Merge branch 'main' into ci-update-cloudnative-pg-to-0.27.0

Author: svcAPLBot

values/harbor/harbor-raw.gotmpl

@@ -1,4 +1,5 @@
 {{- $v := .Values }}
+{{- $cm := $v.apps | get "cert-manager" }}
 {{- $h := $v.apps.harbor }}
 {{- $harborDomain := printf "harbor.%s" $v.cluster.domainSuffix }}
 {{- $otomiAdmin := "otomi-admin" }}
@@ -32,21 +33,60 @@ resources:
     issuerRef:
       name: custom-ca
       kind: ClusterIssuer
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: harbor-admin-password
+  data:
+    HARBOR_ADMIN_PASSWORD: "{{ $h.adminPassword | b64enc }}"
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: harbor-registry-credentials
+  data:
+    REGISTRY_PASSWD: "{{ $h.registry.credentials.password | b64enc }}"
+    REGISTRY_HTPASSWD: "{{ $h.registry.credentials.htpasswd | b64enc }}"
+{{- if ne $h.secretKey nil }}
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: harbor-secret-key
+  data:
+    secretKey: "{{ $h.secretKey | b64enc }}"
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: harbor-core-secret
+  data:
+    secret: "{{ $h.core.secret | b64enc }}"
+{{- end }}
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: harbor-jobservice-secret
+  data:
+    JOBSERVICE_SECRET: "{{ $h.jobservice.secret | default "" | b64enc }}"
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: harbor-registry-http
+  data:
+    REGISTRY_HTTP_SECRET: "{{ $h.registry.secret | default "" | b64enc }}"
 {{- if eq $obj.type "minioLocal" }}
 - apiVersion: v1
   kind: Secret
   metadata:
     name: minio-creds
   data:
-    MINIO_ACCESS_KEY: "{{ $otomiAdmin | b64enc }}"
-    MINIO_SECRET_KEY: "{{ $v.otomi.adminPassword | b64enc }}"
+    REGISTRY_STORAGE_S3_ACCESSKEY: "{{ $otomiAdmin | b64enc }}"
+    REGISTRY_STORAGE_S3_SECRETKEY: "{{ $v.otomi.adminPassword | b64enc }}"
 {{- end }}
 {{- if eq $obj.type "linode" }}
 - apiVersion: v1
   kind: Secret
   metadata:
     name: linode-creds
   data:
-    S3_STORAGE_ACCOUNT: "{{ $obj.linode.accessKeyId | b64enc }}"
-    S3_STORAGE_KEY: "{{ $obj.linode.secretAccessKey | b64enc }}"
+    REGISTRY_STORAGE_S3_ACCESSKEY: "{{ $obj.linode.accessKeyId | b64enc }}"
+    REGISTRY_STORAGE_S3_SECRETKEY: "{{ $obj.linode.secretAccessKey | b64enc }}"
 {{- end }}

values/harbor/harbor.gotmpl

@@ -14,9 +14,9 @@ fullnameOverride: harbor
 # logLevel - debug, info, warning, error or fatal
 logLevel: warning
 
-harborAdminPassword: {{ $h.adminPassword | quote }}
+existingSecretAdminPassword: harbor-admin-password
 nameOverride: harbor
-secretKey: {{ $h | get "secretKey" nil }}
+existingSecretSecretKey: harbor-secret-key
 
 updateStrategy:
     type: Recreate
@@ -30,8 +30,7 @@ core:
     {{- end }}
 
   resources: {{- $h.resources.core | toYaml | nindent 4 }}
-  secret: {{ $h | get "core.secret" nil | quote }}
-  # secretName: {{ $harborSecretName }}
+  existingSecret: harbor-core-secret
   xsrfKey: {{ $h | get "core.xsrfKey" nil }}
 
 database:
@@ -68,7 +67,7 @@ jobservice:
   jobLoggers:
     - stdout
   resources: {{- $h.resources.jobservice | toYaml | nindent 4 }}
-  secret: {{ $h | get "jobservice.secret" nil | quote }}
+  existingSecret: harbor-jobservice-secret
 
 metrics:
   serviceMonitor:
@@ -131,16 +130,14 @@ persistence:
       bucket: harbor
       region: us-east-1
       regionendpoint: http://minio.minio.svc.cluster.local:9000
-      accesskey: otomi-admin
-      secretkey: {{ $v.otomi.adminPassword | quote }}
+      existingSecret: minio-creds
       secure: false
       v4auth: true
       {{- end }}
       {{- if eq $obj.type "linode" }}
       bucket: {{ $obj.linode.buckets.harbor }}
       regionendpoint: https://{{ $obj.linode.region }}.linodeobjects.com
-      accesskey: {{ $obj.linode.accessKeyId }}
-      secretkey: {{ $obj.linode.secretAccessKey | quote }}
+      existingSecret: linode-creds
       region: {{ $obj.linode.region }}
       encrypt: false
       secure: true
@@ -174,7 +171,7 @@ redis:
 
