additional_users_dn: OU=Users
|
||||
## The users filter used in search queries to find the user profile based on input filled in login form.
|
||||
## Various placeholders are available in the user filter:
|
||||
## - {input} is a placeholder replaced by what the user inputs in the login form.
|
||||
## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`.
|
||||
## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
|
||||
## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later
|
||||
## versions, so please don't use it.
|
||||
##
|
||||
## Recommended settings are as follows:
|
||||
## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
|
||||
## - OpenLDAP:
|
||||
## - (&({username_attribute}={input})(objectClass=person))
|
||||
## - (&({username_attribute}={input})(objectClass=inetOrgPerson))
|
||||
##
|
||||
## To allow sign in both with username and email, one can use a filter like
|
||||
## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
||||
users_filter: ""
|
||||
## An additional dn to define the scope of groups.
|
||||
additional_groups_dn: OU=Groups
|
||||
## The groups filter used in search queries to find the groups of the user.
|
||||
## - {input} is a placeholder replaced by what the user inputs in the login form.
|
||||
## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`).
|
||||
## - {dn} is a matcher replaced by the user distinguished name, aka, user DN.
|
||||
## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`.
|
||||
## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
|
||||
## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later
|
||||
## versions, so please don't use it.
|
||||
## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in
|
||||
## later version, so please don't use it.
|
||||
##
|
||||
## If your groups use the `groupOfUniqueNames` structure use this instead:
|
||||
## (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
|
||||
groups_filter: ""
|
||||
## The attribute holding the name of the group
|
||||
group_name_attribute: "cn"
|
||||
## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
|
||||
## first one returned by the LDAP server is used.
|
||||
mail_attribute: "mail"
|
||||
## The attribute holding the display name of the user. This will be used to greet an authenticated user.
|
||||
display_name_attribute: "displayname"
|
||||
## The username of the admin user.
|
||||
user: CN=admin,DC=example,DC=com
|
||||
plain_password: ""
|
||||
##
|
||||
## File (Authentication Provider)
|
||||
##
|
||||
## With this backend, the users database is stored in a file which is updated when users reset their passwords.
|
||||
## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
|
||||
## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
|
||||
## implications it is highly recommended you leave the default values. Before considering changing these settings
|
||||
## please read the docs page below:
|
||||
## https://www.authelia.com/docs/configuration/authentication/file.html#password-hash-algorithm-tuning
|
||||
##
|
||||
## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
|
||||
##
|
||||
file:
|
||||
enabled: true
|
||||
path: /config/users_database.yml
|
||||
password:
|
||||
algorithm: argon2id
|
||||
iterations: 1
|
||||
key_length: 32
|
||||
salt_length: 16
|
||||
memory: 1024
|
||||
parallelism: 8
|
||||
##
|
||||
## Access Control Configuration
|
||||
##
|
||||
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
|
||||
##
|
||||
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
|
||||
## to anyone. Otherwise restrictions follow the rules defined.
|
||||
##
|
||||
## Note: One can use the wildcard * to match any subdomain.
|
||||
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
|
||||
##
|
||||
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
|
||||
##
|
||||
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
|
||||
##
|
||||
## - 'domain' defines which domain or set of domains the rule applies to.
|
||||
##
|
||||
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
|
||||
## provided. If provided, the parameter represents either a user or a group. It should be of the form
|
||||
## 'user:<username>' or 'group:<groupname>'.
|
||||
##
|
||||
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
|
||||
##
|
||||
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
|
||||
## is optional and matches any resource if not provided.
|
||||
##
|
||||
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
|
||||
access_control:
|
||||
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
|
||||
## resource if there is no policy to be applied to the user.
|
||||
default_policy: deny
|
||||
networks_access_control: []
|
||||
# networks_access_control:
|
||||
# - name: private
|
||||
# networks:
|
||||
# - 10.0.0.0/8
|
||||
# - 172.16.0.0/12
|
||||
# - 192.168.0.0/16
|
||||
# - name: vpn
|
||||
# networks:
|
||||
# - 10.9.0.0/16
|
||||
|
||||
rules: []
|
||||
# rules:
|
||||
# - domain: public.example.com
|
||||
# policy: bypass
|
||||
# - domain: "*.example.com"
|
||||
# policy: bypass
|
||||
# methods:
|
||||
# - OPTIONS
|
||||
# - domain: secure.example.com
|
||||
# policy: one_factor
|
||||
# networks:
|
||||
# - private
|
||||
# - vpn
|
||||
# - 192.168.1.0/24
|
||||
# - 10.0.0.1
|
||||
# - domain:
|
||||
# - secure.example.com
|
||||
# - private.example.com
|
||||
# policy: two_factor
|
||||
# - domain: singlefactor.example.com
|
||||
# policy: one_factor
|
||||
# - domain: "mx2.mail.example.com"
|
||||
# subject: "group:admins"
|
||||
# policy: deny
|
||||
# - domain: "*.example.com"
|
||||
# subject:
|
||||
# - "group:admins"
|
||||
# - "group:moderators"
|
||||
# policy: two_factor
|
||||
# - domain: dev.example.com
|
||||
# resources:
|
||||
# - "^/groups/dev/.*$"
|
||||
# subject: "group:dev"
|
||||
# policy: two_factor
|
||||
# - domain: dev.example.com
|
||||
# resources:
|
||||
# - "^/users/john/.*$"
|
||||
# subject:
|
||||
# - ["group:dev", "user:john"]
|
||||
# - "group:admins"
|
||||
# policy: two_factor
|
||||
# - domain: "{user}.example.com"
|
||||
# policy: bypass
|
||||
##
|
||||
## Session Provider Configuration
|
||||
##
|
||||
## The session cookies identify the user once logged in.
|
||||
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
|
||||
session:
|
||||
## The name of the session cookie. (default: authelia_session).
|
||||
name: authelia_session
|
||||
## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
|
||||
## Please read https://www.authelia.com/docs/configuration/session.html#same_site
|
||||
same_site: lax
|
||||
## The time in seconds before the cookie expires and session is reset.
|
||||
expiration: 1h
|
||||
## The inactivity time in seconds before the session is reset.
|
||||
inactivity: 5m
|
||||
## The remember me duration.
|
||||
## Value is in seconds, or duration notation. Value of 0 disables remember me.
|
||||
## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
|
||||
## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to
|
||||
## spy or attack. Currently the default is 1M or 1 month.
|
||||
remember_me_duration: 1M
|
||||
##
|
||||
## Redis Provider
|
||||
##
|
||||
## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
|
||||
##
|
||||
## The redis connection details
|
||||
redisProvider:
|
||||
port: 6379
|
||||
## Optional username to be used with authentication.
|
||||
# username: authelia
|
||||
username: ""
|
||||
## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
|
||||
database_index: 0
|
||||
## The maximum number of concurrent active connections to Redis.
|
||||
maximum_active_connections: 8
|
||||
## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
|
||||
minimum_idle_connections: 0
|
||||
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
|
||||
tls:
|
||||
enabled: false
|
||||
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
||||
server_name: ""
|
||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
||||
skip_verify: false
|
||||
## Minimum TLS version for the connection.
|
||||
minimum_version: TLS1.2
|
||||
## The Redis HA configuration options.
|
||||
## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
|
||||
high_availability:
|
||||
enabled: false
|
||||
enabledSecret: false
|
||||
## Sentinel Name / Master Name
|
||||
sentinel_name: mysentinel
|
||||
## The additional nodes to pre-seed the redis provider with (for sentinel).
|
||||
## If the host in the above section is defined, it will be combined with this list to connect to sentinel.
|
||||
## For high availability to be used you must have either defined; the host above or at least one node below.
|
||||
nodes: []
|
||||
# nodes:
|
||||
# - host: sentinel-0.databases.svc.cluster.local
|
||||
# port: 26379
|
||||
# - host: sentinel-1.databases.svc.cluster.local
|
||||
# port: 26379
|
||||
|
||||
## Choose the host with the lowest latency.
|
||||
route_by_latency: false
|
||||
## Choose the host randomly.
|
||||
route_randomly: false
|
||||
##
|
||||
## Regulation Configuration
|
||||
##
|
||||
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done
|
||||
## in a short period of time.
|
||||
regulation:
|
||||
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
|
||||
max_retries: 3
|
||||
## The time range during which the user can attempt login before being banned. The user is banned if the
|
||||
## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation.
|
||||
## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
|
||||
find_time: 2m
|
||||
## The length of time before a banned user can login again. Ban Time accepts duration notation.
|
||||
## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
|
||||
ban_time: 5m
|
||||
##
|
||||
## Storage Provider Configuration
|
||||
##
|
||||
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
|
||||
storage:
|
||||
##
|
||||
## PostgreSQL (Storage Provider)
|
||||
##
|
||||
postgres:
|
||||
port: 5432
|
||||
database: authelia
|
||||
username: authelia
|
||||
sslmode: disable
|
||||
timeout: 5s
|
||||
##
|
||||
## Notification Provider
|
||||
##
|
||||
##
|
||||
## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration.
|
||||
## The available providers are: filesystem, smtp. You must use one and only one of these providers.
|
||||
notifier:
|
||||
## You can disable the notifier startup check by setting this to true.
|
||||
disable_startup_check: false
|
||||
##
|
||||
## File System (Notification Provider)
|
||||
##
|
||||
## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
|
||||
##
|
||||
filesystem:
|
||||
enabled: true
|
||||
filename: /config/notification.txt
|
||||
##
|
||||
## SMTP (Notification Provider)
|
||||
##
|
||||
## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
|
||||
## [Security] By default Authelia will:
|
||||
## - force all SMTP connections over TLS including unauthenticated connections
|
||||
## - use the disable_require_tls boolean value to disable this requirement
|
||||
## (only works for unauthenticated connections)
|
||||
## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
|
||||
## (configure in tls section)
|
||||
smtp:
|
||||
enabled: false
|
||||
enabledSecret: false
|
||||
host: smtp.mail.svc.cluster.local
|
||||
port: 25
|
||||
timeout: 5s
|
||||
username: test
|
||||
plain_password: test
|
||||
sender: admin@example.com
|
||||
## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
|
||||
identifier: localhost
|
||||
## Subject configuration of the emails sent.
|
||||
## {title} is replaced by the text from the notifier
|
||||
subject: "[Authelia] {title}"
|
||||
## This address is used during the startup check to verify the email configuration is correct.
|
||||
## It's not important what it is except if your email server only allows local delivery.
|
||||
startup_check_address: test@authelia.com
|
||||
disable_require_tls: false
|
||||
disable_html_emails: false
|
||||
tls:
|
||||
## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
|
||||
server_name: ""
|
||||
## Skip verifying the server certificate (to allow a self-signed certificate).
|
||||
## In preference to setting this we strongly recommend you add the public portion of the certificate to the
|
||||
## certificates directory which is defined by the `certificates_directory` option at the top of the config.
|
||||
skip_verify: false
|
||||
## Minimum TLS version for either StartTLS or SMTPS.
|
||||
minimum_version: TLS1.2
|
||||
identity_providers:
|
||||
oidc:
|
||||
## Enables this in the config map. Currently in beta stage.
|
||||
## See https://www.authelia.com/docs/configuration/identity-providers/oidc.html#roadmap
|
||||
enabled: false
|
||||
access_token_lifespan: 1h
|
||||
authorize_code_lifespan: 1m
|
||||
id_token_lifespan: 1h
|
||||
refresh_token_lifespan: 90m
|
||||
enable_client_debug_messages: false
|
||||
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
|
||||
## security reasons.
|
||||
minimum_parameter_entropy: 8
|
||||
clients: []
|
||||
# clients:
|
||||
# -
|
||||
## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
|
||||
# id: myapp
|
||||
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
|
||||
# description: My Application
|
||||
|
||||
## The client secret is a shared secret between Authelia and the consumer of this client.
|
||||
# secret: apple123
|
||||
|
||||
## Sets the client to public. This should typically not be set, please see the documentation for usage.
|
||||
# public: false
|
||||
|
||||
## The policy to require for this client; one_factor or two_factor.
|
||||
# authorization_policy: two_factor
|
||||
|
||||
## Configures the consent mode; auto, explicit or implicit
|
||||
# consent_mode: auto
|
||||
|
||||
## Audience this client is allowed to request.
|
||||
# audience: []
|
||||
|
||||
## Scopes this client is allowed to request.
|
||||
# scopes:
|
||||
# - openid
|
||||
# - profile
|
||||
# - email
|
||||
# - groups
|
||||
|
||||
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
|
||||
# redirect_uris:
|
||||
# - https://oidc.example.com/oauth2/callback
|
||||
|
||||
## Grant Types configures which grants this client can obtain.
|
||||
## It's not recommended to configure this unless you know what you're doing.
|
||||
# grant_types:
|
||||
# - refresh_token
|
||||
# - authorization_code
|
||||
|
||||
## Response Types configures which responses this client can be sent.
|
||||
## It's not recommended to configure this unless you know what you're doing.
|
||||
# response_types:
|
||||
# - code
|
||||
|
||||
## Response Modes configures which response modes this client supports.
|
||||
## It's not recommended to configure this unless you know what you're doing.
|
||||
# response_modes:
|
||||
# - form_post
|
||||
# - query
|
||||
# - fragment
|
||||
|
||||
## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
|
||||
# userinfo_signing_algorithm: none
|
||||
|
||||
portal:
|
||||
open:
|
||||
enabled: true
|
||||
|
||||
ingress:
|
||||
main:
|
||||
required: true
|
|
@ -0,0 +1 @@
|
|||
{{- include "tc.v1.common.lib.chart.notes" $ -}}
|
|
@ -0,0 +1,376 @@
|
|||
{{/* Define the configmap */}}
|
||||
{{- define "authelia.configmap.paths" -}}
|
||||
enabled: true
|
||||
data:
|
||||
AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
|
||||
AUTHELIA_JWT_SECRET_FILE: "/secrets/JWT_TOKEN"
|
||||
AUTHELIA_SESSION_SECRET_FILE: "/secrets/SESSION_ENCRYPTION_KEY"
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: "/secrets/ENCRYPTION_KEY"
|
||||
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: "/secrets/STORAGE_PASSWORD"
|
||||
{{- if .Values.authentication_backend.ldap.enabled }}
|
||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE: "/secrets/LDAP_PASSWORD"
|
||||
{{- end }}
|
||||
{{- if .Values.notifier.smtp.enabled }}
|
||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: "/secrets/SMTP_PASSWORD"
|
||||
{{- end }}
|
||||
AUTHELIA_SESSION_REDIS_PASSWORD_FILE: "/secrets/REDIS_PASSWORD"
|
||||
{{- if .Values.redisProvider.high_availability.enabled }}
|
||||
AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE: "/secrets/REDIS_SENTINEL_PASSWORD"
|
||||
{{- end }}
|
||||
{{- if .Values.duo_api.enabled }}
|
||||
AUTHELIA_DUO_API_SECRET_KEY_FILE: "/secrets/DUO_API_KEY"
|
||||
{{- end }}
|
||||
{{- if .Values.identity_providers.oidc.enabled }}
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: "/secrets/OIDC_HMAC_SECRET"
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: "/secrets/OIDC_PRIVATE_KEY"
|
||||
{{- end }}
|
||||
|
||||
{{- end -}}
|
||||
|
||||
{{- define "authelia.configmap.configfile" -}}
|
||||
enabled: true
|
||||
data:
|
||||
configuration.yaml: |
|
||||
---
|
||||
theme: {{ .Values.theme | default "light" }}
|
||||
default_redirection_url: {{ default (printf "https://www.%s" .Values.domain) .Values.default_redirection_url }}
|
||||
ntp:
|
||||
address: {{ .Values.ntp.address | default "time.cloudflare.com:123" }}
|
||||
version: {{ .Values.ntp.version | default 4 }}
|
||||
max_desync: {{ .Values.ntp.max_desync | default "3s" }}
|
||||
disable_startup_check: {{ .Values.ntp.disable_startup_check | default false }}
|
||||
disable_failure: {{ .Values.ntp.disable_failure | default true }}
|
||||
server:
|
||||
host: 0.0.0.0
|
||||
port: {{ .Values.server.port | default 9091 }}
|
||||
{{- if ne "" (.Values.server.path | default "") }}
|
||||
path: {{ .Values.server.path }}
|
||||
{{- end }}
|
||||
buffers:
|
||||
write: {{ .Values.server.write_buffer_size | default 4096 }}
|
||||
read: {{ .Values.server.read_buffer_size | default 4096 }}
|
||||
enable_pprof: {{ .Values.server.enable_pprof | default false }}
|
||||
enable_expvars: {{ .Values.server.enable_expvars | default false }}
|
||||
log:
|
||||
level: {{ .Values.log.level | default "info" }}
|
||||
format: {{ .Values.log.format | default "text" }}
|
||||
{{- if ne "" (.Values.log.file_path | default "") }}
|
||||
file_path: {{ .Values.log.file_path }}
|
||||
keep_stdout: true
|
||||
{{- end }}
|
||||
totp:
|
||||
issuer: {{ .Values.totp.issuer | default .Values.domain }}
|
||||
period: {{ .Values.totp.period | default 30 }}
|
||||
skew: {{ .Values.totp.skew | default 1 }}
|
||||
{{- if .Values.password_policy.enabled }}
|
||||
password_policy:
|
||||
standard:
|
||||
enabled: {{ .Values.password_policy.standard.enabled | default false }}
|
||||
min_length: {{ .Values.password_policy.standard.min_length | default 8 }}
|
||||
max_length: {{ .Values.password_policy.standard.max_length | default 0 }}
|
||||
require_uppercase: {{ .Values.password_policy.standard.require_uppercase | default false }}
|
||||
require_lowercase: {{ .Values.password_policy.standard.require_lowercase | default false }}
|
||||
require_number: {{ .Values.password_policy.standard.require_number | default false }}
|
||||
require_special: {{ .Values.password_policy.standard.require_special | default false }}
|
||||
zxcvbn:
|
||||
enabled: {{ .Values.password_policy.zxcvbn.enabled | default false }}
|
||||
min_score: {{ .Values.password_policy.zxcvbn.min_score | default 3 }}
|
||||
{{- end -}}
|
||||
{{- if .Values.duo_api.enabled }}
|
||||
duo_api:
|
||||
hostname: {{ .Values.duo_api.hostname }}
|
||||
integration_key: {{ .Values.duo_api.integration_key }}
|
||||
{{- end -}}
|
||||
{{- with $auth := .Values.authentication_backend }}
|
||||
authentication_backend:
|
||||
password_reset:
|
||||
disable: {{ $auth.disable_reset_password }}
|
||||
{{- if $auth.file.enabled }}
|
||||
file:
|
||||
path: {{ $auth.file.path }}
|
||||
password:
|
||||
{{- $p := $auth.file.password -}}
|
||||
{{- if $p.algorithm }}
|
||||
algorithm: {{ $p.algorithm }}
|
||||
{{- end -}}
|
||||
{{- if $p.iterations }}
|
||||
iterations: {{ $p.iterations }}
|
||||
{{- end -}}
|
||||
{{- if $p.key_length }}
|
||||
key_length: {{ $p.key_length }}
|
||||
{{- end -}}
|
||||
{{- if $p.salt_length }}
|
||||
salt_length: {{ $p.salt_length }}
|
||||
{{- end -}}
|
||||
{{- if $p.memory }}
|
||||
memory: {{ $p.memory }}
|
||||
{{- end -}}
|
||||
{{- if $p.parallelism }}
|
||||
parallelism: {{ $p.parallelism }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if $auth.ldap.enabled }}
|
||||
ldap:
|
||||
implementation: {{ $auth.ldap.implementation | default "custom" }}
|
||||
url: {{ $auth.ldap.url }}
|
||||
timeout: {{ $auth.ldap.timeout | default "5s" }}
|
||||
start_tls: {{ $auth.ldap.start_tls }}
|
||||
tls:
|
||||
{{- if hasKey $auth.ldap.tls "server_name" }}
|
||||
server_name: {{ $auth.ldap.tls.server_name | default $auth.ldap.host }}
|
||||
{{- end }}
|
||||
minimum_version: {{ $auth.ldap.tls.minimum_version | default "TLS1.2" }}
|
||||
skip_verify: {{ $auth.ldap.tls.skip_verify | default false }}
|
||||
{{- if $auth.ldap.base_dn }}
|
||||
base_dn: {{ $auth.ldap.base_dn }}
|
||||
{{- end -}}
|
||||
{{- if $auth.ldap.username_attribute }}
|
||||
username_attribute: {{ $auth.ldap.username_attribute }}
|
||||
{{- end -}}
|
||||
{{- if $auth.ldap.additional_users_dn }}
|
||||
additional_users_dn: {{ $auth.ldap.additional_users_dn }}
|
||||
{{- end -}}
|
||||
{{- if $auth.ldap.users_filter }}
|
||||
users_filter: {{ $auth.ldap.users_filter }}
|
||||
{{- end -}}
|
||||
{{- if $auth.ldap.additional_groups_dn }}
|
||||
additional_groups_dn: {{ $auth.ldap.additional_groups_dn }}
|
||||
{{- end -}}
|
||||
{{- if $auth.ldap.groups_filter }}
|
||||
groups_filter: {{ $auth.ldap.groups_filter }}
|
||||
{{- end -}}
|
||||
{{- if $auth.ldap.group_name_attribute }}
|
||||
group_name_attribute: {{ $auth.ldap.group_name_attribute }}
|
||||
{{- end -}}
|
||||
{{- if $auth.ldap.mail_attribute }}
|
||||
mail_attribute: {{ $auth.ldap.mail_attribute }}
|
||||
{{- end -}}
|
||||
{{- if $auth.ldap.display_name_attribute }}
|
||||
display_name_attribute: {{ $auth.ldap.display_name_attribute }}
|
||||
{{- end }}
|
||||
user: {{ $auth.ldap.user }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- with $session := .Values.session }}
|
||||
session:
|
||||
name: {{ $session.name | default "authelia_session" }}
|
||||
domain: {{ required "A valid .Values.domain entry required!" $.Values.domain }}
|
||||
same_site: {{ $session.same_site | default "lax" }}
|
||||
expiration: {{ $session.expiration | default "1M" }}
|
||||
inactivity: {{ $session.inactivity | default "5m" }}
|
||||
remember_me_duration: {{ $session.remember_me_duration | default "1M" }}
|
||||
{{- end }}
|
||||
redis:
|
||||
host: {{ .Values.redis.creds.plain }}
|
||||
{{- with $redis := .Values.redisProvider }}
|
||||
port: {{ $redis.port | default 6379 }}
|
||||
{{- if not (eq $redis.username "") }}
|
||||
username: {{ $redis.username }}
|
||||
{{- end }}
|
||||
maximum_active_connections: {{ $redis.maximum_active_connections | default 8 }}
|
||||
minimum_idle_connections: {{ $redis.minimum_idle_connections | default 0 }}
|
||||
{{- if $redis.tls.enabled }}
|
||||
tls:
|
||||
server_name: {{ $redis.tls.server_name }}
|
||||
minimum_version: {{ $redis.tls.minimum_version | default "TLS1.2" }}
|
||||
skip_verify: {{ $redis.tls.skip_verify }}
|
||||
{{- end }}
|
||||
{{- if $redis.high_availability.enabled }}
|
||||
high_availability:
|
||||
sentinel_name: {{ $redis.high_availability.sentinel_name }}
|
||||
{{- if $redis.high_availability.nodes }}
|
||||
nodes:
|
||||
{{- range $node := $redis.high_availability.nodes }}
|
||||
- host: {{ $node.host }}
|
||||
port: {{ $node.port | default 26379 }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
route_by_latency: {{ $redis.high_availability.route_by_latency }}
|
||||
route_randomly: {{ $redis.high_availability.route_randomly }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
regulation:
|
||||
max_retries: {{ .Values.regulation.max_retries | default 3 }}
|
||||
find_time: {{ .Values.regulation.find_time | default "1m" }}
|
||||
ban_time: {{ .Values.regulation.ban_time | default "5m" }}
|
||||
storage:
|
||||
postgres:
|
||||
host: {{ $.Values.cnpg.main.creds.host }}
|
||||
{{- with $storage := .Values.storage }}
|
||||
port: {{ $storage.postgres.port | default 5432 }}
|
||||
database: {{ $storage.postgres.database | default "authelia" }}
|
||||
username: {{ $storage.postgres.username | default "authelia" }}
|
||||
timeout: {{ $storage.postgres.timeout | default "5s" }}
|
||||
ssl:
|
||||
mode: {{ $storage.postgres.sslmode | default "disable" }}
|
||||
{{- end }}
|
||||
{{- with $notifier := .Values.notifier }}
|
||||
notifier:
|
||||
disable_startup_check: {{ $.Values.notifier.disable_startup_check }}
|
||||
{{- if $notifier.filesystem.enabled }}
|
||||
filesystem:
|
||||
filename: {{ $notifier.filesystem.filename }}
|
||||
{{- end }}
|
||||
{{- if $notifier.smtp.enabled }}
|
||||
smtp:
|
||||
host: {{ $notifier.smtp.host }}
|
||||
port: {{ $notifier.smtp.port | default 25 }}
|
||||
timeout: {{ $notifier.smtp.timeout | default "5s" }}
|
||||
{{- with $notifier.smtp.username }}
|
||||
username: {{ . }}
|
||||
{{- end }}
|
||||
sender: {{ $notifier.smtp.sender | quote }}
|
||||
identifier: {{ $notifier.smtp.identifier | quote }}
|
||||
subject: {{ $notifier.smtp.subject | quote }}
|
||||
startup_check_address: {{ $notifier.smtp.startup_check_address | quote }}
|
||||
disable_require_tls: {{ $notifier.smtp.disable_require_tls }}
|
||||
disable_html_emails: {{ $notifier.smtp.disable_html_emails }}
|
||||
tls:
|
||||
server_name: {{ $notifier.smtp.tls.server_name | default $notifier.smtp.host }}
|
||||
minimum_version: {{ $notifier.smtp.tls.minimum_version | default "TLS1.2" }}
|
||||
skip_verify: {{ $notifier.smtp.tls.skip_verify | default false }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.identity_providers.oidc.enabled }}
|
||||
identity_providers:
|
||||
oidc:
|
||||
access_token_lifespan: {{ .Values.identity_providers.oidc.access_token_lifespan | default "1h" }}
|
||||
authorize_code_lifespan: {{ .Values.identity_providers.oidc.authorize_code_lifespan | default "1m" }}
|
||||
id_token_lifespan: {{ .Values.identity_providers.oidc.id_token_lifespan | default "1h" }}
|
||||
refresh_token_lifespan: {{ .Values.identity_providers.oidc.refresh_token_lifespan | default "90m" }}
|
||||
enable_client_debug_messages: {{ .Values.identity_providers.oidc.enable_client_debug_messages | default false }}
|
||||
minimum_parameter_entropy: {{ .Values.identity_providers.oidc.minimum_parameter_entropy | default 8 }}
|
||||
{{- if .Values.identity_providers.oidc.clients }}
|
||||
clients:
|
||||
{{- range $client := .Values.identity_providers.oidc.clients }}
|
||||
- id: {{ $client.id }}
|
||||
description: {{ $client.description | default $client.id }}
|
||||
secret: {{ $client.secret | default (randAlphaNum 128) }}
|
||||
{{- if $client.public }}
|
||||
public: {{ $client.public }}
|
||||
{{- end }}
|
||||
authorization_policy: {{ $client.authorization_policy | default "two_factor" }}
|
||||
consent_mode: {{ $client.consent_mode | default "auto" }}
|
||||
redirect_uris:
|
||||
{{- range $client.redirect_uris }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- if $client.audience }}
|
||||
audience:
|
||||
{{- range $client.audience }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
scopes:
|
||||
{{- range ($client.scopes | default (list "openid" "profile" "email" "groups")) }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
grant_types:
|
||||
{{- range ($client.grant_types | default (list "refresh_token" "authorization_code")) }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
response_types:
|
||||
{{- range ($client.response_types | default (list "code")) }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- if $client.response_modes }}
|
||||
response_modes:
|
||||
{{- range $client.response_modes }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
userinfo_signing_algorithm: {{ $client.userinfo_signing_algorithm | default "none" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
access_control:
|
||||
{{- if not .Values.access_control.rules }}
|
||||
{{- if (eq .Values.access_control.default_policy "bypass") }}
|
||||
default_policy: one_factor
|
||||
{{- else if (eq .Values.access_control.default_policy "deny") }}
|
||||
default_policy: two_factor
|
||||
{{- else }}
|
||||
default_policy: {{ .Values.access_control.default_policy }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
default_policy: {{ .Values.access_control.default_policy }}
|
||||
{{- end }}
|
||||
|
||||
{{- if and .Values.access_control.networks (not .Values.access_control.networks_access_control) -}}
|
||||
{{- fail "Please change [.Values.access_control.networks] to [.Values.access_control.networks_access_control]" -}}
|
||||
{{- end -}}
|
||||
{{- if not .Values.access_control.networks_access_control }}
|
||||
networks: []
|
||||
{{- else }}
|
||||
networks:
|
||||
{{- range $net := .Values.access_control.networks_access_control }}
|
||||
- name: {{ $net.name }}
|
||||
networks:
|
||||
{{- range $net.networks }}
|
||||
- {{ . | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if not .Values.access_control.rules }}
|
||||
rules: []
|
||||
{{- else }}
|
||||
rules:
|
||||
{{- range $rule := .Values.access_control.rules }}
|
||||
{{- if $rule.domain }}
|
||||
- domain:
|
||||
{{- if kindIs "string" $rule.domain }}
|
||||
- {{ $rule.domain | squote }}
|
||||
{{- else -}}
|
||||
{{- range $rule.domain }}
|
||||
- {{ . | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- if $rule.domain_regex }}
|
||||
domain_regex:
|
||||
{{- if kindIs "string" $rule.domain_regex }}
|
||||
- {{ $rule.domain_regex | squote }}
|
||||
{{- else -}}
|
||||
{{- range $rule.domain_regex }}
|
||||
- {{ . | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $rule.policy }}
|
||||
policy: {{ . }}
|
||||
{{- end -}}
|
||||
{{- if $rule.networks }}
|
||||
networks:
|
||||
{{- if kindIs "string" $rule.networks }}
|
||||
- {{ $rule.networks | squote }}
|
||||
{{- else -}}
|
||||
{{- range $rule.networks }}
|
||||
- {{ . | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $rule.subject }}
|
||||
subject:
|
||||
{{- if kindIs "string" $rule.subject }}
|
||||
- {{ $rule.subject | squote }}
|
||||
{{- else -}}
|
||||
{{- range $rule.subject }}
|
||||
- {{ . | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $rule.resources }}
|
||||
resources:
|
||||
{{- if kindIs "string" $rule.resources }}
|
||||
- {{ $rule.resources | squote }}
|
||||
{{- else -}}
|
||||
{{- range $rule.resources }}
|
||||
- {{ . | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
...
|
||||
{{- end -}}
|
|
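Review bot: `secret: {{ $client.secret | default (randAlphaNum 128) }}` in the OIDC clients loop mints a fresh random client secret on every render when `secret` is omitted, so each upgrade silently rotates the credential the relying party was configured with, and it lands in plain text in the configuration ConfigMap rather than in the Secret that holds the other OIDC material; make the field mandatory with `secret: {{ required "identity_providers.oidc.clients[].secret is required" $client.secret }}` or move it into the secrets template. Separately, the `default_policy` remap used when no rules are set turns an explicit `deny` into `two_factor`, which converts a deny-all posture into allow-after-2FA without telling the operator; a `fail` with a message is preferable to a silent rewrite. Whether Authelia itself rejects `deny`/`bypass` with an empty rule list is not visible here, so the remap may be deliberate — if so it deserves a template comment stating why, e.g. `{{/* Authelia refuses an empty rule list with this default_policy; fall back to a permitting policy */}}`.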
@ -0,0 +1,53 @@
|
|||
{{/* Define the secrets */}}
|
||||
{{- define "authelia.secrets" -}}
|
||||
{{- $basename := include "tc.v1.common.lib.chart.names.fullname" $ -}}
|
||||
{{- $fetchname := printf "%s-authelia-secrets" $basename -}}
|
||||
|
||||
{{/* Initialize all keys */}}
|
||||
{{- $oidckey := genPrivateKey "rsa" }}
|
||||
{{- $oidcsecret := randAlphaNum 32 }}
|
||||
{{- $jwtsecret := randAlphaNum 50 }}
|
||||
{{- $sessionsecret := randAlphaNum 50 }}
|
||||
{{- $encryptionkey := randAlphaNum 100 }}
|
||||
|
||||
enabled: true
|
||||
data:
|
||||
{{ with (lookup "v1" "Secret" .Release.Namespace $fetchname) }}
|
||||
{{/* Get previous values and decode */}}
|
||||
{{ $sessionsecret = (index .data "SESSION_ENCRYPTION_KEY") | b64dec }}
|
||||
{{ $jwtsecret = (index .data "JWT_TOKEN") | b64dec }}
|
||||
{{ $encryptionkey = (index .data "ENCRYPTION_KEY") | b64dec }}
|
||||
|
||||
{{/* Check if those keys ever existed. as OIDC is optional */}}
|
||||
{{ if and (hasKey .data "OIDC_PRIVATE_KEY") (hasKey .data "OIDC_HMAC_SECRET") }}
|
||||
{{ $oidckey = (index .data "OIDC_PRIVATE_KEY") | b64dec }}
|
||||
{{ $oidcsecret = (index .data "OIDC_HMAC_SECRET") | b64dec }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
SESSION_ENCRYPTION_KEY: {{ $sessionsecret }}
|
||||
JWT_TOKEN: {{ $jwtsecret }}
|
||||
ENCRYPTION_KEY: {{ $encryptionkey }}
|
||||
|
||||
{{- if .Values.authentication_backend.ldap.enabled }}
|
||||
LDAP_PASSWORD: {{ .Values.authentication_backend.ldap.plain_password | quote }}
|
||||
{{- end }}
|
||||
|
||||
{{- if and .Values.notifier.smtp.enabled .Values.notifier.smtp.plain_password }}
|
||||
SMTP_PASSWORD: {{ .Values.notifier.smtp.plain_password | quote }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.duo_api.enabled }}
|
||||
DUO_API_KEY: {{ .Values.duo_api.plain_api_key | quote }}
|
||||
{{- end }}
|
||||
|
||||
STORAGE_PASSWORD: {{ $.Values.cnpg.main.creds.password | trimAll "\"" }}
|
||||
|
||||
REDIS_PASSWORD: {{ .Values.redis.creds.redisPassword | trimAll "\"" }}
|
||||
{{- if .Values.redisProvider.high_availability.enabled }}
|
||||
REDIS_SENTINEL_PASSWORD: {{ .Values.redis.sentinelPassword | trimAll "\"" }}
|
||||
{{- end }}
|
||||
|
||||
OIDC_PRIVATE_KEY: |
|
||||
{{- $oidckey | nindent 4 }}
|
||||
OIDC_HMAC_SECRET: {{ $oidcsecret }}
|
||||
{{- end -}}
|
|
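Review bot: `STORAGE_PASSWORD`, `REDIS_PASSWORD` and `REDIS_SENTINEL_PASSWORD` are emitted as bare scalars after `trimAll "\""`, while `LDAP_PASSWORD`, `SMTP_PASSWORD` and `DUO_API_KEY` go through `| quote`; a password containing `#`, `: `, a leading `*` or `&`, or one that looks like a number or boolean will be mangled or will break the YAML this define is later parsed from with `fromYaml`. Quote them too, e.g. `STORAGE_PASSWORD: {{ $.Values.cnpg.main.creds.password | trimAll "\"" | quote }}` and the same for the two Redis lines. The values read back from the existing Secret on the `lookup` path (`SESSION_ENCRYPTION_KEY`, `JWT_TOKEN`, `ENCRYPTION_KEY`, `OIDC_HMAC_SECRET`) have the same exposure: they are `randAlphaNum` output today, but once decoded from a Secret an operator may have edited nothing guarantees they are YAML-safe. A comment above the `lookup` would also help the next reader, e.g. `{{/* lookup returns nothing under helm template / --dry-run, so all keys are regenerated there and the rendered output differs from the live Secret */}}`.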
@ -0,0 +1,77 @@
|
|||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "tc.v1.common.loader.init" . }}
|
||||
|
||||
{{/* Render configmap for authelia */}}
|
||||
{{- $configmapPaths := include "authelia.configmap.paths" . | fromYaml -}}
|
||||
{{- if $configmapPaths -}}
|
||||
{{- $_ := set .Values.configmap "authelia-paths" $configmapPaths -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $configmapFile := include "authelia.configmap.configfile" . | fromYaml -}}
|
||||
{{- if $configmapFile -}}
|
||||
{{- $_ := set .Values.configmap "authelia-configfile" $configmapFile -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Render secrets for authelia */}}
|
||||
{{- $secret := include "authelia.secrets" . | fromYaml -}}
|
||||
{{- if $secret -}}
|
||||
{{- $_ := set .Values.secret "authelia-secrets" $secret -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append the general configMap volume to the volumes */}}
|
||||
{{- define "authelia.configmapVolume" -}}
|
||||
enabled: true
|
||||
mountPath: /configuration.yaml
|
||||
subPath: configuration.yaml
|
||||
readOnly: true
|
||||
type: "configmap"
|
||||
objectName: authelia-configfile
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append the general secret volumes to the volumes */}}
|
||||
{{- define "authelia.secretVolumes" -}}
|
||||
enabled: true
|
||||
mountPath: "/secrets"
|
||||
readOnly: true
|
||||
type: "secret"
|
||||
objectName: authelia-secrets
|
||||
items:
|
||||
- key: "JWT_TOKEN"
|
||||
path: JWT_TOKEN
|
||||
- key: "SESSION_ENCRYPTION_KEY"
|
||||
path: SESSION_ENCRYPTION_KEY
|
||||
- key: "ENCRYPTION_KEY"
|
||||
path: ENCRYPTION_KEY
|
||||
- key: "STORAGE_PASSWORD"
|
||||
path: STORAGE_PASSWORD
|
||||
{{- if .Values.authentication_backend.ldap.enabled }}
|
||||
- key: "LDAP_PASSWORD"
|
||||
path: LDAP_PASSWORD
|
||||
{{- end }}
|
||||
{{- if and .Values.notifier.smtp.enabled .Values.notifier.smtp.plain_password }}
|
||||
- key: "SMTP_PASSWORD"
|
||||
path: SMTP_PASSWORD
|
||||
{{- end }}
|
||||
- key: "REDIS_PASSWORD"
|
||||
path: REDIS_PASSWORD
|
||||
{{- if .Values.redisProvider.high_availability.enabled}}
|
||||
- key: "REDIS_SENTINEL_PASSWORD"
|
||||
path: REDIS_SENTINEL_PASSWORD
|
||||
{{- end }}
|
||||
{{- if .Values.duo_api.enabled }}
|
||||
- key: "DUO_API_KEY"
|
||||
path: DUO_API_KEY
|
||||
{{- end }}
|
||||
{{- if .Values.identity_providers.oidc.enabled }}
|
||||
- key: "OIDC_PRIVATE_KEY"
|
||||
path: OIDC_PRIVATE_KEY
|
||||
- key: "OIDC_HMAC_SECRET"
|
||||
path: OIDC_HMAC_SECRET
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{- $_ := set .Values.persistence "authelia-configfile" (include "authelia.configmapVolume" . | fromYaml) -}}
|
||||
{{- $_ := set .Values.persistence "authelia-secrets" (include "authelia.secretVolumes" . | fromYaml) -}}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
{{ include "tc.v1.common.loader.apply" . }}
|
|
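Review bot: The `{{- if $secret -}}` and `{{- if $configmapFile -}}` guards do not catch parse failures: Helm's `fromYaml` reports invalid input as a map carrying an `Error` key rather than an empty value, so a define that renders to bad YAML (for instance a secret value with YAML specials) would still be installed as a wrong Secret or ConfigMap with these guards passing. Failing early after each `fromYaml` is cheap, e.g. `{{- if hasKey $secret "Error" }}{{ fail $secret.Error }}{{ end }}`. Minor style point: `{{- if .Values.redisProvider.high_availability.enabled}}` in `authelia.secretVolumes` lacks the space before `}}` that every other action in the file has.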
@ -0,0 +1,4 @@
|
|||
icon_url: https://truecharts.org/img/hotlink-ok/chart-icons/authelia.png
|
||||
categories:
|
||||
- security
|
||||
screenshots: []
|
|
@ -0,0 +1,30 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
# OWNERS file for Kubernetes
|
||||
OWNERS
|
||||
# helm-docs templates
|
||||
*.gotmpl
|
||||
# docs folder
|
||||
/docs
|
||||
# icon
|
||||
icon.png
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
title: Changelog
|
||||
---
|
||||
|
||||
|
||||
*for the complete changelog, please refer to the website*
|
||||
|
||||
**Important:**
|
||||
|
||||
|
||||
## [blocky-14.3.5](https://github.com/truecharts/charts/compare/blocky-14.3.4...blocky-14.3.5) (2024-03-16)
|
||||
|
||||
### Chore
|
||||
|
||||
|
||||
|
||||
- rename `enterprise`- train to `premium`-train
|
|
@ -0,0 +1,47 @@
|
|||
annotations:
|
||||
max_scale_version: 24.04.0
|
||||
min_scale_version: 23.10.0
|
||||
truecharts.org/SCALE-support: "true"
|
||||
truecharts.org/category: network
|
||||
truecharts.org/max_helm_version: "3.14"
|
||||
truecharts.org/min_helm_version: "3.12"
|
||||
truecharts.org/train: premium
|
||||
apiVersion: v2
|
||||
appVersion: 0.23.0
|
||||
dependencies:
|
||||
- name: common
|
||||
version: 20.0.9
|
||||
repository: oci://tccr.io/truecharts
|
||||
condition: ""
|
||||
alias: ""
|
||||
tags: []
|
||||
import-values: []
|
||||
- name: redis
|
||||
version: 13.0.3
|
||||
repository: oci://tccr.io/truecharts
|
||||
condition: redis.enabled
|
||||
alias: ""
|
||||
tags: []
|
||||
import-values: []
|
||||
deprecated: false
|
||||
description: Blocky is a DNS proxy, DNS enhancer and ad-blocker for the local network written in Go
|
||||
home: https://truecharts.org/charts/premium/blocky
|
||||
icon: https://truecharts.org/img/hotlink-ok/chart-icons/blocky.png
|
||||
keywords:
|
||||
- dns
|
||||
- blocky
|
||||
kubeVersion: '>=1.24.0-0'
|
||||
maintainers:
|
||||
- name: TrueCharts
|
||||
email: info@truecharts.org
|
||||
url: https://truecharts.org
|
||||
name: blocky
|
||||
sources:
|
||||
- https://github.com/Mozart409/blocky-frontend
|
||||
- https://0xerr0r.github.io/blocky/
|
||||
- https://github.com/0xERR0R/blocky
|
||||
- https://github.com/truecharts/charts/tree/master/charts/premium/blocky
|
||||
- https://hub.docker.com/r/spx01/blocky
|
||||
- https://quay.io/oriedge/k8s_gateway
|
||||
type: application
|
||||
version: 14.3.5
|
|
@ -0,0 +1,106 @@
|
|||
Business Source License 1.1
|
||||
|
||||
Parameters
|
||||
|
||||
Licensor: The TrueCharts Project, it's owner and it's contributors
|
||||
Licensed Work: The TrueCharts "Blocky" Helm Chart
|
||||
Additional Use Grant: You may use the licensed work in production, as long
|
||||
as it is directly sourced from a TrueCharts provided
|
||||
official repository, catalog or source. You may also make private
|
||||
modification to the directly sourced licenced work,
|
||||
when used in production.
|
||||
|
||||
The following cases are, due to their nature, also
|
||||
defined as 'production use' and explicitly prohibited:
|
||||
- Bundling, including or displaying the licensed work
|
||||
with(in) another work intended for production use,
|
||||
with the apparent intend of facilitating and/or
|
||||
promoting production use by third parties in
|
||||
violation of this license.
|
||||
|
||||
Change Date: 2050-01-01
|
||||
|
||||
Change License: 3-clause BSD license
|
||||
|
||||
For information about alternative licensing arrangements for the Software,
|
||||
please contact: legal@truecharts.org
|
||||
|
||||
Notice
|
||||
|
||||
The Business Source License (this document, or the “License”) is not an Open
|
||||
Source license. However, the Licensed Work will eventually be made available
|
||||
under an Open Source License, as stated in this License.
|
||||
|
||||
License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
|
||||
“Business Source License” is a trademark of MariaDB Corporation Ab.
|
||||
|
||||
-----------------------------------------------------------------------------
|
||||
|
||||
Business Source License 1.1
|
||||
|
||||
Terms
|
||||
|
||||
The Licensor hereby grants you the right to copy, modify, create derivative
|
||||
works, redistribute, and make non-production use of the Licensed Work. The
|
||||
Licensor may make an Additional Use Grant, above, permitting limited
|
||||
production use.
|
||||
|
||||
Effective on the Change Date, or the fourth anniversary of the first publicly
|
||||
available distribution of a specific version of the Licensed Work under this
|
||||
License, whichever comes first, the Licensor hereby grants you rights under
|
||||
the terms of the Change License, and the rights granted in the paragraph
|
||||
above terminate.
|
||||
|
||||
If your use of the Licensed Work does not comply with the requirements
|
||||
currently in effect as described in this License, you must purchase a
|
||||
commercial license from the Licensor, its affiliated entities, or authorized
|
||||
resellers, or you must refrain from using the Licensed Work.
|
||||
|
||||
All copies of the original and modified Licensed Work, and derivative works
|
||||
of the Licensed Work, are subject to this License. This License applies
|
||||
separately for each version of the Licensed Work and the Change Date may vary
|
||||
for each version of the Licensed Work released by Licensor.
|
||||
|
||||
You must conspicuously display this License on each original or modified copy
|
||||
of the Licensed Work. If you receive the Licensed Work in original or
|
||||
modified form from a third party, the terms and conditions set forth in this
|
||||
License apply to your use of that work.
|
||||
|
||||
Any use of the Licensed Work in violation of this License will automatically
|
||||
terminate your rights under this License for the current and all other
|
||||
versions of the Licensed Work.
|
||||
|
||||
This License does not grant you any right in any trademark or logo of
|
||||
Licensor or its affiliates (provided that you may use a trademark or logo of
|
||||
Licensor as expressly required by this License).
|
||||
|
||||
TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
|
||||
AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
|
||||
EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
|
||||
TITLE.
|
||||
|
||||
MariaDB hereby grants you permission to use this License’s text to license
|
||||
your works, and to refer to it using the trademark “Business Source License”,
|
||||
as long as you comply with the Covenants of Licensor below.
|
||||
|
||||
Covenants of Licensor
|
||||
|
||||
In consideration of the right to use this License’s text and the “Business
|
||||
Source License” name and trademark, Licensor covenants to MariaDB, and to all
|
||||
other recipients of the licensed work to be provided by Licensor:
|
||||
|
||||
1. To specify as the Change License the GPL Version 2.0 or any later version,
|
||||
or a license that is compatible with GPL Version 2.0 or a later version,
|
||||
where “compatible” means that software provided under the Change License can
|
||||
be included in a program with software provided under GPL Version 2.0 or a
|
||||
later version. Licensor may specify additional Change Licenses without
|
||||
limitation.
|
||||
|
||||
2. To either: (a) specify an additional grant of rights to use that does not
|
||||
impose any additional restriction on the right granted in this License, as
|
||||
the Additional Use Grant; or (b) insert the text “None”.
|
||||
|
||||
3. To specify a Change Date.
|
||||
|
||||
4. Not to modify this License in any other way.
|
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
title: README
|
||||
---
|
||||
|
||||
## General Info
|
||||
|
||||
TrueCharts can be installed as both _normal_ Helm Charts or as Apps on TrueNAS SCALE.
|
||||
However only installations using the TrueNAS SCALE Apps system are supported.
|
||||
|
||||
For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/premium/blocky)
|
||||
|
||||
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
|
||||
|
||||
## Support
|
||||
|
||||
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE/guides/scale-intro).
|
||||
- See the [Website](https://truecharts.org)
|
||||
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
|
||||
- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
|
||||
|
||||
---
|
||||
|
||||
## Sponsor TrueCharts
|
||||
|
||||
TrueCharts can only exist due to the incredible effort of our staff.
|
||||
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
|
||||
|
||||
_All Rights Reserved - The TrueCharts Project_
|
|
@ -0,0 +1,9 @@
|
|||
|
||||
|
||||
## [blocky-14.3.5](https://github.com/truecharts/charts/compare/blocky-14.3.4...blocky-14.3.5) (2024-03-16)
|
||||
|
||||
### Chore
|
||||
|
||||
|
||||
|
||||
- rename `enterprise`- train to `premium`-train
|
|
@ -0,0 +1,8 @@
|
|||
Blocky is a DNS proxy, DNS enhancer and ad-blocker for the local network written in Go
|
||||
|
||||
This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/premium/blocky](https://truecharts.org/charts/premium/blocky)
|
||||
|
||||
---
|
||||
|
||||
TrueCharts can only exist due to the incredible effort of our staff.
|
||||
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
|
|
@ -0,0 +1,874 @@
|
|||
{
|
||||
"__inputs": [
|
||||
{
|
||||
"name": "DS_POSTGRES",
|
||||
"label": "Postgres",
|
||||
"description": "",
|
||||
"type": "datasource",
|
||||
"pluginId": "postgres",
|
||||
"pluginName": "Postgres"
|
||||
}
|
||||
],
|
||||
"__requires": [
|
||||
{
|
||||
"type": "panel",
|
||||
"id": "barchart",
|
||||
"name": "Bar chart",
|
||||
"version": ""
|
||||
},
|
||||
{
|
||||
"type": "panel",
|
||||
"id": "bargauge",
|
||||
"name": "Bar gauge",
|
||||
"version": ""
|
||||
},
|
||||
{
|
||||
"type": "grafana",
|
||||
"id": "grafana",
|
||||
"name": "Grafana",
|
||||
"version": "8.1.2"
|
||||
},
|
||||
{
|
||||
"type": "datasource",
|
||||
"id": "postgres",
|
||||
"name": "Postgres",
|
||||
"version": "1.0.0"
|
||||
},
|
||||
{
|
||||
"type": "panel",
|
||||
"id": "piechart",
|
||||
"name": "Pie chart",
|
||||
"version": ""
|
||||
},
|
||||
{
|
||||
"type": "panel",
|
||||
"id": "table",
|
||||
"name": "Table",
|
||||
"version": ""
|
||||
},
|
||||
{
|
||||
"type": "panel",
|
||||
"id": "timeseries",
|
||||
"name": "Time series",
|
||||
"version": ""
|
||||
}
|
||||
],
|
||||
"annotations": {
|
||||
"list": [
|
||||
{
|
||||
"builtIn": 1,
|
||||
"datasource": "-- Grafana --",
|
||||
"enable": true,
|
||||
"hide": true,
|
||||
"iconColor": "rgba(0, 211, 255, 1)",
|
||||
"name": "Annotations & Alerts",
|
||||
"target": {
|
||||
"limit": 100,
|
||||
"matchAny": false,
|
||||
"tags": [],
|
||||
"type": "dashboard"
|
||||
},
|
||||
"type": "dashboard"
|
||||
}
|
||||
]
|
||||
},
|
||||
"editable": true,
|
||||
"gnetId": null,
|
||||
"graphTooltip": 0,
|
||||
"id": null,
|
||||
"iteration": 1631130053746,
|
||||
"links": [],
|
||||
"panels": [
|
||||
{
|
||||
"cacheTimeout": null,
|
||||
"datasource": "${DS_POSTGRES}",
|
||||
"description": "",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"hideFrom": {
|
||||
"legend": false,
|
||||
"tooltip": false,
|
||||
"viz": false
|
||||
}
|
||||
},
|
||||
"displayName": "${__field.labels.response_type}",
|
||||
"mappings": [],
|
||||
"unit": "short"
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 8,
|
||||
"w": 6,
|
||||
"x": 0,
|
||||
"y": 0
|
||||
},
|
||||
"id": 14,
|
||||
"interval": null,
|
||||
"links": [],
|
||||
"options": {
|
||||
"displayLabels": [],
|
||||
"legend": {
|
||||
"displayMode": "table",
|
||||
"placement": "right",
|
||||
"values": ["value"]
|
||||
},
|
||||
"pieType": "pie",
|
||||
"reduceOptions": {
|
||||
"calcs": ["sum"],
|
||||
"fields": "",
|
||||
"values": false
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "single"
|
||||
}
|
||||
},
|
||||
"pluginVersion": "8.1.2",
|
||||
"repeatDirection": "v",
|
||||
"targets": [
|
||||
{
|
||||
"format": "time_series",
|
||||
"group": [],
|
||||
"metricColumn": "none",
|
||||
"rawQuery": true,
|
||||
"rawSql": "SELECT t.response_type, max(t.request_Ts) as time, count(*) as cnt from log_entries t \n WHERE $__timeFilter(t.request_Ts) and \n t.response_type in ($response_type) and \n t.client_name in ($client_name) and \n (length(''$question'') = 0 or POSITION(lower(''$question'') IN t.question_name) > 0)\n group by t.response_type\n order by time",
|
||||
"refId": "A",
|
||||
"select": [
|
||||
[
|
||||
{
|
||||
"params": ["value"],
|
||||
"type": "column"
|
||||
}
|
||||
]
|
||||
],
|
||||
"timeColumn": "time",
|
||||
"where": [
|
||||
{
|
||||
"name": "$__timeFilter",
|
||||
"params": [],
|
||||
"type": "macro"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timeFrom": null,
|
||||
"timeShift": null,
|
||||
"title": "Query count by response type",
|
||||
"transformations": [],
|
||||
"type": "piechart"
|
||||
},
|
||||
{
|
||||
"datasource": "${DS_POSTGRES}",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"hideFrom": {
|
||||
"legend": false,
|
||||
"tooltip": false,
|
||||
"viz": false
|
||||
}
|
||||
},
|
||||
"mappings": []
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 8,
|
||||
"w": 6,
|
||||
"x": 6,
|
||||
"y": 0
|
||||
},
|
||||
"id": 16,
|
||||
"options": {
|
||||
"displayLabels": [],
|
||||
"legend": {
|
||||
"displayMode": "table",
|
||||
"placement": "right",
|
||||
"values": ["value"]
|
||||
},
|
||||
"pieType": "pie",
|
||||
"reduceOptions": {
|
||||
"calcs": ["lastNotNull"],
|
||||
"fields": "",
|
||||
"values": false
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "single"
|
||||
}
|
||||
},
|
||||
"targets": [
|
||||
{
|
||||
"format": "time_series",
|
||||
"group": [],
|
||||
"metricColumn": "none",
|
||||
"rawQuery": true,
|
||||
"rawSql": "SELECT max(t.request_ts) AS time,\n case when t.reason like ''BLOCKED%'' then SPLIT_PART(SPLIT_PART(t.reason,''('',-1), '')'',1) else '''' end AS metric,\n count(t.reason) AS cnt\nFROM log_entries t\nWHERE t.response_type =''BLOCKED''\n AND $__timeFilter(t.request_Ts)\n AND t.client_name in ($client_name)\n AND (length(''$question'') = 0 or POSITION(lower(''$question'') IN t.question_name) > 0)\nGROUP BY 2\nORDER BY time",
|
||||
"refId": "A",
|
||||
"select": [
|
||||
[
|
||||
{
|
||||
"params": ["duration_ms"],
|
||||
"type": "column"
|
||||
}
|
||||
]
|
||||
],
|
||||
"table": "log_entries",
|
||||
"timeColumn": "request_ts",
|
||||
"timeColumnType": "timestamp",
|
||||
"where": [
|
||||
{
|
||||
"name": "$__timeFilter",
|
||||
"params": [],
|
||||
"type": "macro"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"title": "Blocked by Blacklist",
|
||||
"type": "piechart"
|
||||
},
|
||||
{
|
||||
"cacheTimeout": null,
|
||||
"datasource": "${DS_POSTGRES}",
|
||||
"description": "",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "thresholds"
|
||||
},
|
||||
"mappings": [],
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
}
|
||||
]
|
||||
},
|
||||
"unit": "short"
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 8,
|
||||
"w": 12,
|
||||
"x": 12,
|
||||
"y": 0
|
||||
},
|
||||
"id": 13,
|
||||
"interval": null,
|
||||
"links": [],
|
||||
"options": {
|
||||
"displayMode": "gradient",
|
||||
"orientation": "horizontal",
|
||||
"reduceOptions": {
|
||||
"calcs": ["lastNotNull"],
|
||||
"fields": "",
|
||||
"values": true
|
||||
},
|
||||
"showUnfilled": true,
|
||||
"text": {}
|
||||
},
|
||||
"pluginVersion": "8.1.2",
|
||||
"repeatDirection": "v",
|
||||
"targets": [
|
||||
{
|
||||
"format": "table",
|
||||
"group": [],
|
||||
"metricColumn": "none",
|
||||
"rawQuery": true,
|
||||
"rawSql": "SELECT max(t.request_Ts) as time, t.client_name as metric, count(*) as cnt from log_entries t \n WHERE $__timeFilter(t.request_Ts) and \n t.response_type in ($response_type) and \n t.client_name in ($client_name) and \n (length(''$question'') = 0 or POSITION(lower(''$question'') IN t.question_name) > 0)\n group by t.client_name\n order by 3 desc",
|
||||
"refId": "A",
|
||||
"select": [
|
||||
[
|
||||
{
|
||||
"params": ["value"],
|
||||
"type": "column"
|
||||
}
|
||||
]
|
||||
],
|
||||
"timeColumn": "time",
|
||||
"where": [
|
||||
{
|
||||
"name": "$__timeFilter",
|
||||
"params": [],
|
||||
"type": "macro"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timeFrom": null,
|
||||
"timeShift": null,
|
||||
"title": "Query count by client",
|
||||
"transformations": [],
|
||||
"type": "bargauge"
|
||||
},
|
||||
{
|
||||
"datasource": "${DS_POSTGRES}",
|
||||
"description": "Top 20 effective top level domain plus one more label",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"axisSoftMin": 0,
|
||||
"fillOpacity": 67,
|
||||
"gradientMode": "none",
|
||||
"hideFrom": {
|
||||
"legend": false,
|
||||
"tooltip": false,
|
||||
"viz": false
|
||||
},
|
||||
"lineWidth": 2
|
||||
},
|
||||
"displayName": "count",
|
||||
"mappings": [],
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
}
|
||||
]
|
||||
},
|
||||
"unit": "short"
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 8,
|
||||
"w": 12,
|
||||
"x": 0,
|
||||
"y": 8
|
||||
},
|
||||
"id": 11,
|
||||
"options": {
|
||||
"barWidth": 0.26,
|
||||
"groupWidth": 0.7,
|
||||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "hidden",
|
||||
"placement": "bottom"
|
||||
},
|
||||
"orientation": "horizontal",
|
||||
"showValue": "never",
|
||||
"stacking": "none",
|
||||
"text": {
|
||||
"valueSize": 10
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "single"
|
||||
}
|
||||
},
|
||||
"targets": [
|
||||
{
|
||||
"format": "table",
|
||||
"group": [],
|
||||
"hide": false,
|
||||
"metricColumn": "question_name",
|
||||
"rawQuery": true,
|
||||
"rawSql": "SELECT t.effective_tldp as metric, count(*) as value from log_entries t \nWHERE $__timeFilter(t.request_Ts) \n and t.response_type in ($response_type) \n and t.client_name in ($client_name) \n and (length(''$question'') = 0 or POSITION(lower(''$question'') IN t.question_name) > 0) \n group by t.effective_tldp order by count(*) desc limit 20",
|
||||
"refId": "A",
|
||||
"select": [
|
||||
[
|
||||
{
|
||||
"params": ["value"],
|
||||
"type": "column"
|
||||
}
|
||||
]
|
||||
],
|
||||
"table": "log_entries",
|
||||
"timeColumn": "request_ts",
|
||||
"where": []
|
||||
}
|
||||
],
|
||||
"title": "Top 20 effective TLD+1",
|
||||
"type": "barchart"
|
||||
},
|
||||
{
|
||||
"datasource": "${DS_POSTGRES}",
|
||||
"description": "",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"axisSoftMin": 0,
|
||||
"fillOpacity": 67,
|
||||
"gradientMode": "none",
|
||||
"hideFrom": {
|
||||
"legend": false,
|
||||
"tooltip": false,
|
||||
"viz": false
|
||||
},
|
||||
"lineWidth": 2
|
||||
},
|
||||
"displayName": "count",
|
||||
"mappings": [],
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
}
|
||||
]
|
||||
},
|
||||
"unit": "short"
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 8,
|
||||
"w": 12,
|
||||
"x": 12,
|
||||
"y": 8
|
||||
},
|
||||
"id": 8,
|
||||
"options": {
|
||||
"barWidth": 0.26,
|
||||
"groupWidth": 0.7,
|
||||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "hidden",
|
||||
"placement": "bottom"
|
||||
},
|
||||
"orientation": "horizontal",
|
||||
"showValue": "never",
|
||||
"stacking": "none",
|
||||
"text": {
|
||||
"valueSize": 10
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "single"
|
||||
}
|
||||
},
|
||||
"targets": [
|
||||
{
|
||||
"format": "table",
|
||||
"group": [],
|
||||
"hide": false,
|
||||
"metricColumn": "question_name",
|
||||
"rawQuery": true,
|
||||
"rawSql": "SELECT t.question_name as metric, count(*) as value from log_entries t \n WHERE $__timeFilter(t.request_Ts) and \n t.response_type in ($response_type) and \n t.client_name in ($client_name) and \n (length(''$question'') = 0 or POSITION(lower(''$question'') IN t.question_name) > 0) \n group by t.question_name order by count(*) desc limit 20",
|
||||
"refId": "A",
|
||||
"select": [
|
||||
[
|
||||
{
|
||||
"params": ["value"],
|
||||
"type": "column"
|
||||
}
|
||||
]
|
||||
],
|
||||
"table": "log_entries",
|
||||
"timeColumn": "request_ts",
|
||||
"where": []
|
||||
}
|
||||
],
|
||||
"title": "Top 20 queried domains",
|
||||
"type": "barchart"
|
||||
},
|
||||
{
|
||||
"datasource": "${DS_POSTGRES}",
|
||||
"description": "",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisLabel": "queries count",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": 0,
|
||||
"drawStyle": "bars",
|
||||
"fillOpacity": 35,
|
||||
"gradientMode": "hue",
|
||||
"hideFrom": {
|
||||
"legend": false,
|
||||
"tooltip": false,
|
||||
"viz": false
|
||||
},
|
||||
"lineInterpolation": "linear",
|
||||
"lineStyle": {
|
||||
"fill": "solid"
|
||||
},
|
||||
"lineWidth": 1,
|
||||
"pointSize": 12,
|
||||
"scaleDistribution": {
|
||||
"type": "linear"
|
||||
},
|
||||
"showPoints": "never",
|
||||
"spanNulls": 3600000,
|
||||
"stacking": {
|
||||
"group": "A",
|
||||
"mode": "none"
|
||||
},
|
||||
"thresholdsStyle": {
|
||||
"mode": "off"
|
||||
}
|
||||
},
|
||||
"displayName": "${__field.labels.client_name}",
|
||||
"mappings": [],
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
},
|
||||
{
|
||||
"color": "red",
|
||||
"value": 80
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 7,
|
||||
"w": 24,
|
||||
"x": 0,
|
||||
"y": 16
|
||||
},
|
||||
"id": 12,
|
||||
"options": {
|
||||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "list",
|
||||
"placement": "right"
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "single"
|
||||
}
|
||||
},
|
||||
"pluginVersion": "8.1.2",
|
||||
"targets": [
|
||||
{
|
||||
"format": "time_series",
|
||||
"group": [],
|
||||
"metricColumn": "none",
|
||||
"rawQuery": true,
|
||||
"rawSql": "SELECT\n $__timeGroupAlias(t.request_Ts, ''30m''),\n t.client_name,\n count(*) as c\nFROM log_entries t\nWHERE\n $__timeFilter(t.request_Ts) and \n t.response_type in ($response_type) and \n t.client_name in ($client_name) and \n (length(''$question'') = 0 or POSITION(lower(''$question'') IN t.question_name) > 0)\nGROUP BY 1,2\nORDER BY 1",
|
||||
"refId": "A",
|
||||
"select": [
|
||||
[
|
||||
{
|
||||
"params": ["duration_ms"],
|
||||
"type": "column"
|
||||
}
|
||||
]
|
||||
],
|
||||
"table": "log_entries",
|
||||
"timeColumn": "request_ts",
|
||||
"timeColumnType": "timestamp",
|
||||
"where": [
|
||||
{
|
||||
"name": "$__timeFilter",
|
||||
"params": [],
|
||||
"type": "macro"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"title": "Queries number per client (30m)",
|
||||
"type": "timeseries"
|
||||
},
|
||||
{
|
||||
"datasource": "${DS_POSTGRES}",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"color": {
|
||||
"mode": "palette-classic"
|
||||
},
|
||||
"custom": {
|
||||
"axisLabel": "",
|
||||
"axisPlacement": "auto",
|
||||
"barAlignment": -1,
|
||||
"drawStyle": "bars",
|
||||
"fillOpacity": 0,
|
||||
"gradientMode": "none",
|
||||
"hideFrom": {
|
||||
"legend": false,
|
||||
"tooltip": false,
|
||||
"viz": false
|
||||
},
|
||||
"lineInterpolation": "stepBefore",
|
||||
"lineStyle": {
|
||||
"fill": "solid"
|
||||
},
|
||||
"lineWidth": 1,
|
||||
"pointSize": 5,
|
||||
"scaleDistribution": {
|
||||
"type": "linear"
|
||||
},
|
||||
"showPoints": "auto",
|
||||
"spanNulls": true,
|
||||
"stacking": {
|
||||
"group": "A",
|
||||
"mode": "none"
|
||||
},
|
||||
"thresholdsStyle": {
|
||||
"mode": "line"
|
||||
}
|
||||
},
|
||||
"mappings": [],
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
}
|
||||
]
|
||||
},
|
||||
"unit": "dtdurationms"
|
||||
},
|
||||
"overrides": []
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 8,
|
||||
"w": 24,
|
||||
"x": 0,
|
||||
"y": 23
|
||||
},
|
||||
"id": 10,
|
||||
"options": {
|
||||
"legend": {
|
||||
"calcs": [],
|
||||
"displayMode": "hidden",
|
||||
"placement": "bottom"
|
||||
},
|
||||
"tooltip": {
|
||||
"mode": "single"
|
||||
}
|
||||
},
|
||||
"targets": [
|
||||
{
|
||||
"format": "time_series",
|
||||
"group": [],
|
||||
"metricColumn": "none",
|
||||
"rawQuery": true,
|
||||
"rawSql": "SELECT\n EXTRACT(EPOCH from t.request_Ts) as time,\n t.duration_ms\nFROM log_entries t\nWHERE\n $__timeFilter(t.request_Ts) and \n t.response_type in ($response_type) and \n t.client_name in ($client_name) and \n (length(''$question'') = 0 or POSITION(lower(''$question'') IN t.question_name) > 0)\nORDER BY request_ts",
|
||||
"refId": "A",
|
||||
"select": [
|
||||
[
|
||||
{
|
||||
"params": ["duration_ms"],
|
||||
"type": "column"
|
||||
}
|
||||
]
|
||||
],
|
||||
"table": "log_entries",
|
||||
"timeColumn": "request_ts",
|
||||
"timeColumnType": "timestamp",
|
||||
"where": [
|
||||
{
|
||||
"name": "$__timeFilter",
|
||||
"params": [],
|
||||
"type": "macro"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"title": "Query duration",
|
||||
"type": "timeseries"
|
||||
},
|
||||
{
|
||||
"datasource": "${DS_POSTGRES}",
|
||||
"description": "Last 100 queries, newest on top",
|
||||
"fieldConfig": {
|
||||
"defaults": {
|
||||
"custom": {
|
||||
"align": null,
|
||||
"displayMode": "auto",
|
||||
"filterable": false
|
||||
},
|
||||
"mappings": [],
|
||||
"thresholds": {
|
||||
"mode": "absolute",
|
||||
"steps": [
|
||||
{
|
||||
"color": "green",
|
||||
"value": null
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"overrides": [
|
||||
{
|
||||
"matcher": {
|
||||
"id": "byName",
|
||||
"options": "time"
|
||||
},
|
||||
"properties": [
|
||||
{
|
||||
"id": "unit",
|
||||
"value": "dateTimeAsIsoNoDateIfToday"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"gridPos": {
|
||||
"h": 8,
|
||||
"w": 24,
|
||||
"x": 0,
|
||||
"y": 31
|
||||
},
|
||||
"id": 4,
|
||||
"options": {
|
||||
"showHeader": true
|
||||
},
|
||||
"pluginVersion": "8.1.2",
|
||||
"targets": [
|
||||
{
|
||||
"format": "table",
|
||||
"group": [],
|
||||
"metricColumn": "none",
|
||||
"rawQuery": true,
|
||||
"rawSql": "SELECT EXTRACT(EPOCH from t.request_Ts) as \"time\", \n t.client_ip as \"client IP\", \n t.client_name as \"client name\", \n t.duration_ms as \"duration in ms\", \n t.response_type as \"response type\", \n t.question_type as \"question type\", \n t.question_name as \"question name\", \n t.effective_tldp as \"effective TLD+1\", \n t.answer as \"answer\" from log_entries t \n WHERE $__timeFilter(t.request_Ts) and \n t.response_type in ($response_type) and \n t.client_name in ($client_name) and \n (length(''$question'') = 0 or POSITION(lower(''$question'') IN t.question_name) > 0) \n order by t.request_Ts desc limit 100",
|
||||
"refId": "A",
|
||||
"select": [
|
||||
[
|
||||
{
|
||||
"params": ["value"],
|
||||
"type": "column"
|
||||
}
|
||||
]
|
||||
],
|
||||
"timeColumn": "time",
|
||||
"where": [
|
||||
{
|
||||
"name": "$__timeFilter",
|
||||
"params": [],
|
||||
"type": "macro"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timeFrom": null,
|
||||
"timeShift": null,
|
||||
"title": "Last queries",
|
||||
"type": "table"
|
||||
}
|
||||
],
|
||||
"refresh": "",
|
||||
"schemaVersion": 30,
|
||||
"style": "dark",
|
||||
"tags": [],
|
||||
"templating": {
|
||||
"list": [
|
||||
{
|
||||
"current": {
|
||||
"selected": false,
|
||||
"text": "BlockyPostgres",
|
||||
"value": "blockypostgres"
|
||||
},
|
||||
"hide": 0,
|
||||
"includeAll": false,
|
||||
"label": "datasource",
|
||||
"multi": false,
|
||||
"name": "DS_POSTGRES",
|
||||
"options": [],
|
||||
"query": "grafana-postgresql-datasource",
|
||||
"refresh": 1,
|
||||
"regex": "",
|
||||
"skipUrlSync": false,
|
||||
"type": "datasource"
|
||||
},
|
||||
{
|
||||
"allValue": "",
|
||||
"current": {},
|
||||
"datasource": "${DS_POSTGRES}",
|
||||
"definition": "select distinct client_name from log_entries",
|
||||
"description": null,
|
||||
"error": null,
|
||||
"hide": 0,
|
||||
"includeAll": true,
|
||||
"label": "Client name",
|
||||
"multi": true,
|
||||
"name": "client_name",
|
||||
"options": [],
|
||||
"query": "select distinct client_name from log_entries",
|
||||
"refresh": 2,
|
||||
"regex": "",
|
||||
"skipUrlSync": false,
|
||||
"sort": 1,
|
||||
"tagValuesQuery": "",
|
||||
"tagsQuery": "",
|
||||
"type": "query",
|
||||
"useTags": false
|
||||
},
|
||||
{
|
||||
"allValue": null,
|
||||
"current": {},
|
||||
"datasource": "${DS_POSTGRES}",
|
||||
"definition": "select distinct response_type from log_entries",
|
||||
"description": null,
|
||||
"error": null,
|
||||
"hide": 0,
|
||||
"includeAll": true,
|
||||
"label": "Response type",
|
||||
"multi": true,
|
||||
"name": "response_type",
|
||||
"options": [],
|
||||
"query": "select distinct response_type from log_entries",
|
||||
"refresh": 2,
|
||||
"regex": "",
|
||||
"skipUrlSync": false,
|
||||
"sort": 1,
|
||||
"tagValuesQuery": "",
|
||||
"tagsQuery": "",
|
||||
"type": "query",
|
||||
"useTags": false
|
||||
},
|
||||
{
|
||||
"current": {
|
||||
"selected": false,
|
||||
"text": "",
|
||||
"value": ""
|
||||
},
|
||||
"description": null,
|
||||
"error": null,
|
||||
"hide": 0,
|
||||
"label": "Domain (contains)",
|
||||
"name": "question",
|
||||
"options": [
|
||||
{
|
||||
"selected": true,
|
||||
"text": "",
|
||||
"value": ""
|
||||
}
|
||||
],
|
||||
"query": "",
|
||||
"skipUrlSync": false,
|
||||
"type": "textbox"
|
||||
}
|
||||
]
|
||||
},
|
||||
"time": {
|
||||
"from": "now-24h",
|
||||
"to": "now"
|
||||
},
|
||||
"timepicker": {},
|
||||
"timezone": "",
|
||||
"title": "Blocky query",
|
||||
"uid": "AVmWSVWgz",
|
||||
"version": 3
|
||||
}
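Review bot: The `question` textbox variable (declared near the end under `templating.list`) is interpolated unescaped into every panel's `rawSql` string, e.g. `POSITION(lower(''$question'') IN t.question_name)`, so whatever a dashboard viewer types reaches the PostgreSQL datasource as part of the statement text; unless the datasource applies its own escaping, this lets any user who can change a variable run statements with the `blocky` database credentials, and the doubled `''` quoting around it looks like a copy artifact that should be checked against a live datasource. The conventional fix is to use Grafana's SQL-safe interpolation, `${question:sqlstring}`, in each `rawSql` that embeds the variable (seven panels plus the table query). This file appears to be imported from upstream, so the change may be better carried there and re-vendored.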
|
|
@ -0,0 +1,380 @@
|
|||
image:
|
||||
repository: spx01/blocky
|
||||
tag: v0.23@sha256:24855b63986c790093554a1f62b58379a06bc10a90ee073906e7c39bf692adcc
|
||||
pullPolicy: IfNotPresent
|
||||
k8sgatewayImage:
|
||||
repository: quay.io/oriedge/k8s_gateway
|
||||
pullPolicy: IfNotPresent
|
||||
tag: v0.4.0@sha256:7bdbd447c0244b8f89de9cd6f4826ed0ac66c9406fac3a4ac80081020c251c6b
|
||||
|
||||
workload:
|
||||
main:
|
||||
replicas: 2
|
||||
strategy: RollingUpdate
|
||||
podSpec:
|
||||
containers:
|
||||
main:
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
type: exec
|
||||
command:
|
||||
- /app/blocky
|
||||
- healthcheck
|
||||
readiness:
|
||||
enabled: false
|
||||
type: exec
|
||||
command:
|
||||
- /app/blocky
|
||||
- healthcheck
|
||||
startup:
|
||||
enabled: false
|
||||
type: exec
|
||||
command:
|
||||
- /app/blocky
|
||||
- healthcheck
|
||||
# -- Blocky Config File content
|
||||
blockyConfig: {}
|
||||
# upstream:
|
||||
# default:
|
||||
# - 1.1.1.1
|
||||
|
||||
# -- some general blocky settings
|
||||
blocky:
|
||||
# -- Enable prometheus annotations
|
||||
enablePrometheus: true
|
||||
service:
|
||||
main:
|
||||
enabled: true
|
||||
ports:
|
||||
main:
|
||||
enabled: true
|
||||
port: 4000
|
||||
protocol: http
|
||||
targetPort: 4000
|
||||
dns:
|
||||
enabled: true
|
||||
ports:
|
||||
dns:
|
||||
enabled: true
|
||||
port: 53
|
||||
protocol: udp
|
||||
targetPort: 53
|
||||
dnstcp:
|
||||
enabled: true
|
||||
protocol: tcp
|
||||
port: "{{ .Values.service.dns.ports.dns.port }}"
|
||||
targetPort: 53
|
||||
dot:
|
||||
enabled: true
|
||||
ports:
|
||||
dot:
|
||||
enabled: true
|
||||
port: 853
|
||||
protocol: tcp
|
||||
targetPort: 853
|
||||
https:
|
||||
enabled: true
|
||||
ports:
|
||||
https:
|
||||
enabled: true
|
||||
port: 4443
|
||||
protocol: https
|
||||
targetPort: 4443
|
||||
k8sgateway:
|
||||
enabled: true
|
||||
ports:
|
||||
k8sgateway:
|
||||
enabled: true
|
||||
port: 5353
|
||||
protocol: udp
|
||||
targetPort: 5353
|
||||
## TODO Add support for SCALE certificates and certificates secrets here
|
||||
certFile: ""
|
||||
keyFile: ""
|
||||
logLevel: info
|
||||
logFormat: text
|
||||
logTimestamp: true
|
||||
logPrivacy: false
|
||||
dohUserAgent: ""
|
||||
minTlsServeVersion: 1.2
|
||||
# -- set the default DNS upstream servers
|
||||
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
||||
defaultUpstreams:
|
||||
- 1.1.1.1
|
||||
- 1.0.0.1
|
||||
- 8.8.8.8
|
||||
- 8.8.4.4
|
||||
- 9.9.9.9
|
||||
- 149.112.112.112
|
||||
- 208.67.222.222
|
||||
- 208.67.220.220
|
||||
- 8.26.56.26
|
||||
- 8.20.247.20
|
||||
- 185.228.168.9
|
||||
- 185.228.169.9
|
||||
- 76.76.19.19
|
||||
- 76.223.122.150
|
||||
- 76.76.2.0
|
||||
- 76.76.10.0
|
||||
# -- set additional upstreams
|
||||
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
||||
upstreams:
|
||||
# - name: group2
|
||||
# dnsservers:
|
||||
# - 1.1.1.1
|
||||
|
||||
# -- set bootstrap dns (not needed)
|
||||
# Ensures bootstrap encryption and ensure it doesn't use k8s dns
|
||||
bootstrapDns:
|
||||
# -- Upstream
|
||||
upstream: ""
|
||||
# -- IP's linked to upstream DoT/DoH DNS name
|
||||
ips: []
|
||||
# -- set additional bootstrap dns (not needed, only used if bootstrapDns is set)
|
||||
additionalBootstrapDns: []
|
||||
# - upstream: ""
|
||||
# ips: []
|
||||
|
||||
# -- Return empty answer for these queries
|
||||
filtering:
|
||||
# -- Ensures filtering by query type
|
||||
queryTypes: []
|
||||
# -- Set manual custom DNS resolution
|
||||
customDNS:
|
||||
customTTL: 1h
|
||||
filterUnmappedTypes: true
|
||||
rewrite: []
|
||||
# - in: something.com
|
||||
# out: somethingelse.com
|
||||
mapping: []
|
||||
# - domain: something.com
|
||||
# dnsserver: 192.168.178.1
|
||||
# -- Setup client-name lookup
|
||||
clientLookup:
|
||||
# -- upstream used for client-name lookup
|
||||
upstream: ""
|
||||
singleNameOrder: []
|
||||
clients:
|
||||
# - domain: laptop
|
||||
# ips: []
|
||||
# -- Setup caching
|
||||
caching:
|
||||
minTime: 5m
|
||||
maxTime: 30m
|
||||
maxItemsCount: 0
|
||||
prefetching: false
|
||||
prefetchExpires: 2h
|
||||
prefetchThreshold: 5
|
||||
prefetchMaxItemsCount: 0
|
||||
cacheTimeNegative: 30m
|
||||
# -- set conditional settings
|
||||
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
||||
conditional:
|
||||
rewrite: []
|
||||
# - in: something.com
|
||||
# out: somethingelse.com
|
||||
mapping: []
|
||||
# - domain: something.com
|
||||
# dnsserver: 192.168.178.1
|
||||
# -- set blocking settings using Lists
|
||||
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
||||
blocking:
|
||||
# -- Sets the blocktype
|
||||
blockType: nxDomain
|
||||
# -- Sets the block ttl
|
||||
blockTTL: 6h
|
||||
# -- Sets the block refreshPeriod
|
||||
refreshPeriod: 4h
|
||||
# -- Sets the block download timeout
|
||||
downloadTimeout: 60s
|
||||
# -- Sets the block download attempt count
|
||||
downloadAttempts: 3
|
||||
# -- Sets the block download cooldown
|
||||
downloadCooldown: 2s
|
||||
# -- Set the start strategy (blocking | failOnError | fast)
|
||||
startStrategy: blocking
|
||||
# -- Sets how many list-groups can be processed at the same time
|
||||
processingConcurrency: 4
|
||||
# -- Add blocky whitelists
|
||||
whitelist: []
|
||||
# - name: ads
|
||||
# lists:
|
||||
# - https://someurl.com/list.txt
|
||||
# - /somefile.txt
|
||||
|
||||
# -- Blocky blacklists
|
||||
blacklist: []
|
||||
# - name: ads
|
||||
# lists:
|
||||
# - https://someurl.com/list.txt
|
||||
# - /somefile.txt
|
||||
|
||||
# -- Blocky clientGroupsBlock
|
||||
clientGroupsBlock: []
|
||||
# - name: default
|
||||
# groups:
|
||||
# - ads
|
||||
# -- configure using hostsfile for lookups
|
||||
# Allows for using the hosts configured in kubernetes and such
|
||||
hostsFile:
|
||||
enabled: false
|
||||
filePath: /etc/hosts
|
||||
hostsTTL: 60m
|
||||
refreshPeriod: 30m
|
||||
## TODO: add this with postgresql support as well
|
||||
# queryLog:
|
||||
# type: csv
|
||||
# target: /logs
|
||||
# logRetentionDays: 0
|
||||
# creationAttempts: 3
|
||||
# CreationCooldown: 2
|
||||
podOptions:
|
||||
automountServiceAccountToken: true
|
||||
portal:
|
||||
open:
|
||||
enabled: false
|
||||
serviceAccount:
|
||||
main:
|
||||
# -- Specifies whether a service account should be created
|
||||
enabled: true
|
||||
primary: true
|
||||
# -- Create a ClusterRole and ClusterRoleBinding
|
||||
# @default -- See below
|
||||
rbac:
|
||||
main:
|
||||
# -- Enables or disables the ClusterRole and ClusterRoleBinding
|
||||
enabled: true
|
||||
primary: true
|
||||
clusterWide: true
|
||||
# -- Set Rules on the ClusterRole
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- services
|
||||
- namespaces
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- ingresses
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
k8sgateway:
|
||||
enabled: true
|
||||
# -- TTL for non-apex responses (in seconds)
|
||||
ttl: 300
|
||||
# -- Limit what kind of resources to watch, e.g. watchedResources: ["Ingress"]
|
||||
watchedResources: []
|
||||
# -- Service name of a secondary DNS server (should be `serviceName.namespace`)
|
||||
secondary: ""
|
||||
# -- Override the default `serviceName.namespace` domain apex
|
||||
apex: ""
|
||||
# -- list of processed domains
|
||||
domains: []
|
||||
# -- Delegated domain
|
||||
# - domain: "example.com"
|
||||
# # -- Optional configuration option for DNS01 challenge that will redirect all acme
|
||||
# # challenge requests to external cloud domain (e.g. managed by cert-manager)
|
||||
# # See: https://cert-manager.io/docs/configuration/acme/dns01/
|
||||
# dnsChallenge:
|
||||
# enabled: false
|
||||
# domain: dns01.clouddns.com
|
||||
|
||||
forward:
|
||||
enabled: false
|
||||
primary: tls://1.1.1.1
|
||||
secondary: tls://1.0.0.1
|
||||
options:
|
||||
- name: tls_servername
|
||||
value: cloudflare-dns.com
|
||||
|
||||
configmap:
|
||||
dashboard:
|
||||
enabled: true
|
||||
labels:
|
||||
grafana_dashboard: "1"
|
||||
data:
|
||||
blocky.json: >-
|
||||
{{ .Files.Get "dashboard.json" | indent 8 }}
|
||||
blockypostgres.json: >-
|
||||
{{ .Files.Get "dashboardpsql.json" | indent 8 }}
|
||||
datasource:
|
||||
enabled: true
|
||||
labels:
|
||||
grafana_datasources: "1"
|
||||
data:
|
||||
datasourceblockypsql.yaml: |-
|
||||
apiVersion: 1
|
||||
datasources:
|
||||
- name: BlockyPostgres
|
||||
type: postgres
|
||||
uid: blockypostgres
|
||||
url: {{ printf "%s.%s:5432" (.Values.cnpg.main.creds.host | trimAll "\"") .Release.Namespace }}
|
||||
access: proxy
|
||||
user: {{ .Values.cnpg.main.user }}
|
||||
secureJsonData:
|
||||
password: {{ .Values.cnpg.main.creds.password | default "na" }}
|
||||
jsonData:
|
||||
database: {{ .Values.cnpg.main.database }}
|
||||
sslmode: 'disable' # disable/require/verify-ca/verify-full
|
||||
maxOpenConns: 100 # Grafana v5.4+
|
||||
maxIdleConns: 100 # Grafana v5.4+
|
||||
maxIdleConnsAuto: true # Grafana v9.5.1+
|
||||
connMaxLifetime: 14400 # Grafana v5.4+
|
||||
postgresVersion: 1500 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10
|
||||
timescaledb: false
|
||||
|
||||
metrics:
|
||||
main:
|
||||
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
|
||||
# @default -- See values.yaml
|
||||
enabled: true
|
||||
type: "servicemonitor"
|
||||
endpoints:
|
||||
- port: main
|
||||
path: /metrics
|
||||
# -- Enable and configure Prometheus Rules for the chart under this key.
|
||||
# @default -- See values.yaml
|
||||
prometheusRule:
|
||||
enabled: false
|
||||
labels: {}
|
||||
# -- Configure additionial rules for the chart under this key.
|
||||
# @default -- See prometheusrules.yaml
|
||||
rules: []
|
||||
# - alert: UnifiPollerAbsent
|
||||
# annotations:
|
||||
# description: Unifi Poller has disappeared from Prometheus service discovery.
|
||||
# summary: Unifi Poller is down.
|
||||
# expr: |
|
||||
# absent(up{job=~".*unifi-poller.*"} == 1)
|
||||
# for: 5m
|
||||
# labels:
|
||||
# severity: critical
|
||||
|
||||
redis:
|
||||
enabled: true
|
||||
# CANNOT be defined in above yaml section
|
||||
queryLog:
|
||||
# optional one of: mysql, postgresql, csv, csv-client. If empty, log to console
|
||||
type: "postgresql"
|
||||
# directory (should be mounted as volume in docker) for csv, db connection string for mysql, ignored for included postgresql
|
||||
# target: /var/log/something
|
||||
# postgresql target: postgres://user:password@db_host_or_ip:5432/db_name
|
||||
# if > 0, deletes log files which are older than ... days
|
||||
logRetentionDays: 0
|
||||
# optional: Max attempts to create specific query log writer, default: 3
|
||||
creationAttempts: 3
|
||||
# optional: Time between the creation attempts, default: 2s
|
||||
creationCooldown: 2s
|
||||
|
||||
cnpg:
|
||||
main:
|
||||
enabled: true
|
||||
user: blocky
|
||||
database: blocky
|
|
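--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -0,0 +1 @@
+{{- include "tc.v1.common.lib.chart.notes" $ -}}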
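--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -0,0 +1,231 @@
+{{/* Define the config */}}
+{{- define "blocky.configmap" -}}
+{{- $config := mustMerge ( include "blocky.config" . | fromYaml ) ( .Values.blockyConfig ) }}
+enabled: true
+data:
+  config.yml: |
+{{ $config | toYaml | indent 4 }}
+{{- end -}}
+
+{{- define "blocky.config" -}}
+redis:
+  address: {{ printf "%v-%v" .Release.Name "redis" }}:6379
+  password: {{ .Values.redis.creds.redisPassword | trimAll "\"" }}
+  database: 0
+  required: true
+  connectionAttempts: 10
+  connectionCooldown: 3s
+prometheus:
+  enable: true
+  path: /metrics
+queryLog:
+  # optional one of: postgresql, csv, csv-client. If empty, log to console
+  type: {{ .Values.queryLog.type }}
+  # directory (should be mounted as volume in docker) for csv, db connection string for mysql/postgresql
+  #postgresql target: postgres://user:password@db_host_or_ip:5432/db_name
+  {{- if eq .Values.queryLog.type "postgresql" }}
+  target: {{ .Values.cnpg.main.creds.std }}
+  {{- else }}
+  target: {{ .Values.queryLog.target }}
+  {{- end }}
+  # if > 0, deletes log files which are older than ... days
+  logRetentionDays: {{ .Values.queryLog.logRetentionDays | default 0 }}
+  # optional: Max attempts to create specific query log writer
+  creationAttempts: {{ .Values.queryLog.creationAttempts | default 3 }}
+  # optional: Time between the creation attempts
+  creationCooldown: {{ .Values.queryLog.creationAttempts | default "2s" }}
+
+upstream:
+  default:
+    {{- .Values.defaultUpstreams | toYaml | nindent 8 }}
+  {{- range $id, $value := .Values.upstreams }}
+  {{ $value.name }}:
+    {{- $value.dnsservers | toYaml | nindent 8 }}
+  {{- end }}
+
+ports:
+  {{- if .Values.service.dns.enabled }}
+  dns: {{ .Values.service.dns.ports.dns.targetPort }}
+  {{- end }}
+  {{- if .Values.service.dot.enabled }}
+  tls: {{ .Values.service.dot.ports.dot.targetPort }}
+  {{- end }}
+  {{- if .Values.service.main.enabled }}
+  http: {{ .Values.service.main.ports.main.targetPort }}
+  {{- end }}
+  {{- if .Values.service.https.enabled }}
+  https: {{ .Values.service.https.ports.https.targetPort }}
+  {{- end }}
+
+{{- if .Values.certFile }}
+certFile: {{ .Values.certFile }}
+{{- end }}
+
+{{- if .Values.keyFile }}
+keyFile: {{ .Values.keyFile }}
+{{- end }}
+
+log:
+  {{- if .Values.logLevel }}
+  level: {{ .Values.logLevel }}
+  {{- end }}
+  {{- if .Values.logTimestamp }}
+  timestamp: {{ .Values.logTimestamp }}
+  {{- end }}
+  {{- if .Values.logPrivacy }}
+  privacy: {{ .Values.logPrivacy }}
+  {{- end }}
+
+{{- if .Values.dohUserAgent }}
+dohUserAgent: {{ .Values.dohUserAgent }}
+{{- end }}
+
+{{- if .Values.minTlsServeVersion }}
+minTlsServeVersion: {{ .Values.minTlsServeVersion }}
+{{- end }}
+
+caching:
+{{ toYaml .Values.caching | indent 2 }}
+
+{{- if .Values.hostsFile.enabled }}
+{{ $hostsfile := omit .Values.hostsFile "enabled" }}
+hostsFile:
+{{ toYaml $hostsfile | indent 2 }}
+{{- end }}
+
+{{- if or .Values.bootstrapDns.upstream .Values.bootstrapDns.ips }}
+bootstrapDns:
+  {{- if .Values.bootstrapDns.upstream }}
+  - upstream: {{ .Values.bootstrapDns.upstream }}
+  {{- end }}
+  {{- if .Values.bootstrapDns.ips }}
+    ips:
+    {{- range $id, $value := .Values.bootstrapDns.ips }}
+      - {{ $value }}
+    {{- end }}
+  {{- end }}
+  {{/* Add additional Bootstrap DNS */}}
+  {{- range .Values.additionalBootstrapDns }}
+  {{- with .upstream }}
+  - upstream: {{ . }}
+  {{- end }}
+  {{- if .ips }}
+    ips:
+    {{- range $id, $value := .ips }}
+      - {{ $value }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- if or .Values.filtering.filtering }}
+filtering:
+  {{- if .Values.filtering.ips }}
+  queryTypes:
+  {{- range $id, $value := .Values.filtering.ips }}
+    - {{ $value }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- if or .Values.customDNS.filterUnmappedTypes .Values.customDNS.customTTL .Values.customDNS.rewrite .Values.customDNS.mapping }}
+customDNS:
+  {{- if .Values.customDNS.upstream }}
+  upstream: {{ .Values.customDNS.upstream }}
+  {{- end }}
+  {{- if .Values.customDNS.customTTL }}
+  customTTL: {{ .Values.customDNS.customTTL }}
+  {{- end }}
+  {{- if .Values.customDNS.rewrite }}
+  rewrite:
+  {{- range $id, $value := .Values.customDNS.rewrite }}
+    {{ $value.in }}: {{ $value.out }}
+  {{- end }}
+  {{- end }}
+
+  {{- if .Values.customDNS.mapping }}
+  mapping:
+  {{- range $id, $value := .Values.customDNS.mapping }}
+    {{ $value.domain }}: {{ $value.dnsserver }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- if or .Values.clientLookup.upstream .Values.clientLookup.ips }}
+clientLookup:
+  {{- if .Values.clientLookup.upstream }}
+  upstream: {{ .Values.clientLookup.upstream }}
+  {{- end }}
+  {{- if .Values.clientLookup.ips }}
+  singleNameOrder:
+  {{- range $id, $value := .Values.clientLookup.ips }}
+    - {{ $value }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.clientLookup.clients }}
+  clients:
+  {{- range $id, $value := .Values.clientLookup.clients }}
+    {{ $value.domain }}:
+    {{- range $id, $value := .ips }}
+      - {{ $value }}
+    {{- end }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- if or .Values.conditional.rewrite .Values.conditional.mapping ( and .Values.k8sgateway.enabled .Values.k8sgateway.domains ) }}
+conditional:
+  {{- if .Values.conditional.rewrite }}
+  rewrite:
+  {{- range $id, $value := .Values.conditional.rewrite }}
+    {{ $value.in }}: {{ $value.out }}
+  {{- end }}
+  {{- end }}
+
+  {{- if or .Values.conditional.mapping ( and .Values.k8sgateway.enabled .Values.k8sgateway.domains ) }}
+  mapping:
+  {{- if and .Values.k8sgateway.enabled .Values.k8sgateway.domains }}
+  {{- range $id, $value := .Values.k8sgateway.domains }}
+    {{ .domain }}: 127.0.0.1:{{ $.Values.service.k8sgateway.ports.k8sgateway.targetPort }}
+  {{- end }}
+  {{- end }}
+  {{- range $id, $value := .Values.conditional.mapping }}
+    {{ $value.domain }}: {{ $value.dnsserver }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
+blocking:
+  blockType: {{ .Values.blocking.blockType }}
+  blockTTL: {{ .Values.blocking.blockTTL }}
+  refreshPeriod: {{ .Values.blocking.refreshPeriod }}
+  downloadTimeout: {{ .Values.blocking.downloadTimeout }}
+  downloadAttempts: {{ .Values.blocking.downloadAttempts }}
+  downloadCooldown: {{ .Values.blocking.downloadCooldown }}
+  startStrategy: {{ .Values.blocking.startStrategy }}
+  processingConcurrency: {{ .Values.blocking.processingConcurrency }}
+  {{- if .Values.blocking.whitelist }}
+  whiteLists:
+  {{- range $id, $value := .Values.blocking.whitelist }}
+    {{ $value.name }}:
+      {{- $value.lists | toYaml | nindent 10 }}
+  {{- end }}
+  {{- end }}
+
+  {{- if .Values.blocking.blacklist }}
+  blackLists:
+  {{- range $id, $value := .Values.blocking.blacklist }}
+    {{ $value.name }}:
+      {{- $value.lists | toYaml | nindent 10 }}
+  {{- end }}
+  {{- end }}
+
+  {{- if .Values.blocking.clientGroupsBlock }}
+  clientGroupsBlock:
+  {{- range $id, $value := .Values.blocking.clientGroupsBlock }}
+    {{ $value.name }}:
+      {{- $value.groups | toYaml | nindent 10 }}
+  {{- end }}
+  {{- end }}
+
+{{- end -}}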
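Review bot: `creationCooldown` in `blocky.config` reads the wrong value — `creationCooldown: {{ .Values.queryLog.creationAttempts | default "2s" }}` pipes the attempt count, so with the shipped `creationAttempts: 3` the rendered config gets `creationCooldown: 3` instead of a duration and `.Values.queryLog.creationCooldown` is never consulted; it should be `creationCooldown: {{ .Values.queryLog.creationCooldown | default "2s" }}`. Separately, the redis password and the `cnpg.main.creds.std` string (which per the comment two lines above it carries `user:password@host`) are rendered into `config.yml` of a ConfigMap, so anyone able to read ConfigMaps in the namespace sees the database and cache credentials; if the common library offers a Secret-backed mount for this file, that is the safer target. The unquoted `password: {{ .Values.redis.creds.redisPassword | trimAll "\"" }}` also produces invalid YAML for a password containing `: `, ` #` or a leading `*`/`&`; appending `| quote` after the `trimAll` keeps the value intact.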
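--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -0,0 +1,90 @@
+{{- define "k8sgateway.container" -}}
+enabled: true
+imageSelector: k8sgatewayImage
+securityContext:
+  runAsUser: 0
+  runAsGroup: 0
+  readOnlyRootFilesystem: true
+args: ["-conf", "/etc/coredns/Corefile"]
+probes:
+  readiness:
+    enabled: true
+    path: /ready
+    port: 8181
+  liveness:
+    enabled: true
+    path: /health
+    port: 8080
+  startup:
+    enabled: true
+    path: /ready
+    port: 8181
+{{- end -}}
+
+{{/*
+Create the matchable regex from domain
+*/}}
+{{- define "k8sgateway.configmap.regex" -}}
+  {{- if .dnsChallenge.domain }}
+    {{- .dnsChallenge.domain | replace "." "[.]" -}}
+  {{- else -}}
+    {{ "unset" }}
+  {{- end }}
+{{- end -}}
+
+{{/* Define the configmap */}}
+{{- define "k8sgateway.configmap" -}}
+{{- $values := .Values.k8sgateway }}
+{{- $fqdn := ( include "tc.v1.common.lib.chart.names.fqdn" . ) }}
+enabled: true
+data:
+  Corefile: |
+    .:{{ .Values.service.k8sgateway.ports.k8sgateway.targetPort }} {
+        errors
+        log
+        health {
+            lameduck 5s
+        }
+        ready
+        {{- range .Values.k8sgateway.domains }}
+        {{- if .dnsChallenge.enabled }}
+        {{- if not .dnsChallenge.domain -}}
+          {{- fail "DNS01 challenge domain is mandatory" -}}
+        {{- end }}
+
+        template IN ANY {{ required "Delegated domain ('domain') is mandatory" .domain }} {
+          match "_acme-challenge[.](.*)[.]{{ include "k8sgateway.configmap.regex" . }}"
+          {{- $name := "{{ \"{{ .Name }}\" }}" }}
+          {{- $index := "{{ \"{{ index .Match 1 }}\" }}" }}
+          answer "{{ $name }} 5 IN CNAME {{ $index }}.{{ .dnsChallenge.domain }}"
+          fallthrough
+        }
+        {{- end }}
+        {{- end }}
+        k8s_gateway {{ range .Values.k8sgateway.domains }}"{{ required "Delegated domain ('domain') is mandatory " .domain }}"{{ end }} {
+          apex {{ $values.apex | default $fqdn }}
+          ttl {{ $values.ttl }}
+          {{- if $values.secondary }}
+          secondary {{ $values.secondary }}
+          {{- end }}
+          {{- if $values.watchedResources }}
+          resources {{ join " " $values.watchedResources }}
+          {{- end }}
+          fallthrough
+        }
+
+        prometheus 0.0.0.0:9153
+        {{- if .Values.k8sgateway.forward.enabled }}
+        forward . {{ .Values.k8sgateway.forward.primary }} {{ .Values.k8sgateway.forward.secondary }} {
+          {{- range .Values.k8sgateway.forward.options }}
+          {{ .name }} {{ .value }}
+          {{- end }}
+        }
+        {{- else }}
+        forward . 1.1.1.1
+        {{- end }}
+        loop
+        reload
+        loadbalance
+    }
+{{- end -}}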
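Review bot: `k8sgateway.container` runs the CoreDNS sidecar as root (`runAsUser: 0` / `runAsGroup: 0`) while also setting `readOnlyRootFilesystem: true`, so hardening was clearly intended but the widest grant is still in place; nothing on the page says why UID 0 is needed, and if it is only to bind a privileged `targetPort`, a non-root UID plus `NET_BIND_SERVICE` under `capabilities` is the narrower form — at minimum a comment such as `# runs as root because <reason>` above `securityContext:` would stop the next reader from "fixing" it blind. In `k8sgateway.configmap` the `{{- else }}` branch hard-codes `forward . 1.1.1.1`, so a user who disables `k8sgateway.forward` silently has every non-delegated query sent in the clear to an external resolver; either `fail` the render or make the fallback an explicit, documented value. Minor: the `required` message on the `k8s_gateway` line carries a trailing space that the identical message in the `template` block does not.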
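--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -0,0 +1,106 @@
+{{/* Make sure all variables are set properly */}}
+{{- if eq .Values.queryLog.type "postgresql" -}}
+  {{- $_ := set .Values.cnpg.main "enabled" true -}}
+{{- end }}
+{{- include "tc.v1.common.loader.init" . }}
+
+{{/* Render configmap for blocky */}}
+{{- $configmapFile := include "blocky.configmap" . | fromYaml -}}
+{{- if $configmapFile -}}
+  {{- $_ := set .Values.configmap "config" $configmapFile -}}
+{{- end -}}
+
+{{- $gatewayconfig := include "k8sgateway.configmap" . | fromYaml -}}
+{{- if $gatewayconfig -}}
+  {{- $_ := set .Values.configmap "corefile" $gatewayconfig -}}
+{{- end -}}
+
+{{/* Always mount the configmap, with the basic config, plus the 'blockyConfig' */}}
+{{- define "blocky.configmap.mount" -}}
+enabled: true
+type: configmap
+mountPath: /app/config.yml
+objectName: config
+readOnly: true
+subPath: config.yml
+{{- end -}}
+
+{{/* Append the general configMap volume to the volumes */}}
+{{- define "k8sgateway.configvolume" -}}
+enabled: true
+type: configmap
+objectName: corefile
+items:
+  - key: Corefile
+    path: Corefile
+targetSelector:
+  main:
+    k8sgateway:
+      mountPath: "/etc/coredns"
+      readOnly: true
+
+{{- end -}}
+
+{{- $_ := set .Values.persistence "tc-config" (include "blocky.configmap.mount" . | fromYaml) -}}
+
+{{- if and .Values.k8sgateway.enabled .Values.k8sgateway.domains -}}
+  {{- $_ := set .Values.persistence "config-volume" (include "k8sgateway.configvolume" . | fromYaml) -}}
+  {{- $_ := set .Values.workload.main.podSpec.containers "k8sgateway" (include "k8sgateway.container" . | fromYaml) -}}
+{{- end -}}
+
+{{/* Define path for api */}}
+{{- define "blocky.api" -}}
+{{- $fullname := include "tc.v1.common.lib.chart.names.fullname" . -}}
+path: "/api"
+# -- Ignored if not kubeVersion >= 1.14-0
+pathType: Prefix
+service:
+  # -- Overrides the service name reference for this path
+  name: {{ printf "%s-main" $fullname }}
+  port: {{ .Values.service.main.ports.main.port }}
+{{- end -}}
+
+{{/* inject websocket path to all main ingress hosts*/}}
+{{- define "blocky.apiinjector" -}}
+{{- $path := list (include "blocky.api" . | fromYaml) -}}
+{{- if .Values.ingress.main.enabled }}
+{{- range .Values.ingress.main.hosts }}
+{{- $newpaths := list }}
+{{- $newpaths := concat .paths $path }}
+{{- $_ := set . "paths" ( deepCopy $newpaths ) -}}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/* inject api paths in ingress */}}
+{{- include "blocky.apiinjector" . }}
+
+{{/* Define path for DoH */}}
+{{- define "blocky.doh" -}}
+{{- $fullname := include "tc.v1.common.lib.chart.names.fullname" . -}}
+path: "/dns-query"
+# -- Ignored if not kubeVersion >= 1.14-0
+pathType: Prefix
+service:
+  # -- Overrides the service name reference for this path
+  name: {{ printf "%s-main" $fullname }}
+  port: {{ .Values.service.main.ports.main.port }}
+{{- end -}}
+
+{{/* inject websocket path to all main ingress hosts*/}}
+{{- define "blocky.dohinjector" -}}
+{{- $path := list (include "blocky.doh" . | fromYaml) -}}
+{{- if .Values.ingress.main.enabled }}
+{{- range .Values.ingress.main.hosts }}
+{{- $newpaths := list }}
+{{- $newpaths := concat .paths $path }}
+{{- $_ := set . "paths" ( deepCopy $newpaths ) -}}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{/* inject api paths in ingress */}}
+{{- include "blocky.dohinjector" . }}
+
+{{/* Render the templates */}}
+{{ include "tc.v1.common.loader.apply" . }}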
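Review bot: `blocky.apiinjector` appends the `/api` path to every entry of `ingress.main.hosts` with no way to opt out, so enabling the main ingress always publishes blocky's control API on the same hostname as the DoH endpoint; as far as I know that API has no authentication of its own, in which case the injection should be gated on a dedicated value (e.g. `{{- if and .Values.ingress.main.enabled .Values.ingress.main.exposeApi }}` — value name constructed) or left to a middleware — confirm against the blocky documentation. The two injector headers are copy-pasted: `{{/* inject websocket path to all main ingress hosts*/}}` precedes both `blocky.apiinjector` and `blocky.dohinjector`, and `{{/* inject api paths in ingress */}}` precedes the DoH include; they should read `api path` and `DoH path` respectively. Style: `{{- $newpaths := list }}` immediately followed by `{{- $newpaths := concat .paths $path }}` redeclares the variable; the second line should use `=`, or the first line be dropped, in both injectors.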
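--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -0,0 +1,4 @@
+icon_url: https://truecharts.org/img/hotlink-ok/chart-icons/blocky.png
+categories:
+  - network
+screenshots: []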
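--- a/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
+++ b/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
@@ -0,0 +1,30 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# OWNERS file for Kubernetes
+OWNERS
+# helm-docs templates
+*.gotmpl
+# docs folder
+/docs
+# icon
+icon.png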
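--- a/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
+++ b/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
@@ -0,0 +1,17 @@
+---
+title: Changelog
+---
+
+
+*for the complete changelog, please refer to the website*
+
+**Important:**
+
+
+## [clusterissuer-7.5.3](https://github.com/truecharts/charts/compare/clusterissuer-7.5.2...clusterissuer-7.5.3) (2024-03-16)
+
+### Chore
+
+
+
+- rename `enterprise`- train to `premium`-train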
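--- a/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
+++ b/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
@@ -0,0 +1,37 @@
+annotations:
+  max_scale_version: 24.04.0
+  min_scale_version: 23.10.0
+  truecharts.org/SCALE-support: "true"
+  truecharts.org/category: core
+  truecharts.org/max_helm_version: "3.14"
+  truecharts.org/min_helm_version: "3.12"
+  truecharts.org/train: premium
+apiVersion: v2
+appVersion: latest
+dependencies:
+  - name: common
+    version: 20.0.9
+    repository: oci://tccr.io/truecharts
+    condition: ""
+    alias: ""
+    tags: []
+    import-values: []
+deprecated: false
+description: Certificate management for Kubernetes
+home: https://truecharts.org/charts/premium/clusterissuer
+icon: https://truecharts.org/img/hotlink-ok/chart-icons/clusterissuer.png
+keywords:
+  - cert-manager
+  - certificates
+kubeVersion: '>=1.24.0-0'
+maintainers:
+  - name: TrueCharts
+    email: info@truecharts.org
+    url: https://truecharts.org
+name: clusterissuer
+sources:
+  - https://cert-manager.io/
+  - https://github.com/truecharts/charts/tree/master/charts/premium/clusterissuer
+  - https://hub.docker.com/_/hello-world
+type: application
+version: 7.5.3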
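--- a/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
+++ b/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
@@ -0,0 +1,28 @@
+---
+title: README
+---
+
+## General Info
+
+TrueCharts can be installed as both _normal_ Helm Charts or as Apps on TrueNAS SCALE.
+However only installations using the TrueNAS SCALE Apps system are supported.
+
+For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/premium/clusterissuer)
+
+**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
+
+## Support
+
+- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE/guides/scale-intro).
+- See the [Website](https://truecharts.org)
+- Check our [Discord](https://discord.gg/tVsPTHWTtr)
+- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
+
+---
+
+## Sponsor TrueCharts
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
+
+_All Rights Reserved - The TrueCharts Project_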
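--- a/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
+++ b/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
@@ -0,0 +1,9 @@
+
+
+## [clusterissuer-7.5.3](https://github.com/truecharts/charts/compare/clusterissuer-7.5.2...clusterissuer-7.5.3) (2024-03-16)
+
+### Chore
+
+
+
+- rename `enterprise`- train to `premium`-train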
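--- a/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
+++ b/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
@@ -0,0 +1,8 @@
+Certificate management for Kubernetes
+
+This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/premium/clusterissuer](https://truecharts.org/charts/premium/clusterissuer)
+
+---
+
+TrueCharts can only exist due to the incredible effort of our staff.
+Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!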
Binary file not shown.
|
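--- a/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
+++ b/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
@@ -0,0 +1,104 @@
+image:
+  repository: hello-world
+  tag: latest@sha256:d000bc569937abbe195e20322a0bde6b2922d805332fd6d8a68b19f524b7d21d
+  pullPolicy: IfNotPresent
+manifestManager:
+  enabled: true
+workload:
+  main:
+    enabled: false
+    podSpec:
+      containers:
+        main:
+          enabled: false
+          probes:
+            liveness:
+              enabled: false
+            readiness:
+              enabled: false
+            startup:
+              enabled: false
+service:
+  main:
+    enabled: false
+    ports:
+      main:
+        enabled: false
+        port: 9999
+portal:
+  open:
+    enabled: false
+operator:
+  verify:
+    additionalOperators:
+      - cert-manager
+    enabled: true
+    failOnError: false
+clusterIssuer:
+  selfSigned:
+    enabled: true
+    name: "selfsigned"
+  CA: []
+  # - name: myca
+  #   selfSigned: true
+  #   selfSignedCommonName: "my-selfsigned-ca"
+  #   # Used to manually define a CA-crt not used when selfSigned is enabled
+  #   crt: ""
+  #   key: ""
+  #   # TODO: Add option to use SCALE CA certs
+
+  ACME: []
+  # - name: letsencrypt
+  #   # Used for both logging in to the DNS provider AND ACME registration
+  #   email: ""
+  #   server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
+  #   # Used primarily for the SCALE GUI
+  #   customServer: 'https://acme-staging-v02.api.letsencrypt.org/directory'
+  #   email: ""
+  #   # Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136, acmedns
+  #   type: ""
+  #   # for cloudflare
+  #   cfapikey: ""
+  #   cfapitoken: ""
+  #   # for route53
+  #   region: ""
+  #   accessKeyID: ""
+  #   route53SecretAccessKey: ""
+  #   # optional for route53
+  #   role: ""
+  #   # for akamai
+  #   serviceConsumerDomain: ""
+  #   akclientToken: ""
+  #   akclientSecret: ""
+  #   akaccessToken: ""
+  #   # for digitalocean
+  #   doaccessToken: ""
+  #   # for rfc2136
+  #   nameserver: ""
+  #   tsigKeyName: ""
+  #   tsigAlgorithm: ""
+  #   rfctsigSecret: ""
+  #   # for acmedns
+  #   name: sd
+  #   acmednsHost: asdf
+  #   # Pick one of the bellow acmednsConfig
+  #   acmednsConfigJson:
+  #   acmednsConfig:
+  #     - domain: ""
+  #       username: ""
+  #       password: ""
+  #       fulldomain: ""
+  #       subdomain: ""
+  #       allowFrom: []
+
+clusterCertificates:
+  # Namespaces in which the certificates must be available
+  # Accepts comma-separated regex expressions
+  # replicationNamespaces: 'ix-.*'
+  certificates: []
+  # - name: mycert
+  #   enabled: true
+  #   certificateIssuer: selfsigned
+  #   hosts:
+  #     - my.domain.com
+  #     - '*.my.domain.com'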
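Review bot: `failOnError: false` under `operator.verify` sits next to `additionalOperators: [cert-manager]`, and if that flag only downgrades a failed check to a warning (I cannot confirm the common library's semantics from this page), an install on a cluster without cert-manager proceeds to render the `cert-manager.io/v1` ClusterIssuer objects and fails later at apply time with a far less actionable error; consider `failOnError: true` here, or a comment stating why a soft failure is wanted. Minor, in the commented ACME example: `#   email: ""` appears twice in the same entry, and `# Pick one of the bellow acmednsConfig` should read `below`.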
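--- a/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
+++ b/charts/premium/clusterissuer/FILENAME_PLACEHOLDER
@@ -0,0 +1,446 @@
+groups:
+  - name: Container Image
+    description: Image to be used for container
+  - name: General Settings
+    description: General Deployment Settings
+  - name: Workload Settings
+    description: Workload Settings
+  - name: App Configuration
+    description: App Specific Config Options
+  - name: Networking and Services
+    description: Configure Network and Services for Container
+  - name: Storage and Persistence
+    description: Persist and Share Data that is Separate from the Container
+  - name: Ingress
+    description: Ingress Configuration
+  - name: Security and Permissions
+    description: Configure Security Context and Permissions
+  - name: Resources and Devices
+    description: "Specify Resources/Devices to be Allocated to Workload"
+  - name: Middlewares
+    description: Traefik Middlewares
+  - name: Metrics
+    description: Metrics
+  - name: Addons
+    description: Addon Configuration
+  - name: Backup Configuration
+    description: Configure Velero Backup Schedule
+  - name: Advanced
+    description: Advanced Configuration
+  - name: Postgresql
+    description: Postgresql
+  - name: Documentation
+    description: Documentation
+
+questions:
+  - variable: global
+    group: General Settings
+    label: "Global Settings"
+    schema:
+      additional_attrs: true
+      type: dict
+      attrs:
+        - variable: stopAll
+          label: Stop All
+          description: "Stops All Running pods and hibernates cnpg"
+          schema:
+            type: boolean
+            default: false
+
+  - variable: clusterIssuer
+    group: App Configuration
+    label: Cluster Certificate Issuer
+    schema:
+      additional_attrs: true
+      type: dict
+      attrs:
+        - variable: ACME
+          label: 'ACME Issuer'
+          schema:
+            type: list
+            default: []
+            items:
+              - variable: ACMEEntry
+                label: 'ACME Issuer Entry'
+                schema:
+                  additional_attrs: true
+                  type: dict
+                  attrs:
+                    - variable: name
+                      label: Name
+                      description: "Name to give the issuer"
+                      schema:
+                        type: string
+                        required: true
+                        valid_chars: '^[a-z]+(-?[a-z]){0,63}-?[a-z]+$'
+                        default: ""
+                    - variable: type
+                      label: Type or DNS-Provider
+                      description: DNS Provider
+                      schema:
+                        type: string
+                        default: cloudflare
+                        enum:
+                          - value: cloudflare
+                            description: Cloudflare
+                          - value: route53
+                            description: Route53
+                          - value: akamai
+                            description: Akamai
+                          - value: digitalocean
+                            description: Digitalocean
+                          - value: rfc2136
+                            description: rfc2136 (Advanced)
+                          - value: HTTP01
+                            description: HTTP01 (Experimental)
+                          - value: acmedns
+                            description: ACME DNS (Advanced)
+                    - variable: server
+                      label: Server
+                      description: "Server for ACME, for example: letsencrypt"
+                      schema:
+                        type: string
+                        default: 'Letsencrypt-Production'
+                        enum:
+                          - value: 'https://acme-v02.api.letsencrypt.org/directory'
+                            description: Letsencrypt-Production
+                          - value: 'https://acme-staging-v02.api.letsencrypt.org/directory'
+                            description: Letsencrypt-Staging
+                          - value: 'https://api.buypass.no/acme-v02/directory'
+                            description: BuyPass-Production
+                          - value: 'https://api.test4.buypass.no/acme-v02/directory'
+                            description: BuyPass-Staging
+                          - value: custom
+                            description: Custom
+                    - variable: customServer
+                      label: Custom ACME Server (Advanced)
+                      description: "This can be used to enter your own custom ACME server"
+                      schema:
+                        type: string
+                        show_if: [["server", "=", "custom"]]
+                        default: 'https://acme-staging-v02.api.letsencrypt.org/directory'
+                    - variable: caBundle
+                      label: Trusted CABundle for private ACME server
+                      description: "Trusted CABundle for private ACME server, encoded in base64"
+                      schema:
+                        type: string
+                        show_if: [["server", "=", "custom"]]
+                    - variable: email
+                      label: Email
+                      description: "Email adress to use for certificate issuing must match your DNS provider email when required"
+                      schema:
+                        type: string
+                        required: true
+                        default: "something@example.com"
+                    - variable: cfapikey
+                      label: CloudFlare API key
+                      description: "CloudFlare API Key"
+                      schema:
+                        show_if: [["type", "=", "cloudflare"]]
+                        type: string
+                        default: ""
+                    - variable: cfapitoken
+                      label: CloudFlare API Token
+                      description: "CloudFlare API Token"
+                      schema:
+                        show_if: [["type", "=", "cloudflare"]]
+                        type: string
+                        default: ""
+                    - variable: region
+                      label: Route53 Region
+                      description: "Route 53 Region"
+                      schema:
+                        show_if: [["type", "=", "route53"]]
+                        type: string
+                        required: true
+                        default: "us-west-1"
+                    - variable: accessKeyID
+                      label: Route53 accessKeyID
+                      description: "Route53 accessKeyID"
+                      schema:
+                        show_if: [["type", "=", "route53"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: route53SecretAccessKey
+                      label: Route53 Secret Access Key
+                      description: "Route53 Secret Access Key"
+                      schema:
+                        show_if: [["type", "=", "route53"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: role
+                      label: Route53 Role (optional)
+                      description: "Route53 Role"
+                      schema:
+                        show_if: [["type", "=", "route53"]]
+                        type: string
+                        default: ""
+                    - variable: serviceConsumerDomain
+                      label: Akamai Service Consumer Domain
+                      description: "Akamai Service Consumer Domain"
+                      schema:
+                        show_if: [["type", "=", "akamai"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: akclientToken
+                      label: Akamai Client Token
+                      description: "Client Token"
+                      schema:
+                        show_if: [["type", "=", "akamai"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: akclientSecret
+                      label: Akamai Client Secret
+                      description: "Akamai Client Secret"
+                      schema:
+                        show_if: [["type", "=", "akamai"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: akaccessToken
+                      label: Akamai Access Token
+                      description: "Akamai Access Token"
+                      schema:
+                        show_if: [["type", "=", "akamai"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: doaccessToken
+                      label: Digitalocean Access Token
+                      description: "Digitalocean Access Token"
+                      schema:
+                        show_if: [["type", "=", "digitalocean"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: nameserver
+                      label: rfc2136 Namesever
+                      description: "rfc2136 Namesever"
+                      schema:
+                        show_if: [["type", "=", "rfc2136"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: tsigKeyName
+                      label: rfc2136 tsig Key Name
+                      description: "rfc2136 tsig Key Name"
+                      schema:
+                        show_if: [["type", "=", "rfc2136"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: tsigAlgorithm
+                      label: rfc2136 tsig Algorithm
+                      description: "rfc2136 tsig Algorithm"
+                      schema:
+                        show_if: [["type", "=", "rfc2136"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: rfctsigSecret
+                      label: rfc2136 sig Secret
+                      description: "rfc2136 sig Secret"
+                      schema:
+                        show_if: [["type", "=", "rfc2136"]]
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: acmednsHost
+                      label: ACME DNS host
+                      description: "ACME DNS API server address"
+                      schema:
+                        show_if: [["type", "=", "acmedns"]]
+                        type: string
+                        required: true
+                        default: "https://auth.acme-dns.io"
+                    - variable: acmednsConfig
+                      label: ACME DNS config
+                      description: "ACME DNS per-domain auth configuration"
+                      schema:
+                        show_if: [["type", "=", "acmedns"]]
+                        type: list
+                        default: []
+                        items:
+                          - variable: acmednsEntry
+                            label: 'ACME DNS entry'
+                            schema:
+                              type: dict
+                              attrs:
+                                - variable: domain
+                                  label: Domain
+                                  schema:
+                                    type: string
+                                    required: true
+                                - variable: username
+                                  label: Username
+                                  schema:
+                                    type: string
+                                    required: true
+                                - variable: password
+                                  label: Password
+                                  schema:
+                                    type: string
+                                    required: true
+                                - variable: fulldomain
+                                  label: Full domain
+                                  schema:
+                                    type: string
+                                    required: true
+                                - variable: subdomain
+                                  label: Subdomain
+                                  schema:
+                                    type: string
+                                    required: true
+                                - variable: allowFrom
+                                  label: Allow from
+                                  schema:
+                                    type: list
+                                    default: []
+                                    items:
+                                      - variable: cidr
+                                        label: CIDR
+                                        schema:
+                                          type: ipaddr
+                                          cidr: true
+                                          required: true
+        - variable: CA
+          label: Certificate Authority Issuer
+          schema:
+            type: list
+            default: []
+            items:
+              - variable: CAEntry
+                label: 'CA Issuer Entry'
+                schema:
+                  additional_attrs: true
+                  type: dict
+                  attrs:
+                    - variable: name
+                      label: Name
+                      description: "Name to give the issuer"
+                      schema:
+                        type: string
+                        required: true
+                        valid_chars: '^[a-z]+(-?[a-z]){0,63}-?[a-z]+$'
+                        default: ""
+                    - variable: selfSigned
+                      label: selfSigned
+                      description: "Create Self Signed CA cert"
+                      schema:
+                        type: boolean
+                        default: true
+                    - variable: selfSignedCommonName
+                      label: selfSigned CommonName
+                      description: "Common name for selfSigned Certiticate Authority"
+                      schema:
+                        type: string
+                        required: true
+                        show_if: [["selfSigned", "=", true]]
+                        default: "my-selfsigned-ca"
+                    - variable: crt
+                      label: "Custom CA cert (experimental)"
+                      description: "certificate for Certiticate Authority"
+                      schema:
+                        type: string
+                        required: true
+                        max_length: 10240
+                        show_if: [["selfSigned", "=", false]]
+                        default: ""
+                    - variable: key
+                      label: "Custom CA key (experimental)"
+                      description: "key Certiticate Authority"
+                      schema:
+                        type: string
+                        required: true
+                        max_length: 10240
+                        show_if: [["selfSigned", "=", false]]
+                        default: ""
+        - variable: selfSigned
+          label: 'SelfSigned Issuer'
+          schema:
+            additional_attrs: true
+            type: dict
+            attrs:
+              - variable: enabled
+                label: enabled
+                description: "Enable self-signed issuer"
+                schema:
+                  type: boolean
+                  default: true
+              - variable: name
+                label: Name
+                description: "Name to give the issuer"
+                schema:
+                  type: string
+                  required: true
+                  valid_chars: '^[a-z]+(-?[a-z]){0,63}-?[a-z]+$'
+                  default: "selfsigned"
+  - variable: clusterCertificates
+    group: App Configuration
+    label: Cluster Wide Certificates (Advanced)
+    description: "Creates certificates for use within the entire cluster. Can be used to create wildcard certificates."
+    schema:
+      additional_attrs: true
+      type: dict
+      attrs:
+        - variable: certificates
+          label: Cluster Certificates
+          schema:
+            type: list
+            default: []
+            items:
+              - variable: CertEntry
+                label: 'Certificate Entry'
+                schema:
+                  additional_attrs: true
+                  type: dict
+                  attrs:
+                    - variable: enabled
+                      label: Enabled
+                      schema:
+                        type: boolean
+                        default: true
+                    - variable: name
+                      label: Certificate Name
+                      schema:
+                        type: string
+                        required: true
+                        default: ""
+                    - variable: certificateIssuer
+                      label: Cert-Manager clusterIssuer
+                      description: "One of the Cert-Manager clusterIssuers defined above"
+                      schema:
+                        type: string
+                        required: true
+                        valid_chars: '^[a-z]+(-?[a-z]){0,63}-?[a-z]+$'
+                        default: "selfsigned"
+                    - variable: hosts
+                      label: Certificate Hosts
+                      description: "NOTE: Creation of wildcard certificates with an ACME issuer requires a DNSO1 solver to be set up."
+                      schema:
+                        type: list
+                        default: []
+                        items:
+                          - variable: host
+                            label: Host
+                            schema:
+                              type: string
+                              default: ""
+                              required: true
+  - variable: customMetrics
+    group: Metrics
+    label: Prometheus Metrics
+    schema:
+      additional_attrs: true
+      type: dict
+      attrs:
+        - variable: enabled
+          label: Enabled
+          description: Enable Prometheus Metrics
+          schema:
+            type: boolean
+            default: true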
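Review bot: The credential questions in the ACME and CA entries — `cfapikey`, `cfapitoken`, `route53SecretAccessKey`, `akclientToken`, `akclientSecret`, `akaccessToken`, `doaccessToken`, `rfctsigSecret`, the acmedns `password`, and the CA `key` — are declared as bare `type: string` without `private: true`, so the SCALE form renders them in clear text and they stay unmasked wherever the app's configuration is shown; each of those `schema:` blocks should carry `private: true` so the UI treats them as secrets. The `server` question sets `default: 'Letsencrypt-Production'`, which is one of the enum *descriptions* rather than a `value` (the values are the directory URLs), so the default can never match an allowed entry; it should be `default: 'https://acme-v02.api.letsencrypt.org/directory'`. Wording: `DNSO1` in the `hosts` description should be `DNS01`, and `Email adress` should be `Email address`.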
@ -0,0 +1 @@
|
|||
{{- include "tc.v1.common.lib.chart.notes" $ -}}
|
|
@ -0,0 +1,128 @@
|
|||
{{- define "certmanager.clusterissuer.acme" -}}
|
||||
{{- $operator := index $.Values.operator "cert-manager" -}}
|
||||
{{- $namespace := $operator.namespace | default "cert-manager" -}}
|
||||
|
||||
{{- $rfctsigSecret := .rfctsigSecret | default "" -}}
|
||||
{{/* https://cert-manager.io/docs/configuration/acme/dns01/rfc2136/#troubleshooting */}}
|
||||
{{- if $rfctsigSecret -}} {{/* If we try to decode and fail, go on and encode it. */}}
|
||||
{{- if (contains "illegal base64" (b64dec $rfctsigSecret)) -}}
|
||||
{{- $rfctsigSecret = b64enc $rfctsigSecret -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- range .Values.clusterIssuer.ACME }}
|
||||
{{- if or (not .name) (not (mustRegexMatch "^[a-z]+(-?[a-z]){0,63}-?[a-z]+$" .name)) -}}
|
||||
{{- fail "ACME - Expected name to be all lowercase with hyphens, but not start or end with a hyphen" -}}
|
||||
{{- end -}}
|
||||
{{- $validTypes := list "HTTP01" "cloudflare" "route53" "digitalocean" "akamai" "rfc2136" "acmedns" -}}
|
||||
{{- if not (mustHas .type $validTypes) -}}
|
||||
{{- fail (printf "Expected ACME type to be one of [%s], but got [%s]" (join ", " $validTypes) .type) -}}
|
||||
{{- end -}}
|
||||
{{- $issuerSecretName := printf "%s-clusterissuer-secret" .name }}
|
||||
{{- $acmednsDict := dict -}}
|
||||
{{- if and (eq .type "acmedns") (not .acmednsConfigJson) }}
|
||||
{{- range .acmednsConfig }}
|
||||
{{/* Transform to a dict with domain as a key, also remove domain from the dict */}}
|
||||
{{- $_ := set $acmednsDict .domain (omit . "domain") -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ .name }}
|
||||
spec:
|
||||
acme:
|
||||
email: {{ .email }}
|
||||
server: {{ if eq .server "custom" }}{{ .customServer }}{{ else }}{{ .server }}{{ end }}
|
||||
{{- if .caBundle }}
|
||||
caBundle: {{ .caBundle }}
|
||||
{{- end }}
|
||||
privateKeySecretRef:
|
||||
name: {{ .name }}-acme-clusterissuer-account-key
|
||||
solvers:
|
||||
{{- if eq .type "HTTP01" }}
|
||||
- http01:
|
||||
ingress: {}
|
||||
{{- else }}
|
||||
- dns01:
|
||||
{{- if eq .type "cloudflare" }}
|
||||
cloudflare:
|
||||
email: {{ .email }}
|
||||
{{- if .cfapitoken }}
|
||||
apiTokenSecretRef:
|
||||
name: {{ $issuerSecretName }}
|
||||
key: cf-api-token
|
||||
{{- else if .cfapikey }}
|
||||
apiKeySecretRef:
|
||||
name: {{ $issuerSecretName }}
|
||||
key: cf-api-key
|
||||
{{- else -}}
|
||||
{{- fail "A cloudflare API key or token is required" -}}
|
||||
{{- end -}}
|
||||
{{- else if eq .type "route53" }}
|
||||
route53:
|
||||
region: {{ .region }}
|
||||
accessKeyID: {{ .accessKeyID }}
|
||||
{{- if .role }}
|
||||
role: {{ .role }}
|
||||
{{- end }}
|
||||
secretAccessKeySecretRef:
|
||||
name: {{ $issuerSecretName }}
|
||||
key: route53-secret-access-key
|
||||
{{- else if eq .type "akamai" }}
|
||||
akamai:
|
||||
serviceConsumerDomain: {{ .serviceConsumerDomain }}
|
||||
clientTokenSecretRef:
|
||||
name: {{ $issuerSecretName }}
|
||||
key: akclientToken
|
||||
clientSecretSecretRef:
|
||||
name: {{ $issuerSecretName }}
|
||||
key: akclientSecret
|
||||
accessTokenSecretRef:
|
||||
name: {{ $issuerSecretName }}
|
||||
key: akaccessToken
|
||||
{{- else if eq .type "digitalocean" }}
|
||||
digitalocean:
|
||||
tokenSecretRef:
|
||||
name: {{ $issuerSecretName }}
|
||||
key: doaccessToken
|
||||
{{- else if eq .type "rfc2136" }}
|
||||
rfc2136:
|
||||
nameserver: {{ .nameserver }}
|
||||
tsigKeyName: {{ .tsigKeyName }}
|
||||
tsigAlgorithm: {{ .tsigAlgorithm }}
|
||||
tsigSecretSecretRef:
|
||||
name: {{ $issuerSecretName }}
|
||||
key: rfctsigSecret
|
||||
{{- else if eq .type "acmedns" }}
|
||||
acmeDNS:
|
||||
host: {{ .acmednsHost }}
|
||||
accountSecretRef:
|
||||
name: {{ $issuerSecretName }}
|
||||
key: acmednsJson
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
namespace: {{ $namespace }}
|
||||
name: {{ $issuerSecretName }}
|
||||
type: Opaque
|
||||
stringData:
|
||||
cf-api-token: {{ .cfapitoken | default "" }}
|
||||
cf-api-key: {{ .cfapikey | default "" }}
|
||||
route53-secret-access-key: {{ .route53SecretAccessKey | default "" }}
|
||||
akclientToken: {{ .akclientToken | default "" }}
|
||||
akclientSecret: {{ .akclientSecret | default "" }}
|
||||
akaccessToken: {{ .akaccessToken | default "" }}
|
||||
doaccessToken: {{ .doaccessToken | default "" }}
|
||||
rfctsigSecret: {{ $rfctsigSecret }}
|
||||
{{- if .acmednsConfigJson }}
|
||||
acmednsJson: {{ .acmednsConfigJson }}
|
||||
{{- else if $acmednsDict }}
|
||||
acmednsJson: {{ toJson $acmednsDict | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
|
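Review bot: The Secret's stringData values, from `cf-api-token: {{ .cfapitoken | default "" }}` down to `rfctsigSecret: {{ $rfctsigSecret }}`, are rendered as unquoted plain scalars, so a credential containing `: ` or ` #`, or starting with a YAML indicator such as `*`, `&` or `{`, either breaks rendering or silently changes the stored value; `email: {{ .email }}` and the `server:` line have the same exposure. Piping each through `| quote` (for example `cf-api-token: {{ .cfapitoken | default "" | quote }}`) makes the Secret robust to arbitrary secret material, and an empty default then yields `""` rather than a null value in a string map. The base64 detection via `contains "illegal base64" (b64dec $rfctsigSecret)` depends on the decoder's error text and passes a raw key through unencoded whenever it happens to be valid base64, so a comment stating that `rfctsigSecret` may be supplied raw or pre-encoded, and that ambiguous short keys should be pre-encoded by the user, would save the next maintainer a debugging session.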
@ -0,0 +1,54 @@
|
|||
{{- define "certmanager.clusterissuer.ca" -}}
|
||||
{{- $operator := index $.Values.operator "cert-manager" -}}
|
||||
{{- $namespace := $operator.namespace | default "cert-manager" -}}
|
||||
|
||||
{{- range .Values.clusterIssuer.CA }}
|
||||
{{- if not (mustRegexMatch "^[a-z]+(-?[a-z]){0,63}-?[a-z]+$" .name) -}}
|
||||
{{- fail "CA - Expected name to be all lowercase with hyphens, but not start or end with a hyphen" -}}
|
||||
{{- end -}}
|
||||
{{- if .selfSigned }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ .name }}-selfsigned-ca-issuer
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ .name }}-selfsigned-ca
|
||||
namespace: {{ $namespace }}
|
||||
spec:
|
||||
isCA: true
|
||||
commonName: {{ .selfSignedCommonName }}
|
||||
secretName: {{ .name }}-ca
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
size: 256
|
||||
issuerRef:
|
||||
name: {{ .name }}-selfsigned-ca-issuer
|
||||
kind: ClusterIssuer
|
||||
group: cert-manager.io
|
||||
{{- else }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ .name }}-ca
|
||||
namespace: {{ $namespace }}
|
||||
data:
|
||||
tls.crt: {{ .crt | replace " CERTIFICATE" "_CERTIFICATE" | replace " " "\n" | replace "_CERTIFICATE" " CERTIFICATE" | b64enc }}
|
||||
tls.key: {{ .key | replace " PRIVATE KEY" "_PRIVATE_KEY" | replace " " "\n" | replace "_PRIVATE_KEY" " PRIVATE KEY" | b64enc }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ .name }}
|
||||
spec:
|
||||
ca:
|
||||
secretName: {{ .name }}-ca
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
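Review bot: The PEM reconstruction on the `tls.key:` line only protects the header text `PRIVATE KEY`, so an `RSA PRIVATE KEY` (PKCS#1) or `EC PRIVATE KEY` (SEC1) header gets the space after `BEGIN`/`END` turned into a newline and the resulting key is unparseable; only PKCS#8 keys survive the rewrite. Protecting those variants before the whitespace pass fixes it: `tls.key: {{ .key | replace " PRIVATE KEY" "_PRIVATE_KEY" | replace " RSA_PRIVATE_KEY" "_RSA_PRIVATE_KEY" | replace " EC_PRIVATE_KEY" "_EC_PRIVATE_KEY" | replace " " "\n" | replace "_RSA_PRIVATE_KEY" " RSA PRIVATE KEY" | replace "_EC_PRIVATE_KEY" " EC PRIVATE KEY" | replace "_PRIVATE_KEY" " PRIVATE KEY" | b64enc }}`. The name validation `{{- if not (mustRegexMatch "^[a-z]+(-?[a-z]){0,63}-?[a-z]+$" .name) -}}` also lacks the `(not .name)` guard the ACME template uses, so a missing name presumably fails inside mustRegexMatch with a generic error instead of the chart's own message.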
@ -0,0 +1,34 @@
|
|||
{{- define "certmanager.clusterissuer.clusterCertificates" -}}
|
||||
{{- if .Values.clusterCertificates -}}
|
||||
{{- $secretTemplates := dict -}}
|
||||
{{- $certNamespace := (include "tc.v1.common.lib.metadata.namespace" (dict "rootCtx" $ "objectData" dict "caller" "ClusterCertificates")) -}}
|
||||
{{- $replicationNamespaces := ".*" -}}
|
||||
{{- if .Values.clusterCertificates.replicationNamespaces -}}
|
||||
{{- $replicationNamespaces = .Values.clusterCertificates.replicationNamespaces -}}
|
||||
{{- else if .Values.ixChartContext -}}
|
||||
{{- $replicationNamespaces = "ix-.*" -}}
|
||||
{{- end -}}
|
||||
{{- $reflectorAnnotations := (dict
|
||||
"reflector.v1.k8s.emberstack.com/reflection-allowed" "true"
|
||||
"reflector.v1.k8s.emberstack.com/reflection-auto-enabled" "true"
|
||||
"reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces" (printf "%v,%v" $certNamespace $replicationNamespaces)
|
||||
"reflector.v1.k8s.emberstack.com/reflection-auto-namespaces" $replicationNamespaces ) -}}
|
||||
{{- $certAnnotations := (mustMerge ($reflectorAnnotations) (include "tc.v1.common.lib.metadata.allAnnotations" $ | fromYaml)) -}}
|
||||
|
||||
{{- $_ := set $secretTemplates "annotations" $certAnnotations -}}
|
||||
|
||||
{{- if not $.Values.certificate -}}
|
||||
{{- $_ := set $.Values "certificate" dict -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- range .Values.clusterCertificates.certificates -}}
|
||||
{{- $_ := set $.Values.certificate .name (dict
|
||||
"enabled" .enabled
|
||||
"hosts" .hosts
|
||||
"certificateIssuer" .certificateIssuer
|
||||
"certificateSecretTemplate" $secretTemplates
|
||||
) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- end -}}
|
||||
{{- end -}}
|
|
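Review bot: The fallback `{{- $replicationNamespaces := ".*" -}}`, fed into the `reflection-allowed-namespaces` and `reflection-auto-namespaces` annotations, means that outside the TrueNAS context every cluster certificate's Secret — private key included — is automatically copied into every namespace unless the user sets `replicationNamespaces`. For a wildcard certificate that is a wide blast radius, and nothing in the template says so; a comment such as `{{/* ".*" replicates the TLS secret (and its private key) into all namespaces; set clusterCertificates.replicationNamespaces to restrict this */}}` would make the choice visible, and a narrower default could be considered. `mustMerge ($reflectorAnnotations) (...)` also gives the reflector keys precedence over user-supplied annotations, which looks intended but is worth a one-line comment.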
@ -0,0 +1,14 @@
|
|||
{{- define "certmanager.clusterissuer.selfsigned" -}}
|
||||
{{- if .Values.clusterIssuer.selfSigned.enabled -}}
|
||||
{{- if not (mustRegexMatch "^[a-z]+(-?[a-z]){0,63}-?[a-z]+$" .Values.clusterIssuer.selfSigned.name) -}}
|
||||
{{- fail "Self Singed Issuer - Expected name to be all lowercase with hyphens, but not start or end with a hyphen" -}}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ .Values.clusterIssuer.selfSigned.name }}
|
||||
spec:
|
||||
selfSigned: {}
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
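Review bot: The failure message at `{{- fail "Self Singed Issuer - Expected name to be all lowercase with hyphens, but not start or end with a hyphen" -}}` misspells "Signed"; since this is the text users see when name validation trips, it should read `{{- fail "Self Signed Issuer - Expected name to be all lowercase with hyphens, but not start or end with a hyphen" -}}`.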
@ -0,0 +1,16 @@
|
|||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "tc.v1.common.loader.init" . }}
|
||||
|
||||
{{/*
|
||||
Generate certificate data and set them to $.Values.ceritificate
|
||||
Let common handle the creation of the objects
|
||||
*/}}
|
||||
{{- include "certmanager.clusterissuer.clusterCertificates" . }}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
{{ include "tc.v1.common.loader.apply" . }}
|
||||
|
||||
{{/* Generate the cluster issuers */}}
|
||||
{{- include "certmanager.clusterissuer.acme" . }}
|
||||
{{- include "certmanager.clusterissuer.selfsigned" . }}
|
||||
{{- include "certmanager.clusterissuer.ca" . }}
|
|
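Review bot: The comment `Generate certificate data and set them to $.Values.ceritificate` misspells `certificate` and does not say why this include must run before `tc.v1.common.loader.apply`; suggest `Populate $.Values.certificate from clusterCertificates before loader.apply so common renders the Certificate objects`. A similar one-liner above the three issuer includes, noting that they are emitted as separate documents after common's objects on purpose, would make the ordering explicit for the next reader.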
@ -0,0 +1,4 @@
|
|||
icon_url: https://truecharts.org/img/hotlink-ok/chart-icons/clusterissuer.png
|
||||
categories:
|
||||
- core
|
||||
screenshots: []
|
|
@ -0,0 +1,30 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
# OWNERS file for Kubernetes
|
||||
OWNERS
|
||||
# helm-docs templates
|
||||
*.gotmpl
|
||||
# docs folder
|
||||
/docs
|
||||
# icon
|
||||
icon.png
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
title: Changelog
|
||||
---
|
||||
|
||||
|
||||
*for the complete changelog, please refer to the website*
|
||||
|
||||
**Important:**
|
||||
|
||||
|
||||
## [grafana-14.6.3](https://github.com/truecharts/charts/compare/grafana-14.6.2...grafana-14.6.3) (2024-03-16)
|
||||
|
||||
### Chore
|
||||
|
||||
|
||||
|
||||
- rename `enterprise`- train to `premium`-train
|
|
@ -0,0 +1,41 @@
|
|||
annotations:
|
||||
max_scale_version: 24.04.0
|
||||
min_scale_version: 23.10.0
|
||||
truecharts.org/SCALE-support: "true"
|
||||
truecharts.org/category: metrics
|
||||
truecharts.org/max_helm_version: "3.14"
|
||||
truecharts.org/min_helm_version: "3.12"
|
||||
truecharts.org/train: premium
|
||||
apiVersion: v2
|
||||
appVersion: 10.4.0
|
||||
dependencies:
|
||||
- name: common
|
||||
version: 20.0.9
|
||||
repository: oci://tccr.io/truecharts
|
||||
condition: ""
|
||||
alias: ""
|
||||
tags: []
|
||||
import-values: []
|
||||
deprecated: false
|
||||
description: Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, Elasticsearch, OpenTSDB, Prometheus and InfluxDB.
|
||||
home: https://truecharts.org/charts/premium/grafana
|
||||
icon: https://truecharts.org/img/hotlink-ok/chart-icons/grafana.png
|
||||
keywords:
|
||||
- analytics
|
||||
- monitoring
|
||||
- metrics
|
||||
- logs
|
||||
kubeVersion: '>=1.24.0-0'
|
||||
maintainers:
|
||||
- name: TrueCharts
|
||||
email: info@truecharts.org
|
||||
url: https://truecharts.org
|
||||
name: grafana
|
||||
sources:
|
||||
- https://grafana.com/
|
||||
- https://github.com/bitnami/bitnami-docker-grafana
|
||||
- https://github.com/truecharts/charts/tree/master/charts/premium/grafana
|
||||
- https://quay.io/kiwigrid/k8s-sidecar
|
||||
- https://hub.docker.com/r/grafana/grafana
|
||||
type: application
|
||||
version: 14.6.3
|
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
title: README
|
||||
---
|
||||
|
||||
## General Info
|
||||
|
||||
TrueCharts can be installed as both _normal_ Helm Charts or as Apps on TrueNAS SCALE.
|
||||
However only installations using the TrueNAS SCALE Apps system are supported.
|
||||
|
||||
For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/premium/grafana)
|
||||
|
||||
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
|
||||
|
||||
## Support
|
||||
|
||||
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE/guides/scale-intro).
|
||||
- See the [Website](https://truecharts.org)
|
||||
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
|
||||
- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
|
||||
|
||||
---
|
||||
|
||||
## Sponsor TrueCharts
|
||||
|
||||
TrueCharts can only exist due to the incredible effort of our staff.
|
||||
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
|
||||
|
||||
_All Rights Reserved - The TrueCharts Project_
|
|
@ -0,0 +1,9 @@
|
|||
|
||||
|
||||
## [grafana-14.6.3](https://github.com/truecharts/charts/compare/grafana-14.6.2...grafana-14.6.3) (2024-03-16)
|
||||
|
||||
### Chore
|
||||
|
||||
|
||||
|
||||
- rename `enterprise`- train to `premium`-train
|
|
@ -0,0 +1,8 @@
|
|||
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, Elasticsearch, OpenTSDB, Prometheus and InfluxDB.
|
||||
|
||||
This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/premium/grafana](https://truecharts.org/charts/premium/grafana)
|
||||
|
||||
---
|
||||
|
||||
TrueCharts can only exist due to the incredible effort of our staff.
|
||||
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
|
|
@ -0,0 +1,346 @@
|
|||
image:
|
||||
repository: grafana/grafana
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 10.4.0@sha256:f9811e4e687ffecf1a43adb9b64096c50bc0d7a782f8608530f478b6542de7d5
|
||||
|
||||
sidecarImage:
|
||||
repository: quay.io/kiwigrid/k8s-sidecar
|
||||
tag: 1.26.1@sha256:b8d5067137fec093cf48670dc3a1dbb38f9e734f3a6683015c2e89a45db5fd16
|
||||
|
||||
securityContext:
|
||||
container:
|
||||
readOnlyRootFilesystem: false
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
main:
|
||||
protocol: http
|
||||
targetPort: 3000
|
||||
port: 3000
|
||||
workload:
|
||||
main:
|
||||
replicas: 2
|
||||
strategy: RollingUpdate
|
||||
podSpec:
|
||||
containers:
|
||||
main:
|
||||
env:
|
||||
GF_SECURITY_ADMIN_USER: "admin"
|
||||
GF_SECURITY_ADMIN_PASSWORD: "testpassword"
|
||||
GF_INSTALL_PLUGINS: ""
|
||||
GF_AUTH_LDAP_ENABLED: "false"
|
||||
GF_AUTH_LDAP_ALLOW_SIGN_UP: "false"
|
||||
GF_SERVER_HTTP_PORT: 3000
|
||||
GF_DATABASE_TYPE: postgres
|
||||
GF_DATABASE_NAME: "{{ .Values.cnpg.main.user }}"
|
||||
GF_DATABASE_USER: "{{ .Values.cnpg.main.database }}"
|
||||
GF_DATABASE_SSL_MODE: disable
|
||||
GF_DATABASE_HOST:
|
||||
secretKeyRef:
|
||||
name: cnpg-main-urls
|
||||
key: host
|
||||
GF_DATABASE_PASSWORD:
|
||||
secretKeyRef:
|
||||
name: cnpg-main-user
|
||||
key: password
|
||||
probes:
|
||||
liveness:
|
||||
path: "/api/health"
|
||||
readiness:
|
||||
path: "/api/health"
|
||||
startup:
|
||||
path: "/api/health"
|
||||
dashboards:
|
||||
enabled: true
|
||||
imageSelector: sidecarImage
|
||||
env:
|
||||
IGNORE_ALREADY_PROCESSED: false
|
||||
METHOD: WATCH
|
||||
LABEL: grafana_dashboard
|
||||
LABEL_VALUE: "1"
|
||||
LOG_LEVEL: info
|
||||
FOLDER: /tmp/dashboards
|
||||
RESOURCE: both
|
||||
NAMESPACE: "ALL"
|
||||
UNIQUE_FILENAMES: false
|
||||
# NAMESPACE: null
|
||||
# FOLDER_ANNOTATION: null
|
||||
# script: null
|
||||
# WATCH_SERVER_TIMEOUT: 3600
|
||||
# WATCH_CLIENT_TIMEOUT: 3600
|
||||
SKIP_TLS_VERIFY: false
|
||||
REQ_USERNAME: "{{ .Values.workload.main.podSpec.containers.main.env.GF_SECURITY_ADMIN_USER }}"
|
||||
REQ_PASSWORD: "{{ .Values.workload.main.podSpec.containers.main.env.GF_SECURITY_ADMIN_PASSWORD }}"
|
||||
REQ_URL: "http://localhost:3000/api/admin/provisioning/dashboards/reload"
|
||||
REQ_METHOD: POST
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
datasources:
|
||||
enabled: true
|
||||
imageSelector: sidecarImage
|
||||
env:
|
||||
IGNORE_ALREADY_PROCESSED: false
|
||||
METHOD: WATCH
|
||||
LABEL: grafana_datasources
|
||||
LABEL_VALUE: "1"
|
||||
LOG_LEVEL: info
|
||||
FOLDER: /etc/grafana/provisioning/datasources
|
||||
RESOURCE: both
|
||||
NAMESPACE: "ALL"
|
||||
UNIQUE_FILENAMES: false
|
||||
# NAMESPACE: null
|
||||
# FOLDER_ANNOTATION: null
|
||||
# script: null
|
||||
# WATCH_SERVER_TIMEOUT: 3600
|
||||
# WATCH_CLIENT_TIMEOUT: 3600
|
||||
SKIP_TLS_VERIFY: false
|
||||
REQ_USERNAME: "{{ .Values.workload.main.podSpec.containers.main.env.GF_SECURITY_ADMIN_USER }}"
|
||||
REQ_PASSWORD: "{{ .Values.workload.main.podSpec.containers.main.env.GF_SECURITY_ADMIN_PASSWORD }}"
|
||||
REQ_URL: "http://localhost:3000/api/admin/provisioning/datasources/reload"
|
||||
REQ_METHOD: POST
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
alerts:
|
||||
enabled: true
|
||||
imageSelector: sidecarImage
|
||||
env:
|
||||
IGNORE_ALREADY_PROCESSED: false
|
||||
METHOD: WATCH
|
||||
LABEL: grafana_alerts
|
||||
LABEL_VALUE: "1"
|
||||
LOG_LEVEL: info
|
||||
FOLDER: /etc/grafana/provisioning/alerts
|
||||
RESOURCE: both
|
||||
NAMESPACE: "ALL"
|
||||
UNIQUE_FILENAMES: false
|
||||
# NAMESPACE: null
|
||||
# FOLDER_ANNOTATION: null
|
||||
# script: null
|
||||
# WATCH_SERVER_TIMEOUT: 3600
|
||||
# WATCH_CLIENT_TIMEOUT: 3600
|
||||
SKIP_TLS_VERIFY: false
|
||||
REQ_USERNAME: "{{ .Values.workload.main.podSpec.containers.main.env.GF_SECURITY_ADMIN_USER }}"
|
||||
REQ_PASSWORD: "{{ .Values.workload.main.podSpec.containers.main.env.GF_SECURITY_ADMIN_PASSWORD }}"
|
||||
REQ_URL: "http://localhost:3000/api/admin/provisioning/alerts/reload"
|
||||
REQ_METHOD: POST
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
plugins:
|
||||
enabled: true
|
||||
imageSelector: sidecarImage
|
||||
env:
|
||||
IGNORE_ALREADY_PROCESSED: false
|
||||
METHOD: WATCH
|
||||
LABEL: grafana_plugins
|
||||
LABEL_VALUE: "1"
|
||||
LOG_LEVEL: info
|
||||
FOLDER: /etc/grafana/provisioning/plugins
|
||||
RESOURCE: both
|
||||
NAMESPACE: "ALL"
|
||||
UNIQUE_FILENAMES: false
|
||||
# NAMESPACE: null
|
||||
# FOLDER_ANNOTATION: null
|
||||
# script: null
|
||||
# WATCH_SERVER_TIMEOUT: 3600
|
||||
# WATCH_CLIENT_TIMEOUT: 3600
|
||||
SKIP_TLS_VERIFY: false
|
||||
REQ_USERNAME: "{{ .Values.workload.main.podSpec.containers.main.env.GF_SECURITY_ADMIN_USER }}"
|
||||
REQ_PASSWORD: "{{ .Values.workload.main.podSpec.containers.main.env.GF_SECURITY_ADMIN_PASSWORD }}"
|
||||
REQ_URL: "http://localhost:3000/api/admin/provisioning/plugins/reload"
|
||||
REQ_METHOD: POST
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
notifiers:
|
||||
enabled: true
|
||||
imageSelector: sidecarImage
|
||||
env:
|
||||
IGNORE_ALREADY_PROCESSED: false
|
||||
METHOD: WATCH
|
||||
LABEL: grafana_notifiers
|
||||
LABEL_VALUE: "1"
|
||||
LOG_LEVEL: info
|
||||
FOLDER: /etc/grafana/provisioning/notifiers
|
||||
RESOURCE: both
|
||||
NAMESPACE: "ALL"
|
||||
UNIQUE_FILENAMES: false
|
||||
# NAMESPACE: null
|
||||
# FOLDER_ANNOTATION: null
|
||||
# script: null
|
||||
# WATCH_SERVER_TIMEOUT: 3600
|
||||
# WATCH_CLIENT_TIMEOUT: 3600
|
||||
SKIP_TLS_VERIFY: false
|
||||
REQ_USERNAME: "{{ .Values.workload.main.podSpec.containers.main.env.GF_SECURITY_ADMIN_USER }}"
|
||||
REQ_PASSWORD: "{{ .Values.workload.main.podSpec.containers.main.env.GF_SECURITY_ADMIN_PASSWORD }}"
|
||||
REQ_URL: "http://localhost:3000/api/admin/provisioning/notifiers/reload"
|
||||
REQ_METHOD: POST
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
|
||||
configmap:
|
||||
dashboard-provider:
|
||||
enabled: true
|
||||
data:
|
||||
provider.yaml: |-
|
||||
apiVersion: 1
|
||||
providers:
|
||||
- name: sidecarProvider
|
||||
orgId: 1
|
||||
folder: ''
|
||||
type: file
|
||||
disableDeletion: false
|
||||
allowUiUpdates: false
|
||||
updateIntervalSeconds: 30
|
||||
options:
|
||||
foldersFromFilesStructure: false
|
||||
path: /tmp/dashboards
|
||||
config:
|
||||
enabled: true
|
||||
data:
|
||||
grafana.ini: |-
|
||||
paths:
|
||||
data: /var/lib/grafana/
|
||||
logs: /var/log/grafana
|
||||
plugins: /var/lib/grafana/plugins
|
||||
provisioning: /etc/grafana/provisioning
|
||||
analytics:
|
||||
check_for_updates: true
|
||||
log:
|
||||
mode: console
|
||||
grafana_net:
|
||||
url: https://grafana.net
|
||||
server:
|
||||
domain: "{{ if (and .Values.ingress.main.enabled .Values.ingress.main.hosts) }}{{ .Values.ingress.main.hosts | first }}{{ else }}''{{ end }}"
|
||||
ldap.toml: |-
|
||||
# nope
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
type: configmap
|
||||
objectName: config
|
||||
mountPath: /etc/grafana/grafana.ini
|
||||
subPath: grafana.ini
|
||||
ldap:
|
||||
enabled: true
|
||||
type: configmap
|
||||
objectName: config
|
||||
mountPath: /etc/grafana/ldap.toml
|
||||
subPath: ldap.toml
|
||||
data:
|
||||
enabled: true
|
||||
mountPath: "/var/lib/grafana"
|
||||
grafana-tmp:
|
||||
enabled: true
|
||||
type: emptyDir
|
||||
mountPath: /app/tmp
|
||||
targetSelectAll: true
|
||||
sc-dashboard-volume:
|
||||
enabled: true
|
||||
type: emptyDir
|
||||
mountPath: /tmp/dashboards
|
||||
targetSelectAll: true
|
||||
sc-dashboard-config:
|
||||
enabled: true
|
||||
type: configmap
|
||||
objectName: dashboard-provider
|
||||
mountPath: /etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml
|
||||
subPath: provider.yaml
|
||||
sc-datasource-volume:
|
||||
enabled: true
|
||||
type: emptyDir
|
||||
mountPath: /etc/grafana/provisioning/datasources
|
||||
targetSelectAll: true
|
||||
sc-alerts-volume:
|
||||
enabled: true
|
||||
type: emptyDir
|
||||
mountPath: /etc/grafana/provisioning/alerts
|
||||
targetSelectAll: true
|
||||
sc-plugins-volume:
|
||||
enabled: true
|
||||
type: emptyDir
|
||||
mountPath: /etc/grafana/provisioning/plugins
|
||||
targetSelectAll: true
|
||||
sc-notifiers-volume:
|
||||
enabled: true
|
||||
type: emptyDir
|
||||
mountPath: /etc/grafana/provisioning/notifiers
|
||||
targetSelectAll: true
|
||||
metrics:
|
||||
main:
|
||||
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
|
||||
# @default -- See values.yaml
|
||||
enabled: true
|
||||
type: "servicemonitor"
|
||||
endpoints:
|
||||
- port: main
|
||||
path: /metrics
|
||||
# -- Enable and configure Prometheus Rules for the chart under this key.
|
||||
# @default -- See values.yaml
|
||||
prometheusRule:
|
||||
enabled: false
|
||||
labels: {}
|
||||
# -- Configure additionial rules for the chart under this key.
|
||||
# @default -- See prometheusrules.yaml
|
||||
rules: []
|
||||
# - alert: UnifiPollerAbsent
|
||||
# annotations:
|
||||
# description: Unifi Poller has disappeared from Prometheus service discovery.
|
||||
# summary: Unifi Poller is down.
|
||||
# expr: |
|
||||
# absent(up{job=~".*unifi-poller.*"} == 1)
|
||||
# for: 5m
|
||||
# labels:
|
||||
# severity: critical
|
||||
portal:
|
||||
open:
|
||||
enabled: true
|
||||
|
||||
# -- Whether Role Based Access Control objects like roles and rolebindings should be created
|
||||
rbac:
|
||||
main:
|
||||
enabled: true
|
||||
primary: true
|
||||
clusterWide: true
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps", "secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
|
||||
serviceAccount:
|
||||
main:
|
||||
enabled: true
|
||||
primary: true
|
||||
|
||||
podOptions:
|
||||
automountServiceAccountToken: true
|
||||
|
||||
cnpg:
|
||||
main:
|
||||
enabled: true
|
||||
user: grafana
|
||||
database: grafana
|
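Review bot: `GF_DATABASE_NAME: "{{ .Values.cnpg.main.user }}"` and `GF_DATABASE_USER: "{{ .Values.cnpg.main.database }}"` are swapped; it only works because `cnpg.main.user` and `cnpg.main.database` are both `grafana`, and breaks as soon as either is changed — they should read `GF_DATABASE_NAME: "{{ .Values.cnpg.main.database }}"` and `GF_DATABASE_USER: "{{ .Values.cnpg.main.user }}"`. `GF_SECURITY_ADMIN_PASSWORD: "testpassword"` ships a fixed admin credential that is also handed to every sidecar via `REQ_PASSWORD`; if it is expected to be overridden by the questions file, a comment saying so belongs next to it, otherwise it should come from a `secretKeyRef` the way `GF_DATABASE_PASSWORD` does. The cluster-wide `rbac.main` rule grants `get`/`watch`/`list` on `secrets` in all namespaces because the sidecars run with `RESOURCE: both`; that is a large read surface for a dashboard loader, so a comment documenting why secrets are required (or switching to `RESOURCE: configmap` and dropping `secrets` where possible) would help reviewers.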
|
@ -0,0 +1 @@
|
|||
{{- include "tc.v1.common.lib.chart.notes" $ -}}
|
|
@ -0,0 +1 @@
|
|||
{{ include "tc.v1.common.loader.all" . }}
|
|
@ -0,0 +1,4 @@
|
|||
icon_url: https://truecharts.org/img/hotlink-ok/chart-icons/grafana.png
|
||||
categories:
|
||||
- metrics
|
||||
screenshots: []
|
|
@ -0,0 +1,30 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
# OWNERS file for Kubernetes
|
||||
OWNERS
|
||||
# helm-docs templates
|
||||
*.gotmpl
|
||||
# docs folder
|
||||
/docs
|
||||
# icon
|
||||
icon.png
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
title: Changelog
|
||||
---
|
||||
|
||||
|
||||
*for the complete changelog, please refer to the website*
|
||||
|
||||
**Important:**
|
||||
|
||||
|
||||
## [metallb-config-6.5.3](https://github.com/truecharts/charts/compare/metallb-config-6.5.2...metallb-config-6.5.3) (2024-03-16)
|
||||
|
||||
### Chore
|
||||
|
||||
|
||||
|
||||
- rename `enterprise`- train to `premium`-train
|
|
@ -0,0 +1,38 @@
|
|||
annotations:
|
||||
max_scale_version: 24.04.0
|
||||
min_scale_version: 23.10.0
|
||||
truecharts.org/SCALE-support: "true"
|
||||
truecharts.org/category: core
|
||||
truecharts.org/max_helm_version: "3.14"
|
||||
truecharts.org/min_helm_version: "3.12"
|
||||
truecharts.org/train: premium
|
||||
apiVersion: v2
|
||||
appVersion: latest
|
||||
dependencies:
|
||||
- name: common
|
||||
version: 20.0.9
|
||||
repository: oci://tccr.io/truecharts
|
||||
condition: ""
|
||||
alias: ""
|
||||
tags: []
|
||||
import-values: []
|
||||
deprecated: false
|
||||
description: A network load-balancer implementation for Kubernetes using standard routing protocols
|
||||
home: https://truecharts.org/charts/premium/metallb-config
|
||||
icon: https://truecharts.org/img/hotlink-ok/chart-icons/metallb-config.png
|
||||
keywords:
|
||||
- metallb
|
||||
- loadbalancer
|
||||
kubeVersion: '>=1.24.0-0'
|
||||
maintainers:
|
||||
- name: TrueCharts
|
||||
email: info@truecharts.org
|
||||
url: https://truecharts.org
|
||||
name: metallb-config
|
||||
sources:
|
||||
- https://metallb.universe.tf
|
||||
- https://github.com/metallb/metallb
|
||||
- https://github.com/truecharts/charts/tree/master/charts/premium/metallb-config
|
||||
- https://hub.docker.com/_/hello-world
|
||||
type: application
|
||||
version: 6.5.3
|
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
title: README
|
||||
---
|
||||
|
||||
## General Info
|
||||
|
||||
TrueCharts can be installed as both _normal_ Helm Charts or as Apps on TrueNAS SCALE.
|
||||
However only installations using the TrueNAS SCALE Apps system are supported.
|
||||
|
||||
For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/premium/metallb-config)
|
||||
|
||||
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
|
||||
|
||||
## Support
|
||||
|
||||
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE/guides/scale-intro).
|
||||
- See the [Website](https://truecharts.org)
|
||||
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
|
||||
- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
|
||||
|
||||
---
|
||||
|
||||
## Sponsor TrueCharts
|
||||
|
||||
TrueCharts can only exist due to the incredible effort of our staff.
|
||||
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
|
||||
|
||||
_All Rights Reserved - The TrueCharts Project_
|
|
@ -0,0 +1,9 @@
|
|||
|
||||
|
||||
## [metallb-config-6.5.3](https://github.com/truecharts/charts/compare/metallb-config-6.5.2...metallb-config-6.5.3) (2024-03-16)
|
||||
|
||||
### Chore
|
||||
|
||||
|
||||
|
||||
- rename `enterprise`- train to `premium`-train
|
|
@ -0,0 +1,8 @@
|
|||
A network load-balancer implementation for Kubernetes using standard routing protocols
|
||||
|
||||
This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/premium/metallb-config](https://truecharts.org/charts/premium/metallb-config)
|
||||
|
||||
---
|
||||
|
||||
TrueCharts can only exist due to the incredible effort of our staff.
|
||||
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
|
|
@ -0,0 +1,73 @@
|
|||
image:
|
||||
repository: hello-world
|
||||
tag: latest@sha256:d000bc569937abbe195e20322a0bde6b2922d805332fd6d8a68b19f524b7d21d
|
||||
pullPolicy: IfNotPresent
|
||||
manifestManager:
|
||||
enabled: false
|
||||
workload:
|
||||
main:
|
||||
enabled: false
|
||||
podSpec:
|
||||
containers:
|
||||
main:
|
||||
enabled: false
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
service:
|
||||
main:
|
||||
enabled: false
|
||||
ports:
|
||||
main:
|
||||
enabled: false
|
||||
port: 9999
|
||||
operator:
|
||||
verify:
|
||||
enabled: true
|
||||
additionalOperators: ["metallb"]
|
||||
portal:
|
||||
open:
|
||||
enabled: false
|
||||
ipAddressPools: []
|
||||
# - name: example
|
||||
# autoAssign: true
|
||||
# avoidBuggyIPs: true
|
||||
# addresses:
|
||||
# - 192.168.1.1-192.168.1.100
|
||||
L2Advertisements: []
|
||||
# - name: l2adv
|
||||
# addressPools:
|
||||
# - pool1
|
||||
# nodeSelectors:
|
||||
# - nodeA
|
||||
BGPAdvertisements: []
|
||||
# - name: bgpadv
|
||||
# addressPools:
|
||||
# - pool1
|
||||
# aggregationLength: 24
|
||||
# localpref: 100
|
||||
# communities:
|
||||
# - 1234:1
|
||||
# peers:
|
||||
# - peer1
|
||||
Communities: []
|
||||
# - name: community1
|
||||
# value: 1234:1
|
||||
Peers: []
|
||||
# - name: peer1
|
||||
# myASN: 1234
|
||||
# password: pass
|
||||
# routerID: 1234
|
||||
# bfdProfile: profile
|
||||
# ebgpMultiHop: false
|
||||
# holdTime: 10
|
||||
# keepaliveTime: 10
|
||||
# peerAddress: 172.30.0.2
|
||||
# peerPort: 179
|
||||
# sourceAddress: 172.30.0.3
|
||||
# nodeSelectors:
|
||||
# - nodeA
|
|
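Review bot: The commented `Peers` example documents `password: pass`, i.e. a BGP session password kept in plain text in the chart values (and therefore in the Helm release Secret and any exported app configuration). If the chart's BGPPeer template supports it, pointing users to a Secret reference instead would keep the credential out of values; at minimum the example should carry a note, e.g. `# password: pass  # kept in plain text in values; prefer a Secret reference where supported`.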
@ -0,0 +1,368 @@
|
|||
groups:
|
||||
- name: Container Image
|
||||
description: Image to be used for container
|
||||
- name: General Settings
|
||||
description: General Deployment Settings
|
||||
- name: Workload Settings
|
||||
description: Workload Settings
|
||||
- name: App Configuration
|
||||
description: App Specific Config Options
|
||||
- name: Networking and Services
|
||||
description: Configure Network and Services for Container
|
||||
- name: Storage and Persistence
|
||||
description: Persist and Share Data that is Separate from the Container
|
||||
- name: Ingress
|
||||
description: Ingress Configuration
|
||||
- name: Security and Permissions
|
||||
description: Configure Security Context and Permissions
|
||||
- name: Resources and Devices
|
||||
description: "Specify Resources/Devices to be Allocated to Workload"
|
||||
- name: Middlewares
|
||||
description: Traefik Middlewares
|
||||
- name: Metrics
|
||||
description: Metrics
|
||||
- name: Addons
|
||||
description: Addon Configuration
|
||||
- name: Backup Configuration
|
||||
description: Configure Velero Backup Schedule
|
||||
- name: Advanced
|
||||
description: Advanced Configuration
|
||||
- name: Postgresql
|
||||
description: Postgresql
|
||||
- name: Documentation
|
||||
description: Documentation
|
||||
|
||||
questions:
|
||||
- variable: global
|
||||
group: General Settings
|
||||
label: "Global Settings"
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: stopAll
|
||||
label: Stop All
|
||||
description: "Stops All Running pods and hibernates cnpg"
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
- variable: ipAddressPools
|
||||
group: App Configuration
|
||||
label: IP Address Pools Object
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: ipAddressPoolsEntry
|
||||
label: IP Address Pool Entry
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: name
|
||||
label: Name
|
||||
description: Name of the IP address pool
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: autoAssign
|
||||
label: Auto Assign
|
||||
description: AutoAssign flag used to prevent MetallB from automatic
|
||||
allocation for a pool.
|
||||
schema:
|
||||
type: boolean
|
||||
default: true
|
||||
- variable: avoidBuggyIPs
|
||||
label: Avoid Buggy IPs
|
||||
description: AvoidBuggyIPs prevents addresses ending with .0 and .255
|
||||
to be used by a pool.
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: addresses
|
||||
label: Addresses Pools
|
||||
description: A list of IP address ranges over which MetalLB has authority.
|
||||
You can list multiple ranges in a single pool, they will all share
|
||||
the same settings. Each range can be either a CIDR prefix, or an
|
||||
explicit start-end range of IPs.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: addressPoolEntry
|
||||
label: Address Pool Entry
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
required: true
|
||||
- variable: L2Advertisements
|
||||
group: App Configuration
|
||||
label: L2 Advertisements
|
||||
description: L2Advertisement allows to advertise the LoadBalancer IPs provided
|
||||
by the selected pools via L2.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: L2AdvertisementEntry
|
||||
label: L2 Advertisement Entry
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: name
|
||||
label: Name
|
||||
description: Name of the L2 Advertisement
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: addressPools
|
||||
label: Address Pools
|
||||
description: The list of IPAddressPools to advertise via this advertisement,
|
||||
selected by name.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: addressPoolEntry
|
||||
label: Address Pool Entry
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
required: true
|
||||
- variable: nodeSelectors
|
||||
label: Node Selectors
|
||||
description: NodeSelectors allows to limit the nodes to announce as
|
||||
next hops for the LoadBalancer IP. When empty, all the nodes having are
|
||||
announced as next hops.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: nodeSelectorEntry
|
||||
label: Node Selector Entry
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
required: true
|
||||
- variable: Communities
|
||||
group: App Configuration
|
||||
label: Communities
|
||||
description: Community is a collection of aliases for communities. Users can
|
||||
define named aliases to be used in the BGPPeer CRD.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: CommunityEntry
|
||||
label: Community Entry
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: name
|
||||
label: Name
|
||||
description: The name of the alias for the community.
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: value
|
||||
label: Value
|
||||
description: The BGP community value corresponding to the given name.
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: Peers
|
||||
group: App Configuration
|
||||
label: Peers
|
||||
description: BGPPeer is the Schema for the peers API.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: PeerEntry
|
||||
label: Peer Entry
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: name
|
||||
label: Name
|
||||
description: The name of the peer.
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: bfdProfile
|
||||
label: BFD Profile
|
||||
description: The name of the BFD Profile to be used for the BFD session
|
||||
associated to the BGP session. If not set, the BFD session won't
|
||||
be set up.
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: ebgpMultiHop
|
||||
label: EBGP MultiHop
|
||||
description: TTo set if the BGPPeer is multi-hops away. Needed for
|
||||
FRR mode only.
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
- variable: holdTime
|
||||
label: Hold Time
|
||||
description: Requested BGP hold time, per RFC4271.
|
||||
schema:
|
||||
type: int
|
||||
- variable: keepaliveTime
|
||||
label: Keep Alive Time
|
||||
description: Requested BGP keep alive time, per RFC4271.
|
||||
schema:
|
||||
type: int
|
||||
- variable: myASN
|
||||
label: My ASN
|
||||
description: AS number to use for the local end of the session.
|
||||
schema:
|
||||
type: int
|
||||
- variable: password
|
||||
label: Password
|
||||
description: Authentication password for routers enforcing TCP MD5
|
||||
authenticated sessions
|
||||
schema:
|
||||
type: string
|
||||
private: true
|
||||
default: ""
|
||||
- variable: peerASN
|
||||
label: Peer ASN
|
||||
description: AS number to expect from the remote end of the session.
|
||||
schema:
|
||||
type: string
|
||||
valid_chars: '^[0-9]*$'
|
||||
default: ""
|
||||
- variable: peerAddress
|
||||
label: Peer Address
|
||||
description: Address to dial when establishing the session.
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: peerPort
|
||||
label: Peer Port
|
||||
description: Port to dial when establishing the session.
|
||||
schema:
|
||||
type: string
|
||||
valid_chars: '^[0-9]*$'
|
||||
default: ""
|
||||
- variable: routerID
|
||||
label: Router ID
|
||||
description: BGP router ID to advertise to the peer
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: sourceAddress
|
||||
label: Source Address
|
||||
description: Source address to use when establishing the session.
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
- variable: nodeSelectors
|
||||
label: Node Selectors
|
||||
description: Only connect to this peer on nodes that match one of
|
||||
these selectors.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: nodeSelectorEntry
|
||||
label: Node Selector Entry
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
required: true
|
||||
- variable: BGPAdvertisements
|
||||
group: App Configuration
|
||||
label: BGP Advertisements
|
||||
description: BGPAdvertisement allows to advertise the IPs coming from the
|
||||
selected IPAddressPools via BGP.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: BGPAdvertisementEntry
|
||||
label: BGP Advertisement Entry
|
||||
schema:
|
||||
additional_attrs: true
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: name
|
||||
label: Name
|
||||
description: Name of the BGP Advertisement
|
||||
schema:
|
||||
type: string
|
||||
required: true
|
||||
default: ""
|
||||
- variable: addressPools
|
||||
label: Address Pools
|
||||
description: The list of IPAddressPools to advertise via this advertisement,
|
||||
selected by name.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: addressPoolEntry
|
||||
label: Address Pool Entry
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
required: true
|
||||
- variable: aggregationLength
|
||||
label: Aggregation Length
|
||||
description: The aggregation-length advertisement option lets you
|
||||
"roll up" the /32s into a larger prefix. Defaults to 32. Works for
|
||||
IPv4 addresses.
|
||||
schema:
|
||||
type: string
|
||||
valid_chars: '^[0-9]*$'
|
||||
default: ""
|
||||
- variable: localpref
|
||||
label: Local Pref
|
||||
description: The BGP LOCAL_PREF attribute which is used by BGP best
|
||||
path algorithm, Path with higher localpref is preferred over one
|
||||
with lower localpref.
|
||||
schema:
|
||||
type: string
|
||||
valid_chars: '^[0-9]*$'
|
||||
default: ""
|
||||
- variable: communities
|
||||
label: Communities
|
||||
description: The BGP communities to be associated with the announcement.
|
||||
Each item can be a community of the form 1234:1234 or the name of
|
||||
an alias defined in the Community CRD.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: communityEntry
|
||||
label: Community Entry
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
required: true
|
||||
- variable: peers
|
||||
label: Peers
|
||||
description: Peers limits the BGPpeer to advertise the ips of the
|
||||
selected pools to. When empty, the loadbalancer IP is announced
|
||||
to all the BGPPeers configured.
|
||||
schema:
|
||||
type: list
|
||||
default: []
|
||||
items:
|
||||
- variable: peerEntry
|
||||
label: Peer Entry
|
||||
schema:
|
||||
type: string
|
||||
default: ""
|
||||
required: true
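Review bot: `holdTime` and `keepaliveTime` are declared `type: int` with no default, but MetalLB's v1beta2 BGPPeer CRD types both as durations, i.e. strings such as `90s`, so a bare integer rendered by the peers template is likely to be rejected by CRD validation — confirm against the installed CRD before changing the schema type. The digit-only fields check just `valid_chars: '^[0-9]*$'`: `peerPort` is not bounded to 1–65535 and `aggregationLength` is not bounded to 0–32 (its own description says it defaults to 32 for IPv4), so a tighter pattern, or `min`/`max` on an int field, would catch typos before they reach the API server. Two description typos should go too: `TTo set if the BGPPeer` → `To set if the BGPPeer`, and `all the nodes having are announced as next hops` → `all the nodes are announced as next hops`.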
|
|
@ -0,0 +1 @@
|
|||
{{- include "tc.v1.common.lib.chart.notes" $ -}}
|
|
@ -0,0 +1,33 @@
|
|||
{{- define "metallb.bgpadv" -}}
|
||||
{{- range .Values.BGPAdvertisements }}
|
||||
---
|
||||
apiVersion: metallb.io/v1beta1
|
||||
kind: BGPAdvertisement
|
||||
metadata:
|
||||
name: {{ .name }}
|
||||
namespace: {{ $.Values.operatorNamespace }}
|
||||
spec:
|
||||
ipAddressPools:
|
||||
{{- range .addressPools }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- with .aggregationLength }}
|
||||
aggregationLength: {{ . | int }}
|
||||
{{- end }}
|
||||
{{- with .localpref }}
|
||||
localpref: {{ . | int }}
|
||||
{{- end }}
|
||||
{{- if .communities }}
|
||||
communities:
|
||||
{{- range .communities }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .peers }}
|
||||
peers:
|
||||
{{- range .peers }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
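Review bot: Every user-supplied string in this template is emitted as a bare YAML scalar — `name: {{ .name }}`, the pool names, the community entries and the peer names — so a value that looks like a number or boolean changes type before it reaches the API server, while the CRD expects strings for all of them. A community written as `1234:1` or a pool named `100` is the realistic case; quoting is free: `name: {{ .name | quote }}` and `- {{ . | quote }}` in the three ranges. The `aggregationLength` and `localpref` lines already coerce with `| int`, so only the string fields need the change.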
|
|
@ -0,0 +1,16 @@
|
|||
{{- define "metallb.comm" -}}
|
||||
{{- if .Values.Communities }}
|
||||
---
|
||||
apiVersion: metallb.io/v1beta1
|
||||
kind: Community
|
||||
metadata:
|
||||
name: communities
|
||||
namespace: {{ $.Values.operatorNamespace }}
|
||||
spec:
|
||||
communities:
|
||||
{{- range .Values.Communities }}
|
||||
- name: {{ .name }}
|
||||
value: {{ .value }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
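Review bot: `value: {{ .value }}` is rendered unquoted, and BGP community values are colon-separated numbers (`1234:1`) that some YAML 1.1 resolvers read as a base-60 integer; `value: {{ .value | quote }}` (and `name: {{ .name | quote }}`) makes the type deterministic. The object name is hard-coded to `communities` in the operator namespace, so two releases of this chart pointed at the same MetalLB namespace will collide on one resource — if that is intended, a comment saying so would help; otherwise derive the name from the release name.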
|
|
@ -0,0 +1,17 @@
|
|||
{{- define "metallb.pool" -}}
|
||||
{{- range .Values.ipAddressPools }}
|
||||
---
|
||||
apiVersion: metallb.io/v1beta1
|
||||
kind: IPAddressPool
|
||||
metadata:
|
||||
name: {{ .name }}
|
||||
namespace: {{ $.Values.operatorNamespace }}
|
||||
spec:
|
||||
addresses:
|
||||
{{- range .addresses }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
autoAssign: {{ .autoAssign | default true }}
|
||||
avoidBuggyIPs: {{ .avoidBuggyIPs | default false }}
|
||||
{{- end }}
|
||||
{{- end -}}
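Review bot: `autoAssign: {{ .autoAssign | default true }}` turns an explicit `autoAssign: false` back into `true`, because Sprig's `default` treats `false` as an empty value; that is precisely the setting a user flips to keep MetalLB from handing out addresses from a reserved pool, so the pool becomes auto-assignable against their intent. Test for presence rather than truthiness: `autoAssign: {{ if hasKey . "autoAssign" }}{{ .autoAssign }}{{ else }}true{{ end }}`. The `avoidBuggyIPs | default false` line is unaffected only because its default and the empty value coincide, which is worth a short comment so nobody "fixes" it the same way.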
|
|
@ -0,0 +1,22 @@
|
|||
{{- define "metallb.l2adv" -}}
|
||||
{{- range .Values.L2Advertisements }}
|
||||
---
|
||||
apiVersion: metallb.io/v1beta1
|
||||
kind: L2Advertisement
|
||||
metadata:
|
||||
name: {{ .name }}
|
||||
namespace: {{ $.Values.operatorNamespace }}
|
||||
spec:
|
||||
ipAddressPools:
|
||||
{{- range .addressPools }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- if .nodeSelectors }}
|
||||
{{- range .nodeSelectors }}
|
||||
nodeSelectors:
|
||||
- matchLabels:
|
||||
kubernetes.io/hostname: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
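Review bot: The `nodeSelectors:` key is emitted inside the `range .nodeSelectors` loop, so with two or more nodes the rendered spec repeats the key with a single-entry list under each copy — a duplicate mapping key, which the YAML loader either rejects or resolves to the last node only. The peers template in this same commit has the structure right; move the key out of the loop so it reads `nodeSelectors:` followed by `{{- range .nodeSelectors }}`, leaving `- matchLabels:` / `kubernetes.io/hostname: {{ . }}` inside. Rendering the hostname as `{{ . | quote }}` would also guard against purely numeric node names being retyped.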
|
|
@ -0,0 +1,51 @@
|
|||
{{- define "metallb.peers" -}}
|
||||
{{- range .Values.Peers }}
|
||||
---
|
||||
apiVersion: metallb.io/v1beta2
|
||||
kind: BGPPeer
|
||||
metadata:
|
||||
name: {{ .name }}
|
||||
namespace: {{ $.Values.operatorNamespace }}
|
||||
spec:
|
||||
{{- with .password }}
|
||||
password: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .routerID }}
|
||||
routerID: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .bfdProfile }}
|
||||
bfdProfile: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .ebgpMultiHop }}
|
||||
ebgpMultiHop: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .holdTime }}
|
||||
holdTime: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .keepaliveTime }}
|
||||
keepaliveTime: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .myASN }}
|
||||
myASN: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .peerASN }}
|
||||
peerASN: {{ . | int }}
|
||||
{{- end }}
|
||||
{{- with .peerAddress }}
|
||||
peerAddress: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .peerPort }}
|
||||
peerPort: {{ . | int }}
|
||||
{{- end }}
|
||||
{{- with .sourceAddress }}
|
||||
sourceAddress: {{ . }}
|
||||
{{- end }}
|
||||
{{- if .nodeSelectors }}
|
||||
nodeSelectors:
|
||||
{{- range .nodeSelectors }}
|
||||
- matchLabels:
|
||||
kubernetes.io/hostname: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
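Review bot: `password: {{ . }}` writes the BGP TCP-MD5 secret into the BGPPeer object in plaintext, where anyone with read access to BGPPeer resources in the MetalLB namespace can fetch it, and the unquoted rendering additionally retypes a purely numeric password. MetalLB's v1beta2 BGPPeer also accepts `passwordSecret` (name and namespace of a `kubernetes.io/basic-auth` Secret); supporting that, or at minimum documenting the exposure next to the `with .password` block, would be the safer default — confirm the field exists in the MetalLB version the chart targets. Independently, `routerID: {{ . }}`, `peerAddress: {{ . }}` and `sourceAddress: {{ . }}` should be rendered with `| quote`: the schema declares them strings, and the values.yaml example `routerID: 1234` as written becomes an integer the CRD rejects.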
|
|
@ -0,0 +1,21 @@
|
|||
{{/* Make sure all variables are set properly */}}
|
||||
{{- include "tc.v1.common.loader.init" . }}
|
||||
|
||||
{{- $operatorNamespace := "metallb-system" -}}
|
||||
{{- if .Values.operator.metallb -}}
|
||||
{{ $operatorNamespace = ( $.Values.operator.metallb.namespace | default "metallb-system") }}
|
||||
{{- end -}}
|
||||
{{- $_ := set $.Values "operatorNamespace" $operatorNamespace -}}
|
||||
|
||||
{{/* Render the templates */}}
|
||||
{{ include "tc.v1.common.loader.apply" . }}
|
||||
|
||||
{{- include "metallb.l2adv" . }}
|
||||
|
||||
{{- include "metallb.peers" . }}
|
||||
|
||||
{{- include "metallb.bgpadv" . }}
|
||||
|
||||
{{- include "metallb.comm" . }}
|
||||
|
||||
{{- include "metallb.pool" . }}
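Review bot: The resolved namespace — `metallb-system` unless `operator.metallb.namespace` is set — is where every CR in this chart is created, which is outside the release namespace, and nothing here documents that choice or where `operator.metallb` is expected to come from (it appears in neither the visible values.yaml nor questions.yaml, so presumably the common library injects it). A comment above the `$operatorNamespace` assignment such as `{{/* CRs are created in the MetalLB operator namespace, not the release namespace; override via operator.metallb.namespace */}}` would save the next maintainer a search.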
|
|
@ -0,0 +1,4 @@
|
|||
icon_url: https://truecharts.org/img/hotlink-ok/chart-icons/metallb-config.png
|
||||
categories:
|
||||
- core
|
||||
screenshots: []
|
|
@ -0,0 +1,30 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
# OWNERS file for Kubernetes
|
||||
OWNERS
|
||||
# helm-docs templates
|
||||
*.gotmpl
|
||||
# docs folder
|
||||
/docs
|
||||
# icon
|
||||
icon.png
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
title: Changelog
|
||||
---
|
||||
|
||||
|
||||
*for the complete changelog, please refer to the website*
|
||||
|
||||
**Important:**
|
||||
|
||||
|
||||
## [nextcloud-29.5.6](https://github.com/truecharts/charts/compare/nextcloud-29.5.5...nextcloud-29.5.6) (2024-03-16)
|
||||
|
||||
### Chore
|
||||
|
||||
|
||||
|
||||
- rename `enterprise`- train to `premium`-train
|
|
@ -0,0 +1,53 @@
|
|||
annotations:
|
||||
max_scale_version: 24.04.0
|
||||
min_scale_version: 23.10.0
|
||||
truecharts.org/SCALE-support: "true"
|
||||
truecharts.org/category: cloud
|
||||
truecharts.org/max_helm_version: "3.14"
|
||||
truecharts.org/min_helm_version: "3.12"
|
||||
truecharts.org/train: premium
|
||||
apiVersion: v2
|
||||
appVersion: 28.0.3
|
||||
dependencies:
|
||||
- name: common
|
||||
version: 20.0.9
|
||||
repository: oci://tccr.io/truecharts
|
||||
condition: ""
|
||||
alias: ""
|
||||
tags: []
|
||||
import-values: []
|
||||
- name: redis
|
||||
version: 13.0.3
|
||||
repository: oci://tccr.io/truecharts
|
||||
condition: redis.enabled
|
||||
alias: ""
|
||||
tags: []
|
||||
import-values: []
|
||||
deprecated: false
|
||||
description: A private cloud server that puts the control and security of your own data back into your hands.
|
||||
home: https://truecharts.org/charts/premium/nextcloud
|
||||
icon: https://truecharts.org/img/hotlink-ok/chart-icons/nextcloud.png
|
||||
keywords:
|
||||
- nextcloud
|
||||
- storage
|
||||
- http
|
||||
- web
|
||||
- php
|
||||
kubeVersion: '>=1.24.0-0'
|
||||
maintainers:
|
||||
- name: TrueCharts
|
||||
email: info@truecharts.org
|
||||
url: https://truecharts.org
|
||||
name: nextcloud
|
||||
sources:
|
||||
- https://github.com/nextcloud/docker
|
||||
- https://github.com/nextcloud/helm
|
||||
- https://github.com/truecharts/charts/tree/master/charts/premium/nextcloud
|
||||
- https://hub.docker.com/r/clamav/clamav
|
||||
- https://github.com/truecharts/containers/tree/master/apps/nextcloud-push-notify
|
||||
- https://hub.docker.com/r/collabora/code
|
||||
- https://github.com/truecharts/containers/tree/master/apps/nextcloud-imaginary
|
||||
- https://hub.docker.com/r/nginxinc/nginx-unprivileged
|
||||
- https://github.com/truecharts/containers/tree/master/apps/nextcloud-fpm
|
||||
type: application
|
||||
version: 29.5.6
|
|
@ -0,0 +1,106 @@
|
|||
Business Source License 1.1
|
||||
|
||||
Parameters
|
||||
|
||||
Licensor: The TrueCharts Project, it's owner and it's contributors
|
||||
Licensed Work: The TrueCharts "Blocky" Helm Chart
|
||||
Additional Use Grant: You may use the licensed work in production, as long
|
||||
as it is directly sourced from a TrueCharts provided
|
||||
official repository, catalog or source. You may also make private
|
||||
modification to the directly sourced licenced work,
|
||||
when used in production.
|
||||
|
||||
The following cases are, due to their nature, also
|
||||
defined as 'production use' and explicitly prohibited:
|
||||
- Bundling, including or displaying the licensed work
|
||||
with(in) another work intended for production use,
|
||||
with the apparent intend of facilitating and/or
|
||||
promoting production use by third parties in
|
||||
violation of this license.
|
||||
|
||||
Change Date: 2050-01-01
|
||||
|
||||
Change License: 3-clause BSD license
|
||||
|
||||
For information about alternative licensing arrangements for the Software,
|
||||
please contact: legal@truecharts.org
|
||||
|
||||
Notice
|
||||
|
||||
The Business Source License (this document, or the “License”) is not an Open
|
||||
Source license. However, the Licensed Work will eventually be made available
|
||||
under an Open Source License, as stated in this License.
|
||||
|
||||
License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
|
||||
“Business Source License” is a trademark of MariaDB Corporation Ab.
|
||||
|
||||
-----------------------------------------------------------------------------
|
||||
|
||||
Business Source License 1.1
|
||||
|
||||
Terms
|
||||
|
||||
The Licensor hereby grants you the right to copy, modify, create derivative
|
||||
works, redistribute, and make non-production use of the Licensed Work. The
|
||||
Licensor may make an Additional Use Grant, above, permitting limited
|
||||
production use.
|
||||
|
||||
Effective on the Change Date, or the fourth anniversary of the first publicly
|
||||
available distribution of a specific version of the Licensed Work under this
|
||||
License, whichever comes first, the Licensor hereby grants you rights under
|
||||
the terms of the Change License, and the rights granted in the paragraph
|
||||
above terminate.
|
||||
|
||||
If your use of the Licensed Work does not comply with the requirements
|
||||
currently in effect as described in this License, you must purchase a
|
||||
commercial license from the Licensor, its affiliated entities, or authorized
|
||||
resellers, or you must refrain from using the Licensed Work.
|
||||
|
||||
All copies of the original and modified Licensed Work, and derivative works
|
||||
of the Licensed Work, are subject to this License. This License applies
|
||||
separately for each version of the Licensed Work and the Change Date may vary
|
||||
for each version of the Licensed Work released by Licensor.
|
||||
|
||||
You must conspicuously display this License on each original or modified copy
|
||||
of the Licensed Work. If you receive the Licensed Work in original or
|
||||
modified form from a third party, the terms and conditions set forth in this
|
||||
License apply to your use of that work.
|
||||
|
||||
Any use of the Licensed Work in violation of this License will automatically
|
||||
terminate your rights under this License for the current and all other
|
||||
versions of the Licensed Work.
|
||||
|
||||
This License does not grant you any right in any trademark or logo of
|
||||
Licensor or its affiliates (provided that you may use a trademark or logo of
|
||||
Licensor as expressly required by this License).
|
||||
|
||||
TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
|
||||
AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
|
||||
EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
|
||||
TITLE.
|
||||
|
||||
MariaDB hereby grants you permission to use this License’s text to license
|
||||
your works, and to refer to it using the trademark “Business Source License”,
|
||||
as long as you comply with the Covenants of Licensor below.
|
||||
|
||||
Covenants of Licensor
|
||||
|
||||
In consideration of the right to use this License’s text and the “Business
|
||||
Source License” name and trademark, Licensor covenants to MariaDB, and to all
|
||||
other recipients of the licensed work to be provided by Licensor:
|
||||
|
||||
1. To specify as the Change License the GPL Version 2.0 or any later version,
|
||||
or a license that is compatible with GPL Version 2.0 or a later version,
|
||||
where “compatible” means that software provided under the Change License can
|
||||
be included in a program with software provided under GPL Version 2.0 or a
|
||||
later version. Licensor may specify additional Change Licenses without
|
||||
limitation.
|
||||
|
||||
2. To either: (a) specify an additional grant of rights to use that does not
|
||||
impose any additional restriction on the right granted in this License, as
|
||||
the Additional Use Grant; or (b) insert the text “None”.
|
||||
|
||||
3. To specify a Change Date.
|
||||
|
||||
4. Not to modify this License in any other way.
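Review bot: The `Licensed Work:` parameter at the top names `The TrueCharts "Blocky" Helm Chart`, but this file belongs to the nextcloud chart (the Chart.yaml in the same commit has `name: nextcloud`), so the BUSL parameter block does not describe the work it is attached to. Change it to `Licensed Work: The TrueCharts "Nextcloud" Helm Chart`. The Licensor line's `it's owner and it's contributors` should read `its owner and its contributors`.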
|
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
title: README
|
||||
---
|
||||
|
||||
## General Info
|
||||
|
||||
TrueCharts can be installed as both _normal_ Helm Charts or as Apps on TrueNAS SCALE.
|
||||
However only installations using the TrueNAS SCALE Apps system are supported.
|
||||
|
||||
For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/premium/nextcloud)
|
||||
|
||||
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
|
||||
|
||||
## Support
|
||||
|
||||
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE/guides/scale-intro).
|
||||
- See the [Website](https://truecharts.org)
|
||||
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
|
||||
- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
|
||||
|
||||
---
|
||||
|
||||
## Sponsor TrueCharts
|
||||
|
||||
TrueCharts can only exist due to the incredible effort of our staff.
|
||||
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
|
||||
|
||||
_All Rights Reserved - The TrueCharts Project_
|
|
@ -0,0 +1,9 @@
|
|||
|
||||
|
||||
## [nextcloud-29.5.6](https://github.com/truecharts/charts/compare/nextcloud-29.5.5...nextcloud-29.5.6) (2024-03-16)
|
||||
|
||||
### Chore
|
||||
|
||||
|
||||
|
||||
- rename `enterprise`- train to `premium`-train
|
|
@ -0,0 +1,8 @@
|
|||
A private cloud server that puts the control and security of your own data back into your hands.
|
||||
|
||||
This App is supplied by TrueCharts, for more information visit the manual: [https://truecharts.org/charts/premium/nextcloud](https://truecharts.org/charts/premium/nextcloud)
|
||||
|
||||
---
|
||||
|
||||
TrueCharts can only exist due to the incredible effort of our staff.
|
||||
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
|
|
@ -0,0 +1,516 @@
|
|||
image:
|
||||
repository: tccr.io/tccr/nextcloud-fpm
|
||||
pullPolicy: IfNotPresent
|
||||
tag: v28.0.3@sha256:77b7353be48b28d1bc1dcfa8bed1e0f3c989f6223647f9c99b07db0e8ab78c8d
|
||||
nginxImage:
|
||||
repository: nginxinc/nginx-unprivileged
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 1.25.4@sha256:060d468f78f016c7cfd49a548ed5d3456891cba1b54767b4ed48907981266f06
|
||||
imaginaryImage:
|
||||
repository: tccr.io/tccr/nextcloud-imaginary
|
||||
pullPolicy: IfNotPresent
|
||||
tag: v20230401@sha256:6be7b4432a536d6004b94edea7dd3573f0cc061328b729ed8043236a0784f98c
|
||||
hpbImage:
|
||||
repository: tccr.io/tccr/nextcloud-push-notify
|
||||
pullPolicy: IfNotPresent
|
||||
tag: v0.6.9@sha256:1950fd07cc1292551b16c7080514c24d8c22ce7947e06cbb12fd968d13970373
|
||||
clamavImage:
|
||||
repository: clamav/clamav
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 1.3.0@sha256:57555703249b4c57d760753bf3655871d3c51958bd5bd4a0dac6eb73c1c36516
|
||||
collaboraImage:
|
||||
repository: collabora/code
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 23.05.9.4.1@sha256:18768e665a817a06d17a608bcb0744dd0275e72d805644cad5ad1923f7d623b5
|
||||
nextcloud:
|
||||
# Initial Credentials
|
||||
credentials:
|
||||
initialAdminUser: admin
|
||||
initialAdminPassword: adminpass
|
||||
# General settings
|
||||
general:
|
||||
# Custom Nextcloud Scripts
|
||||
run_optimize: true
|
||||
default_phone_region: GR
|
||||
# IP used for exposing nextcloud,
|
||||
# often the loadbalancer IP
|
||||
accessIP: ""
|
||||
# Allows Nextcloud to connect to unsecure (http) endpoints
|
||||
force_enable_allow_local_remote_servers: false
|
||||
# File settings
|
||||
files:
|
||||
shared_folder_name: Shared
|
||||
max_chunk_size: 10485760
|
||||
# Expiration settings
|
||||
expirations:
|
||||
activity_expire_days: 90
|
||||
trash_retention_obligation: auto
|
||||
versions_retention_obligation: auto
|
||||
# Previews settings
|
||||
previews:
|
||||
enabled: true
|
||||
# It will also deploy the container
|
||||
imaginary: true
|
||||
cron: true
|
||||
schedule: "*/30 * * * *"
|
||||
max_x: 2048
|
||||
max_y: 2048
|
||||
max_memory: 1024
|
||||
max_file_size_image: 50
|
||||
# Setting for Imaginary
|
||||
max_allowed_resolution: 18.0
|
||||
jpeg_quality: 60
|
||||
square_sizes: 32 256
|
||||
width_sizes: 256 384
|
||||
height_sizes: 256
|
||||
# Casings are important
|
||||
# https://github.com/nextcloud/server/blob/master/config/config.sample.php#L1269
|
||||
# Only the last part of the provider is needed
|
||||
providers:
|
||||
- PNG
|
||||
- JPEG
|
||||
# Logging settings
|
||||
logging:
|
||||
log_level: 2
|
||||
log_file: /var/www/html/data/logs/nextcloud.log
|
||||
log_audit_file: /var/www/html/data/logs/audit.log
|
||||
log_date_format: d/m/Y H:i:s
|
||||
# ClamAV settings
|
||||
clamav:
|
||||
# It will also deploy the container
|
||||
# Note that this runs as root
|
||||
enabled: false
|
||||
stream_max_length: 26214400
|
||||
file_max_size: -1
|
||||
infected_action: only_log
|
||||
# Notify Push settings
|
||||
notify_push:
|
||||
# It will also deploy the container
|
||||
enabled: true
|
||||
# Collabora settings
|
||||
collabora:
|
||||
# It will also deploy the container
|
||||
enabled: false
|
||||
# default|compact|tabbed
|
||||
interface_mode: default
|
||||
username: admin
|
||||
password: changeme
|
||||
dictionaries:
|
||||
- de_DE
|
||||
- en_GB
|
||||
- en_US
|
||||
- el_GR
|
||||
- es_ES
|
||||
- fr_FR
|
||||
- pt_BR
|
||||
- pt_PT
|
||||
- it
|
||||
- nl
|
||||
- ru
|
||||
onlyoffice:
|
||||
# It will not deploy the container
|
||||
# Only add the OnlyOffice settings
|
||||
enabled: false
|
||||
url: ""
|
||||
internal_url: ""
|
||||
verify_ssl: true
|
||||
jwt: ""
|
||||
jwt_header: Authorization
|
||||
# PHP settings
|
||||
php:
|
||||
memory_limit: 1G
|
||||
upload_limit: 10G
|
||||
pm_max_children: 180
|
||||
pm_start_servers: 18
|
||||
pm_min_spare_servers: 12
|
||||
pm_max_spare_servers: 30
|
||||
opcache:
|
||||
interned_strings_buffer: 32
|
||||
max_accelerated_files: 10000
|
||||
memory_consumption: 128
|
||||
revalidate_freq: 60
|
||||
jit_buffer_size: 128
|
||||
# Do NOT edit below this line
|
||||
workload:
|
||||
# Nextcloud php-fpm
|
||||
main:
|
||||
type: Deployment
|
||||
podSpec:
|
||||
containers:
|
||||
main:
|
||||
enabled: true
|
||||
primary: true
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: nextcloud-config
|
||||
probes:
|
||||
liveness:
|
||||
enabled: true
|
||||
type: exec
|
||||
command: /healthcheck.sh
|
||||
readiness:
|
||||
enabled: true
|
||||
type: exec
|
||||
command: /healthcheck.sh
|
||||
startup:
|
||||
enabled: true
|
||||
type: tcp
|
||||
port: "{{ .Values.service.nextcloud.ports.nextcloud.targetPort }}"
|
||||
nginx:
|
||||
enabled: true
|
||||
type: Deployment
|
||||
strategy: RollingUpdate
|
||||
replicas: 1
|
||||
podSpec:
|
||||
containers:
|
||||
nginx:
|
||||
enabled: true
|
||||
primary: true
|
||||
imageSelector: nginxImage
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
path: /robots.txt
|
||||
port: "{{ .Values.service.main.ports.main.port }}"
|
||||
httpHeaders:
|
||||
Host: kube.internal.healthcheck
|
||||
liveness:
|
||||
enabled: true
|
||||
path: /robots.txt
|
||||
port: "{{ .Values.service.main.ports.main.port }}"
|
||||
httpHeaders:
|
||||
Host: kube.internal.healthcheck
|
||||
startup:
|
||||
enabled: true
|
||||
type: tcp
|
||||
port: "{{ .Values.service.main.ports.main.port }}"
|
||||
notify:
|
||||
enabled: true
|
||||
type: Deployment
|
||||
strategy: RollingUpdate
|
||||
replicas: 1
|
||||
podSpec:
|
||||
containers:
|
||||
notify:
|
||||
primary: true
|
||||
enabled: true
|
||||
imageSelector: hpbImage
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: hpb-config
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
path: /push/test/cookie
|
||||
port: 7867
|
||||
httpHeaders:
|
||||
Host: kube.internal.healthcheck
|
||||
liveness:
|
||||
enabled: true
|
||||
path: /push/test/cookie
|
||||
port: 7867
|
||||
httpHeaders:
|
||||
Host: kube.internal.healthcheck
|
||||
startup:
|
||||
enabled: true
|
||||
type: tcp
|
||||
port: 7867
|
||||
imaginary:
|
||||
enabled: true
|
||||
type: Deployment
|
||||
strategy: RollingUpdate
|
||||
replicas: 1
|
||||
podSpec:
|
||||
containers:
|
||||
imaginary:
|
||||
primary: true
|
||||
enabled: true
|
||||
imageSelector: imaginaryImage
|
||||
command: imaginary
|
||||
args:
|
||||
- -p
|
||||
- "{{ .Values.service.imaginary.ports.imaginary.port }}"
|
||||
- -concurrency
|
||||
- "10"
|
||||
- -max-allowed-resolution
|
||||
- "{{ .Values.nextcloud.previews.max_allowed_resolution }}"
|
||||
- -enable-url-source
|
||||
- -return-size
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
path: /health
|
||||
port: "{{ .Values.service.imaginary.ports.imaginary.port }}"
|
||||
liveness:
|
||||
enabled: true
|
||||
path: /health
|
||||
port: "{{ .Values.service.imaginary.ports.imaginary.port }}"
|
||||
startup:
|
||||
enabled: true
|
||||
type: tcp
|
||||
port: "{{ .Values.service.imaginary.ports.imaginary.port }}"
|
||||
clamav:
|
||||
enabled: true
|
||||
type: Deployment
|
||||
strategy: RollingUpdate
|
||||
replicas: 1
|
||||
podSpec:
|
||||
containers:
|
||||
clamav:
|
||||
primary: true
|
||||
enabled: true
|
||||
imageSelector: clamavImage
|
||||
# FIXME: https://github.com/Cisco-Talos/clamav/issues/478
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
readOnlyRootFilesystem: false
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: clamav-config
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
type: exec
|
||||
command: clamdcheck.sh
|
||||
liveness:
|
||||
enabled: true
|
||||
type: exec
|
||||
command: clamdcheck.sh
|
||||
startup:
|
||||
enabled: true
|
||||
type: tcp
|
||||
port: "{{ .Values.service.clamav.ports.clamav.targetPort }}"
|
||||
collabora:
|
||||
enabled: true
|
||||
type: Deployment
|
||||
strategy: RollingUpdate
|
||||
replicas: 1
|
||||
podSpec:
|
||||
containers:
|
||||
collabora:
|
||||
primary: true
|
||||
enabled: true
|
||||
imageSelector: collaboraImage
|
||||
securityContext:
|
||||
runAsUser: 100
|
||||
runAsGroup: 102
|
||||
readOnlyRootFilesystem: false
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
add:
|
||||
- CHOWN
|
||||
- FOWNER
|
||||
- SYS_CHROOT
|
||||
- MKNOD
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: collabora-config
|
||||
probes:
|
||||
readiness:
|
||||
enabled: true
|
||||
type: http
|
||||
path: /collabora/
|
||||
port: "{{ .Values.service.collabora.ports.collabora.targetPort }}"
|
||||
liveness:
|
||||
enabled: true
|
||||
type: http
|
||||
path: /collabora/
|
||||
port: "{{ .Values.service.collabora.ports.collabora.targetPort }}"
|
||||
startup:
|
||||
enabled: true
|
||||
type: tcp
|
||||
port: "{{ .Values.service.collabora.ports.collabora.targetPort }}"
|
||||
cronjobs:
|
||||
# Don't change names, it's used in the persistence
|
||||
- name: nextcloud-cron
|
||||
enabled: true
|
||||
schedule: "*/5 * * * *"
|
||||
cmd:
|
||||
- echo "Running [php -f /var/www/html/cron.php] ..."
|
||||
- php -f /var/www/html/cron.php
|
||||
- echo "Finished [php -f /var/www/html/cron.php]"
|
||||
- name: preview-cron
|
||||
enabled: "{{ .Values.nextcloud.previews.cron }}"
|
||||
schedule: "{{ .Values.nextcloud.previews.schedule }}"
|
||||
cmd:
|
||||
- echo "Running [occ preview:pre-generate] ..."
|
||||
- occ preview:pre-generate
|
||||
- echo "Finished [occ preview:pre-generate]"
|
||||
service:
|
||||
# Main service links to ingress easier
|
||||
# That's why the nginx is swapped with nextcloud
|
||||
main:
|
||||
targetSelector: nginx
|
||||
ports:
|
||||
main:
|
||||
targetSelector: nginx
|
||||
port: 8080
|
||||
nextcloud:
|
||||
enabled: true
|
||||
targetSelector: main
|
||||
ports:
|
||||
nextcloud:
|
||||
enabled: true
|
||||
targetSelector: main
|
||||
port: 9000
|
||||
targetPort: 9000
|
||||
notify:
|
||||
enabled: true
|
||||
targetSelector: notify
|
||||
ports:
|
||||
notify:
|
||||
enabled: true
|
||||
primary: true
|
||||
port: 7867
|
||||
targetPort: 7867
|
||||
targetSelector: notify
|
||||
metrics:
|
||||
enabled: true
|
||||
port: 7868
|
||||
targetSelector: notify
|
||||
imaginary:
|
||||
enabled: true
|
||||
targetSelector: imaginary
|
||||
ports:
|
||||
imaginary:
|
||||
enabled: true
|
||||
port: 9090
|
||||
targetSelector: imaginary
|
||||
clamav:
|
||||
enabled: true
|
||||
targetSelector: clamav
|
||||
ports:
|
||||
clamav:
|
||||
enabled: true
|
||||
port: 3310
|
||||
targetPort: 3310
|
||||
targetSelector: clamav
|
||||
collabora:
|
||||
enabled: true
|
||||
targetSelector: collabora
|
||||
ports:
|
||||
collabora:
|
||||
enabled: true
|
||||
port: 9980
|
||||
targetPort: 9980
|
||||
targetSelector: collabora
|
||||
persistence:
|
||||
php-tune:
|
||||
enabled: true
|
||||
type: configmap
|
||||
objectName: php-tune
|
||||
targetSelector:
|
||||
main:
|
||||
main:
|
||||
mountPath: /usr/local/etc/php-fpm.d/zz-tune.conf
|
||||
subPath: zz-tune.conf
|
||||
readOnly: true
|
||||
redis-session:
|
||||
enabled: true
|
||||
type: configmap
|
||||
objectName: redis-session
|
||||
targetSelector:
|
||||
main:
|
||||
main:
|
||||
mountPath: /usr/local/etc/php/conf.d/redis-session.ini
|
||||
subPath: redis-session.ini
|
||||
readOnly: true
|
||||
opcache-recommended:
|
||||
enabled: true
|
||||
type: configmap
|
||||
objectName: opcache
|
||||
targetSelector:
|
||||
main:
|
||||
main:
|
||||
mountPath: /usr/local/etc/php/conf.d/opcache-recommended.ini
|
||||
subPath: opcache-recommended.ini
|
||||
readOnly: true
|
||||
nginx:
|
||||
enabled: true
|
||||
type: configmap
|
||||
objectName: nginx-config
|
||||
targetSelector:
|
||||
nginx:
|
||||
nginx:
|
||||
mountPath: /etc/nginx/nginx.conf
|
||||
subPath: nginx.conf
|
||||
readOnly: true
|
||||
nginx-temp:
|
||||
enabled: true
|
||||
type: emptyDir
|
||||
targetSelector:
|
||||
nginx:
|
||||
nginx:
|
||||
mountPath: /tmp/nginx
|
||||
html:
|
||||
enabled: true
|
||||
targetSelector:
|
||||
main:
|
||||
main:
|
||||
mountPath: /var/www/html
|
||||
nextcloud-cron:
|
||||
nextcloud-cron:
|
||||
mountPath: /var/www/html
|
||||
preview-cron:
|
||||
preview-cron:
|
||||
mountPath: /var/www/html
|
||||
nginx:
|
||||
nginx:
|
||||
mountPath: /var/www/html
|
||||
readOnly: true
|
||||
config:
|
||||
enabled: true
|
||||
targetSelector:
|
||||
main:
|
||||
main:
|
||||
mountPath: /var/www/html/config
|
||||
nextcloud-cron:
|
||||
nextcloud-cron:
|
||||
mountPath: /var/www/html/config
|
||||
preview-cron:
|
||||
preview-cron:
|
||||
mountPath: /var/www/html/config
|
||||
notify:
|
||||
notify:
|
||||
mountPath: /var/www/html/config
|
||||
readOnly: true
|
||||
nginx:
|
||||
nginx:
|
||||
mountPath: /var/www/html/config
|
||||
readOnly: true
|
||||
data:
|
||||
enabled: true
|
||||
targetSelector:
|
||||
main:
|
||||
main:
|
||||
mountPath: /var/www/html/data
|
||||
init-perms:
|
||||
mountPath: /var/www/html/data
|
||||
nextcloud-cron:
|
||||
nextcloud-cron:
|
||||
mountPath: /var/www/html/data
|
||||
preview-cron:
|
||||
preview-cron:
|
||||
mountPath: /var/www/html/data
|
||||
nginx:
|
||||
nginx:
|
||||
mountPath: /var/www/html/data
|
||||
readOnly: true
|
||||
cnpg:
|
||||
main:
|
||||
enabled: true
|
||||
user: nextcloud
|
||||
database: nextcloud
|
||||
redis:
|
||||
enabled: true
|
||||
username: default
|
||||
portal:
|
||||
open:
|
||||
enabled: true
|
||||
updated: true
|
||||
|
||||
ingress:
|
||||
main:
|
||||
required: true
|
@ -0,0 +1 @@
{{- include "tc.v1.common.lib.chart.notes" $ -}}
@ -0,0 +1,443 @@
{{- define "nextcloud.accessurl" -}}
|
||||
{{- $accessUrl := .Values.chartContext.appUrl -}}
|
||||
{{- if or (contains "127.0.0.1" $accessUrl) (contains "localhost" $accessUrl) -}}
|
||||
{{- if .Values.nextcloud.general.accessIP -}}
|
||||
{{- $prot := "http" -}}
|
||||
{{- $host := .Values.nextcloud.general.accessIP -}}
|
||||
{{- $port := .Values.service.main.ports.main.port -}}
|
||||
{{/*
|
||||
Allowing here to override protocol and port
|
||||
should be enough to make it work with any rev proxy
|
||||
*/}}
|
||||
{{- $accessUrl = printf "%v://%v:%v" $prot $host $port -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $accessUrl -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "nextcloud.accesshost" -}}
|
||||
{{- $accessUrl := (include "nextcloud.accessurl" $) -}}
|
||||
{{- $accessHost := regexReplaceAll ".*://(.*)" $accessUrl "${1}" -}}
|
||||
{{- $accessHost = regexReplaceAll "(.*):.*" $accessHost "${1}" -}}
|
||||
|
||||
{{- $accessHost -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Define the configmap */}}
|
||||
{{- define "nextcloud.configmaps" -}}
|
||||
{{- $fullname := (include "tc.v1.common.lib.chart.names.fullname" $) -}}
|
||||
{{- $fqdn := (include "tc.v1.common.lib.chart.names.fqdn" $) -}}
|
||||
{{- $accessUrl := (include "nextcloud.accessurl" $) -}}
|
||||
{{- $accessHost := (include "nextcloud.accesshost" $) -}}
|
||||
{{- $accessHostPort := regexReplaceAll ".*://(.*)" $accessUrl "${1}" -}}
|
||||
{{- $accessProtocol := regexReplaceAll "(.*)://.*" $accessUrl "${1}" -}}
|
||||
{{- $redisHost := .Values.redis.creds.plainhost | trimAll "\"" -}}
|
||||
{{- $redisPass := .Values.redis.creds.redisPassword | trimAll "\"" -}}
|
||||
{{- $healthHost := "kube.internal.healthcheck" -}}
|
||||
|
||||
php-tune:
|
||||
enabled: true
|
||||
data:
|
||||
zz-tune.conf: |
|
||||
[www]
|
||||
pm.max_children = {{ .Values.nextcloud.php.pm_max_children }}
|
||||
pm.start_servers = {{ .Values.nextcloud.php.pm_start_servers }}
|
||||
pm.min_spare_servers = {{ .Values.nextcloud.php.pm_min_spare_servers }}
|
||||
pm.max_spare_servers = {{ .Values.nextcloud.php.pm_max_spare_servers }}
|
||||
|
||||
opcache:
|
||||
enabled: true
|
||||
data:
|
||||
opcache-recommended.ini: |
|
||||
opcache.enable=1
|
||||
opcache.save_comments=1
|
||||
opcache.jit=1255
|
||||
opcache.interned_strings_buffer={{ .Values.nextcloud.opcache.interned_strings_buffer }}
|
||||
opcache.max_accelerated_files={{ .Values.nextcloud.opcache.max_accelerated_files }}
|
||||
opcache.memory_consumption={{ .Values.nextcloud.opcache.memory_consumption }}
|
||||
opcache.revalidate_freq={{ .Values.nextcloud.opcache.revalidate_freq }}
|
||||
opcache.jit_buffer_size={{ printf "%vM" .Values.nextcloud.opcache.jit_buffer_size }}
|
||||
|
||||
redis-session:
|
||||
enabled: true
|
||||
data:
|
||||
redis-session.ini: |
|
||||
session.save_handler = redis
|
||||
session.save_path = {{ printf "tcp://%v:6379?auth=%v" $redisHost $redisPass | quote }}
|
||||
redis.session.locking_enabled = 1
|
||||
redis.session.lock_retries = -1
|
||||
redis.session.lock_wait_time = 10000
|
||||
|
||||
hpb-config:
|
||||
enabled: {{ .Values.nextcloud.notify_push.enabled }}
|
||||
data:
|
||||
NEXTCLOUD_URL: {{ printf "http://%v:%v" $fullname .Values.service.main.ports.main.port }}
|
||||
HPB_HOST: {{ $healthHost }}
|
||||
CONFIG_FILE: {{ printf "%v/config.php" .Values.persistence.config.targetSelector.notify.notify.mountPath }}
|
||||
METRICS_PORT: {{ .Values.service.notify.ports.metrics.port | quote }}
|
||||
|
||||
clamav-config:
|
||||
enabled: {{ .Values.nextcloud.clamav.enabled }}
|
||||
data:
|
||||
CLAMAV_NO_CLAMD: "false"
|
||||
CLAMAV_NO_FRESHCLAMD: "true"
|
||||
CLAMAV_NO_MILTERD: "true"
|
||||
CLAMD_STARTUP_TIMEOUT: "1800"
|
||||
|
||||
collabora-config:
|
||||
enabled: {{ .Values.nextcloud.collabora.enabled }}
|
||||
data:
|
||||
aliasgroup1: {{ $accessUrl }}
|
||||
server_name: {{ $accessHostPort }}
|
||||
dictionaries: {{ join " " .Values.nextcloud.collabora.dictionaries }}
|
||||
username: {{ .Values.nextcloud.collabora.username | quote }}
|
||||
password: {{ .Values.nextcloud.collabora.password | quote }}
|
||||
DONT_GEN_SSL_CERT: "true"
|
||||
# mount_jail_tree is only used for local storage
|
||||
# not needed for WOPI https://github.com/CollaboraOnline/online/issues/3604#issuecomment-989833814
|
||||
extra_params: |
|
||||
--o:ssl.enable=false
|
||||
--o:ssl.termination=true
|
||||
--o:net.service_root=/collabora
|
||||
--o:home_mode.enable=true
|
||||
--o:welcome.enable=false
|
||||
--o:logging.level=warning
|
||||
--o:logging.level_startup=warning
|
||||
--o:security.seccomp=true
|
||||
--o:mount_jail_tree=false
|
||||
--o:user_interface.mode={{ .Values.nextcloud.collabora.interface_mode }}
|
||||
|
||||
nextcloud-config:
|
||||
enabled: true
|
||||
data:
|
||||
{{/* Database */}}
|
||||
POSTGRES_DB: {{ .Values.cnpg.main.database | quote }}
|
||||
POSTGRES_USER: {{ .Values.cnpg.main.user | quote }}
|
||||
POSTGRES_PASSWORD: {{ .Values.cnpg.main.creds.password | trimAll "\"" }}
|
||||
POSTGRES_HOST: {{ .Values.cnpg.main.creds.host | trimAll "\"" }}
|
||||
|
||||
{{/* Redis */}}
|
||||
NX_REDIS_HOST: {{ $redisHost }}
|
||||
NX_REDIS_PASS: {{ $redisPass }}
|
||||
|
||||
{{/* Nextcloud INITIAL credentials */}}
|
||||
NEXTCLOUD_ADMIN_USER: {{ .Values.nextcloud.credentials.initialAdminUser | quote }}
|
||||
NEXTCLOUD_ADMIN_PASSWORD: {{ .Values.nextcloud.credentials.initialAdminPassword | quote }}
|
||||
|
||||
{{/* PHP Variables */}}
|
||||
PHP_MEMORY_LIMIT: {{ .Values.nextcloud.php.memory_limit | quote }}
|
||||
PHP_UPLOAD_LIMIT: {{ .Values.nextcloud.php.upload_limit | quote }}
|
||||
|
||||
{{/* Notify Push */}}
|
||||
NX_NOTIFY_PUSH: {{ .Values.nextcloud.notify_push.enabled | quote }}
|
||||
{{- if .Values.nextcloud.notify_push.enabled }}
|
||||
NX_NOTIFY_PUSH_ENDPOINT: {{ $accessUrl }}/push
|
||||
{{- end }}
|
||||
|
||||
{{/* Previews */}}
|
||||
NX_PREVIEWS: {{ .Values.nextcloud.previews.enabled | quote }}
|
||||
NX_PREVIEW_PROVIDERS: {{ join " " .Values.nextcloud.previews.providers }}
|
||||
NX_PREVIEW_MAX_X: {{ .Values.nextcloud.previews.max_x | quote }}
|
||||
NX_PREVIEW_MAX_Y: {{ .Values.nextcloud.previews.max_y | quote }}
|
||||
NX_PREVIEW_MAX_MEMORY: {{ .Values.nextcloud.previews.max_memory | quote }}
|
||||
NX_PREVIEW_MAX_FILESIZE_IMAGE: {{ .Values.nextcloud.previews.max_file_size_image | quote }}
|
||||
NX_JPEG_QUALITY: {{ .Values.nextcloud.previews.jpeg_quality | quote }}
|
||||
NX_PREVIEW_SQUARE_SIZES: {{ .Values.nextcloud.previews.square_sizes | quote }}
|
||||
NX_PREVIEW_WIDTH_SIZES: {{ .Values.nextcloud.previews.width_sizes | quote }}
|
||||
NX_PREVIEW_HEIGHT_SIZES: {{ .Values.nextcloud.previews.height_sizes | quote }}
|
||||
|
||||
{{/* Imaginary */}}
|
||||
NX_IMAGINARY: {{ and .Values.nextcloud.previews.enabled .Values.nextcloud.previews.imaginary | quote }}
|
||||
{{- if and .Values.nextcloud.previews.enabled .Values.nextcloud.previews.imaginary }}
|
||||
NX_IMAGINARY_URL: {{ printf "http://%v-imaginary:%v" $fullname .Values.service.imaginary.ports.imaginary.port }}
|
||||
{{- end }}
|
||||
|
||||
{{/* Expirations */}}
|
||||
NX_ACTIVITY_EXPIRE_DAYS: {{ .Values.nextcloud.expirations.activity_expire_days | quote }}
|
||||
NX_TRASH_RETENTION: {{ .Values.nextcloud.expirations.trash_retention_obligation | quote }}
|
||||
NX_VERSIONS_RETENTION: {{ .Values.nextcloud.expirations.versions_retention_obligation | quote }}
|
||||
|
||||
{{/* General */}}
|
||||
NX_RUN_OPTIMIZE: {{ .Values.nextcloud.general.run_optimize | quote }}
|
||||
NX_DEFAULT_PHONE_REGION: {{ .Values.nextcloud.general.default_phone_region | quote }}
|
||||
NEXTCLOUD_DATA_DIR: {{ .Values.persistence.data.targetSelector.main.main.mountPath }}
|
||||
NX_FORCE_ENABLE_ALLOW_LOCAL_REMOTE_SERVERS: {{ .Values.nextcloud.general.force_enable_allow_local_remote_servers | quote }}
|
||||
|
||||
{{/* Files */}}
|
||||
NX_SHARED_FOLDER_NAME: {{ .Values.nextcloud.files.shared_folder_name | quote }}
|
||||
NX_MAX_CHUNKSIZE: {{ .Values.nextcloud.files.max_chunk_size | mul 1 | quote }}
|
||||
|
||||
{{/* Logging */}}
|
||||
NX_LOG_LEVEL: {{ .Values.nextcloud.logging.log_level | quote }}
|
||||
NX_LOG_FILE: {{ .Values.nextcloud.logging.log_file | quote }}
|
||||
NX_LOG_FILE_AUDIT: {{ .Values.nextcloud.logging.log_audit_file | quote }}
|
||||
NX_LOG_DATE_FORMAT: {{ .Values.nextcloud.logging.log_date_format | quote }}
|
||||
NX_LOG_TIMEZONE: {{ .Values.TZ | quote }}
|
||||
|
||||
{{/* ClamAV */}}
|
||||
NX_CLAMAV: {{ .Values.nextcloud.clamav.enabled | quote }}
|
||||
{{- if .Values.nextcloud.clamav.enabled }}
|
||||
NX_CLAMAV_HOST: {{ printf "%v-clamav" $fullname }}
|
||||
NX_CLAMAV_PORT: {{ .Values.service.clamav.ports.clamav.targetPort | quote }}
|
||||
NX_CLAMAV_STREAM_MAX_LENGTH: {{ .Values.nextcloud.clamav.stream_max_length | mul 1 | quote }}
|
||||
NX_CLAMAV_FILE_MAX_SIZE: {{ .Values.nextcloud.clamav.file_max_size | quote }}
|
||||
NX_CLAMAV_INFECTED_ACTION: {{ .Values.nextcloud.clamav.infected_action | quote }}
|
||||
{{- end }}
|
||||
|
||||
{{/* Collabora */}}
|
||||
NX_COLLABORA: {{ .Values.nextcloud.collabora.enabled | quote }}
|
||||
{{- if .Values.nextcloud.collabora.enabled }}
|
||||
NX_COLLABORA_URL: {{ printf "%v/collabora" $accessUrl | quote }}
|
||||
# Ideally this would be a combo of: public ip, pod cidr, svc cidr
|
||||
# But not always people have static IP.
|
||||
NX_COLLABORA_ALLOWLIST: "0.0.0.0/0"
|
||||
{{- end }}
|
||||
|
||||
{{/* Only Office */}}
|
||||
NX_ONLYOFFICE: {{ .Values.nextcloud.onlyoffice.enabled | quote }}
|
||||
{{- if .Values.nextcloud.onlyoffice.enabled }}
|
||||
NX_ONLYOFFICE_URL: {{ .Values.nextcloud.onlyoffice.url | quote }}
|
||||
NX_ONLYOFFICE_INTERNAL_URL: {{ .Values.nextcloud.onlyoffice.internal_url | quote }}
|
||||
NX_ONLYOFFICE_VERIFY_SSL: {{ .Values.nextcloud.onlyoffice.verify_ssl | quote }}
|
||||
NX_ONLYOFFICE_NEXTCLOUD_INTERNAL_URL: {{ printf "http://%v.svc.cluster.local:%v" $fqdn .Values.service.main.ports.main.port }}
|
||||
NX_ONLYOFFICE_JWT: {{ .Values.nextcloud.onlyoffice.jwt | quote }}
|
||||
NX_ONLYOFFICE_JWT_HEADER: {{ .Values.nextcloud.onlyoffice.jwt_header | quote }}
|
||||
{{- end }}
|
||||
|
||||
{{/* URLs */}}
|
||||
NX_OVERWRITE_HOST: {{ $accessHostPort }}
|
||||
NX_OVERWRITE_CLI_URL: {{ $accessUrl }}
|
||||
# Return the protocol part of the URL
|
||||
NX_OVERWRITE_PROTOCOL: {{ $accessProtocol | lower }}
|
||||
# IP (or range in this case) of the proxy(ies)
|
||||
NX_TRUSTED_PROXIES: |
|
||||
{{ .Values.chartContext.podCIDR }}
|
||||
{{ .Values.chartContext.svcCIDR }}
|
||||
# fullname-* will allow access from the
|
||||
# other services in the same namespace
|
||||
NX_TRUSTED_DOMAINS: |
|
||||
127.0.0.1
|
||||
localhost
|
||||
{{ $fullname }}
|
||||
{{ printf "%v-*" $fullname }}
|
||||
{{ $healthHost }}
|
||||
{{- if not (contains "127.0.0.1" $accessHost) }}
|
||||
{{- $accessHost | nindent 6 }}
|
||||
{{- end -}}
|
||||
{{- with .Values.nextcloud.general.accessIP }}
|
||||
{{- . | nindent 6 }}
|
||||
{{- end }}
|
||||
|
||||
# TODO: Replace locations with ingress
|
||||
# like /push, /.well-known/carddav, /.well-known/caldav
|
||||
# needs some work as nginx converts urls to pretty urls
|
||||
# before matching them to locations, so ingress needs to
|
||||
# take that into consideration.
|
||||
nginx-config:
|
||||
enabled: true
|
||||
data:
|
||||
nginx.conf: |
|
||||
worker_processes auto;
|
||||
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
# Set to /tmp so it can run as non-root
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
# Set to /tmp so it can run as non-root
|
||||
client_body_temp_path /tmp/nginx/client_temp;
|
||||
proxy_temp_path /tmp/nginx/proxy_temp_path;
|
||||
fastcgi_temp_path /tmp/nginx/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/nginx/uwsgi_temp;
|
||||
scgi_temp_path /tmp/nginx/scgi_temp;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
# Prevent nginx HTTP Server Detection
|
||||
server_tokens off;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
#gzip on;
|
||||
|
||||
upstream php-handler {
|
||||
server {{ printf "%v-nextcloud" $fullname }}:{{ .Values.service.nextcloud.ports.nextcloud.targetPort }};
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ .Values.service.main.ports.main.port }};
|
||||
absolute_redirect off;
|
||||
|
||||
{{- if .Values.nextcloud.notify_push.enabled }}
|
||||
# Forward Notify_Push "High Performance Backend" to it's own container
|
||||
location ^~ /push/ {
|
||||
# The trailing "/" is important!
|
||||
proxy_pass http://{{ printf "%v-notify" $fullname }}:{{ .Values.service.notify.ports.notify.targetPort }}/;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
}
|
||||
{{- end }}
|
||||
|
||||
# HSTS settings
|
||||
# WARNING: Only add the preload option once you read about
|
||||
# the consequences in https://hstspreload.org/. This option
|
||||
# will add the domain to a hardcoded list that is shipped
|
||||
# in all major browsers and getting removed from this list
|
||||
# could take several months.
|
||||
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
|
||||
|
||||
# Set max upload size
|
||||
client_max_body_size {{ .Values.nextcloud.php.upload_limit | default "512M" }};
|
||||
fastcgi_buffers 64 4K;
|
||||
|
||||
# Enable gzip but do not remove ETag headers
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_comp_level 4;
|
||||
gzip_min_length 256;
|
||||
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
||||
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
||||
|
||||
# Pagespeed is not supported by Nextcloud, so if your server is built
|
||||
# with the `ngx_pagespeed` module, uncomment this line to disable it.
|
||||
#pagespeed off;
|
||||
|
||||
include mime.types;
|
||||
types {
|
||||
text/javascript js mjs;
|
||||
}
|
||||
|
||||
# HTTP response headers borrowed from Nextcloud `.htaccess`
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
# Remove X-Powered-By, which is an information leak
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
|
||||
# Path to the root of your installation
|
||||
root {{ .Values.persistence.html.targetSelector.nginx.nginx.mountPath }};
|
||||
|
||||
# Specify how to handle directories -- specifying `/index.php$request_uri`
|
||||
# here as the fallback means that Nginx always exhibits the desired behaviour
|
||||
# when a client requests a path that corresponds to a directory that exists
|
||||
# on the server. In particular, if that directory contains an index.php file,
|
||||
# that file is correctly served; if it doesn't, then the request is passed to
|
||||
# the front-end controller. This consistent behaviour means that we don't need
|
||||
# to specify custom rules for certain paths (e.g. images and other assets,
|
||||
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
|
||||
# `try_files $uri $uri/ /index.php$request_uri`
|
||||
# always provides the desired behaviour.
|
||||
index index.php index.html /index.php$request_uri;
|
||||
|
||||
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
|
||||
location = / {
|
||||
if ( $http_user_agent ~ ^DavClnt ) {
|
||||
return 302 /remote.php/webdav/$is_args$args;
|
||||
}
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# Make a regex exception for `/.well-known` so that clients can still
|
||||
# access it despite the existence of the regex rule
|
||||
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
|
||||
# for `/.well-known`.
|
||||
location ^~ /.well-known {
|
||||
# The rules in this block are an adaptation of the rules
|
||||
# in `.htaccess` that concern `/.well-known`.
|
||||
|
||||
location = /.well-known/carddav { return 301 /remote.php/dav/; }
|
||||
location = /.well-known/caldav { return 301 /remote.php/dav/; }
|
||||
|
||||
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
|
||||
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
|
||||
|
||||
# Let Nextcloud's API for `/.well-known` URIs handle all other
|
||||
# requests by passing them to the front-end controller.
|
||||
return 301 /index.php$request_uri;
|
||||
}
|
||||
|
||||
# Rules borrowed from `.htaccess` to hide certain paths from clients
|
||||
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
|
||||
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
|
||||
|
||||
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
|
||||
# which handle static assets (as seen below). If this block is not declared first,
|
||||
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
|
||||
# to the URI, resulting in a HTTP 500 error response.
|
||||
location ~ \.php(?:$|/) {
|
||||
# Required for legacy support
|
||||
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
|
||||
|
||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||
set $path_info $fastcgi_path_info;
|
||||
|
||||
try_files $fastcgi_script_name =404;
|
||||
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $path_info;
|
||||
#fastcgi_param HTTPS on;
|
||||
|
||||
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
|
||||
fastcgi_param front_controller_active true; # Enable pretty urls
|
||||
fastcgi_pass php-handler;
|
||||
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
proxy_send_timeout 3600s;
|
||||
proxy_read_timeout 3600s;
|
||||
fastcgi_send_timeout 3600s;
|
||||
fastcgi_read_timeout 3600s;
|
||||
}
|
||||
|
||||
location ~ \.(?:css|js|svg|gif)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
expires 6M; # Cache-Control policy borrowed from `.htaccess`
|
||||
access_log off; # Optional: Don't log access to assets
|
||||
}
|
||||
|
||||
location ~ \.woff2?$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
||||
access_log off; # Optional: Don't log access to assets
|
||||
}
|
||||
|
||||
# Rule borrowed from `.htaccess`
|
||||
location /remote {
|
||||
return 301 /remote.php$request_uri;
|
||||
}
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php$request_uri;
|
||||
}
|
||||
}
|
||||
}
|
||||
{{- end -}}
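Review bot: The `nextcloud-config`, `redis-session`, `collabora-config` and (when enabled) OnlyOffice entries of this `nextcloud.configmaps` define put live credentials into ConfigMaps — `POSTGRES_PASSWORD`, `NX_REDIS_PASS`, `NEXTCLOUD_ADMIN_PASSWORD`, the redis `auth=` embedded in `session.save_path`, the collabora `password` and `NX_ONLYOFFICE_JWT`. ConfigMaps are readable by anyone with `get configmaps` in the namespace, are not covered by Secret encryption-at-rest, and are dumped verbatim by `kubectl describe` and most backup tooling, so these keys belong in a Secret consumed via `secretRef`/`secretKeyRef` (presumably the common library offers a secret object type analogous to the configmap one used here — I cannot see that from this hunk). The `trimAll "\""` on `POSTGRES_PASSWORD`, `POSTGRES_HOST`, `NX_REDIS_HOST` and `NX_REDIS_PASS` also leaves those values unquoted in the rendered YAML, so a password that looks like a number or boolean, or begins with `*`, `&`, `[` or `{`, is retyped or rejected by the YAML parser; appending `| quote` after the trim avoids that. Separately, `NX_COLLABORA_ALLOWLIST: "0.0.0.0/0"` disables WOPI source restriction entirely, as the comment admits; exposing it as a values key, with the comment's "public IP + pod CIDR + svc CIDR" as the documented recommendation, would let operators with a static egress IP tighten it instead of shipping the open default to everyone.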
@ -0,0 +1,34 @@
{{- define "nextcloud.cronjobs" -}}
|
||||
{{- range $cj := .Values.cronjobs }}
|
||||
{{- $name := $cj.name | required "Nextcloud - Expected non-empty name in cronjob" -}}
|
||||
{{- $schedule := $cj.schedule | required "Nextcloud - Expected non-empty schedule in cronjob" }}
|
||||
|
||||
{{ $name }}:
|
||||
enabled: {{ $cj.enabled | quote }}
|
||||
type: CronJob
|
||||
schedule: {{ $schedule | quote }}
|
||||
podSpec:
|
||||
restartPolicy: Never
|
||||
containers:
|
||||
{{ $name }}:
|
||||
enabled: true
|
||||
primary: true
|
||||
imageSelector: image
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
{{- range $cj.cmd }}
|
||||
{{- . | nindent 12 }}
|
||||
{{- else -}}
|
||||
{{- fail "Nextcloud - Expected non-empty cmd in cronjob" -}}
|
||||
{{- end }}
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
readiness:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
{{- end }}
|
||||
{{- end -}}
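Review bot: The `/bin/bash -c` script assembled from `$cj.cmd` runs the entries sequentially without `set -e`, so the Job's exit status is that of the last entry — and in the values shown earlier on this page the last entry of every cronjob is an `echo "Finished …"`, which always succeeds. A failing `php -f /var/www/html/cron.php` or `occ preview:pre-generate` therefore yields a Succeeded Job, so `failedJobsHistoryLimit`, alerting on failed CronJobs and `kubectl get jobs` never surface the breakage. Prefixing the block scalar with a strict-mode line — `- |` followed by `set -eo pipefail` on the next line, before the `{{- range $cj.cmd }}` — makes the Job fail on the first failing command while keeping the per-command echo lines. `enabled: {{ $cj.enabled | quote }}` renders the boolean as the string `"true"`/`"false"`; presumably the common library's truthiness handling accepts that, but it is worth confirming since `"false"` is truthy to a plain YAML consumer.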
@ -0,0 +1,23 @@
{{- define "nextcloud.ingressInjector" -}}
|
||||
{{- if .Values.ingress.main.enabled -}}
|
||||
{{- $injectPaths := list -}}
|
||||
{{- if .Values.nextcloud.collabora.enabled -}}
|
||||
{{- $injectPaths = mustAppend $injectPaths (include "nextcloud.collabora.ingress" $ | fromYaml) -}}
|
||||
{{- end -}}
|
||||
{{/* Append more paths here if needed */}}
|
||||
|
||||
{{- range $host := .Values.ingress.main.hosts -}}
|
||||
{{- $paths := $host.paths -}}
|
||||
{{- $paths = concat $paths $injectPaths -}}
|
||||
{{- $_ := set $host "paths" $paths -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "nextcloud.collabora.ingress" -}}
|
||||
path: /collabora/
|
||||
pathType: Prefix
|
||||
overrideService:
|
||||
name: collabora
|
||||
port: {{ .Values.service.collabora.ports.collabora.port }}
|
||||
{{- end -}}
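Review bot: `nextcloud.ingressInjector` mutates `.Values.ingress.main.hosts` in place with `set`, appending the collabora path to each host's `paths` on every invocation, so a second call of the helper (or two hosts whose `paths` lists are the same object via a YAML anchor) renders duplicate `/collabora/` rules; a guard that scans `$host.paths` for an existing `/collabora/` entry before the `concat` keeps the helper idempotent, and a comment on the define should state that it has side effects on `.Values` and must run before anything reads `ingress.main.hosts`. The injected rule also routes `/collabora/` straight to the collabora Service with `overrideService`, bypassing the Nextcloud nginx front-end and its header/location hardening, so everything collabora serves under that prefix — presumably including its admin console, gated only by the `username`/`password` from `collabora-config` — becomes reachable at the public ingress host. That exposure is worth a sentence in the define's comment, together with a note that the chart must not ship a default collabora password. If `$host.paths` can be absent, `concat` on a nil first argument may error; hedging that with `default (list)` is cheap.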
@ -0,0 +1,29 @@
{{- define "nextcloud.init.perms" -}}
|
||||
{{- $uid := .Values.securityContext.container.runAsUser -}}
|
||||
{{- $gid := .Values.securityContext.container.runAsGroup -}}
|
||||
{{- $path := .Values.persistence.data.targetSelector.main.main.mountPath }}
|
||||
enabled: true
|
||||
type: install
|
||||
imageSelector: alpineImage
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
capabilities:
|
||||
disableS6Caps: true
|
||||
add:
|
||||
- DAC_OVERRIDE
|
||||
- FOWNER
|
||||
- CHOWN
|
||||
command: /bin/sh
|
||||
args:
|
||||
- -c
|
||||
- |
|
||||
echo "Setting permissions to 700 on data directory [{{ $path }}] ..."
|
||||
chmod 770 {{ $path }} | echo "Failed to set permissions on data directory [{{ $path }}]"
|
||||
|
||||
echo "Setting ownership to {{ $uid }}:{{ $gid }} on data directory [{{ $path }}] ..."
|
||||
chown {{ $uid }}:{{ $gid }} {{ $path }} | echo "Failed to set ownership on data directory [{{ $path }}]"
|
||||
|
||||
echo "Finished."
|
||||
{{- end -}}
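Review bot: Both `chmod 770 {{ $path }} | echo "Failed …"` and the `chown` line use a pipe `|` where `||` was meant, so the "Failed" message is printed unconditionally and the exit status of chmod/chown is discarded; a data directory that cannot be re-owned (read-only mount, NFS root-squash) still lets this install step succeed with the wrong owner, and the log reports "Failed" on every run. Use `chmod 770 "{{ $path }}" || { echo "Failed to set permissions on data directory [{{ $path }}]"; exit 1; }` and the same form for `chown`, so the init container fails the pod instead of masking the problem. The first echo also says "700" while the command sets 770; align the message with the mode actually applied. Since this step runs as root with DAC_OVERRIDE/FOWNER/CHOWN, a comment noting that the chmod/chown is deliberately non-recursive (top-level data directory only) would stop a future maintainer from "fixing" it into a recursive chown over all user data.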
|