bootstrapper: tie up all dns related services
diff --git a/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl b/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl
index 5a1689f..1332d17 100644
--- a/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl
+++ b/charts/cert-manager-webhook-pcloud/templates/_helpers.tpl
@@ -45,4 +45,4 @@
{{- define "cert-manager-webhook-pcloud.servingCertificate" -}}
{{ printf "%s-webhook-tls" (include "cert-manager-webhook-pcloud.fullname" .) }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml b/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml
index faba034..e54fd33 100644
--- a/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml
+++ b/charts/cert-manager-webhook-pcloud/templates/apiservice.yaml
@@ -1,7 +1,7 @@
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
- name: v1alpha1.{{ .Values.groupName }}
+ name: v1alpha1.{{ .Values.apiGroupName }}
labels:
app: {{ include "cert-manager-webhook-pcloud.name" . }}
chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
@@ -10,10 +10,10 @@
annotations:
cert-manager.io/inject-ca-from: "{{ .Values.certManager.namespace }}/{{ include "cert-manager-webhook-pcloud.servingCertificate" . }}"
spec:
- group: {{ .Values.groupName }}
+ group: {{ .Values.apiGroupName }}
groupPriorityMinimum: 1000
versionPriority: 15
service:
name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
- version: v1alpha1
\ No newline at end of file
+ version: v1alpha1
diff --git a/charts/cert-manager-webhook-pcloud/templates/deployment.yaml b/charts/cert-manager-webhook-pcloud/templates/deployment.yaml
index 6c39bc5..a9bf3c3 100644
--- a/charts/cert-manager-webhook-pcloud/templates/deployment.yaml
+++ b/charts/cert-manager-webhook-pcloud/templates/deployment.yaml
@@ -33,8 +33,10 @@
- --v={{ .Values.logLevel }}
{{- end }}
env:
- - name: GROUP_NAME
- value: {{ .Values.groupName | quote }}
+ - name: API_GROUP_NAME
+ value: {{ .Values.apiGroupName | quote }}
+ - name: RESOLVER_NAME
+ value: {{ .Values.resolverName | quote }}
ports:
- name: https
containerPort: 443
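Review bot: Both new env entries pass `.Values.apiGroupName` and `.Values.resolverName` through `| quote`, and the chart defaults added in the values.yaml hunk of this diff are `""`, so an unset value still renders a valid manifest and the only failure is the panic in main.go when the pod starts. Rendering should fail instead: `value: {{ required "apiGroupName must be set" .Values.apiGroupName | quote }}` and the same for `resolverName`. The role.yaml hunks have the same exposure — `cert-manager-{{ .Values.resolverName }}` renders as `cert-manager-` and the resources list gets a null item when the value is empty — and a `required` guard there too would catch it at render time.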
diff --git a/charts/cert-manager-webhook-pcloud/templates/rbac.yaml b/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
index c3d8405..acd44c1 100644
--- a/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
+++ b/charts/cert-manager-webhook-pcloud/templates/rbac.yaml
@@ -65,7 +65,7 @@
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- - {{ .Values.groupName }}
+ - {{ .Values.apiGroupName }}
resources:
- "*"
verbs:
@@ -120,6 +120,34 @@
kind: ServiceAccount
name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
+---
+# TODO(gio): limit access by resourceNames
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ verbs:
+ - "get"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
+ namespace: {{ .Values.certManager.namespace | quote }}
{{- if .Values.features.apiPriorityAndFairness }}
---
# Grant cert-manager-webhook-pcloud permission to read the flow control mechanism (APF)
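Review bot: The new ClusterRole `…:api-configmap-reader` grants get and watch on every ConfigMap in every namespace, but the only read it backs is the single `Get` of the ConfigMap named in the solver config inside loadAPIConfig (main.go hunk later in this diff), so the grant is far wider than the access and the `TODO(gio)` on the first added line undersells the gap. A Role and RoleBinding in the namespace that holds the api-config ConfigMap, with `resourceNames` pinned to that ConfigMap and `verbs: ["get"]` only, matches the real access; `watch` is unused by the visible code. Because the name and namespace currently arrive through the Issuer's solver config rather than chart values, the chart needs values for them (or the Role has to be rendered by the chart that owns the ConfigMap) before `resourceNames` can be expressed, and doing so also closes the path where whoever writes the Issuer chooses which ConfigMap the webhook reads.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
  namespace: {{ .Values.apiConfigMapNamespace | quote }}  # new chart value, placeholder name
rules:
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    resourceNames:
      - {{ .Values.apiConfigMapName | quote }}  # new chart value, placeholder name
    verbs:
      - "get"
# … unchanged in shape: the binding, as kind RoleBinding in the same namespace, with roleRef.kind Role …
```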
@@ -162,4 +190,4 @@
kind: ServiceAccount
name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
namespace: {{ .Values.certManager.namespace | quote }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/cert-manager-webhook-pcloud/templates/role.yaml b/charts/cert-manager-webhook-pcloud/templates/role.yaml
index 8671ae4..9c18ba1 100644
--- a/charts/cert-manager-webhook-pcloud/templates/role.yaml
+++ b/charts/cert-manager-webhook-pcloud/templates/role.yaml
@@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: cert-manager-pcloud
+ name: cert-manager-{{ .Values.resolverName }}
rules:
- apiGroups:
- - dodo.cloud
+ - {{ .Values.apiGroupName }}
resources:
- - pcloud-dns-solver
+ - {{ .Values.resolverName }}
verbs:
- "*" # TODO(giolekva): limit
---
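Review bot: With the ClusterRole now parameterized on `resolverName` and `apiGroupName`, the `# TODO(giolekva): limit` on the verbs line is the natural thing to close in the same change: as far as I recall, cert-manager's reference webhook RBAC grants the cert-manager service account only `create` on the solver resource, so `verbs: ["create"]` would be sufficient — confirm against the cert-manager docs for the version in use before narrowing. Leaving `"*"` on a resource whose name is now templated means every deployment inherits the broad grant.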
@@ -17,7 +17,7 @@
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: cert-manager-pcloud
+ name: cert-manager-{{ .Values.resolverName }}
subjects:
- kind: ServiceAccount
name: {{ .Values.certManager.name }}
diff --git a/charts/cert-manager-webhook-pcloud/values.yaml b/charts/cert-manager-webhook-pcloud/values.yaml
index 3516468..fccfcd7 100644
--- a/charts/cert-manager-webhook-pcloud/values.yaml
+++ b/charts/cert-manager-webhook-pcloud/values.yaml
@@ -1,4 +1,5 @@
-groupName: dodo.cloud
+apiGroupName: ""
+resolverName: ""
logLevel: 6
certManager:
namespace: cert-manager
@@ -7,8 +8,8 @@
repository: giolekva/dns-challenge-solver
tag: latest
pullPolicy: Always
-nameOverride: ''
-fullnameOverride: ''
+nameOverride: ""
+fullnameOverride: ""
service:
type: ClusterIP
port: 443
diff --git a/charts/dns-ns-controller/templates/api-config.yaml b/charts/dns-ns-controller/templates/api-config.yaml
new file mode 100644
index 0000000..e489493
--- /dev/null
+++ b/charts/dns-ns-controller/templates/api-config.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.apiConfigMapName }}
+ namespace: {{ .Release.Namespace }}
+data:
+ createTXTAddr: "http://controller-manager.{{ .Release.Namespace }}.svc.cluster.local/create-txt-record"
+ deleteTXTAddr: "http://controller-manager.{{ .Release.Namespace }}.svc.cluster.local/delete-txt-record"
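Review bot: The two addresses are plain `http://` URLs to a `controller-manager` Service in the release namespace, and nothing in this diff shows the create/delete TXT endpoints requiring any credential from the caller; if the controller accepts any in-cluster client, any workload that can reach that Service can place TXT records in the managed zones, which is precisely what a DNS-01 validation trusts. That may well be handled in the controller itself, which is outside this diff, but a comment on the ConfigMap stating how those endpoints are protected (NetworkPolicy, service-account token, or otherwise) would make the trust boundary explicit to whoever next edits this. The Service name `controller-manager` is also hard-coded on both lines while the ConfigMap's own name is a chart value; templating it the same way keeps the two from drifting.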
diff --git a/charts/dns-ns-controller/values.yaml b/charts/dns-ns-controller/values.yaml
index b4b4230..824e7a8 100644
--- a/charts/dns-ns-controller/values.yaml
+++ b/charts/dns-ns-controller/values.yaml
@@ -6,3 +6,4 @@
volume:
claimName: data
mountPath: /etc/zone-configs
+apiConfigMapName: api-config
diff --git a/core/dns-challenge-solver/.gitignore b/core/dns-challenge-solver/.gitignore
new file mode 100644
index 0000000..a375168
--- /dev/null
+++ b/core/dns-challenge-solver/.gitignore
@@ -0,0 +1,2 @@
+dns-challenge-solver
+dns-challenge-solver*
\ No newline at end of file
diff --git a/core/dns-challenge-solver/main.go b/core/dns-challenge-solver/main.go
index a08b6ef..df35f74 100644
--- a/core/dns-challenge-solver/main.go
+++ b/core/dns-challenge-solver/main.go
@@ -2,13 +2,16 @@
import (
"bytes"
+ "context"
"encoding/json"
"fmt"
"io"
"net/http"
+ "os"
"strings"
extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
@@ -16,11 +19,17 @@
"github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd"
)
-const groupName = "dodo.cloud"
+var (
+ groupName = os.Getenv("API_GROUP_NAME")
+ resolverName = os.Getenv("RESOLVER_NAME")
+)
func main() {
if groupName == "" {
- panic("GROUP_NAME must be specified")
+ panic("API_GROUP_NAME must be specified")
+ }
+ if resolverName == "" {
+ panic("RESOLVER_NAME must be specified")
}
cmd.RunWebhookServer(groupName,
&pcloudDNSProviderSolver{},
@@ -102,8 +111,13 @@
// be used by your provider here, you should reference a Kubernetes Secret
// resource and fetch these credentials using a Kubernetes clientset.
type pcloudDNSProviderConfig struct {
- CreateAddress string `json:"createAddress,omitempty"`
- DeleteAddress string `json:"deleteAddress,omitempty"`
+ APIConfigMapName string `json:"apiConfigMapName,omitempty"`
+ APIConfigMapNamespace string `json:"apiConfigMapNamespace,omitempty"`
+}
+
+type apiConfig struct {
+ CreateAddress string `json:"createTXTAddr,omitempty"`
+ DeleteAddress string `json:"deleteTXTAddr,omitempty"`
}
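Review bot: The json tags `createTXTAddr`/`deleteTXTAddr` on `apiConfig` are never used: loadAPIConfig (later in this file) fills the struct positionally from `config.Data`, so the tags only suggest a decode path that does not exist. Either drop them or make them the single source of the key names — e.g. marshal `config.Data` to JSON and unmarshal into `apiConfig` — so the ConfigMap keys live in one place. `pcloudDNSProviderConfig` now also carries `APIConfigMapName`/`APIConfigMapNamespace` with `omitempty` and no validation in sight; loadConfig is outside the hunk, so if it does not reject empty values the failure surfaces only as a confusing `Get` error.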
// Name is used as the name for this DNS solver when referencing it on the ACME
@@ -113,7 +127,7 @@
// within a single webhook deployment**.
// For example, `cloudflare` may be used as the name of a solver.
func (c *pcloudDNSProviderSolver) Name() string {
- return "pcloud-dns-solver"
+ return resolverName
}
// Present is responsible for actually presenting the DNS record with the
@@ -125,10 +139,13 @@
fmt.Printf("Received challenge %+v\n", ch)
cfg, err := loadConfig(ch.Config)
if err != nil {
- fmt.Printf("")
return err
}
- zm := &zoneControllerManager{cfg.CreateAddress, cfg.DeleteAddress}
+ apiCfg, err := loadAPIConfig(c.client, cfg)
+ if err != nil {
+ return err
+ }
+ zm := &zoneControllerManager{apiCfg.CreateAddress, apiCfg.DeleteAddress}
domain, entry := getDomainAndEntry(ch)
return zm.CreateTextRecord(domain, entry, ch.Key)
}
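Review bot: `Present` and `CleanUp` (next hunk) now carry the same three-step prelude — loadConfig, loadAPIConfig, build `zoneControllerManager` — so a fix to one is easy to miss in the other. A small method on the solver that returns the manager for a challenge keeps both bodies to a single call; `Present` and `CleanUp` both begin outside their hunks. The removed `fmt.Printf("")` was a no-op, so nothing is lost there.
```go
// zoneManagerFor resolves the solver config and the API ConfigMap for one challenge.
func (c *pcloudDNSProviderSolver) zoneManagerFor(ch *v1alpha1.ChallengeRequest) (*zoneControllerManager, error) {
	cfg, err := loadConfig(ch.Config)
	if err != nil {
		return nil, err
	}
	apiCfg, err := loadAPIConfig(c.client, cfg)
	if err != nil {
		return nil, err
	}
	return &zoneControllerManager{apiCfg.CreateAddress, apiCfg.DeleteAddress}, nil
}
// … unchanged: Present/CleanUp then call c.zoneManagerFor(ch) and getDomainAndEntry(ch) …
```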
@@ -144,7 +161,11 @@
if err != nil {
return err
}
- zm := &zoneControllerManager{cfg.CreateAddress, cfg.DeleteAddress}
+ apiCfg, err := loadAPIConfig(c.client, cfg)
+ if err != nil {
+ return err
+ }
+ zm := &zoneControllerManager{apiCfg.CreateAddress, apiCfg.DeleteAddress}
domain, entry := getDomainAndEntry(ch)
return zm.DeleteTextRecord(domain, entry, ch.Key)
}
@@ -184,6 +205,22 @@
return cfg, nil
}
+func loadAPIConfig(client *kubernetes.Clientset, cfg pcloudDNSProviderConfig) (apiConfig, error) {
+ config, err := client.CoreV1().ConfigMaps(cfg.APIConfigMapNamespace).Get(context.Background(), cfg.APIConfigMapName, metav1.GetOptions{})
+ if err != nil {
+ return apiConfig{}, fmt.Errorf("unable to get api config map `%s` `%s`; %v", cfg.APIConfigMapName, cfg.APIConfigMapNamespace, err)
+ }
+ create, ok := config.Data["createTXTRecord"]
+ if !ok {
+ return apiConfig{}, fmt.Errorf("create address missing")
+ }
+ delete, ok := config.Data["deleteTXTRecord"]
+ if !ok {
+ return apiConfig{}, fmt.Errorf("delete address missing")
+ }
+ return apiConfig{create, delete}, nil
+}
+
func getDomainAndEntry(ch *v1alpha1.ChallengeRequest) (string, string) {
// Both ch.ResolvedZone and ch.ResolvedFQDN end with a dot: '.'
entry := strings.TrimSuffix(ch.ResolvedFQDN, ch.ResolvedZone)
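Review bot: The keys read from `config.Data` are `createTXTRecord` and `deleteTXTRecord`, but the ConfigMap written by the new `charts/dns-ns-controller/templates/api-config.yaml` uses `createTXTAddr` and `deleteTXTAddr` (as do the struct tags on `apiConfig`), so loadAPIConfig always returns `create address missing` and both Present and CleanUp fail. The lookups should use the `Addr` keys. Two smaller points in the same function: the local `delete` shadows the builtin, and `context.Background()` on an apiserver call inside a challenge handler has no deadline, so a slow apiserver stalls the webhook; wrapping with `%w` instead of `%v` also keeps the error matchable by callers.
```go
func loadAPIConfig(client *kubernetes.Clientset, cfg pcloudDNSProviderConfig) (apiConfig, error) {
	// Bound the apiserver round-trip; the duration is a placeholder to tune.
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) // needs "time" in the import block
	defer cancel()
	config, err := client.CoreV1().ConfigMaps(cfg.APIConfigMapNamespace).Get(ctx, cfg.APIConfigMapName, metav1.GetOptions{})
	if err != nil {
		return apiConfig{}, fmt.Errorf("unable to get api config map `%s` `%s`: %w", cfg.APIConfigMapName, cfg.APIConfigMapNamespace, err)
	}
	// Key names must match the data keys in charts/dns-ns-controller/templates/api-config.yaml.
	createAddr, ok := config.Data["createTXTAddr"]
	if !ok {
		return apiConfig{}, fmt.Errorf("create address missing")
	}
	deleteAddr, ok := config.Data["deleteTXTAddr"]
	if !ok {
		return apiConfig{}, fmt.Errorf("delete address missing")
	}
	return apiConfig{CreateAddress: createAddr, DeleteAddress: deleteAddr}, nil
}
```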
diff --git a/core/installer/app.go b/core/installer/app.go
index f732e8e..511f1a4 100644
--- a/core/installer/app.go
+++ b/core/installer/app.go
@@ -110,7 +110,6 @@
CreateIngressPublic(valuesTmpls, tmpls),
CreateCertManager(valuesTmpls, tmpls),
CreateCertManagerWebhookGandi(valuesTmpls, tmpls),
- CreateCertManagerWebhookGandiRole(valuesTmpls, tmpls),
CreateCSIDriverSMB(valuesTmpls, tmpls),
CreateResourceRendererController(valuesTmpls, tmpls),
CreateHeadscaleController(valuesTmpls, tmpls),
@@ -497,34 +496,18 @@
}
func CreateCertManagerWebhookGandi(fs embed.FS, tmpls *template.Template) App {
- schema, err := fs.ReadFile("values-tmpl/cert-manager-webhook-gandi.jsonschema")
+ schema, err := fs.ReadFile("values-tmpl/cert-manager-webhook-pcloud.jsonschema")
if err != nil {
panic(err)
}
return App{
- "cert-manager-webhook-gandi",
+ "cert-manager-webhook-pcloud",
[]string{},
[]*template.Template{
- tmpls.Lookup("cert-manager-webhook-gandi.yaml"),
+ tmpls.Lookup("cert-manager-webhook-pcloud.yaml"),
},
string(schema),
- tmpls.Lookup("cert-manager-webhook-gandi.md"),
- }
-}
-
-func CreateCertManagerWebhookGandiRole(fs embed.FS, tmpls *template.Template) App {
- schema, err := fs.ReadFile("values-tmpl/cert-manager-webhook-gandi-role.jsonschema")
- if err != nil {
- panic(err)
- }
- return App{
- "cert-manager-webhook-gandi-role",
- []string{},
- []*template.Template{
- tmpls.Lookup("cert-manager-webhook-gandi-role.yaml"),
- },
- string(schema),
- tmpls.Lookup("cert-manager-webhook-gandi-role.md"),
+ tmpls.Lookup("cert-manager-webhook-pcloud.md"),
}
}
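Review bot: `CreateCertManagerWebhookGandi` now builds the `cert-manager-webhook-pcloud` app, so the function name no longer says what it does; renaming it to `CreateCertManagerWebhookPcloud` here and at the call site in the first hunk of this file keeps the name/app pairing that the surrounding constructors follow. The body itself is otherwise a straight substitution and reads fine.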
diff --git a/core/installer/bootstrapper.go b/core/installer/bootstrapper.go
index 953666c..94c1e2d 100644
--- a/core/installer/bootstrapper.go
+++ b/core/installer/bootstrapper.go
@@ -21,6 +21,8 @@
const IPAddressPoolConfigRepo = "config-repo"
const IPAddressPoolIngressPublic = "ingress-public"
+const dnsAPIConfigMapName = "api-config"
+
type Bootstrapper struct {
cl ChartLoader
ns NamespaceCreator
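Review bot: `dnsAPIConfigMapName = "api-config"` duplicates the chart default `apiConfigMapName: api-config` in `charts/dns-ns-controller/values.yaml`, and the webhook in turn expects the same name through its Issuer solver config; nothing in this diff shows that solver config being written, so whether the three agree cannot be checked here. A comment on the constant naming the consumers it must match would at least make the coupling visible, e.g. `// Must match charts/dns-ns-controller values.apiConfigMapName and the apiConfigMapName field of the webhook's solver config.`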
@@ -407,8 +409,7 @@
"csi-driver-smb",
"ingress-public",
"cert-manager",
- "cert-manager-webhook-gandi",
- "cert-manager-webhook-gandi-role",
+ "cert-manager-webhook-pcloud",
}
for _, name := range appsToInstall {
if err := install(name); err != nil {
@@ -541,6 +542,7 @@
"MountPath": volumeMountPath,
"Size": "1Gi",
},
+ "APIConfigMapName": dnsAPIConfigMapName,
},
Release: Release{
Namespace: ns,
diff --git a/core/installer/values-tmpl/cert-manager-webhook-gandi.jsonschema b/core/installer/values-tmpl/cert-manager-webhook-gandi.jsonschema
deleted file mode 100644
index f42d895..0000000
--- a/core/installer/values-tmpl/cert-manager-webhook-gandi.jsonschema
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "type": "object",
- "properties": {
- },
- "additionalProperties": false
-}
diff --git a/core/installer/values-tmpl/cert-manager-webhook-gandi.md b/core/installer/values-tmpl/cert-manager-webhook-gandi.md
deleted file mode 100644
index 6590062..0000000
--- a/core/installer/values-tmpl/cert-manager-webhook-gandi.md
+++ /dev/null
@@ -1 +0,0 @@
-Installs cert-manager DNS01 resolver for Gandi.net domain registrar
diff --git a/core/installer/values-tmpl/cert-manager-webhook-pcloud.jsonschema b/core/installer/values-tmpl/cert-manager-webhook-pcloud.jsonschema
new file mode 100644
index 0000000..a6adce7
--- /dev/null
+++ b/core/installer/values-tmpl/cert-manager-webhook-pcloud.jsonschema
@@ -0,0 +1,8 @@
+{
+ "type": "object",
+ "properties": {
+ "APIGroupName": { "type": "string" },
+ "ResolverName": { "type": "string" }
+ },
+ "additionalProperties": false
+}
diff --git a/core/installer/values-tmpl/cert-manager-webhook-pcloud.md b/core/installer/values-tmpl/cert-manager-webhook-pcloud.md
new file mode 100644
index 0000000..39df923
--- /dev/null
+++ b/core/installer/values-tmpl/cert-manager-webhook-pcloud.md
@@ -0,0 +1 @@
+Installs cert-manager DNS01 resolver for pcloud internal DNS server
diff --git a/core/installer/values-tmpl/cert-manager-webhook-gandi.yaml b/core/installer/values-tmpl/cert-manager-webhook-pcloud.yaml
similarity index 71%
rename from core/installer/values-tmpl/cert-manager-webhook-gandi.yaml
rename to core/installer/values-tmpl/cert-manager-webhook-pcloud.yaml
index bbadd91..d75634b 100644
--- a/core/installer/values-tmpl/cert-manager-webhook-gandi.yaml
+++ b/core/installer/values-tmpl/cert-manager-webhook-pcloud.yaml
@@ -1,7 +1,7 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
- name: cert-manager-webhook-gandi
+ name: cert-manager-webhook-pcloud
namespace: {{ .Global.PCloudEnvName }}-cert-manager
spec:
dependsOn:
@@ -9,7 +9,7 @@
namespace: {{ .Global.PCloudEnvName }}-cert-manager # TODO(giolekva): derivative
chart:
spec:
- chart: charts/cert-manager-webhook-gandi
+ chart: charts/cert-manager-webhook-pcloud
sourceRef:
kind: GitRepository
name: pcloud
@@ -17,12 +17,14 @@
interval: 1m0s
timeout: 20m0s
values:
- fullnameOverride: {{ .Global.PCloudEnvName }}-cert-manager-webhook-gandi
+ fullnameOverride: {{ .Global.PCloudEnvName }}-cert-manager-webhook-pcloud
certManager:
namespace: {{ .Global.PCloudEnvName }}-cert-manager
name: {{ .Global.PCloudEnvName }}-cert-manager
image:
- repository: giolekva/cert-manager-webhook-gandi
- tag: v0.2.0
- pullPolicy: IfNotPresent
+ repository: giolekva/dns-challenge-solver
+ tag: latest
+ pullPolicy: Always
logLevel: 2
+ apiGroupName: dodo.cloud
+ resolverName: dns-resolver-pcloud
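Review bot: `apiGroupName: dodo.cloud` and `resolverName: dns-resolver-pcloud` are hard-coded here, while the new `cert-manager-webhook-pcloud.jsonschema` (earlier hunk) declares `APIGroupName` and `ResolverName` as the app's properties, so the schema advertises inputs the template never reads; either render `{{ .Values.APIGroupName }}` / `{{ .Values.ResolverName }}` here or drop the properties from the schema. The image also moves from a pinned `v0.2.0` with `IfNotPresent` to `tag: latest` with `pullPolicy: Always` (the chart's own values.yaml does the same), so the component that completes ACME DNS-01 challenges is redeployed from whatever the registry serves at each restart; a fixed tag or digest is the usual supply-chain control for that.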
diff --git a/core/installer/values-tmpl/dns-challenge-resolver.yaml b/core/installer/values-tmpl/dns-challenge-resolver.yaml
new file mode 100644
index 0000000..ddabaa8
--- /dev/null
+++ b/core/installer/values-tmpl/dns-challenge-resolver.yaml
@@ -0,0 +1,3 @@
+certManager:
+ namespace: dodo-cert-manager
+ serviceAccountName: dodo-cert-manager
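Review bot: Nothing else in this diff references `dns-challenge-resolver.yaml`, and its `namespace: dodo-cert-manager` / `serviceAccountName: dodo-cert-manager` are literals, whereas the sibling values templates derive these from `{{ .Global.PCloudEnvName }}-cert-manager`. If the installer is meant to pick this file up it should be templated the same way; if not, it reads as a leftover that will drift from the real environment name.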
diff --git a/core/installer/values-tmpl/dns-zone-controller.jsonschema b/core/installer/values-tmpl/dns-zone-controller.jsonschema
index 7a71483..4c67ac3 100644
--- a/core/installer/values-tmpl/dns-zone-controller.jsonschema
+++ b/core/installer/values-tmpl/dns-zone-controller.jsonschema
@@ -8,7 +8,8 @@
"MountPath": { "type": "string" }
},
"additionalProperties": false
- }
+ },
+ "APIConfigMapName": { "type": "string" }
},
"additionalProperties": false
}
diff --git a/core/installer/values-tmpl/dns-zone-controller.yaml b/core/installer/values-tmpl/dns-zone-controller.yaml
index 0df7edb..51fe1e3 100644
--- a/core/installer/values-tmpl/dns-zone-controller.yaml
+++ b/core/installer/values-tmpl/dns-zone-controller.yaml
@@ -21,3 +21,4 @@
volume:
claimName: {{ .Values.Volume.ClaimName }}
mountPath: {{ .Values.Volume.MountPath }}
+ apiConfigMapName: {{ .Values.APIConfigMapName }}
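Review bot: `apiConfigMapName: {{ .Values.APIConfigMapName }}` is rendered unquoted, so an unset value becomes `apiConfigMapName:` (null) and the chart then renders a ConfigMap with no name; `{{ .Values.APIConfigMapName | quote }}` at minimum, and the jsonschema hunk above could list the property under `"required"` so the installer rejects the omission before rendering.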
diff --git a/core/installer/values-tmpl/gerrit-values.yaml b/core/installer/values-tmpl/gerrit-values.yaml
new file mode 100644
index 0000000..c78c5d2
--- /dev/null
+++ b/core/installer/values-tmpl/gerrit-values.yaml
@@ -0,0 +1,335 @@
+images:
+ busybox:
+ registry: docker.io
+ tag: latest
+ # Registry used for container images created by this project
+ registry:
+ # The registry name must NOT contain a trailing slash
+ name:
+ ImagePullSecret:
+ # Leave blank, if no ImagePullSecret is needed.
+ name: image-pull-secret
+ # If set to false, the gerrit chart expects either a ImagePullSecret
+ # with the name configured above to be present on the cluster or that no
+ # credentials are needed.
+ create: false
+ username:
+ password:
+ version: latest
+ imagePullPolicy: Always
+ # Additional ImagePullSecrets that already exist and should be used by the
+ # pods of this chart. E.g. to pull busybox from dockerhub.
+ additionalImagePullSecrets: []
+
+# Additional labels that should be applied to all resources
+additionalLabels: {}
+
+storageClasses:
+ # Storage class used for storing logs and other pod-specific persisted data
+ default:
+ # If create is set to false, an existing StorageClass with the given
+ # name is expected to exist in the cluster. Setting create to true will
+ # create a storage class with the parameters given below.
+ name: longhorn
+ create: false
+ provisioner: kubernetes.io/aws-ebs
+ reclaimPolicy: Delete
+ # Use the parameters key to set all parameters needed for the provisioner
+ parameters:
+ type: gp2
+ fsType: ext4
+ mountOptions: []
+ allowVolumeExpansion: false
+ # Storage class used for storing git repositories. Has to provide RWM access.
+ shared:
+ # If create is set to false, an existing StorageClass with RWM access
+ # mode and the given name has to be provided.
+ name: longhorn
+ create: false
+ provisioner: nfs
+ reclaimPolicy: Delete
+ # Use the parameters key to set all parameters needed for the provisioner
+ parameters:
+ mountOptions: vers=4.1
+ mountOptions: []
+ allowVolumeExpansion: false
+
+
+nfsWorkaround:
+ enabled: false
+ chownOnStartup: false
+ idDomain: localdomain.com
+
+
+networkPolicies:
+ enabled: false
+ dnsPorts:
+ - 53
+ - 8053
+
+
+gitRepositoryStorage:
+ externalPVC:
+ use: false
+ name: git-repositories-pvc
+ size: 5Gi
+
+logStorage:
+ enabled: false
+ externalPVC:
+ use: false
+ name: gerrit-logs-pvc
+ size: 5Gi
+ cleanup:
+ enabled: false
+ additionalPodLabels: {}
+ schedule: "0 0 * * *"
+ retentionDays: 14
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 100m
+ memory: 256Mi
+
+caCert:
+
+ingress:
+ enabled: false
+ host:
+ # The maximum body size to allow for requests. Use "0" to allow unlimited
+ # reuqest body sizes.
+ maxBodySize: 50m
+ additionalAnnotations:
+ kubernetes.io/ingress.class: nginx
+ # nginx.ingress.kubernetes.io/server-alias: example.com
+ # nginx.ingress.kubernetes.io/whitelist-source-range: xxx.xxx.xxx.xxx
+ tls:
+ enabled: false
+ secret:
+ create: true
+ # `name` will only be used, if `create` is set to false to bind an
+ # existing secret. Otherwise the name will be automatically generated to
+ # avoid conflicts between multiple chart installations.
+ name:
+ # `cert`and `key` will only be used, if the secret will be created by
+ # this chart.
+ cert: |-
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
+ key: |-
+ -----BEGIN RSA PRIVATE KEY-----
+
+ -----END RSA PRIVATE KEY-----
+
+
+gitGC:
+ image: k8sgerrit/git-gc
+
+ tolerations: []
+ nodeSelector: {}
+ affinity: {}
+ additionalPodLabels: {}
+
+ schedule: 0 6,18 * * *
+
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 100m
+ memory: 256Mi
+
+ logging:
+ persistence:
+ enabled: true
+ size: 1Gi
+
+
+gerrit:
+ images:
+ gerritInit: k8sgerrit/gerrit-init
+ gerrit: k8sgerrit/gerrit
+
+ tolerations: []
+ topologySpreadConstraints: {}
+ nodeSelector: {}
+ affinity: {}
+ additionalAnnotations: {}
+ additionalPodLabels: {}
+
+ replicas: 1
+ updatePartition: 0
+
+ # The memory limit has to be higher than the configures heap-size for Java!
+ resources:
+ requests:
+ cpu: 1
+ memory: 5Gi
+ limits:
+ cpu: 1
+ memory: 6Gi
+
+ persistence:
+ enabled: true
+ size: 10Gi
+
+ livenessProbe:
+ initialDelaySeconds: 30
+ periodSeconds: 5
+
+ readinessProbe:
+ initialDelaySeconds: 5
+ periodSeconds: 1
+
+ startupProbe:
+ initialDelaySeconds: 10
+ periodSeconds: 30
+
+ gracefulStopTimeout: 90
+
+ # The general NetworkPolicy rules implemented by this chart may be too restrictive
+ # for some setups, e.g. when trying to replicate to a Gerrit replica. Here
+ # custom rules may be added to whitelist some additional connections.
+ networkPolicy:
+ ingress: []
+ egress: []
+ # An example for an egress rule to allow replication to a Gerrit replica
+ # installed with the gerrit-replica setup in the same cluster and namespace
+ # by using the service as the replication destination
+ # (e.g. http://gerrit-replica-git-backend-service:80/git/${name}.git):
+ #
+ # - to:
+ # - podSelector:
+ # matchLabels:
+ # app: git-backend
+
+ service:
+ additionalAnnotations: {}
+ loadBalancerSourceRanges: []
+ type: LoadBalancer
+ externalTrafficPolicy: Cluster
+ http:
+ port: 80
+ ssh:
+ enabled: true
+ port: 29418
+
+ # `gerrit.keystore` expects a base64-encoded Java-keystore
+ # Since Java keystores are binary files, adding the unencoded content and
+ # automatic encoding using helm does not work here.
+ keystore:
+
+ index:
+ # Either `lucene` or `elasticsearch`
+ type: lucene
+
+ pluginManagement:
+ plugins:
+ - name: gitiles
+ # A plugin packaged in the gerrit.war-file
+ # - name: download-commands
+
+ # A plugin packaged in the gerrit.war-file that will also be installed as a
+ # lib
+ # - name: replication
+ # installAsLibrary: true
+
+ # A plugin that will be downloaded on startup
+ # - name: delete-project
+ # url: https://example.com/gerrit-plugins/delete-project.jar
+ # sha1:
+ # installAsLibrary: false
+
+ # Only downloaded plugins will be cached. This will be ignored, if no plugins
+ # are downloaded.
+ libs: []
+ cache:
+ enabled: false
+ size: 1Gi
+
+ priorityClassName:
+
+ etc:
+ # Some values are expected to have a specific value for the deployment installed
+ # by this chart to work. These are marked with `# FIXED`.
+ # Do not change them!
+ config:
+ gerrit.config: |-
+ [gerrit]
+ basePath = git # FIXED
+ serverId = gerrit-1
+ # The canonical web URL has to be set to the Ingress host, if an Ingress
+ # is used. If a LoadBalancer-service is used, this should be set to the
+ # LoadBalancer's external IP. This can only be done manually after installing
+ # the chart, when you know the external IP the LoadBalancer got from the
+ # cluster.
+ canonicalWebUrl = http://192.168.100.215/
+ disableReverseDnsLookup = true
+ [index]
+ type = LUCENE
+ [auth]
+ type = DEVELOPMENT_BECOME_ANY_ACCOUNT
+ gitBasicAuthPolicy = HTTP
+ [httpd]
+ # If using an ingress use proxy-http or proxy-https
+ listenUrl = proxy-http://*:8080/
+ requestLog = true
+ gracefulStopTimeout = 1m
+ [sshd]
+ listenAddress = off
+ [transfer]
+ timeout = 120 s
+ [user]
+ name = Gerrit Code Review
+ email = gerrit@example.com
+ anonymousCoward = Unnamed User
+ [cache]
+ directory = cache
+ [container]
+ user = gerrit # FIXED
+ javaHome = /usr/lib/jvm/java-11-openjdk # FIXED
+ javaOptions = -Djavax.net.ssl.trustStore=/var/gerrit/etc/keystore # FIXED
+ javaOptions = -Xms200m
+ # Has to be lower than 'gerrit.resources.limits.memory'. Also
+ # consider memories used by other applications in the container.
+ javaOptions = -Xmx4g
+
+ replication.config: |-
+ [gerrit]
+ autoReload = false
+ replicateOnStartup = true
+ defaultForceUpdate = true
+
+ # [remote "replica"]
+ # url = http://gerrit-replica.example.com/git/${name}.git
+ # replicationDelay = 0
+ # timeout = 30
+
+ secret:
+ secure.config: |-
+ # Password for the keystore added as value for 'gerritReplica.keystore'
+ # Only needed, if SSL is enabled.
+ #[httpd]
+ # sslKeyPassword = gerrit
+
+ # Credentials for replication targets
+ # [remote "replica"]
+ # username = git
+ # password = secret
+
+ # ssh_host_ecdsa_key: |-
+ # -----BEGIN EC PRIVATE KEY-----
+
+ # -----END EC PRIVATE KEY-----
+
+ # ssh_host_ecdsa_key.pub: ecdsa-sha2-nistp256...
+
+ additionalConfigMaps:
+ # - name:
+ # subDir:
+ # data:
+ # file.txt: test
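Review bot: `type = DEVELOPMENT_BECOME_ANY_ACCOUNT` under `[auth]` in the embedded gerrit.config lets any visitor sign in as any account, and `canonicalWebUrl = http://192.168.100.215/` is a fixed LAN address; both read as upstream sample values carried over rather than settings chosen for this installer, and the file is referenced by nothing else in this diff nor by its title. If it is meant to be installed, the auth type needs a real provider with a comment above the `[auth]` line naming it, the URL should be templated like the other values files here (`{{ .Global.PCloudEnvName }}`), and `version: latest` / `imagePullPolicy: Always` should be pinned. The `cert:`/`key:` block scalars under `ingress.tls.secret` hold empty PEM frames, which with `create: true` would produce a Secret containing syntactically present but empty material; leaving them unset is clearer. `caCert:` and `keystore:` are bare empty values, which parse as null — fine if the chart expects that, but `null` written out says so.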