 registry:
   priorityClassName: otomi-critical
-  secret: {{ $h | get "registry.secret" nil | quote }}
+  existingSecret: harbor-registry-http
 
   registry:
       {{- if $v.otomi.linodeLkeImageRepository }}
@@ -191,8 +188,7 @@ registry:
   relativeurls: false
   credentials:
     username: {{ $h.registry.credentials.username }}
-    password: {{ $h.registry.credentials.password | quote }}
-    htpasswdString: {{ $h.registry.credentials.htpasswd }}
+    existingSecret: harbor-registry-credentials
 
 trivy:
   priorityClassName: otomi-critical

values/loki/loki-raw.gotmpl

@@ -1,5 +1,7 @@
 {{- $v := .Values }}
 {{- $l := $v.apps | get "loki" }}
+{{- $otomiAdmin := "otomi-admin" }}
+{{- $obj := $v.obj.provider }}
 {{- if $v.otomi.isMultitenant }}
 resources:
   - apiVersion: v1
@@ -10,4 +12,28 @@ resources:
       name: reverse-proxy-auth-config
     data:
       authn.yaml: {{ tpl (readFile "auth-config.gotmpl") (dict "adminPassword" $l.adminPassword "teams" $v.teamConfig) | b64enc }}
-{{- end }}
+  {{- if eq $obj.type "linode" }}
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      labels:
+        app: loki
+      name: loki-s3-linode-credentials
+    type: Opaque
+    data:
+      AWS_ACCESS_KEY_ID: "{{ $obj.linode.accessKeyId | b64enc }}"
+      AWS_SECRET_ACCESS_KEY: "{{ $obj.linode.secretAccessKey | b64enc }}"
+  {{- end }}
+  {{- if eq $obj.type "minioLocal" }}
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      labels:
+        app: loki
+      name: loki-s3-minio-credentials
+    type: Opaque
+    data:
+      AWS_ACCESS_KEY_ID: "{{ $otomiAdmin | b64enc }}"
+      AWS_SECRET_ACCESS_KEY: "{{ $v.otomi.adminPassword | b64enc }}"
+  {{- end }}
+  {{- end }}

values/loki/loki.gotmpl

@@ -2,6 +2,14 @@
 {{- $l:= $v.apps.loki }}
 {{- $obj := $v.obj.provider }}
 {{- $useObjectStorage := eq $obj.type "minioLocal" "linode" }}
+{{- $s3SecretName := "" }}
+{{- if $useObjectStorage }}
+  {{- if eq $obj.type "linode" }}
+    {{- $s3SecretName = "loki-s3-linode-credentials" }}
+  {{- else if eq $obj.type "minioLocal" }}
+    {{- $s3SecretName = "loki-s3-minio-credentials" }}
+  {{- end }}
+{{- end }}
 
 nameOverride: loki
 
@@ -30,6 +38,7 @@ loki:
   podAnnotations:
     sidecar.istio.io/inject: "false"
   auth_enabled: true
+
   schemaConfig:
     configs:
     - from: "2020-09-07"
@@ -43,6 +52,7 @@ loki:
       index:
         prefix: loki_index_
         period: 24h
+
   storageConfig:
     boltdb_shipper:
       active_index_directory: /var/loki/index
@@ -55,13 +65,13 @@ loki:
       {{- end }}
     {{- if $useObjectStorage }}
     aws:
-      {{- if eq $obj.type "minioLocal" }}
-      s3: http://otomi-admin:{{ $v.otomi.adminPassword }}@minio.minio.svc.cluster.local.:9000/loki
-      s3forcepathstyle: true
-      {{- end }}
       {{- if eq $obj.type "linode" }}
-      s3: https://{{ $obj.linode.accessKeyId }}:{{ $obj.linode.secretAccessKey }}@{{ $obj.linode.region }}.linodeobjects.com/{{ $obj.linode.buckets.loki }}
+      s3: s3://{{ $obj.linode.region }}.linodeobjects.com/{{ $obj.linode.buckets.loki }}
+      {{- else if eq $obj.type "minioLocal" }}
+      s3: s3://@minio.minio.svc.cluster.local:9000/loki
+      {{- end }}
       s3forcepathstyle: true
+      {{- if eq $obj.type "linode" }}
       sse_encryption: false
       http_config:
           idle_conn_timeout: 90s
@@ -85,6 +95,12 @@ loki:
 ingester:
   resources: {{- $l.resources.ingester | toYaml | nindent 4 }}
 
