```
Updated:
  kasten/k10:
    - 6.5.13
  speedscale/speedscale-operator:
    - 2.1.320
```
github-actions[bot] committed May 4, 2024
1 parent 6654484 commit 50966c9
Showing 22 changed files with 291 additions and 46 deletions.
Binary file added assets/kasten/k10-6.5.1301.tgz
Binary file not shown.
Binary file added assets/speedscale/speedscale-operator-2.1.320.tgz
Binary file not shown.
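--- a/charts/kasten/k10/Chart.lock
+++ b/charts/kasten/k10/Chart.lock
@@ -6,4 +6,4 @@ dependencies:
   repository: ""
   version: 25.18.0
 digest: sha256:e35117c8aba9f6bde24ae45b5e05b0342b03029dfb2676236c389572cc502066
-generated: "2024-04-20T03:47:20.475656567Z"
+generated: "2024-05-03T18:14:59.697223332Z"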
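--- a/charts/kasten/k10/Chart.yaml
+++ b/charts/kasten/k10/Chart.yaml
@@ -4,7 +4,7 @@ annotations:
   catalog.cattle.io/kube-version: '>= 1.17.0-0'
   catalog.cattle.io/release-name: k10
 apiVersion: v2
-appVersion: 6.5.12
+appVersion: 6.5.13
 dependencies:
 - condition: grafana.enabled
   name: grafana
@@ -21,4 +21,4 @@ maintainers:
 - email: contact@kasten.io
   name: kastenIO
 name: k10
-version: 6.5.1201
+version: 6.5.1301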
3 changes: 3 additions & 0 deletions charts/kasten/k10/README.md
Expand Up @@ -59,6 +59,7 @@ Parameter | Description | Default
`license` | License string obtained from Kasten | `None`
`rbac.create` | Whether to enable RBAC with a specific cluster role and binding for K10 | `true`
`scc.create` | Whether to create a SecurityContextConstraints for K10 ServiceAccounts | `false`
`scc.priority` | Sets the SecurityContextConstraints priority | `15`
`services.dashboardbff.hostNetwork` | Whether the dashboardbff pods may use the node network | `false`
`services.executor.hostNetwork` | Whether the executor pods may use the node network | `false`
`services.executor.workerCount` | Specifies count of running executor workers | 8
Expand Down Expand Up @@ -103,6 +104,7 @@ Parameter | Description | Default
`secrets.awsAccessKeyId` | AWS access key ID (required for AWS deployment) | `None`
`secrets.awsSecretAccessKey` | AWS access key secret | `None`
`secrets.awsIamRole` | ARN of the AWS IAM role assumed by K10 to perform any AWS operation. | `None`
`secrets.awsClientSecretName` | The secret that contains AWS access key ID, AWS access key secret and AWS IAM role for AWS | `None`
`secrets.googleApiKey` | Non-default base64 encoded GCP Service Account key | `None`
`secrets.googleProjectId` | Sets Google Project ID other than the one used in the GCP Service Account | `None`
`secrets.azureTenantId` | Azure tenant ID (required for Azure deployment) | `None`
Expand All @@ -118,6 +120,7 @@ Parameter | Description | Default
`secrets.vsphereEndpoint` | vSphere endpoint for login | `None`
`secrets.vsphereUsername` | vSphere username for login | `None`
`secrets.vspherePassword` | vSphere password for login | `None`
`secrets.vsphereClientSecretName` | The secret that contains vSphere username, vSphere password and vSphere endpoint | `None`
`secrets.dockerConfig` | Set base64 encoded docker config to use for image pull operations. Alternative to the ``secrets.dockerConfigPath`` | `None`
`secrets.dockerConfigPath` | Use ``--set-file secrets.dockerConfigPath=path_to_docker_config.yaml`` to specify docker config for image pull. Will be overwritten if ``secrets.dockerConfig`` is set | `None`
`cacertconfigmap.name` | Name of the ConfigMap that contains a certificate for a trusted root certificate authority | `None`
2 changes: 1 addition & 1 deletion charts/kasten/k10/templates/_definitions.tpl
Expand Up @@ -35,8 +35,8 @@ crypto:
dashboardbff:
- vbrintegrationapi
state:
- admin
- events
- admin
{{- end -}}
{{- define "k10.aggregatedAPIs" -}}actions apps repositories vault{{- end -}}
{{- define "k10.configAPIs" -}}config{{- end -}}
97 changes: 90 additions & 7 deletions charts/kasten/k10/templates/_helpers.tpl
Expand Up @@ -118,11 +118,7 @@
{{- /* FIPS */ -}}
{{- $fips := .Values.fips | default dict -}}
{{- if $fips.enabled -}}
{{- $internal_capabilities = append $internal_capabilities "fips" -}}

{{- if not $fips.allowNonFIPSImports -}}
{{- $internal_capabilities = append $internal_capabilities "fips.strict.migrations" -}}
{{- end -}}
{{- $internal_capabilities = append $internal_capabilities "fips.strict" -}}
{{- end -}}

{{- concat $internal_capabilities (.Values.capabilities | default list) | join " " -}}
Expand Down Expand Up @@ -467,6 +463,12 @@ Check if AWS creds are specified
{{- end -}}
{{- end -}}

{{- define "check.awsSecretName" -}}
{{- if .Values.secrets.awsClientSecretName -}}
{{- print true -}}
{{- end -}}
{{- end -}}

{{/*
Check if Azure MSI with Default ID is specified
*/}}
Expand Down Expand Up @@ -602,14 +604,29 @@ Check if Google creds are specified
{{- end -}}
{{- end -}}

{{- define "check.googleCredsSecret" -}}
{{- if .Values.secrets.googleClientSecretName -}}
{{- print true -}}
{{- end -}}
{{- end -}}

{{- define "check.googleCredsOrSecret" -}}
{{- if or (eq (include "check.googlecreds" .) "true") (eq (include "check.googleCredsSecret" .) "true")}}
{{- print true -}}
{{- end -}}
{{- end -}}

{{/*
Check if Google Project ID is specified
Check if Google Project ID is not set without Google API Key
*/}}
{{- define "check.googleproject" -}}
{{- if .Values.secrets.googleProjectId -}}
{{- if not .Values.secrets.googleApiKey -}}
{{- fail "secrets.googleApiKey field is required when using secrets.googleProjectId" -}}
{{- print false -}}
{{- else -}}
{{- print true -}}
{{- end -}}
{{- else -}}
{{- print true -}}
{{- end -}}
{{- end -}}
Expand Down Expand Up @@ -638,6 +655,12 @@ Check if Vsphere creds are specified
{{- end -}}
{{- end -}}

{{- define "check.vsphereClientSecret" -}}
{{- if .Values.secrets.vsphereClientSecretName -}}
{{- print true -}}
{{- end -}}
{{- end -}}

{{/*
Check if Vault token secret creds are specified
*/}}
Expand Down Expand Up @@ -1158,6 +1181,55 @@ running in the same cluster.
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and Grafana is turned on */}}
{{- define "k10.fail.fipsGrafana" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.grafana.enabled) -}}
{{- fail "fips.enabled and grafana.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and Prometheus is turned on */}}
{{- define "k10.fail.fipsPrometheus" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.prometheus.server.enabled) -}}
{{- fail "fips.enabled and prometheus.server.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and Multicluster is turned on */}}
{{- define "k10.fail.fipsMulticluster" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.multicluster.enabled) -}}
{{- fail "fips.enabled and multicluster.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and PDF reporting is turned on */}}
{{- define "k10.fail.fipsPDFReports" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.reporting.pdfReports) -}}
{{- fail "fips.enabled and reporting.pdfReports cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and next gen gateway is turned off */}}
{{- define "k10.fail.fipsGatewayNextGen" -}}
{{- if and ((.Values.fips | default dict).enabled) (not .Values.gateway.next_gen) -}}
{{- fail "gateway.next_gen must be enabled if fips.enabled=true" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and auth.ldap is turned on */}}
{{- define "k10.fail.fipsDexAuthLDAP" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.auth.ldap.enabled) -}}
{{- fail "fips.enabled and auth.ldap.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and auth.openshift is turned on */}}
{{- define "k10.fail.fipsDexAuthOpenshift" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.auth.openshift.enabled) -}}
{{- fail "fips.enabled and auth.openshift.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Check to see whether SIEM logging is enabled */}}
{{- define "k10.siemEnabled" -}}
{{- if or .Values.siem.logging.cluster.enabled .Values.siem.logging.cloud.awsS3.enabled -}}
Expand Down Expand Up @@ -1188,3 +1260,14 @@ running in the same cluster.
{{- $serviceAccount := required "auth.openshift.serviceAccount field is required" .Values.auth.openshift.serviceAccount -}}
{{ printf "%s-k10-secret" $serviceAccount | quote }}
{{- end -}}
{{/*
Returns the required environment variables to enforce FIPS mode using
the Microsoft Go toolchain and Red Hat's OpenSSL.
*/}}
{{- define "k10.enforceFIPSEnvironmentVariables" }}
- name: GOFIPS
value: "1"
- name: OPENSSL_FORCE_FIPS_MODE
value: "1"
{{- end }}
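Review bot: The first hunk removes the `fips.allowNonFIPSImports` branch and unconditionally appends `fips.strict`, so a values file that still sets `fips.allowNonFIPSImports: true` now renders as strict FIPS with no error or warning, and none of the hunks visible in this commit document that removal. Since `$fips` is already a dict at that point, an explicit failure is three lines: `{{- if $fips.allowNonFIPSImports -}}`, `{{- fail "fips.allowNonFIPSImports has been removed; FIPS mode is always strict when fips.enabled=true" -}}`, `{{- end -}}`; if values.yaml in this commit still declares the key (not visible here), a deprecation comment there is the alternative. Separately, the new `check.googleCredsSecret` helper reads `secrets.googleClientSecretName`, which the README hunk in this commit does not list next to the new AWS and vSphere `*ClientSecretName` rows. The enclosing `k10.capabilities` definition starts above the hunk.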
80 changes: 63 additions & 17 deletions charts/kasten/k10/templates/_k10_container.tpl
Expand Up @@ -94,16 +94,27 @@ stating that types are not same for the equality check
- name: {{ include "k10.disabledServicesEnvVar" . }}
value: {{ include "get.disabledServices" . | quote }}
{{- end -}}
{{- if eq (include "check.googlecreds" .) "true" }}
{{- if not (eq (include "check.googleproject" . ) "true") -}}
{{- fail "secrets.googleApiKey field is required when using secrets.googleProjectId" -}}
{{- end -}}
{{- $gkeSecret := default "google-secret" .Values.secrets.googleClientSecretName }}
{{- $gkeProjectId := "kasten-gke-project" }}
{{- $gkeApiKey := "/var/run/secrets/kasten.io/kasten-gke-sa.json"}}
{{- if eq (include "check.googleCredsSecret" .) "true" }}
{{- $gkeProjectId = "google-project-id" }}
{{- $gkeApiKey = "/var/run/secrets/kasten.io/google-api-key" }}
{{- end }}
{{- if eq (include "check.googleCredsOrSecret" .) "true" }}
- name: GOOGLE_APPLICATION_CREDENTIALS
value: "/var/run/secrets/kasten.io/kasten-gke-sa.json"
value: {{ $gkeApiKey }}
{{- end }}
{{- if eq (include "check.googleproject" .) "true" }}
{{- if eq (include "check.googleCredsOrSecret" .) "true" }}
- name: projectID
valueFrom:
secretKeyRef:
name: google-secret
key: kasten-gke-project
name: {{ $gkeSecret }}
key: {{ $gkeProjectId }}
optional: true
{{- end }}
{{- if or (eq (include "check.azuresecret" .) "true") (eq (include "check.azurecreds" .) "true" ) }}
{{- if eq (include "check.azuresecret" .) "true" }}
Expand Down Expand Up @@ -190,24 +201,44 @@ stating that types are not same for the equality check
value: "{{ .Values.azure.useDefaultMSI }}"
{{- end }}
{{- end }}
{{- if eq (include "check.awscreds" .) "true" }}

{{- /*
There are 3 valid states of the secret provided by customer:
1. Only role set
2. Both aws_access_key_id and aws_secret_access_key are set
3. All of role, aws_access_key_id and aws_secret_access_key are set.
*/}}
{{- if eq (include "check.awsSecretName" .) "true" }}
{{- $customerSecret := (lookup "v1" "Secret" .Release.Namespace .Values.secrets.awsClientSecretName )}}
{{- if $customerSecret }}
{{- if and (not $customerSecret.data.role) (not $customerSecret.data.aws_access_key_id) (not $customerSecret.data.aws_secret_access_key) }}
{{ fail "Provided secret must contain at least AWS IAM Role or AWS access key ID together with AWS secret access key"}}
{{- end }}
{{- if not (or (and $customerSecret.data.aws_access_key_id $customerSecret.data.aws_secret_access_key) (and (not $customerSecret.data.aws_access_key_id) (not $customerSecret.data.aws_secret_access_key))) }}
{{ fail "Provided secret lacks aws_access_key_id or aws_secret_access_key" }}
{{- end }}
{{- end }}
{{- end }}
{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" "metering" "kanister" | has $service}}
{{- $awsSecretName := default "aws-creds" .Values.secrets.awsClientSecretName }}
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-creds
name: {{ $awsSecretName }}
key: aws_access_key_id
optional: true
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-creds
name: {{ $awsSecretName }}
key: aws_secret_access_key
{{- if .Values.secrets.awsIamRole }}
optional: true
- name: K10_AWS_IAM_ROLE
valueFrom:
secretKeyRef:
name: aws-creds
name: {{ $awsSecretName }}
key: role
{{- end }}
optional: true
{{- end }}
{{- if list "controllermanager" "executor" "catalog" | has $service}}
{{- if eq (include "check.gwifenabled" .) "true"}}
Expand Down Expand Up @@ -242,21 +273,22 @@ stating that types are not same for the equality check
{{- end }}
{{- end }}
{{- end }}
{{- if eq (include "check.vspherecreds" .) "true" }}
{{- if or (eq (include "check.vspherecreds" .) "true") (eq (include "check.vsphereClientSecret" .) "true") }}
{{- $vsphereSecretName := default "vsphere-creds" .Values.secrets.vsphereClientSecretName }}
- name: VSPHERE_ENDPOINT
valueFrom:
secretKeyRef:
name: vsphere-creds
name: {{ $vsphereSecretName }}
key: vsphere_endpoint
- name: VSPHERE_USERNAME
valueFrom:
secretKeyRef:
name: vsphere-creds
name: {{ $vsphereSecretName }}
key: vsphere_username
- name: VSPHERE_PASSWORD
valueFrom:
secretKeyRef:
name: vsphere-creds
name: {{ $vsphereSecretName }}
key: vsphere_password
{{- end }}
- name: VERSION
Expand All @@ -270,6 +302,9 @@ stating that types are not same for the equality check
configMapKeyRef:
name: k10-config
key: clustername
{{- end }}
{{- if (.Values.fips | default dict).enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }}
{{- with $capabilities := include "k10.capabilities" . }}
- name: K10_CAPABILITIES
Expand Down Expand Up @@ -730,7 +765,7 @@ stating that types are not same for the equality check
value: {{ .Values.multicluster.primary.ingressURL | quote }}
{{- end }}
{{- end -}}
{{- if or $.stateful (or (eq (include "check.googlecreds" .) "true") (eq $service "auth" "logging")) }}
{{- if or $.stateful (or (eq (include "check.googleCredsOrSecret" .) "true") (eq $service "auth" "logging")) }}
volumeMounts:
{{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }}
volumeMounts:
Expand Down Expand Up @@ -777,7 +812,7 @@ stating that types are not same for the equality check
readOnly: true
{{- end }}
{{- end }}
{{- if eq (include "check.googlecreds" .) "true" }}
{{- if eq (include "check.googleCredsOrSecret" .) "true"}}
- name: service-account
mountPath: "/var/run/secrets/kasten.io"
{{- end }}
Expand Down Expand Up @@ -812,6 +847,10 @@ stating that types are not same for the equality check
image: {{ include "get.kanisterToolsImage" .}}
imagePullPolicy: {{ .Values.kanisterToolsImage.pullPolicy }}
{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "kanister-sidecar" | include "k10.resource.request" | indent 8}}
{{- if (.Values.fips | default dict).enabled }}
env:
{{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }}
{{- end }}
volumeMounts:
- name: {{ $service }}-persistent-storage
mountPath: {{ .Values.global.persistence.mountPath | quote }}
Expand All @@ -831,6 +870,10 @@ stating that types are not same for the equality check
image: {{ include "get.dexImage" . }}
{{- if .Values.auth.ldap.enabled }}
command: ["/usr/local/bin/dex", "serve", "/dex-config/config.yaml"]
{{- if (.Values.fips | default dict).enabled }}
env:
{{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }}
{{- end }}
{{- else if .Values.auth.openshift.enabled }}
{{- /*
In the case of OpenShift, a template config is used instead of a plain config for Dex.
Expand All @@ -852,6 +895,9 @@ stating that types are not same for the equality check
{{- else }}
value: {{ .Values.auth.openshift.clientSecret }}
{{- end }}
{{- if (.Values.fips | default dict).enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }}
{{- end }}
ports:
- name: http
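Review bot: The `lookup` of the customer secret returns an empty map under `helm template`, `--dry-run` and in GitOps tooling that renders client-side, so the two `fail` guards on its `data` keys only ever run on a live install or upgrade; because all three `secretKeyRef`s below carry `optional: true`, a misnamed or key-less `secrets.awsClientSecretName` renders cleanly and the pod starts with no AWS credentials instead of failing. Worth stating above the lookup: `{{- /* lookup is a no-op under helm template / --dry-run; this check does not replace runtime validation of the secret */ -}}`. Separately, the `fail "secrets.googleApiKey field is required ..."` is now reachable only when `check.googlecreds` already reports true; if that helper (defined outside this hunk) keys off `secrets.googleApiKey`, the projectId-without-apiKey case it is meant to catch can no longer trigger it, which would be a regression from the old `check.googleproject` that failed directly. The container template these hunks belong to starts and ends outside the visible lines.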
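--- a/charts/kasten/k10/templates/_k10_image_tag.tpl
+++ b/charts/kasten/k10/templates/_k10_image_tag.tpl
@@ -1 +1 @@
-{{- define "k10.imageTag" -}}6.5.12{{- end -}}
+{{- define "k10.imageTag" -}}6.5.13{{- end -}}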
3 changes: 3 additions & 0 deletions charts/kasten/k10/templates/_k10_metering.tpl
Expand Up @@ -181,6 +181,9 @@ spec:
configMapKeyRef:
name: k10-config
key: clustername
{{- end }}
{{- if (.Values.fips | default dict).enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }}
{{- with $capabilities := include "k10.capabilities" . }}
- name: K10_CAPABILITIES
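Review bot: `k10.enforceFIPSEnvironmentVariables` is spliced with `indent 10` here and in two places in _k10_container.tpl, but with `nindent 10` in the kanister-sidecar and dex cases; because the helper is opened with `{{- define ... }}` without a trailing trim, its output begins with a newline, so `indent` glues ten trailing spaces onto the preceding `key: clustername` line while `nindent` emits a whitespace-only line. Both render as valid YAML, but the chart should settle on one form: `{{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }}` everywhere, with the helper opened as `{{- define "k10.enforceFIPSEnvironmentVariables" -}}` so it emits no leading newline. The `env:` list this hunk appends to starts above the hunk.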
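--- a/charts/kasten/k10/templates/_k10_template.tpl
+++ b/charts/kasten/k10/templates/_k10_template.tpl
@@ -164,10 +164,11 @@ spec:
           persistentVolumeClaim:
             claimName: {{ $statefulContainer }}-pv-claim
 {{- end }}
-{{- if eq (include "check.googlecreds" .) "true" }}
+{{- if eq (include "check.googleCredsOrSecret" .) "true" }}
+{{- $gkeSecret := default "google-secret" .Values.secrets.googleClientSecretName }}
         - name: service-account
           secret:
-            secretName: google-secret
+            secretName: {{ $gkeSecret }}
 {{- end }}
 {{- if and (list "controllermanager" "executor" "catalog" | has $pod) (eq (include "check.projectSAToken" .) "true")}}
         - name: bound-sa-token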
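Review bot: `default "google-secret" .Values.secrets.googleClientSecretName` here duplicates the identical expression in _k10_container.tpl, where the `projectID` secretKeyRef is built; if either default is changed without the other, the mounted `service-account` volume and the env lookup would point at different secrets. A one-line helper keeps them in lock step, e.g. `{{- define "k10.googleSecretName" -}}{{ default "google-secret" .Values.secrets.googleClientSecretName }}{{- end -}}`, used as `secretName: {{ include "k10.googleSecretName" . }}` in both places. The `volumes:` list this hunk sits in starts above the hunk.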