+  {{- if $s3SecretName }}
+  extraEnvFrom:
+    - secretRef:
+        name: {{ $s3SecretName }}
+  {{- end }}
+
   autoscaling:
     enabled: {{ $l.autoscaling.ingester.enabled }}
     minReplicas: {{ $l.autoscaling.ingester.minReplicas }}
@@ -107,6 +123,13 @@ gateway:
 
 querier:
   resources: {{- $l.resources.querier | toYaml | nindent 4 }}
+
+  {{- if $s3SecretName }}
+  extraEnvFrom:
+    - secretRef:
+        name: {{ $s3SecretName }}
+  {{- end }}
+
   autoscaling:
     enabled: {{ $l.autoscaling.querier.enabled }}
     minReplicas: {{ $l.autoscaling.querier.minReplicas }}
@@ -123,6 +146,13 @@ querier:
 
 distributor:
   resources: {{- $l.resources.distributor | toYaml | nindent 4 }}
+
+  {{- if $s3SecretName }}
+  extraEnvFrom:
+    - secretRef:
+        name: {{ $s3SecretName }}
+  {{- end }}
+
   autoscaling:
     enabled: {{ $l.autoscaling.distributor.enabled }}
     minReplicas: {{ $l.autoscaling.distributor.minReplicas }}
@@ -134,6 +164,13 @@ queryFrontend:
   resources: {{- $l.resources.queryFrontend | toYaml | nindent 4 }}
   podAnnotations:
     checksum/team-config: {{ ( toString (keys $v.teamConfig | sortAlpha ) ) | sha256sum }}
+
+  {{- if $s3SecretName }}
+  extraEnvFrom:
+    - secretRef:
+        name: {{ $s3SecretName }}
+  {{- end }}
+
   autoscaling:
     enabled: {{ $l.autoscaling.queryFrontend.enabled }}
     minReplicas: {{ $l.autoscaling.queryFrontend.minReplicas }}
@@ -160,10 +197,12 @@ queryFrontend:
     volumeMounts:
       - name: reverse-proxy-auth-config
         mountPath: /etc/reverse-proxy-conf
+
   extraVolumes:
   - name: reverse-proxy-auth-config
     secret:
       secretName: reverse-proxy-auth-config
+
   extraPorts:
   - port: 3101
     protocol: TCP
@@ -174,6 +213,12 @@ compactor:
   enabled: true
   resources: {{- $l.resources.compactor | toYaml | nindent 4 }}
 
+  {{- if $s3SecretName }}
+  extraEnvFrom:
+    - secretRef:
+        name: {{ $s3SecretName }}
+  {{- end }}
+
   {{- if not $useObjectStorage }}
   persistence:
     enabled: true

values/oauth2-proxy/oauth2-proxy-raw.gotmpl

@@ -1,10 +1,21 @@
 {{- $v := .Values }}
+{{- $k := $v.apps.keycloak }}
+{{- $oauth2 := $v.apps | get "oauth2-proxy" }}
 {{- $escapedDomain := $v.cluster.domainSuffix | replace "." "\\." }}
 {{- $consoleUrl := printf "https://console.%s" $v.cluster.domainSuffix }}
 {{- $cm := $v.apps | get "cert-manager" }}
 {{- $ingress :=  $v.ingress.platformClass }}
 
 resources:
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: oauth2-proxy-client-access
+    type: Opaque
+    data:
+      client-id: {{ $k.idp.clientID | b64enc }}
+      client-secret: {{ $k.idp.clientSecret | b64enc }}
+      cookie-secret: {{ $oauth2 | get "config.cookieSecret" (randAlpha 32) | b64enc }}
   - apiVersion: networking.k8s.io/v1
     kind: Ingress
     metadata:

values/oauth2-proxy/oauth2-proxy.gotmpl

@@ -21,9 +21,7 @@
 {{- $domains = append $domains (print "." $v.cluster.domainSuffix) }}
 
 config:
-  clientID: {{ $k.idp.clientID | quote }}
-  clientSecret: {{ $k.idp.clientSecret | quote }}
-  cookieSecret: {{ $oauth2 | get "config.cookieSecret" (randAlpha 16) }}
+  existingSecret: oauth2-proxy-client-access
   configFile: |-
     # Defaults
     email_domains = [ "*" ]