diff --git a/oka/apps/jenkins/manifests/bitnamicharts-repo.yaml b/oka/apps/jenkins/manifests/bitnamicharts-repo.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..354b8372d74f01133afd57f27e8dbcacac03bdbc
--- /dev/null
+++ b/oka/apps/jenkins/manifests/bitnamicharts-repo.yaml
@@ -0,0 +1,27 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: bitnamicharts
+ namespace: jenkins
+spec:
+ interval: 10m0s
+ type: oci
+ url: oci://registry-1.docker.io/bitnamicharts
diff --git a/oka/apps/jenkins/manifests/jenkins-hr.yaml b/oka/apps/jenkins/manifests/jenkins-hr.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c87a95e96ad1de2016e66c5d41c3722695563318
--- /dev/null
+++ b/oka/apps/jenkins/manifests/jenkins-hr.yaml
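Review bot: The `HelmRepository` in bitnamicharts-repo.yaml points at the public `oci://registry-1.docker.io/bitnamicharts` namespace with no `secretRef`, so every reconciliation is an anonymous pull from a registry the project does not control. Anonymous Docker Hub pulls are rate-limited, and a 10m interval on a shared egress address can exhaust that allowance and stall the release. Consider mirroring the chart into a registry the project controls, or adding a `secretRef` with pull credentials, and add a comment above `url:` saying which of the two is intended.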
@@ -0,0 +1,37 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: jenkins
+ namespace: jenkins
+spec:
+ chart:
+ spec:
+ chart: jenkins
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: bitnamicharts
+ namespace: jenkins
+ install:
+ createNamespace: true
+ interval: 3m0s
+ targetNamespace: jenkins
+ values: {}
diff --git a/oka/apps/jenkins/templates/jenkins-ks.yaml b/oka/apps/jenkins/templates/jenkins-ks.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..bbf4d7ba9f1e802a172c31fe51efd69ff2a63826
--- /dev/null
+++ b/oka/apps/jenkins/templates/jenkins-ks.yaml
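Review bot: `spec.chart.spec` in jenkins-hr.yaml names the chart `jenkins` but sets no `version`, so the release follows whatever chart version is newest in `bitnamicharts` and, with `reconcileStrategy: ChartVersion`, upgrades itself whenever a new one is published. For a CI server that typically holds deployment credentials this should be pinned, e.g. `version: "<chart-version>"` (placeholder), and bumped through review. `values: {}` also leaves every chart default in place, so how Jenkins is exposed and how the admin password is set are decided by the upstream chart rather than by this repository; stating those values explicitly would make them reviewable.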
@@ -0,0 +1,31 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: jenkins
+ namespace: jenkins
+spec:
+ interval: 1h0m0s
+ path: ./apps/jenkins/manifests
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
diff --git a/oka/apps/jenkins/templates/jenkins-ns.yaml b/oka/apps/jenkins/templates/jenkins-ns.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ca2fff85a14ad2a58f2f9a8b9740a4bd3267e9d1
--- /dev/null
+++ b/oka/apps/jenkins/templates/jenkins-ns.yaml
@@ -0,0 +1,24 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ creationTimestamp: null
+ name: jenkins
+spec: {}
+status: {}
diff --git a/oka/cloud-resources/aks/manifests/aks.yaml b/oka/cloud-resources/aks/manifests/aks.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b27b71460390dee1fe08be947fad172fceaaec8d
--- /dev/null
+++ b/oka/cloud-resources/aks/manifests/aks.yaml
@@ -0,0 +1,53 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: containerservice.azure.upbound.io/v1beta1
+kind: KubernetesCluster
+metadata:
+ name: ${cluster_resource_name}
+spec:
+ forProvider:
+ # Force K8s version
+ # kubernetesVersion: 1.26
+ defaultNodePool:
+ - name: default
+ nodeCount: 1
+ # nodeCount: ${node_count}
+ # vmSize: Standard_D2_v2
+ vmSize: ${vm_size}
+ dnsPrefix: pref-${cluster_resource_name}
+ identity:
+ - type: SystemAssigned
+ location: ${cluster_location}
+ resourceGroupName: ${rg_name}
+ # # In case we had created the RG with CrossPlane:
+ # resourceGroupNameSelector:
+ # matchLabels:
+ # testing.upbound.io/example-name: example
+ # tags:
+ # Environment: Production
+ publishConnectionDetailsTo:
+ # name: kubeconfig-myakscluster01
+ name: kubeconfig-${cluster_resource_name}
+ writeConnectionSecretToRef:
+ # name: kubeconfig-myakscluster01
+ name: kubeconfig-${cluster_resource_name}
+ # namespace: crossplane-system
+ namespace: managed-resources
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
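Review bot: `writeConnectionSecretToRef` stores the cluster's kubeconfig as `kubeconfig-${cluster_resource_name}` in the shared `managed-resources` namespace, and `publishConnectionDetailsTo` publishes the same details under the same name, so anyone who can read Secrets in that namespace holds the credentials of every cluster created from this manifest. A comment above the block should say so, and only one of the two mechanisms should be kept unless both are needed. The `forProvider` block also sets nothing that restricts access to the API server (for example `apiServerAccessProfile` or `privateClusterEnabled`, if the provider version in use exposes them), so the cluster is created with the provider defaults.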
diff --git a/oka/cloud-resources/aks/templates/aks01.yaml b/oka/cloud-resources/aks/templates/aks01.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ad3e23d802f2be53eed93e12c4ca46b62590c7fb
--- /dev/null
+++ b/oka/cloud-resources/aks/templates/aks01.yaml
@@ -0,0 +1,92 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# TEMPLATE_PARAMETERS:
+# ===================
+#
+# CLUSTER_KUSTOMIZATION_NAME: Name of the Kustomization in the management cluster representing the AKS cluster.
+# - Alternatively, it can be patched at:
+# .metadata.name
+# .metadata.labels.cluster
+# .spec.commonMetadata.labels.cluster
+#
+# PARAMETERS TO PATCH:
+# ===================
+#
+# .spec.postBuild.substitute.providerconfig_name: Name of the Azure ProviderConfig to use to create the AKS cluster.
+# .spec.postBuild.substitute.cluster_name: Name of the cluster in the target cloud. It may differ from `CLUSTER_KUSTOMIZATION_NAME` since naming restrictions are often different from K8s resource naming restrictions (e.g., hyphens vs. underscores).
+# .spec.postBuild.substitute.k8s_version: Kubernetes version.
+# .spec.postBuild.substitute.node_count: Number of worker nodes.
+# .spec.postBuild.substitute.vm_size: Flavor of worker node VMs.
+# .spec.postBuild.substitute.cluster_location: Target cluster region.
+# .spec.postBuild.substitute.rg_name: Target Resource Group.
+
+# Cluster resource
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: ${CLUSTER_KUSTOMIZATION_NAME}
+ namespace: managed-resources
+ labels:
+ cluster: ${CLUSTER_KUSTOMIZATION_NAME}
+spec:
+ commonMetadata:
+ labels:
+ cluster: ${CLUSTER_KUSTOMIZATION_NAME}
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
+ path: ./cloud-resources/aks/manifests
+ prune: true
+ wait: true
+ # force: true
+ patches:
+ - patch: |-
+ apiVersion: containerservice.azure.upbound.io/v1beta1
+ kind: KubernetesCluster
+ metadata:
+ name: ${cluster_resource_name}
+ spec:
+ forProvider:
+ # Comment for latest version (creation only):
+ kubernetesVersion: "${k8s_version}"
+
+ defaultNodePool:
+ - name: default
+ # nodeCount: 1 # Edit to change no. workers
+ nodeCount: ${node_count}
+
+ # Comment for latest version (creation only):
+ orchestratorVersion: "${k8s_version}"
+ vmSize: ${vm_size}
+ # Input parameters
+ postBuild:
+ substitute:
+ providerconfig_name: default
+ cluster_resource_name: ${CLUSTER_KUSTOMIZATION_NAME}
+ cluster_name: myakscluster01
+ k8s_version: "'1.27'"
+ node_count: "1"
+ vm_size: Standard_D2_v2
+ cluster_location: West Europe
+ # AKS only
+ rg_name: CloudNative-OSM
diff --git a/oka/cloud-resources/azure-mysql/manifests/dbformysql.yaml b/oka/cloud-resources/azure-mysql/manifests/dbformysql.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e50d695316569150be42cb983038e03940b9c8b0
--- /dev/null
+++ b/oka/cloud-resources/azure-mysql/manifests/dbformysql.yaml
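Review bot: The parameter list in the header of aks01.yaml does not match what the manifest consumes: `cluster_name` is documented and set to `myakscluster01`, but `aks.yaml` in this commit only references `${cluster_resource_name}`, which the header does not document at all. Either drop `cluster_name` for AKS or use it (the EKS manifests use it for `crossplane.io/external-name`), and add a header line for `cluster_resource_name`. The doubly quoted default `k8s_version: "'1.27'"` deserves a short comment explaining why the inner quotes are needed, since the patch already wraps the variable as `"${k8s_version}"`.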
@@ -0,0 +1,97 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: dbformysql.azure.upbound.io/v1beta1
+kind: Database
+metadata:
+ # annotations:
+ # meta.upbound.io/example-id: dbformysql/v1beta1/database
+ labels:
+ testing.upbound.io/name: ${database_name}
+ name: ${database_name}
+spec:
+ forProvider:
+ charset: utf8
+ collation: utf8_unicode_ci
+ resourceGroupName: ${resource_group}
+ # resourceGroupNameSelector:
+ # matchLabels:
+ # testing.upbound.io/name: ${database_name}
+ serverNameSelector:
+ matchLabels:
+ testing.upbound.io/name: ${database_name}
+
+---
+
+apiVersion: dbformysql.azure.upbound.io/v1beta1
+kind: Server
+metadata:
+ # annotations:
+ # meta.upbound.io/example-id: dbformysql/v1beta1/database
+ labels:
+ testing.upbound.io/name: ${database_name}
+ name: server-${database_name}
+spec:
+ forProvider:
+ administratorLogin: ${admin_user}
+ administratorLoginPasswordSecretRef:
+ key: key
+ name: ${database_secret_name}
+ namespace: ${database_secret_namespace}
+ autoGrowEnabled: true
+ backupRetentionDays: 7
+ geoRedundantBackupEnabled: true
+ infrastructureEncryptionEnabled: true
+ location: ${region}
+ publicNetworkAccessEnabled: false
+ resourceGroupName: ${resource_group}
+ # resourceGroupNameSelector:
+ # matchLabels:
+ # testing.upbound.io/name: ${database_name}
+ # skuName: GP_Gen5_2
+ skuName: ${sku_name:=GP_Gen5_2}
+ sslEnforcementEnabled: true
+ sslMinimalTlsVersionEnforced: TLS1_2
+ # storageMb: 5120
+ storageMb: ${storage_mb:=5120}
+ version: "5.7"
+
+# ---
+
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: example-secret
+# namespace: upbound-system
+# type: Opaque
+# stringData:
+# example-key: dGVzdFBhc3N3b3JkITEyMw==
+
+# ---
+
+# apiVersion: azure.upbound.io/v1beta1
+# kind: ResourceGroup
+# metadata:
+# annotations:
+# meta.upbound.io/example-id: dbformysql/v1beta1/database
+# labels:
+# testing.upbound.io/name: ${database_name}
+# name: ${database_name}
+# spec:
+# forProvider:
+# location: West Europe
diff --git a/oka/cloud-resources/azure-mysql/templates/azure-mysql01.yaml b/oka/cloud-resources/azure-mysql/templates/azure-mysql01.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3150e1bf7efe89ac48a204efef5feec83dadffe3
--- /dev/null
+++ b/oka/cloud-resources/azure-mysql/templates/azure-mysql01.yaml
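Review bot: `version: "5.7"` is hard-coded on the `Server` in dbformysql.yaml while `skuName` and `storageMb` next to it are substitutable with defaults; MySQL 5.7 is past upstream end of life, so databases created from this manifest start on a release that no longer receives fixes. Making it a parameter in the same style, e.g. `version: "${mysql_version:=5.7}"`, lets callers choose a supported release. The commented-out `Secret` example puts a base64 string under `stringData`, which takes plain text, so anyone uncommenting it would get the encoded text as the password; it also uses `example-key`, whereas `administratorLoginPasswordSecretRef` reads the key named `key`.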
@@ -0,0 +1,47 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# Database resource
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: azure-mysql01
+ namespace: managed-resources
+spec:
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
+ path: ./cloud-resources/azure-mysql/resources
+ prune: true
+ wait: true
+
+ # Input parameters
+ postBuild:
+ substitute:
+ database_name: azure-mysql01
+ resource_group: CloudNative-InfraMgmt-CTIO
+ region: West Europe
+ admin_user: MyDemoUser123
+ database_secret_name: database-secret
+ database_secret_namespace: managed-resources
+ # sku_name: GP_Gen5_2
+ # storage_mb: 5120
diff --git a/oka/cloud-resources/eks/manifests/eks-cluster/eks-cluster.yaml b/oka/cloud-resources/eks/manifests/eks-cluster/eks-cluster.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..59b0b44593dc04eaab5d9210ddce6094e7a6547a
--- /dev/null
+++ b/oka/cloud-resources/eks/manifests/eks-cluster/eks-cluster.yaml
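Review bot: `path: ./cloud-resources/azure-mysql/resources` in azure-mysql01.yaml does not match where this commit puts the manifests, `cloud-resources/azure-mysql/manifests/dbformysql.yaml`; unless a `resources` directory exists elsewhere in the repository, the Kustomization will fail to build. The AKS template uses `./cloud-resources/aks/manifests`, so `path: ./cloud-resources/azure-mysql/manifests` is probably what was meant. The template also depends on a Secret `database-secret` in `managed-resources` that nothing in this diff creates; a comment stating that it must exist beforehand, with the password under the key `key`, would help.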
@@ -0,0 +1,67 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: eks.aws.upbound.io/v1beta1
+kind: Cluster
+metadata:
+ name: ${cluster_resource_name}-cluster
+ annotations:
+ crossplane.io/external-name: ${cluster_name}
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: cluster
+spec:
+ forProvider:
+ region: ${cluster_location}
+ version: ${k8s_version}
+ roleArnSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: cluster
+ vpcConfig:
+ - endpointPrivateAccess: true
+ endpointPublicAccess: true
+ subnetIdSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: subnet
+ access: private
+ publishConnectionDetailsTo:
+ name: kubeconfig-${cluster_resource_name}
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: eks.aws.upbound.io/v1beta1
+kind: ClusterAuth
+metadata:
+ name: ${cluster_resource_name}-clusterauth
+spec:
+ forProvider:
+ region: ${cluster_location}
+ clusterName: ${cluster_name}
+ writeConnectionSecretToRef:
+ namespace: managed-resources
+ name: kubeconfig-${cluster_resource_name}
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
diff --git a/oka/cloud-resources/eks/manifests/eks-cluster/nodegroup.yaml b/oka/cloud-resources/eks/manifests/eks-cluster/nodegroup.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e1406d67d6dd33f04e2f32a68aa333eeb65a5ff5
--- /dev/null
+++ b/oka/cloud-resources/eks/manifests/eks-cluster/nodegroup.yaml
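Review bot: `vpcConfig` on the `Cluster` in eks-cluster.yaml sets `endpointPublicAccess: true` without `publicAccessCidrs`, so the EKS API endpoint accepts connections from any address by default. Since `endpointPrivateAccess` is already on, either turn public access off or restrict it, e.g. `publicAccessCidrs: ["<admin-cidr>"]` (placeholder). The `Cluster` also sets no `encryptionConfig` and no `enabledClusterLogTypes`, so envelope encryption of Secrets and control-plane audit logging stay off unless they are enabled elsewhere.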
@@ -0,0 +1,56 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: eks.aws.upbound.io/v1beta1
+kind: NodeGroup
+metadata:
+ name: ${cluster_resource_name}-nodegroup
+ annotations:
+ crossplane.io/external-name: ${cluster_name}-nodegroup
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+spec:
+ forProvider:
+ region: ${cluster_location}
+ clusterNameSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: cluster
+ nodeRoleArnSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: ec2
+ subnetIdSelector:
+ matchLabels:
+ cluster: ${cluster_resource_name}
+ type: subnet
+ access: private
+ scalingConfig:
+ - minSize: 1
+ desiredSize: ${node_count}
+ maxSize: 10
+ diskSize: 30
+ instanceTypes:
+ - ${vm_size}
+ tags:
+ Name: ${cluster_name}
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
diff --git a/oka/cloud-resources/eks/manifests/iam/role-policy-attachment.yaml b/oka/cloud-resources/eks/manifests/iam/role-policy-attachment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3e61f8182762e3528c2e4c3488bb311bb1850f56
--- /dev/null
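Review bot: `scalingConfig` in nodegroup.yaml takes `desiredSize` from `${node_count}` but fixes `minSize: 1` and `maxSize: 10`, so a `node_count` of 0 or above 10 produces a node group whose desired size falls outside its own bounds. Either document the accepted range next to `node_count` in the template that feeds this manifest, or make the bounds substitutable with defaults. The `subnetIdSelector` here also omits the `provider: aws` label that the other selectors in this commit include; adding it would keep the selectors uniform.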
+++ b/oka/cloud-resources/eks/manifests/iam/role-policy-attachment.yaml 
@@ -0,0 +1,136 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+ name: ${cluster_resource_name}-cluster
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+spec:
+ forProvider:
+ policyArn: arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+ roleSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: cluster
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+ name: ${cluster_resource_name}-service
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+spec:
+ forProvider:
+ policyArn: arn:aws:iam::aws:policy/AmazonEKSServicePolicy
+ roleSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: cluster
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+ name: ${cluster_resource_name}-vpccontroller
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+spec:
+ forProvider:
+ policyArn: arn:aws:iam::aws:policy/AmazonEKSVPCResourceController
+ roleSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: cluster
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+ name: ${cluster_resource_name}-worker
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+spec:
+ forProvider:
+ policyArn: arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
+ roleSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: ec2
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+ name: ${cluster_resource_name}-cni
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+spec:
+ forProvider:
+ policyArn: arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
+ roleSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: ec2
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+ name: ${cluster_resource_name}-registry
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+spec:
+ forProvider:
+ policyArn: arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
+ roleSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: ec2
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
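Review bot: The `${cluster_resource_name}-service` attachment grants `AmazonEKSServicePolicy` to the cluster role; as far as I know AWS only required that policy for clusters created before April 2020, so it looks removable here, leaving `AmazonEKSClusterPolicy` (and the VPC resource controller policy if it is needed). `AmazonEKS_CNI_Policy` is attached to the node role in the `${cluster_resource_name}-cni` document, which makes those permissions available to any workload that can reach the node's instance credentials; AWS recommends binding that policy to the `aws-node` service account through IAM roles for service accounts instead. If the node-role attachment is deliberate, a comment above it saying so would help.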
diff --git a/oka/cloud-resources/eks/manifests/iam/roles.yaml b/oka/cloud-resources/eks/manifests/iam/roles.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..03ae559baaaa5c369649cb8004e3fc4c72005c0f
--- /dev/null
+++ b/oka/cloud-resources/eks/manifests/iam/roles.yaml
@@ -0,0 +1,84 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: Role
+metadata:
+ name: ${cluster_resource_name}-eks
+ annotations:
+ crossplane.io/external-name: ${cluster_name}-masterRole
+ labels:
+ provider: aws
+ cluster: eks
+ type: cluster
+spec:
+ forProvider:
+ assumeRolePolicy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": [
+ "eks.amazonaws.com"
+ ]
+ },
+ "Action": [
+ "sts:AssumeRole"
+ ]
+ }
+ ]
+ }
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: Role
+metadata:
+ name: ${cluster_resource_name}-ec2
+ annotations:
+ crossplane.io/external-name: ${cluster_name}-nodeRole
+ labels:
+ provider: aws
+ cluster: eks
+ type: ec2
+spec:
+ forProvider:
+ assumeRolePolicy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": [
+ "ec2.amazonaws.com"
+ ]
+ },
+ "Action": [
+ "sts:AssumeRole"
+ ]
+ }
+ ]
+ }
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
diff --git a/oka/cloud-resources/eks/manifests/network/gateways.yaml b/oka/cloud-resources/eks/manifests/network/gateways.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..96255f8729898d762f1ff6498dd1eb3aef2ae454
--- /dev/null
+++ b/oka/cloud-resources/eks/manifests/network/gateways.yaml
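Review bot: Both `Role` objects in roles.yaml carry the literal label `cluster: eks`, while every selector meant to find them matches on `cluster: ${cluster_resource_name}`: `roleSelector` in role-policy-attachment.yaml, `roleArnSelector` in eks-cluster.yaml and `nodeRoleArnSelector` in nodegroup.yaml. Unless the resource name happens to be `eks`, none of those selectors will resolve, and the policy attachments, cluster and node group will stay unready. The label should read `cluster: ${cluster_resource_name}` in both documents, which also keeps roles of different clusters from sharing the same label set.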
@@ -0,0 +1,89 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: EIP
+metadata:
+ name: ${cluster_resource_name}-eip
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: eip
+spec:
+ forProvider:
+ region: ${cluster_location}
+ domain: vpc
+ tags:
+ key: Name
+ value: ${cluster_name}-eip
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: InternetGateway
+metadata:
+ name: ${cluster_resource_name}-igw
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: igw
+spec:
+ forProvider:
+ region: ${cluster_location}
+ vpcIdSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ tags:
+ Name: ${cluster_name}-igw
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: NATGateway
+metadata:
+ name: ${cluster_resource_name}-natgw
+ labels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: natgw
+spec:
+ forProvider:
+ region: ${cluster_location}
+ connectivityType: public
+ allocationIdSelector:
+ matchLabels:
+ provider: aws
+ cluster: ${cluster_resource_name}
+ type: eip
+ subnetIdSelector:
+ matchLabels:
+ type: subnet
+ provider: aws
+ cluster: ${cluster_resource_name}
+ zone: ${cluster_location}a
+ access: public
+ tags:
+ Name: ${cluster_name}-natgw
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
diff --git a/oka/cloud-resources/eks/manifests/network/routes.yaml b/oka/cloud-resources/eks/manifests/network/routes.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b9d57ba1a03d12644eb68d82b370242eeb1e1226
--- /dev/null
+++ b/oka/cloud-resources/eks/manifests/network/routes.yaml
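Review bot: The `EIP` in gateways.yaml writes its tags as `key: Name` and `value: ${cluster_name}-eip`, which creates two tags literally called `key` and `value` instead of a `Name` tag; the `InternetGateway` and `NATGateway` below use the map form. It should be `tags:` followed by `Name: ${cluster_name}-eip`. The `NATGateway` selects only the public subnet in `${cluster_location}a`, so private subnets in any other zone depend on that one zone for egress; a comment stating that the single NAT gateway is intentional would help.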
@@ -0,0 +1,228 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +apiVersion: ec2.aws.upbound.io/v1beta2 +kind: Route +metadata: + name: ${cluster_resource_name}-public-route + labels: + provider: aws + cluster: ${cluster_resource_name} +spec: + forProvider: + region: ${cluster_location} + destinationCidrBlock: 0.0.0.0/0 + gatewayIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: igw + routeTableIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: routetable + access: public + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} + +--- +apiVersion: ec2.aws.upbound.io/v1beta2 +kind: Route +metadata: + name: ${cluster_resource_name}-private-route + labels: + provider: aws + cluster: ${cluster_resource_name} +spec: + forProvider: + region: ${cluster_location} + destinationCidrBlock: 0.0.0.0/0 + natGatewayIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: natgw + routeTableIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: routetable + access: private + # Use in case you wanted to use different credentials 
(i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} + +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: RouteTable +metadata: + name: ${cluster_resource_name}-public-route-table + labels: + provider: aws + cluster: ${cluster_resource_name} + type: routetable + access: public +spec: + forProvider: + region: ${cluster_location} + vpcIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + tags: + Name: ${cluster_name}-public-route-table + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} + +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: RouteTable +metadata: + name: ${cluster_resource_name}-private-route-table + labels: + provider: aws + cluster: ${cluster_resource_name} + type: routetable + access: private +spec: + forProvider: + region: ${cluster_location} + vpcIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + tags: + Name: ${cluster_name}-private-route-table + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} + +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: RouteTableAssociation +metadata: + name: ${cluster_resource_name}-public-route-association-1a + labels: + provider: aws + cluster: ${cluster_resource_name} +spec: + forProvider: + region: ${cluster_location} + subnetIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: subnet + access: public + zone: ${cluster_location}a + routeTableIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: routetable + access: public + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} + +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: 
RouteTableAssociation +metadata: + name: ${cluster_resource_name}-public-route-association-1b + labels: + provider: aws + cluster: ${cluster_resource_name} +spec: + forProvider: + region: ${cluster_location} + subnetIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: subnet + access: public + zone: ${cluster_location}b + routeTableIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: routetable + access: public + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} + +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: RouteTableAssociation +metadata: + name: ${cluster_resource_name}-private-route-association-1a + labels: + provider: aws + cluster: ${cluster_resource_name} +spec: + forProvider: + region: ${cluster_location} + subnetIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: subnet + access: private + zone: ${cluster_location}a + routeTableIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: routetable + access: private + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} + +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: RouteTableAssociation +metadata: + name: ${cluster_resource_name}-private-route-association-1b + labels: + provider: aws + cluster: ${cluster_resource_name} +spec: + forProvider: + region: ${cluster_location} + subnetIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: subnet + access: private + zone: ${cluster_location}b + routeTableIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + type: routetable + access: private + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + 
name: ${providerconfig_name} diff --git a/oka/cloud-resources/eks/manifests/network/subnets.yaml b/oka/cloud-resources/eks/manifests/network/subnets.yaml new file mode 100644 index 0000000000000000000000000000000000000000..bffbfc3ef53436824de95f91413e48375dcdf88d --- /dev/null +++ b/oka/cloud-resources/eks/manifests/network/subnets.yaml 
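Review bot: The two `Route` objects use `ec2.aws.upbound.io/v1beta2`, while the `RouteTable` and `RouteTableAssociation` objects in this file and the other EC2 resources in this commit use `v1beta1`. If the provider release installed on the management cluster does not serve `Route` at `v1beta2`, both documents are rejected and the Kustomization that applies this directory with `wait: true` cannot become ready; please confirm against the pinned provider version or align the API versions. A one-line comment above each `destinationCidrBlock: 0.0.0.0/0` (`# default route to the internet gateway`, `# default egress via the NAT gateway`) would also make the public/private split easier to audit.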
@@ -0,0 +1,130 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: Subnet +metadata: + name: ${cluster_resource_name}-public-subnet-${cluster_location}a + labels: + type: subnet + provider: aws + cluster: ${cluster_resource_name} + zone: ${cluster_location}a + access: public +spec: + forProvider: + region: ${cluster_location} + availabilityZone: ${cluster_location}a + cidrBlock: 10.10.0.0/24 + vpcIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + mapPublicIpOnLaunch: true + tags: + kubernetes.io/role/elb: "1" + Name: ${cluster_name}-public-subnet-${cluster_location}a + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} + +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: Subnet +metadata: + name: ${cluster_resource_name}-public-subnet-${cluster_location}b + labels: + type: subnet + provider: aws + cluster: ${cluster_resource_name} + zone: ${cluster_location}b + access: public +spec: + forProvider: + region: ${cluster_location} + availabilityZone: ${cluster_location}b + cidrBlock: 10.10.1.0/24 + vpcIdSelector: + matchLabels: + provider: aws + cluster: 
${cluster_resource_name} + mapPublicIpOnLaunch: true + tags: + kubernetes.io/role/elb: "1" + Name: ${cluster_name}-public-subnet-${cluster_location}b + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} + +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: Subnet +metadata: + name: ${cluster_resource_name}-private-subnet-${cluster_location}a + labels: + type: subnet + provider: aws + cluster: ${cluster_resource_name} + zone: ${cluster_location}a + access: private +spec: + forProvider: + region: ${cluster_location} + availabilityZone: ${cluster_location}a + cidrBlock: 10.10.2.0/24 + vpcIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + mapPublicIpOnLaunch: false + tags: + kubernetes.io/role/elb: "1" + Name: ${cluster_name}-private-subnet-${cluster_location}a + kubernetes.io/cluster/{cluster_name}: shared + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} + +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: Subnet +metadata: + name: ${cluster_resource_name}-private-subnet-${cluster_location}b + labels: + type: subnet + provider: aws + cluster: ${cluster_resource_name} + zone: ${cluster_location}b + access: private +spec: + forProvider: + region: ${cluster_location} + availabilityZone: ${cluster_location}b + cidrBlock: 10.10.3.0/24 + vpcIdSelector: + matchLabels: + provider: aws + cluster: ${cluster_resource_name} + mapPublicIpOnLaunch: false + tags: + kubernetes.io/role/elb: "1" + Name: ${cluster_name}-private-subnet-${cluster_location}b + kubernetes.io/cluster/{cluster_name}: shared + # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default) + providerConfigRef: + name: ${providerconfig_name} 
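Review bot: The tag key `kubernetes.io/cluster/{cluster_name}: shared` on both private subnets is missing the `$`, so it is never substituted and the subnets get a tag literally named `kubernetes.io/cluster/{cluster_name}`; it should read `kubernetes.io/cluster/${cluster_name}: shared`. The private subnets also carry `kubernetes.io/role/elb: "1"`, the tag conventionally used to mark subnets for internet-facing load balancers. For private subnets the usual tag is `kubernetes.io/role/internal-elb: "1"`, and keeping the public-facing one risks an internet-facing load balancer being considered for a subnet meant to stay private. The two public subnets have no cluster tag at all, which may be intended but deserves a comment.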
diff --git a/oka/cloud-resources/eks/manifests/network/vpc.yaml b/oka/cloud-resources/eks/manifests/network/vpc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b643ba375585dce708f991db2ca21c490bc9ce1e
--- /dev/null
+++ b/oka/cloud-resources/eks/manifests/network/vpc.yaml
@@ -0,0 +1,36 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: VPC
+metadata:
+ name: ${cluster_resource_name}-vpc
+ labels:
+ provider: aws
+ cluster: eks
+spec:
+ forProvider:
+ region: ${cluster_location}
+ cidrBlock: 10.10.0.0/16
+ enableDnsHostnames: true
+ enableDnsSupport: true
+ tags:
+ Name: ${cluster_name}-vpc
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
diff --git a/oka/cloud-resources/eks/templates/eks01.yaml b/oka/cloud-resources/eks/templates/eks01.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..09728272f67fe4484082826dd92d11c6b3a1bee4
--- /dev/null
+++ b/oka/cloud-resources/eks/templates/eks01.yaml
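Review bot: The VPC is labelled `cluster: eks`, but every `vpcIdSelector` in this commit (subnets, internet gateway, route tables) matches on `cluster: ${cluster_resource_name}`. The `commonMetadata.labels.cluster` set in `eks01.yaml` probably overwrites the literal at apply time, so this may work in practice, but the manifest then depends on that override, and if it is ever dropped the selectors would find no VPC. I would change the label to `cluster: ${cluster_resource_name}` so the VPC matches the other resources on its own.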
@@ -0,0 +1,71 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# TEMPLATE_PARAMETERS:
+# ===================
+#
+# CLUSTER_KUSTOMIZATION_NAME: Name of the cluster in the management cluster (e.g., for `Kustomization`s).
+# - Alternatively, it can be patched at:
+# .metadata.name
+# .metadata.labels.cluster
+# .spec.commonMetadata.labels.cluster
+# .spec.postBuild.substitute.cluster_resource_name
+#
+# PARAMETERS TO PATCH:
+# ===================
+#
+# .spec.postBuild.substitute.providerconfig_name: Name of the AWS ProviderConfig to use to create the EKS cluster.
+# .spec.postBuild.substitute.cluster_name: Name of the cluster in the target cloud. It may differ from `CLUSTER_KUSTOMIZATION_NAME` since naming restrictions are often different from K8s resource naming restrictions (e.g., hyphens vs. underscores).
+# .spec.postBuild.substitute.k8s_version: Kubernetes version.
+# .spec.postBuild.substitute.node_count: Number of worker nodes.
+# .spec.postBuild.substitute.vm_size: Flavor of worker node VMs.
+# .spec.postBuild.substitute.cluster_location: Target cluster region.
+
+# Cluster resource
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: ${CLUSTER_KUSTOMIZATION_NAME}
+ namespace: managed-resources
+ labels:
+ cluster: ${CLUSTER_KUSTOMIZATION_NAME}
+spec:
+ commonMetadata:
+ labels:
+ cluster: ${CLUSTER_KUSTOMIZATION_NAME}
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
+ path: ./cloud-resources/eks/manifests/
+ prune: true
+ # force: true
+ wait: true
+ # Input parameters
+ postBuild:
+ substitute:
+ providerconfig_name: default
+ cluster_resource_name: ${CLUSTER_KUSTOMIZATION_NAME}
+ cluster_name: ekscluster01
+ k8s_version: "'1.28'"
+ node_count: "1"
+ vm_size: t3.medium
+ cluster_location: ap-south-1
diff --git a/oka/cloud-resources/flux-remote-bootstrap/bootstrap/manifests/namespaces/namespaces.yaml b/oka/cloud-resources/flux-remote-bootstrap/bootstrap/manifests/namespaces/namespaces.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4bd715ca2607761f4d9a42a7673dbbce2010166b
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/bootstrap/manifests/namespaces/namespaces.yaml
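Review bot: `timeout: 5m` combined with `wait: true` looks too short for this Kustomization. It applies `./cloud-resources/eks/manifests/`, and waiting for a VPC, a NAT gateway and (presumably) the EKS control plane and node group to become ready usually takes longer than five minutes. The likely result is a Kustomization that reports a health-check timeout and retries every `retryInterval: 1m` while provisioning is still running, which also holds back the bootstrap Kustomizations that `dependsOn` it. Consider a larger value such as `timeout: 30m`, or a comment explaining why five minutes is sufficient. Because `prune: true` is set on a Kustomization that owns cloud resources, a comment noting that deleting it or changing `path` removes the network and cluster would also help operators.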
@@ -0,0 +1,31 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# Remote namespace `flux-system`
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: flux-system
+
+---
+# Remote namespace `managed-resources`
+# - Required for Helm deployments from management cluster
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: managed-resources
diff --git a/oka/cloud-resources/flux-remote-bootstrap/bootstrap/manifests/secret/secret-template.yaml b/oka/cloud-resources/flux-remote-bootstrap/bootstrap/manifests/secret/secret-template.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3a9d7ebea636451c0193815f1b09d2a7e8c02f15
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/bootstrap/manifests/secret/secret-template.yaml
@@ -0,0 +1,26 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# Template for creating remote secrets
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ${secret_name}
+ namespace: ${secret_namespace}
+type: Opaque
+stringData: {}
diff --git a/oka/cloud-resources/flux-remote-bootstrap/bootstrap/templates/remote-cluster-bootstrap.yaml b/oka/cloud-resources/flux-remote-bootstrap/bootstrap/templates/remote-cluster-bootstrap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d138660e9d37c9ef7f1ae92ce4b56c60467b899f
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/bootstrap/templates/remote-cluster-bootstrap.yaml
@@ -0,0 +1,265 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# TEMPLATE PARAMETERS: +# =================== +# +# CLUSTER_KUSTOMIZATION_NAME: Name of the cluster in the management cluster (i.e., the `Kustomization`). +# CLUSTER_NAME: Name of the cluster in the target cloud. It may differ from `CLUSTER_KUSTOMIZATION_NAME` since naming restrictions are often different from K8s resource naming restrictions (e.g., hyphens vs. underscores). +# CLUSTER_AGE_SECRET_NAME: Name of the secret in the management cluster that keeps the private key for age/sops in the remote cluster. 
+ +# Creates required remote namespaces +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-ns + namespace: managed-resources + labels: + cluster: ${CLUSTER_KUSTOMIZATION_NAME} +spec: + # interval: 1h + interval: 5m + retryInterval: 1m + timeout: 5m + dependsOn: + - name: ${CLUSTER_KUSTOMIZATION_NAME} + prune: true + # wait: true + # force: true + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system + path: ./cloud-resources/flux-remote-bootstrap/bootstrap/manifests/namespaces + kubeConfig: + secretRef: + name: kubeconfig-${CLUSTER_KUSTOMIZATION_NAME} + key: kubeconfig + +--- +# Creates remote `flux-system.flux-system` secret +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-secret-flux + namespace: managed-resources + labels: + cluster: ${CLUSTER_KUSTOMIZATION_NAME} +spec: + # interval: 1h + interval: 5m + retryInterval: 1m + timeout: 5m + dependsOn: + - name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-ns + prune: true + # wait: true + force: true + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system + path: ./cloud-resources/flux-remote-bootstrap/bootstrap/manifests/secret + kubeConfig: + secretRef: + name: kubeconfig-${CLUSTER_KUSTOMIZATION_NAME} + key: kubeconfig + patches: + - patch: |- + apiVersion: v1 + kind: Secret + metadata: + name: ${secret_name} + namespace: ${secret_namespace} + stringData: + username: ${username} + password: ${password} + # Inputs: + postBuild: + substitute: + secret_name: flux-system + secret_namespace: flux-system + substituteFrom: + - kind: Secret + name: flux-system + +--- +# Creates remote `sops-age` secret +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-secret-sops + namespace: managed-resources + labels: + cluster: ${CLUSTER_KUSTOMIZATION_NAME} +spec: + # 
interval: 1h + interval: 5m + retryInterval: 1m + timeout: 5m + dependsOn: + - name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-ns + prune: true + # wait: true + force: true + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system + path: ./cloud-resources/flux-remote-bootstrap/bootstrap/manifests/secret + kubeConfig: + secretRef: + name: kubeconfig-${CLUSTER_KUSTOMIZATION_NAME} + key: kubeconfig + patches: + - patch: |- + apiVersion: v1 + kind: Secret + metadata: + name: ${secret_name} + namespace: ${secret_namespace} + stringData: + age.agekey: ${agekey} + # Inputs: + postBuild: + substitute: + secret_name: sops-age + secret_namespace: flux-system + substituteFrom: + - kind: Secret + name: ${CLUSTER_AGE_SECRET_NAME} + +--- +# Creates remote `fleet-repo.flux-system` secret +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-secret-fleet + namespace: managed-resources + labels: + cluster: ${CLUSTER_KUSTOMIZATION_NAME} +spec: + # interval: 1h + interval: 5m + retryInterval: 1m + timeout: 5m + dependsOn: + - name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-ns + prune: true + # wait: true + force: true + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system + path: ./cloud-resources/flux-remote-bootstrap/bootstrap/manifests/secret + kubeConfig: + secretRef: + name: kubeconfig-${CLUSTER_KUSTOMIZATION_NAME} + key: kubeconfig + patches: + - patch: |- + apiVersion: v1 + kind: Secret + metadata: + name: ${secret_name} + namespace: ${secret_namespace} + stringData: + username: ${username} + password: ${password} + # Inputs: + postBuild: + substitute: + secret_name: fleet-repo + secret_namespace: flux-system + substituteFrom: + - kind: Secret + name: fleet-repo + +--- +# Creates remote `sw-catalogs.flux-system` secret +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-secret-catalogs + namespace: 
managed-resources + labels: + cluster: ${CLUSTER_KUSTOMIZATION_NAME} +spec: + # interval: 1h + interval: 5m + retryInterval: 1m + timeout: 5m + dependsOn: + - name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-ns + prune: true + # wait: true + force: true + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system + path: ./cloud-resources/flux-remote-bootstrap/bootstrap/manifests/secret + kubeConfig: + secretRef: + name: kubeconfig-${CLUSTER_KUSTOMIZATION_NAME} + key: kubeconfig + patches: + - patch: |- + apiVersion: v1 + kind: Secret + metadata: + name: ${secret_name} + namespace: ${secret_namespace} + stringData: + username: ${username} + password: ${password} + # Inputs: + postBuild: + substitute: + secret_name: sw-catalogs + secret_namespace: flux-system + substituteFrom: + - kind: Secret + name: sw-catalogs + +--- +# Remote installation of Flux controller (to let the cluster be autonomous) +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-fluxctrl + namespace: managed-resources + labels: + cluster: ${CLUSTER_KUSTOMIZATION_NAME} +spec: + # Tune interval as needed + interval: 10m0s + path: ./clusters/${CLUSTER_KUSTOMIZATION_NAME}/flux-system + dependsOn: + - name: ${CLUSTER_KUSTOMIZATION_NAME}-bstrp-secret-flux + # Avoids removing resources unexpectedly + prune: false + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + kubeConfig: + secretRef: + name: kubeconfig-${CLUSTER_KUSTOMIZATION_NAME} + key: kubeconfig diff --git a/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/apps.yaml b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/apps.yaml new file mode 100644 index 0000000000000000000000000000000000000000..607b8c93aa0eeef7c27fa856122e5c035cb83743 --- /dev/null +++ b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/apps.yaml 
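Review bot: The three repository-credential Kustomizations (`-bstrp-secret-flux`, `-bstrp-secret-fleet`, `-bstrp-secret-catalogs`) copy `username`/`password` from the management cluster's own `flux-system`, `fleet-repo` and `sw-catalogs` Secrets into every remote cluster, so each workload cluster holds the same Git credentials as the management cluster. If those credentials can write, or cover more than one cluster needs, a compromised workload cluster exposes the whole fleet's source of truth. I would state the requirement next to each `substituteFrom`, e.g. `# copied to the remote cluster: must be a read-only token scoped to this repository`, or take the Secret name as a per-cluster parameter the way `${CLUSTER_AGE_SECRET_NAME}` already does for the age key. Separately, `${password}` and `${agekey}` are substituted as text, so a value that parses as a number or contains ` #` or `: ` may not arrive intact; this is worth testing with such a value. The file also mixes `kustomize.toolkit.fluxcd.io/v1beta2` with the `v1` used by the last document; `v1` throughout would be consistent.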
@@ -0,0 +1,41 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: apps
+ namespace: flux-system
+ labels:
+ osm_profile_type: apps
+spec:
+ interval: 10m0s
+ dependsOn:
+ - name: infra-configs
+ sourceRef:
+ kind: GitRepository
+ name: fleet-repo
+ path: ${APPS_PATH}
+ prune: true
+ wait: true
+ timeout: 5m0s
+ # Decryption configuration starts here
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
diff --git a/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/fleet-repo.yaml b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/fleet-repo.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4f70cd72a1903af20efec47ca311d210db3271e6
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/fleet-repo.yaml
@@ -0,0 +1,30 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: fleet-repo
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ ref:
+ branch: main
+ secretRef:
+ name: fleet-repo
+ url: ${FLEET_REPO_URL}
diff --git a/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/flux-system/gotk-components.yaml b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/flux-system/gotk-components.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..50cc8d3067a15079b634c678f87f58a1343f5651
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/flux-system/gotk-components.yaml
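Review bot: This `GitRepository` follows `branch: main` with no `spec.verify`, so whatever commit sits at the head of the branch is applied by the `apps` Kustomization, which also has the `sops-age` decryption key available, without any check of who authored it. If the fleet repository's commits are or can be signed, adding a `verify` block that references a Secret holding the trusted public keys would make the cluster reject unsigned or unknown-signer commits. It is also worth a comment that `${FLEET_REPO_URL}` is expected to be an `https://` or `ssh://` URL, since the `fleet-repo` Secret is populated with a username and password elsewhere in this commit and those would travel in clear over plain `http://`.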
@@ -0,0 +1,8046 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# This manifest was generated by flux. DO NOT EDIT. +# Flux Version: v2.1.2 +# Components: source-controller,kustomize-controller,helm-controller,notification-controller +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + name: flux-system +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: allow-egress + namespace: flux-system +spec: + egress: + - {} + ingress: + - from: + - podSelector: {} + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: allow-scraping + namespace: flux-system +spec: + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + protocol: TCP + podSelector: {} + policyTypes: + - Ingress 
+--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: allow-webhooks + namespace: flux-system +spec: + ingress: + - from: + - namespaceSelector: {} + podSelector: + matchLabels: + app: notification-controller + policyTypes: + - Ingress +--- +apiVersion: v1 +kind: ResourceQuota +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: critical-pods-flux-system + namespace: flux-system +spec: + hard: + pods: "1000" + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical + - system-cluster-critical +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: crd-controller-flux-system +rules: +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - kustomize.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - helm.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - notification.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - image.toolkit.fluxcd.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - "" + resources: + - namespaces + - secrets + - configmaps + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - 
patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: flux-edit-flux-system +rules: +- apiGroups: + - notification.toolkit.fluxcd.io + - source.toolkit.fluxcd.io + - helm.toolkit.fluxcd.io + - image.toolkit.fluxcd.io + - kustomize.toolkit.fluxcd.io + resources: + - '*' + verbs: + - create + - delete + - deletecollection + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: flux-view-flux-system +rules: +- apiGroups: + - notification.toolkit.fluxcd.io + - source.toolkit.fluxcd.io + - helm.toolkit.fluxcd.io + - image.toolkit.fluxcd.io + - kustomize.toolkit.fluxcd.io + resources: + - '*' + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: cluster-reconciler-flux-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: kustomize-controller + namespace: flux-system +- kind: ServiceAccount + name: helm-controller + namespace: flux-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: crd-controller-flux-system +roleRef: + 
apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crd-controller-flux-system +subjects: +- kind: ServiceAccount + name: kustomize-controller + namespace: flux-system +- kind: ServiceAccount + name: helm-controller + namespace: flux-system +- kind: ServiceAccount + name: source-controller + namespace: flux-system +- kind: ServiceAccount + name: notification-controller + namespace: flux-system +- kind: ServiceAccount + name: image-reflector-controller + namespace: flux-system +- kind: ServiceAccount + name: image-automation-controller + namespace: flux-system +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: buckets.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: Bucket + listKind: BucketList + plural: buckets + singular: bucket + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Bucket is the Schema for the buckets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BucketSpec defines the desired state of an S3 compatible + bucket + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + bucketName: + description: The bucket name. + type: string + endpoint: + description: The bucket endpoint address. + type: string + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS S3 HTTP endpoint. + type: boolean + interval: + description: The interval at which to check for bucket updates. + type: string + provider: + default: generic + description: The S3 compatible storage provider name, default ('generic'). 
+ enum: + - generic + - aws + - gcp + type: string + region: + description: The bucket region. + type: string + secretRef: + description: The name of the secret containing authentication credentials + for the Bucket. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for download operations, defaults to 60s. + type: string + required: + - bucketName + - endpoint + - interval + type: object + status: + default: + observedGeneration: -1 + description: BucketStatus defines the observed state of a bucket + properties: + artifact: + description: Artifact represents the output of the last successful + Bucket sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of this artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: Revision is a human readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm index timestamp, a Helm chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the Bucket. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the artifact output of the + last Bucket sync. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: Bucket is the Schema for the buckets API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BucketSpec specifies the required configuration to produce + an Artifact for an object storage bucket. + properties: + accessFrom: + description: 'AccessFrom specifies an Access Control List for allowing + cross-namespace references to this object. NOTE: Not implemented, + provisional as of https://github.com/fluxcd/flux2/pull/2092' + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + bucketName: + description: BucketName is the name of the object storage bucket. + type: string + endpoint: + description: Endpoint is the object storage address the BucketName + is located at. + type: string + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS HTTP Endpoint. 
+ type: boolean + interval: + description: Interval at which the Bucket Endpoint is checked for + updates. This interval is approximate and may be subject to jitter + to ensure efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + provider: + default: generic + description: Provider of the object storage bucket. Defaults to 'generic', + which expects an S3 (API) compatible object storage. + enum: + - generic + - aws + - gcp + - azure + type: string + region: + description: Region of the Endpoint where the BucketName is located + in. + type: string + secretRef: + description: SecretRef specifies the Secret containing authentication + credentials for the Bucket. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend the reconciliation + of this Bucket. + type: boolean + timeout: + default: 60s + description: Timeout for fetch operations, defaults to 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + required: + - bucketName + - endpoint + - interval + type: object + status: + default: + observedGeneration: -1 + description: BucketStatus records the observed state of a Bucket. + properties: + artifact: + description: Artifact represents the last successful Bucket reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: Path is the relative file path of the Artifact. 
It + can be used to locate the file in the root of the Artifact storage + on the local file system of the controller managing the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the Bucket. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Bucket object. 
+ format: int64 + type: integer + observedIgnore: + description: ObservedIgnore is the observed exclusion patterns used + for constructing the source artifact. + type: string + url: + description: URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact + data is recommended. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: gitrepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: GitRepository + listKind: GitRepositoryList + plural: gitrepositories + shortNames: + - gitrepo + singular: gitrepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GitRepositorySpec specifies the required configuration to + produce an Artifact for a Git repository. + properties: + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. + type: string + include: + description: Include specifies a list of GitRepository resources which + Artifacts should be included in the Artifact produced for this GitRepository. + items: + description: GitRepositoryInclude specifies a local reference to + a GitRepository which Artifact (sub-)contents must be included, + and where they should be placed. + properties: + fromPath: + description: FromPath specifies the path to copy contents from, + defaults to the root of the Artifact. + type: string + repository: + description: GitRepositoryRef specifies the GitRepository which + Artifact contents must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: ToPath specifies the path to copy contents to, + defaults to the name of the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + interval: + description: Interval at which the GitRepository URL is checked for + updates. This interval is approximate and may be subject to jitter + to ensure efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + proxySecretRef: + description: ProxySecretRef specifies the Secret containing the proxy + configuration to use while communicating with the Git server. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + recurseSubmodules: + description: RecurseSubmodules enables the initialization of all submodules + within the GitRepository as cloned from the URL, using their default + settings. + type: boolean + ref: + description: Reference specifies the Git reference to resolve and + monitor for changes, defaults to the 'master' branch. + properties: + branch: + description: Branch to check out, defaults to 'master' if no other + field is defined. + type: string + commit: + description: "Commit SHA to check out, takes precedence over all + reference fields. \n This can be combined with Branch to shallow + clone the branch, in which the commit is expected to exist." + type: string + name: + description: "Name of the reference to check out; takes precedence + over Branch, Tag and SemVer. \n It must be a valid Git reference: + https://git-scm.com/docs/git-check-ref-format#_description Examples: + \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", + \"refs/merge-requests/1/head\"" + type: string + semver: + description: SemVer tag expression to check out, takes precedence + over Tag. + type: string + tag: + description: Tag to check out, takes precedence over Branch. + type: string + type: object + secretRef: + description: SecretRef specifies the Secret containing authentication + credentials for the GitRepository. For HTTPS repositories the Secret + must contain 'username' and 'password' fields for basic auth or + 'bearerToken' field for token auth. For SSH repositories the Secret + must contain 'identity' and 'known_hosts' fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend the reconciliation + of this GitRepository. 
+ type: boolean + timeout: + default: 60s + description: Timeout for Git operations like cloning, defaults to + 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: URL specifies the Git repository URL, it can be an HTTP/S + or SSH address. + pattern: ^(http|https|ssh)://.*$ + type: string + verify: + description: Verification specifies the configuration to verify the + Git commit signature(s). + properties: + mode: + default: HEAD + description: "Mode specifies which Git object(s) should be verified. + \n The variants \"head\" and \"HEAD\" both imply the same thing, + i.e. verify the commit that the HEAD of the Git repository points + to. The variant \"head\" solely exists to ensure backwards compatibility." + enum: + - head + - HEAD + - Tag + - TagAndHEAD + type: string + secretRef: + description: SecretRef specifies the Secret containing the public + keys of trusted Git authors. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - secretRef + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus records the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the last successful GitRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: Path is the relative file path of the Artifact. 
It + can be used to locate the file in the root of the Artifact storage + on the local file system of the controller managing the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + includedArtifacts: + description: IncludedArtifacts contains a list of the last successfully + included Artifacts as instructed by GitRepositorySpec.Include. + items: + description: Artifact represents the output of a Source reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of + ':'. 
+ pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI + annotations. + type: object + path: + description: Path is the relative file path of the Artifact. + It can be used to locate the file in the root of the Artifact + storage on the local file system of the controller managing + the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the GitRepository object. + format: int64 + type: integer + observedIgnore: + description: ObservedIgnore is the observed exclusion patterns used + for constructing the source artifact. + type: string + observedInclude: + description: ObservedInclude is the observed list of GitRepository + resources used to produce the current Artifact. 
+ items: + description: GitRepositoryInclude specifies a local reference to + a GitRepository which Artifact (sub-)contents must be included, + and where they should be placed. + properties: + fromPath: + description: FromPath specifies the path to copy contents from, + defaults to the root of the Artifact. + type: string + repository: + description: GitRepositoryRef specifies the GitRepository which + Artifact contents must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: ToPath specifies the path to copy contents to, + defaults to the name of the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + observedRecurseSubmodules: + description: ObservedRecurseSubmodules is the observed resource submodules + configuration used to produce the current Artifact. + type: boolean + sourceVerificationMode: + description: SourceVerificationMode is the last used verification + mode indicating which Git object(s) have been verified. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 GitRepository is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GitRepositorySpec defines the desired state of a Git repository. + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + gitImplementation: + default: go-git + description: Determines which git client library to use. Defaults + to go-git, valid values are ('go-git', 'libgit2'). + enum: + - go-git + - libgit2 + type: string + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. 
+ type: string + include: + description: Extra git repositories to map into the repository + items: + description: GitRepositoryInclude defines a source with a from and + to path. + properties: + fromPath: + description: The path to copy contents from, defaults to the + root directory. + type: string + repository: + description: Reference to a GitRepository to include. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: The path to copy contents to, defaults to the name + of the source ref. + type: string + required: + - repository + type: object + type: array + interval: + description: The interval at which to check for repository updates. + type: string + recurseSubmodules: + description: When enabled, after the clone is created, initializes + all submodules within, using their default settings. This option + is available only when using the 'go-git' GitImplementation. + type: boolean + ref: + description: The Git reference to checkout and monitor for changes, + defaults to master branch. + properties: + branch: + description: The Git branch to checkout, defaults to master. + type: string + commit: + description: The Git commit SHA to checkout, if specified Tag + filters will be ignored. + type: string + semver: + description: The Git tag semver expression, takes precedence over + Tag. + type: string + tag: + description: The Git tag to checkout, takes precedence over Branch. + type: string + type: object + secretRef: + description: The secret name containing the Git credentials. For HTTPS + repositories the secret must contain username and password fields. + For SSH repositories the secret must contain identity and known_hosts + fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. 
+ type: boolean + timeout: + default: 60s + description: The timeout for remote Git operations like cloning, defaults + to 60s. + type: string + url: + description: The repository URL, can be a HTTP/S or SSH address. + pattern: ^(http|https|ssh)://.*$ + type: string + verify: + description: Verify OpenPGP signature for the Git commit HEAD points + to. + properties: + mode: + description: Mode describes what git object should be verified, + currently ('head'). + enum: + - head + type: string + secretRef: + description: The secret name containing the public keys of all + trusted Git authors. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - mode + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus defines the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the output of the last successful + repository sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of this artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: Revision is a human readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm index timestamp, a Helm chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. 
--- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + includedArtifacts: + description: IncludedArtifacts represents the included artifacts from + the last successful repository sync. + items: + description: Artifact represents the output of a source synchronisation. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of this artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: Revision is a human readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm index timestamp, a Helm chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - path + - url + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. 
+ format: int64 + type: integer + url: + description: URL is the download link for the artifact output of the + last repository sync. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 GitRepository is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GitRepositorySpec specifies the required configuration to + produce an Artifact for a Git repository. + properties: + accessFrom: + description: 'AccessFrom specifies an Access Control List for allowing + cross-namespace references to this object. NOTE: Not implemented, + provisional as of https://github.com/fluxcd/flux2/pull/2092' + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. 
Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + gitImplementation: + default: go-git + description: 'GitImplementation specifies which Git client library + implementation to use. Defaults to ''go-git'', valid values are + (''go-git'', ''libgit2''). Deprecated: gitImplementation is deprecated + now that ''go-git'' is the only supported implementation.' + enum: + - go-git + - libgit2 + type: string + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. + type: string + include: + description: Include specifies a list of GitRepository resources which + Artifacts should be included in the Artifact produced for this GitRepository. + items: + description: GitRepositoryInclude specifies a local reference to + a GitRepository which Artifact (sub-)contents must be included, + and where they should be placed. + properties: + fromPath: + description: FromPath specifies the path to copy contents from, + defaults to the root of the Artifact. + type: string + repository: + description: GitRepositoryRef specifies the GitRepository which + Artifact contents must be included. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + toPath: + description: ToPath specifies the path to copy contents to, + defaults to the name of the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + interval: + description: Interval at which to check the GitRepository for updates. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + recurseSubmodules: + description: RecurseSubmodules enables the initialization of all submodules + within the GitRepository as cloned from the URL, using their default + settings. + type: boolean + ref: + description: Reference specifies the Git reference to resolve and + monitor for changes, defaults to the 'master' branch. + properties: + branch: + description: Branch to check out, defaults to 'master' if no other + field is defined. + type: string + commit: + description: "Commit SHA to check out, takes precedence over all + reference fields. \n This can be combined with Branch to shallow + clone the branch, in which the commit is expected to exist." + type: string + name: + description: "Name of the reference to check out; takes precedence + over Branch, Tag and SemVer. \n It must be a valid Git reference: + https://git-scm.com/docs/git-check-ref-format#_description Examples: + \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", + \"refs/merge-requests/1/head\"" + type: string + semver: + description: SemVer tag expression to check out, takes precedence + over Tag. + type: string + tag: + description: Tag to check out, takes precedence over Branch. + type: string + type: object + secretRef: + description: SecretRef specifies the Secret containing authentication + credentials for the GitRepository. For HTTPS repositories the Secret + must contain 'username' and 'password' fields for basic auth or + 'bearerToken' field for token auth. For SSH repositories the Secret + must contain 'identity' and 'known_hosts' fields. 
+ properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend the reconciliation + of this GitRepository. + type: boolean + timeout: + default: 60s + description: Timeout for Git operations like cloning, defaults to + 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: URL specifies the Git repository URL, it can be an HTTP/S + or SSH address. + pattern: ^(http|https|ssh)://.*$ + type: string + verify: + description: Verification specifies the configuration to verify the + Git commit signature(s). + properties: + mode: + description: Mode specifies what Git object should be verified, + currently ('head'). + enum: + - head + type: string + secretRef: + description: SecretRef specifies the Secret containing the public + keys of trusted Git authors. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - mode + - secretRef + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus records the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the last successful GitRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: Path is the relative file path of the Artifact. 
It + can be used to locate the file in the root of the Artifact storage + on the local file system of the controller managing the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + contentConfigChecksum: + description: "ContentConfigChecksum is a checksum of all the configurations + related to the content of the source artifact: - .spec.ignore - + .spec.recurseSubmodules - .spec.included and the checksum of the + included artifacts observed in .status.observedGeneration version + of the object. 
This can be used to determine if the content of the + included repository has changed. It has the format of `:`, + for example: `sha256:`. \n Deprecated: Replaced with explicit + fields for observed artifact content config in the status." + type: string + includedArtifacts: + description: IncludedArtifacts contains a list of the last successfully + included Artifacts as instructed by GitRepositorySpec.Include. + items: + description: Artifact represents the output of a Source reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of + ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI + annotations. + type: object + path: + description: Path is the relative file path of the Artifact. + It can be used to locate the file in the root of the Artifact + storage on the local file system of the controller managing + the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. 
+ type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the GitRepository object. + format: int64 + type: integer + observedIgnore: + description: ObservedIgnore is the observed exclusion patterns used + for constructing the source artifact. + type: string + observedInclude: + description: ObservedInclude is the observed list of GitRepository + resources used to to produce the current Artifact. + items: + description: GitRepositoryInclude specifies a local reference to + a GitRepository which Artifact (sub-)contents must be included, + and where they should be placed. + properties: + fromPath: + description: FromPath specifies the path to copy contents from, + defaults to the root of the Artifact. + type: string + repository: + description: GitRepositoryRef specifies the GitRepository which + Artifact contents must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: ToPath specifies the path to copy contents to, + defaults to the name of the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + observedRecurseSubmodules: + description: ObservedRecurseSubmodules is the observed resource submodules + configuration used to produce the current Artifact. + type: boolean + url: + description: URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise GitRepositoryStatus.Artifact + data is recommended. 
+ type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: helmcharts.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: HelmChart + listKind: HelmChartList + plural: helmcharts + shortNames: + - hc + singular: helmchart + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.chart + name: Chart + type: string + - jsonPath: .spec.version + name: Version + type: string + - jsonPath: .spec.sourceRef.kind + name: Source Kind + type: string + - jsonPath: .spec.sourceRef.name + name: Source Name + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HelmChart is the Schema for the helmcharts API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HelmChartSpec defines the desired state of a Helm chart. + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + chart: + description: The name or path the Helm chart is available at in the + SourceRef. + type: string + interval: + description: The interval at which to check the Source for updates. + type: string + reconcileStrategy: + default: ChartVersion + description: Determines what enables the creation of a new artifact. + Valid values are ('ChartVersion', 'Revision'). See the documentation + of the values for an explanation on their behavior. Defaults to + ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: The reference to the Source the chart is available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent, valid values are ('HelmRepository', + 'GitRepository', 'Bucket'). 
+ enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + required: + - kind + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + valuesFile: + description: Alternative values file to use as the default chart values, + expected to be a relative path in the SourceRef. Deprecated in favor + of ValuesFiles, for backwards compatibility the file defined here + is merged before the ValuesFiles items. Ignored when omitted. + type: string + valuesFiles: + description: Alternative list of values files to use as the chart + values (values.yaml is not included by default), expected to be + a relative path in the SourceRef. Values files are merged in the + order of this list with the last file overriding the first. Ignored + when omitted. + items: + type: string + type: array + version: + default: '*' + description: The chart version semver expression, ignored for charts + from GitRepository and Bucket sources. Defaults to latest when omitted. + type: string + required: + - chart + - interval + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: HelmChartStatus defines the observed state of the HelmChart. + properties: + artifact: + description: Artifact represents the output of the last successful + chart sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of this artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: Revision is a human readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm index timestamp, a Helm chart version, etc. 
+ type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmChart. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. 
Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the last chart pulled. 
+ type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.chart + name: Chart + type: string + - jsonPath: .spec.version + name: Version + type: string + - jsonPath: .spec.sourceRef.kind + name: Source Kind + type: string + - jsonPath: .spec.sourceRef.name + name: Source Name + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: HelmChart is the Schema for the helmcharts API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HelmChartSpec specifies the desired state of a Helm chart. + properties: + accessFrom: + description: 'AccessFrom specifies an Access Control List for allowing + cross-namespace references to this object. NOTE: Not implemented, + provisional as of https://github.com/fluxcd/flux2/pull/2092' + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. 
+ items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + chart: + description: Chart is the name or path the Helm chart is available + at in the SourceRef. + type: string + interval: + description: Interval at which the HelmChart SourceRef is checked + for updates. This interval is approximate and may be subject to + jitter to ensure efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: ReconcileStrategy determines what enables the creation + of a new artifact. Valid values are ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on their + behavior. Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: SourceRef is the reference to the Source the chart is + available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent, valid values are ('HelmRepository', + 'GitRepository', 'Bucket'). + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + required: + - kind + - name + type: object + suspend: + description: Suspend tells the controller to suspend the reconciliation + of this source. 
+ type: boolean + valuesFile: + description: ValuesFile is an alternative values file to use as the + default chart values, expected to be a relative path in the SourceRef. + Deprecated in favor of ValuesFiles, for backwards compatibility + the file specified here is merged before the ValuesFiles items. + Ignored when omitted. + type: string + valuesFiles: + description: ValuesFiles is an alternative list of values files to + use as the chart values (values.yaml is not included by default), + expected to be a relative path in the SourceRef. Values files are + merged in the order of this list with the last file overriding the + first. Ignored when omitted. + items: + type: string + type: array + verify: + description: Verify contains the secret name containing the trusted + public keys used to verify the signature and specifies which provider + to use to check whether OCI image is authentic. This field is only + supported when using HelmRepository source with spec.type 'oci'. + Chart dependencies, which are not bundled in the umbrella chart + artifact, are not verified. + properties: + provider: + default: cosign + description: Provider specifies the technology used to sign the + OCI Artifact. + enum: + - cosign + type: string + secretRef: + description: SecretRef specifies the Kubernetes Secret containing + the trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: Version is the chart version semver expression, ignored + for charts from GitRepository and Bucket sources. Defaults to latest + when omitted. + type: string + required: + - chart + - interval + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: HelmChartStatus records the observed state of the HelmChart. 
+ properties: + artifact: + description: Artifact represents the output of the last successful + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: Path is the relative file path of the Artifact. It + can be used to locate the file in the root of the Artifact storage + on the local file system of the controller managing the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmChart. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedChartName: + description: ObservedChartName is the last observed chart name as + specified by the resolved chart reference. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the HelmChart object. + format: int64 + type: integer + observedSourceArtifactRevision: + description: ObservedSourceArtifactRevision is the last observed Artifact.Revision + of the HelmChartSpec.SourceRef. + type: string + url: + description: URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact + data is recommended. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: helmrepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: HelmRepository + listKind: HelmRepositoryList + plural: helmrepositories + shortNames: + - helmrepo + singular: helmrepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HelmRepository is the Schema for the helmrepositories API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HelmRepositorySpec defines the reference to a Helm repository. 
+ properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + interval: + description: The interval at which to check the upstream for updates. + type: string + passCredentials: + description: PassCredentials allows the credentials from the SecretRef + to be passed on to a host that does not match the host as defined + in URL. This may be required if the host of the advertised chart + URLs in the index differ from the defined URL. Enabling this should + be done with caution, as it can potentially result in credentials + getting stolen in a MITM-attack. + type: boolean + secretRef: + description: The name of the secret containing authentication credentials + for the Helm repository. For HTTP/S basic auth the secret must contain + username and password fields. For TLS the secret must contain a + certFile and keyFile, and/or caFile fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. 
+ type: boolean + timeout: + default: 60s + description: The timeout of index downloading, defaults to 60s. + type: string + url: + description: The Helm repository URL, a valid URL contains at least + a protocol and host. + type: string + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: HelmRepositoryStatus defines the observed state of the HelmRepository. + properties: + artifact: + description: Artifact represents the output of the last successful + repository sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of this artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: Revision is a human readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm index timestamp, a Helm chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmRepository. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the last index fetched. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: HelmRepository is the Schema for the helmrepositories API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HelmRepositorySpec specifies the required configuration to + produce an Artifact for a Helm repository index YAML. + properties: + accessFrom: + description: 'AccessFrom specifies an Access Control List for allowing + cross-namespace references to this object. NOTE: Not implemented, + provisional as of https://github.com/fluxcd/flux2/pull/2092' + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + certSecretRef: + description: "CertSecretRef can be given the name of a Secret containing + either or both of \n - a PEM-encoded client certificate (`tls.crt`) + and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) + \n and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are authenticating + with a certificate; the CA cert is useful if you are using a self-signed + server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. 
+ \n It takes precedence over the values specified in the Secret referred + to by `.spec.secretRef`." + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + interval: + description: Interval at which the HelmRepository URL is checked for + updates. This interval is approximate and may be subject to jitter + to ensure efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + passCredentials: + description: PassCredentials allows the credentials from the SecretRef + to be passed on to a host that does not match the host as defined + in URL. This may be required if the host of the advertised chart + URLs in the index differ from the defined URL. Enabling this should + be done with caution, as it can potentially result in credentials + getting stolen in a MITM-attack. + type: boolean + provider: + default: generic + description: Provider used for authentication, can be 'aws', 'azure', + 'gcp' or 'generic'. This field is optional, and only taken into + account if the .spec.type field is set to 'oci'. When not specified, + defaults to 'generic'. + enum: + - generic + - aws + - azure + - gcp + type: string + secretRef: + description: SecretRef specifies the Secret containing authentication + credentials for the HelmRepository. For HTTP/S basic auth the secret + must contain 'username' and 'password' fields. Support for TLS auth + using the 'certFile' and 'keyFile', and/or 'caFile' keys is deprecated. + Please use `.spec.certSecretRef` instead. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend the reconciliation + of this HelmRepository. + type: boolean + timeout: + default: 60s + description: Timeout is used for the index fetch operation for an + HTTPS helm repository, and for remote OCI Repository operations + like pulling for an OCI helm repository. 
Its default value is 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: Type of the HelmRepository. When this field is set to "oci", + the URL field value must be prefixed with "oci://". + enum: + - default + - oci + type: string + url: + description: URL of the Helm repository, a valid URL contains at least + a protocol and host. + type: string + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: HelmRepositoryStatus records the observed state of the HelmRepository. + properties: + artifact: + description: Artifact represents the last successful HelmRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: Path is the relative file path of the Artifact. It + can be used to locate the file in the root of the Artifact storage + on the local file system of the controller managing the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. 
+ type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmRepository. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. 
The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the HelmRepository object. + format: int64 + type: integer + url: + description: URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise HelmRepositoryStatus.Artifact + data is recommended. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: ocirepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: OCIRepository + listKind: OCIRepositoryList + plural: ocirepositories + shortNames: + - ocirepo + singular: ocirepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: OCIRepository is the Schema for the ocirepositories API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: OCIRepositorySpec defines the desired state of OCIRepository + properties: + certSecretRef: + description: "CertSecretRef can be given the name of a Secret containing + either or both of \n - a PEM-encoded client certificate (`tls.crt`) + and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) + \n and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are authenticating + with a certificate; the CA cert is useful if you are using a self-signed + server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. + \n Note: Support for the `caFile`, `certFile` and `keyFile` keys + have been deprecated." + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS HTTP container + registry. + type: boolean + interval: + description: Interval at which the OCIRepository URL is checked for + updates. This interval is approximate and may be subject to jitter + to ensure efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + layerSelector: + description: LayerSelector specifies which layer should be extracted + from the OCI artifact. When not specified, the first layer found + in the artifact is selected. + properties: + mediaType: + description: MediaType specifies the OCI media type of the layer + which should be extracted from the OCI Artifact. The first layer + matching this type is selected. 
+ type: string + operation: + description: Operation specifies how the selected layer should + be processed. By default, the layer compressed content is extracted + to storage. When the operation is set to 'copy', the layer compressed + content is persisted to storage as it is. + enum: + - extract + - copy + type: string + type: object + provider: + default: generic + description: The provider used for authentication, can be 'aws', 'azure', + 'gcp' or 'generic'. When not specified, defaults to 'generic'. + enum: + - generic + - aws + - azure + - gcp + type: string + ref: + description: The OCI reference to pull and monitor for changes, defaults + to the latest tag. + properties: + digest: + description: Digest is the image digest to pull, takes precedence + over SemVer. The value should be in the format 'sha256:'. + type: string + semver: + description: SemVer is the range of tags to pull selecting the + latest within the range, takes precedence over Tag. + type: string + tag: + description: Tag is the image tag to pull, defaults to latest. + type: string + type: object + secretRef: + description: SecretRef contains the secret name containing the registry + login credentials to resolve image metadata. The secret must be + of type kubernetes.io/dockerconfigjson. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + serviceAccountName: + description: 'ServiceAccountName is the name of the Kubernetes ServiceAccount + used to authenticate the image pull if the service account has attached + pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account' + type: string + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for remote OCI Repository operations like + pulling, defaults to 60s. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: URL is a reference to an OCI artifact repository hosted + on a remote container registry. + pattern: ^oci://.*$ + type: string + verify: + description: Verify contains the secret name containing the trusted + public keys used to verify the signature and specifies which provider + to use to check whether OCI image is authentic. + properties: + provider: + default: cosign + description: Provider specifies the technology used to sign the + OCI Artifact. + enum: + - cosign + type: string + secretRef: + description: SecretRef specifies the Kubernetes Secret containing + the trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: OCIRepositoryStatus defines the observed state of OCIRepository + properties: + artifact: + description: Artifact represents the output of the last successful + OCI Repository sync. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: Path is the relative file path of the Artifact. It + can be used to locate the file in the root of the Artifact storage + on the local file system of the controller managing the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. 
+ type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the OCIRepository. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + contentConfigChecksum: + description: "ContentConfigChecksum is a checksum of all the configurations + related to the content of the source artifact: - .spec.ignore - + .spec.layerSelector observed in .status.observedGeneration version + of the object. This can be used to determine if the content configuration + has changed and the artifact needs to be rebuilt. It has the format + of `:`, for example: `sha256:`. \n Deprecated: + Replaced with explicit fields for observed artifact content config + in the status." + type: string + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. 
+ type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + observedIgnore: + description: ObservedIgnore is the observed exclusion patterns used + for constructing the source artifact. + type: string + observedLayerSelector: + description: ObservedLayerSelector is the observed layer selector + used for constructing the source artifact. + properties: + mediaType: + description: MediaType specifies the OCI media type of the layer + which should be extracted from the OCI Artifact. The first layer + matching this type is selected. + type: string + operation: + description: Operation specifies how the selected layer should + be processed. By default, the layer compressed content is extracted + to storage. When the operation is set to 'copy', the layer compressed + content is persisted to storage as it is. + enum: + - extract + - copy + type: string + type: object + url: + description: URL is the download link for the artifact output of the + last OCI Repository sync. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: source-controller + namespace: flux-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + control-plane: controller + name: source-controller + namespace: flux-system +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app: source-controller + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + control-plane: controller + name: source-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: source-controller + strategy: + type: Recreate + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: source-controller + spec: + containers: + - args: + - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ + - --watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + - --storage-path=/data + - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local. 
+ env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: TUF_ROOT + value: /tmp/.sigstore + image: ghcr.io/fluxcd/source-controller:v1.1.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 9090 + name: http + protocol: TCP + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: / + port: http + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 50m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /data + name: data + - mountPath: /tmp + name: tmp + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1337 + serviceAccountName: source-controller + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: data + - emptyDir: {} + name: tmp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + labels: + app.kubernetes.io/component: kustomize-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: kustomizations.kustomize.toolkit.fluxcd.io +spec: + group: kustomize.toolkit.fluxcd.io + names: + kind: Kustomization + listKind: KustomizationList + plural: kustomizations + shortNames: + - ks + singular: kustomization + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + 
name: v1 + schema: + openAPIV3Schema: + description: Kustomization is the Schema for the kustomizations API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KustomizationSpec defines the configuration to calculate + the desired state from a Source using Kustomize. + properties: + commonMetadata: + description: CommonMetadata specifies the common labels and annotations + that are applied to all resources. Any existing label or annotation + will be overridden if its key matches a common one. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to be added to the object's metadata. + type: object + labels: + additionalProperties: + type: string + description: Labels to be added to the object's metadata. + type: object + type: object + components: + description: Components specifies relative paths to specifications + of other Components. + items: + type: string + type: array + decryption: + description: Decrypt Kubernetes secrets before applying them on the + cluster. + properties: + provider: + description: Provider is the name of the decryption engine. + enum: + - sops + type: string + secretRef: + description: The secret name containing the private OpenPGP keys + used for decryption. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + required: + - provider + type: object + dependsOn: + description: DependsOn may contain a meta.NamespacedObjectReference + slice with references to Kustomization resources that must be ready + before this Kustomization can be reconciled. + items: + description: NamespacedObjectReference contains enough information + to locate the referenced Kubernetes resource object in any namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + force: + default: false + description: Force instructs the controller to recreate resources + when patching fails due to an immutable field change. + type: boolean + healthChecks: + description: A list of resources to be included in the health assessment. + items: + description: NamespacedObjectKindReference contains enough information + to locate the typed referenced Kubernetes resource object in any + namespace. + properties: + apiVersion: + description: API version of the referent, if not specified the + Kubernetes preferred version will be used. + type: string + kind: + description: Kind of the referent. + type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - kind + - name + type: object + type: array + images: + description: Images is a list of (image name, new name, new tag or + digest) for changing image names, tags or digests. This can also + be achieved with a patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, a new tag + or digest, which will replace the original name and tag. 
+ properties: + digest: + description: Digest is the value used to replace the original + image tag. If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace the original + name. + type: string + newTag: + description: NewTag is the value used to replace the original + tag. + type: string + required: + - name + type: object + type: array + interval: + description: The interval at which to reconcile the Kustomization. + This interval is approximate and may be subject to jitter to ensure + efficient use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: The KubeConfig for reconciling the Kustomization on a + remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at + the target cluster. If the --default-service-account flag is set, + its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: SecretRef holds the name of a secret that contains + a key with the kubeconfig file as the value. If no key is set, + the key will default to 'value'. It is recommended that the + kubeconfig is self-contained, and the secret is regularly updated + if credentials such as a cloud-access-token expire. Cloud specific + `cmd-path` auth helpers will not function without adding binaries + and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. 
+ type: string + required: + - name + type: object + required: + - secretRef + type: object + patches: + description: Strategic merge and JSON patches, defined as inline YAML + objects, capable of targeting objects based on kind, label and annotation + selectors. + items: + description: Patch contains an inline StrategicMerge or JSON6902 + patch, and the target the patch should be applied to. + properties: + patch: + description: Patch contains an inline StrategicMerge patch or + an inline JSON6902 patch with an array of operation objects. + type: string + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: AnnotationSelector is a string that follows + the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: Group is the API group to select resources + from. Together with Version and Kind it is capable of + unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: LabelSelector is a string that follows the + label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: Version of the API Group to select resources + from. 
Together with Group and Kind it is capable of unambiguously + identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + path: + description: Path to the directory containing the kustomization.yaml + file, or the set of plain YAMLs a kustomization.yaml should be generated + for. Defaults to 'None', which translates to the root path of the + SourceRef. + type: string + postBuild: + description: PostBuild describes which actions to perform on the YAML + manifest generated by building the kustomize overlay. + properties: + substitute: + additionalProperties: + type: string + description: Substitute holds a map of key/value pairs. The variables + defined in your YAML manifests that match any of the keys defined + in the map will be substituted with the set value. Includes + support for bash string replacement functions e.g. ${var:=default}, + ${var:position} and ${var/substring/replacement}. + type: object + substituteFrom: + description: SubstituteFrom holds references to ConfigMaps and + Secrets containing the variables and their values to be substituted + in the YAML manifests. The ConfigMap and the Secret data keys + represent the var names, and they must match the vars declared + in the manifests for the substitution to happen. + items: + description: SubstituteReference contains a reference to a resource + containing the variables name and value. + properties: + kind: + description: Kind of the values referent, valid values are + ('Secret', 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the values referent. Should reside + in the same namespace as the referring resource. 
+ maxLength: 253 + minLength: 1 + type: string + optional: + default: false + description: Optional indicates whether the referenced resource + must exist, or whether to tolerate its absence. If true + and the referenced resource is absent, proceed as if the + resource was present but empty, without any variables + defined. + type: boolean + required: + - kind + - name + type: object + type: array + type: object + prune: + description: Prune enables garbage collection. + type: boolean + retryInterval: + description: The interval at which to retry a previously failed reconciliation. + When not specified, the controller uses the KustomizationSpec.Interval + value to retry failures. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + serviceAccountName: + description: The name of the Kubernetes service account to impersonate + when reconciling this Kustomization. + type: string + sourceRef: + description: Reference of the source where the kustomization file + is. + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, defaults to the namespace + of the Kubernetes resource object that contains the reference. + type: string + required: + - kind + - name + type: object + suspend: + description: This flag tells the controller to suspend subsequent + kustomize executions, it does not apply to already started executions. + Defaults to false. + type: boolean + targetNamespace: + description: TargetNamespace sets or overrides the namespace in the + kustomization.yaml file. + maxLength: 63 + minLength: 1 + type: string + timeout: + description: Timeout for validation, apply and health checking operations. + Defaults to 'Interval' duration. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + wait: + description: Wait instructs the controller to check the health of + all the reconciled resources. When enabled, the HealthChecks are + ignored. Defaults to false. + type: boolean + required: + - interval + - prune + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: KustomizationStatus defines the observed state of a kustomization. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + inventory: + description: Inventory contains the list of Kubernetes resource object + references that have been successfully applied. + properties: + entries: + description: Entries of Kubernetes resource object references. + items: + description: ResourceRef contains the information necessary + to locate a resource within a cluster. + properties: + id: + description: ID is the string representation of the Kubernetes + resource object's metadata, in the format '___'. + type: string + v: + description: Version is the API version of the Kubernetes + resource object's kind. 
+ type: string + required: + - id + - v + type: object + type: array + required: + - entries + type: object + lastAppliedRevision: + description: The last successfully applied revision. Equals the Revision + of the applied Artifact from the referenced Source. + type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 Kustomization is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: Kustomization is the Schema for the kustomizations API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KustomizationSpec defines the desired state of a kustomization. + properties: + decryption: + description: Decrypt Kubernetes secrets before applying them on the + cluster. + properties: + provider: + description: Provider is the name of the decryption engine. + enum: + - sops + type: string + secretRef: + description: The secret name containing the private OpenPGP keys + used for decryption. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + dependsOn: + description: DependsOn may contain a meta.NamespacedObjectReference + slice with references to Kustomization resources that must be ready + before this Kustomization can be reconciled. + items: + description: NamespacedObjectReference contains enough information + to locate the referenced Kubernetes resource object in any namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + force: + default: false + description: Force instructs the controller to recreate resources + when patching fails due to an immutable field change. + type: boolean + healthChecks: + description: A list of resources to be included in the health assessment. + items: + description: NamespacedObjectKindReference contains enough information + to locate the typed referenced Kubernetes resource object in any + namespace. + properties: + apiVersion: + description: API version of the referent, if not specified the + Kubernetes preferred version will be used. + type: string + kind: + description: Kind of the referent. + type: string + name: + description: Name of the referent. 
+ type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - kind + - name + type: object + type: array + images: + description: Images is a list of (image name, new name, new tag or + digest) for changing image names, tags or digests. This can also + be achieved with a patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, a new tag + or digest, which will replace the original name and tag. + properties: + digest: + description: Digest is the value used to replace the original + image tag. If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace the original + name. + type: string + newTag: + description: NewTag is the value used to replace the original + tag. + type: string + required: + - name + type: object + type: array + interval: + description: The interval at which to reconcile the Kustomization. + type: string + kubeConfig: + description: The KubeConfig for reconciling the Kustomization on a + remote cluster. When specified, KubeConfig takes precedence over + ServiceAccountName. + properties: + secretRef: + description: SecretRef holds the name to a secret that contains + a 'value' key with the kubeconfig file as the value. It must + be in the same namespace as the Kustomization. It is recommended + that the kubeconfig is self-contained, and the secret is regularly + updated if credentials such as a cloud-access-token expire. + Cloud specific `cmd-path` auth helpers will not function without + adding binaries and credentials to the Pod that is responsible + for reconciling the Kustomization. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + type: object + patches: + description: Strategic merge and JSON patches, defined as inline YAML + objects, capable of targeting objects based on kind, label and annotation + selectors. + items: + description: Patch contains an inline StrategicMerge or JSON6902 + patch, and the target the patch should be applied to. + properties: + patch: + description: Patch contains an inline StrategicMerge patch or + an inline JSON6902 patch with an array of operation objects. + type: string + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: AnnotationSelector is a string that follows + the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: Group is the API group to select resources + from. Together with Version and Kind it is capable of + unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: LabelSelector is a string that follows the + label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: Version of the API Group to select resources + from. 
Together with Group and Kind it is capable of unambiguously + identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: JSON 6902 patches, defined as inline YAML objects. + items: + description: JSON6902Patch contains a JSON6902 patch and the target + the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document with + an array of operation objects. + items: + description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: From contains a JSON-pointer value that references + a location within the target document where the operation + is performed. The meaning of the value depends on the + value of Op, and is NOT taken into account by all operations. + type: string + op: + description: Op indicates the operation to perform. Its + value MUST be one of "add", "remove", "replace", "move", + "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: Path contains the JSON-pointer value that + references a location within the target document where + the operation is performed. The meaning of the value + depends on the value of Op. + type: string + value: + description: Value contains a valid JSON structure. The + meaning of the value depends on the value of Op, and + is NOT taken into account by all operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the patch document + should be applied to. 
+ properties: + annotationSelector: + description: AnnotationSelector is a string that follows + the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: Group is the API group to select resources + from. Together with Version and Kind it is capable of + unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: LabelSelector is a string that follows the + label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: Version of the API Group to select resources + from. Together with Group and Kind it is capable of unambiguously + identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: Strategic merge patches, defined as inline YAML objects. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + path: + description: Path to the directory containing the kustomization.yaml + file, or the set of plain YAMLs a kustomization.yaml should be generated + for. 
Defaults to 'None', which translates to the root path of the + SourceRef. + type: string + postBuild: + description: PostBuild describes which actions to perform on the YAML + manifest generated by building the kustomize overlay. + properties: + substitute: + additionalProperties: + type: string + description: Substitute holds a map of key/value pairs. The variables + defined in your YAML manifests that match any of the keys defined + in the map will be substituted with the set value. Includes + support for bash string replacement functions e.g. ${var:=default}, + ${var:position} and ${var/substring/replacement}. + type: object + substituteFrom: + description: SubstituteFrom holds references to ConfigMaps and + Secrets containing the variables and their values to be substituted + in the YAML manifests. The ConfigMap and the Secret data keys + represent the var names and they must match the vars declared + in the manifests for the substitution to happen. + items: + description: SubstituteReference contains a reference to a resource + containing the variables name and value. + properties: + kind: + description: Kind of the values referent, valid values are + ('Secret', 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the values referent. Should reside + in the same namespace as the referring resource. + maxLength: 253 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + type: object + prune: + description: Prune enables garbage collection. + type: boolean + retryInterval: + description: The interval at which to retry a previously failed reconciliation. + When not specified, the controller uses the KustomizationSpec.Interval + value to retry failures. + type: string + serviceAccountName: + description: The name of the Kubernetes service account to impersonate + when reconciling this Kustomization. 
+ type: string + sourceRef: + description: Reference of the source where the kustomization file + is. + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - GitRepository + - Bucket + type: string + name: + description: Name of the referent + type: string + namespace: + description: Namespace of the referent, defaults to the Kustomization + namespace + type: string + required: + - kind + - name + type: object + suspend: + description: This flag tells the controller to suspend subsequent + kustomize executions, it does not apply to already started executions. + Defaults to false. + type: boolean + targetNamespace: + description: TargetNamespace sets or overrides the namespace in the + kustomization.yaml file. + maxLength: 63 + minLength: 1 + type: string + timeout: + description: Timeout for validation, apply and health checking operations. + Defaults to 'Interval' duration. + type: string + validation: + description: Validate the Kubernetes objects before applying them + on the cluster. The validation strategy can be 'client' (local dry-run), + 'server' (APIServer dry-run) or 'none'. When 'Force' is 'true', + validation will fallback to 'client' if set to 'server' because + server-side validation is not supported in this scenario. + enum: + - none + - client + - server + type: string + required: + - interval + - prune + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: KustomizationStatus defines the observed state of a kustomization. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastAppliedRevision: + description: The last successfully applied revision. The revision + format for Git sources is /. + type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + snapshot: + description: The last successfully applied revision metadata. + properties: + checksum: + description: The manifests sha1 checksum. + type: string + entries: + description: A list of Kubernetes kinds grouped by namespace. + items: + description: Snapshot holds the metadata of namespaced Kubernetes + objects + properties: + kinds: + additionalProperties: + type: string + description: The list of Kubernetes kinds. + type: object + namespace: + description: The namespace of this entry. 
+ type: string + required: + - kinds + type: object + type: array + required: + - checksum + - entries + type: object + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Kustomization is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: Kustomization is the Schema for the kustomizations API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KustomizationSpec defines the configuration to calculate + the desired state from a Source using Kustomize. + properties: + commonMetadata: + description: CommonMetadata specifies the common labels and annotations + that are applied to all resources. Any existing label or annotation + will be overridden if its key matches a common one. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to be added to the object's metadata. 
+ type: object + labels: + additionalProperties: + type: string + description: Labels to be added to the object's metadata. + type: object + type: object + components: + description: Components specifies relative paths to specifications + of other Components. + items: + type: string + type: array + decryption: + description: Decrypt Kubernetes secrets before applying them on the + cluster. + properties: + provider: + description: Provider is the name of the decryption engine. + enum: + - sops + type: string + secretRef: + description: The secret name containing the private OpenPGP keys + used for decryption. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + dependsOn: + description: DependsOn may contain a meta.NamespacedObjectReference + slice with references to Kustomization resources that must be ready + before this Kustomization can be reconciled. + items: + description: NamespacedObjectReference contains enough information + to locate the referenced Kubernetes resource object in any namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + force: + default: false + description: Force instructs the controller to recreate resources + when patching fails due to an immutable field change. + type: boolean + healthChecks: + description: A list of resources to be included in the health assessment. + items: + description: NamespacedObjectKindReference contains enough information + to locate the typed referenced Kubernetes resource object in any + namespace. + properties: + apiVersion: + description: API version of the referent, if not specified the + Kubernetes preferred version will be used. + type: string + kind: + description: Kind of the referent. 
+ type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - kind + - name + type: object + type: array + images: + description: Images is a list of (image name, new name, new tag or + digest) for changing image names, tags or digests. This can also + be achieved with a patch, but this operator is simpler to specify. + items: + description: Image contains an image name, a new name, a new tag + or digest, which will replace the original name and tag. + properties: + digest: + description: Digest is the value used to replace the original + image tag. If digest is present NewTag value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace the original + name. + type: string + newTag: + description: NewTag is the value used to replace the original + tag. + type: string + required: + - name + type: object + type: array + interval: + description: The interval at which to reconcile the Kustomization. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: The KubeConfig for reconciling the Kustomization on a + remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at + the target cluster. If the --default-service-account flag is set, + its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: SecretRef holds the name of a secret that contains + a key with the kubeconfig file as the value. If no key is set, + the key will default to 'value'. It is recommended that the + kubeconfig is self-contained, and the secret is regularly updated + if credentials such as a cloud-access-token expire. 
Cloud specific + `cmd-path` auth helpers will not function without adding binaries + and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + patches: + description: Strategic merge and JSON patches, defined as inline YAML + objects, capable of targeting objects based on kind, label and annotation + selectors. + items: + description: Patch contains an inline StrategicMerge or JSON6902 + patch, and the target the patch should be applied to. + properties: + patch: + description: Patch contains an inline StrategicMerge patch or + an inline JSON6902 patch with an array of operation objects. + type: string + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: AnnotationSelector is a string that follows + the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: Group is the API group to select resources + from. Together with Version and Kind it is capable of + unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: LabelSelector is a string that follows the + label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: Version of the API Group to select resources + from. Together with Group and Kind it is capable of unambiguously + identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: 'JSON 6902 patches, defined as inline YAML objects. Deprecated: + Use Patches instead.' + items: + description: JSON6902Patch contains a JSON6902 patch and the target + the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document with + an array of operation objects. + items: + description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: From contains a JSON-pointer value that references + a location within the target document where the operation + is performed. The meaning of the value depends on the + value of Op, and is NOT taken into account by all operations. + type: string + op: + description: Op indicates the operation to perform. Its + value MUST be one of "add", "remove", "replace", "move", + "copy", or "test". 
https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: Path contains the JSON-pointer value that + references a location within the target document where + the operation is performed. The meaning of the value + depends on the value of Op. + type: string + value: + description: Value contains a valid JSON structure. The + meaning of the value depends on the value of Op, and + is NOT taken into account by all operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the patch document + should be applied to. + properties: + annotationSelector: + description: AnnotationSelector is a string that follows + the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: Group is the API group to select resources + from. Together with Version and Kind it is capable of + unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: LabelSelector is a string that follows the + label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. 
+ type: string + version: + description: Version of the API Group to select resources + from. Together with Group and Kind it is capable of unambiguously + identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: 'Strategic merge patches, defined as inline YAML objects. + Deprecated: Use Patches instead.' + items: + x-kubernetes-preserve-unknown-fields: true + type: array + path: + description: Path to the directory containing the kustomization.yaml + file, or the set of plain YAMLs a kustomization.yaml should be generated + for. Defaults to 'None', which translates to the root path of the + SourceRef. + type: string + postBuild: + description: PostBuild describes which actions to perform on the YAML + manifest generated by building the kustomize overlay. + properties: + substitute: + additionalProperties: + type: string + description: Substitute holds a map of key/value pairs. The variables + defined in your YAML manifests that match any of the keys defined + in the map will be substituted with the set value. Includes + support for bash string replacement functions e.g. ${var:=default}, + ${var:position} and ${var/substring/replacement}. + type: object + substituteFrom: + description: SubstituteFrom holds references to ConfigMaps and + Secrets containing the variables and their values to be substituted + in the YAML manifests. The ConfigMap and the Secret data keys + represent the var names and they must match the vars declared + in the manifests for the substitution to happen. + items: + description: SubstituteReference contains a reference to a resource + containing the variables name and value. + properties: + kind: + description: Kind of the values referent, valid values are + ('Secret', 'ConfigMap'). 
+ enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the values referent. Should reside + in the same namespace as the referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + default: false + description: Optional indicates whether the referenced resource + must exist, or whether to tolerate its absence. If true + and the referenced resource is absent, proceed as if the + resource was present but empty, without any variables + defined. + type: boolean + required: + - kind + - name + type: object + type: array + type: object + prune: + description: Prune enables garbage collection. + type: boolean + retryInterval: + description: The interval at which to retry a previously failed reconciliation. + When not specified, the controller uses the KustomizationSpec.Interval + value to retry failures. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + serviceAccountName: + description: The name of the Kubernetes service account to impersonate + when reconciling this Kustomization. + type: string + sourceRef: + description: Reference of the source where the kustomization file + is. + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - OCIRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, defaults to the namespace + of the Kubernetes resource object that contains the reference. + type: string + required: + - kind + - name + type: object + suspend: + description: This flag tells the controller to suspend subsequent + kustomize executions, it does not apply to already started executions. + Defaults to false. + type: boolean + targetNamespace: + description: TargetNamespace sets or overrides the namespace in the + kustomization.yaml file. 
+ maxLength: 63 + minLength: 1 + type: string + timeout: + description: Timeout for validation, apply and health checking operations. + Defaults to 'Interval' duration. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + validation: + description: 'Deprecated: Not used in v1beta2.' + enum: + - none + - client + - server + type: string + wait: + description: Wait instructs the controller to check the health of + all the reconciled resources. When enabled, the HealthChecks are + ignored. Defaults to false. + type: boolean + required: + - interval + - prune + - sourceRef + type: object + status: + default: + observedGeneration: -1 + description: KustomizationStatus defines the observed state of a kustomization. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + inventory: + description: Inventory contains the list of Kubernetes resource object + references that have been successfully applied. + properties: + entries: + description: Entries of Kubernetes resource object references. + items: + description: ResourceRef contains the information necessary + to locate a resource within a cluster. 
+ properties: + id: + description: ID is the string representation of the Kubernetes + resource object's metadata, in the format '___'. + type: string + v: + description: Version is the API version of the Kubernetes + resource object's kind. + type: string + required: + - id + - v + type: object + type: array + required: + - entries + type: object + lastAppliedRevision: + description: The last successfully applied revision. Equals the Revision + of the applied Artifact from the referenced Source. + type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: kustomize-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: kustomize-controller + namespace: flux-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: kustomize-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + control-plane: controller + name: kustomize-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: kustomize-controller + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: kustomize-controller + spec: + containers: + - args: + - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ + - 
--watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: ghcr.io/fluxcd/kustomize-controller:v1.1.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: temp + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1337 + serviceAccountName: kustomize-controller + terminationGracePeriodSeconds: 60 + volumes: + - emptyDir: {} + name: temp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + labels: + app.kubernetes.io/component: helm-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: helmreleases.helm.toolkit.fluxcd.io +spec: + group: helm.toolkit.fluxcd.io + names: + kind: HelmRelease + listKind: HelmReleaseList + plural: helmreleases + shortNames: + - hr + singular: helmrelease + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: 
HelmRelease is the Schema for the helmreleases API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HelmReleaseSpec defines the desired state of a Helm release. + properties: + chart: + description: Chart defines the template of the v1beta2.HelmChart that + should be created for this HelmRelease. + properties: + metadata: + description: ObjectMeta holds the template for metadata like labels + and annotations. + properties: + annotations: + additionalProperties: + type: string + description: 'Annotations is an unstructured key value map + stored with a resource that may be set by external tools + to store and retrieve arbitrary metadata. They are not queryable + and should be preserved when modifying objects. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/' + type: object + labels: + additionalProperties: + type: string + description: 'Map of string keys and values that can be used + to organize and categorize (scope and select) objects. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/' + type: object + type: object + spec: + description: Spec holds the template for the v1beta2.HelmChartSpec + for this HelmRelease. 
+ properties: + chart: + description: The name or path the Helm chart is available + at in the SourceRef. + type: string + interval: + description: Interval at which to check the v1beta2.Source + for updates. Defaults to 'HelmReleaseSpec.Interval'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + reconcileStrategy: + default: ChartVersion + description: Determines what enables the creation of a new + artifact. Valid values are ('ChartVersion', 'Revision'). + See the documentation of the values for an explanation on + their behavior. Defaults to ChartVersion when omitted. + enum: + - ChartVersion + - Revision + type: string + sourceRef: + description: The name and namespace of the v1beta2.Source + the chart is available at. + properties: + apiVersion: + description: APIVersion of the referent. + type: string + kind: + description: Kind of the referent. + enum: + - HelmRepository + - GitRepository + - Bucket + type: string + name: + description: Name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace of the referent. + maxLength: 63 + minLength: 1 + type: string + required: + - name + type: object + valuesFile: + description: Alternative values file to use as the default + chart values, expected to be a relative path in the SourceRef. + Deprecated in favor of ValuesFiles, for backwards compatibility + the file defined here is merged before the ValuesFiles items. + Ignored when omitted. + type: string + valuesFiles: + description: Alternative list of values files to use as the + chart values (values.yaml is not included by default), expected + to be a relative path in the SourceRef. Values files are + merged in the order of this list with the last file overriding + the first. Ignored when omitted. 
+ items: + type: string + type: array + verify: + description: Verify contains the secret name containing the + trusted public keys used to verify the signature and specifies + which provider to use to check whether OCI image is authentic. + This field is only supported for OCI sources. Chart dependencies, + which are not bundled in the umbrella chart artifact, are + not verified. + properties: + provider: + default: cosign + description: Provider specifies the technology used to + sign the OCI Helm chart. + enum: + - cosign + type: string + secretRef: + description: SecretRef specifies the Kubernetes Secret + containing the trusted public keys. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - provider + type: object + version: + default: '*' + description: Version semver expression, ignored for charts + from v1beta2.GitRepository and v1beta2.Bucket sources. Defaults + to latest when omitted. + type: string + required: + - chart + - sourceRef + type: object + required: + - spec + type: object + dependsOn: + description: DependsOn may contain a meta.NamespacedObjectReference + slice with references to HelmRelease resources that must be ready + before this HelmRelease can be reconciled. + items: + description: NamespacedObjectReference contains enough information + to locate the referenced Kubernetes resource object in any namespace. + properties: + name: + description: Name of the referent. + type: string + namespace: + description: Namespace of the referent, when not specified it + acts as LocalObjectReference. + type: string + required: + - name + type: object + type: array + install: + description: Install holds the configuration for Helm install actions + for this HelmRelease. + properties: + crds: + description: "CRDs upgrade CRDs from the Helm Chart's crds directory + according to the CRD upgrade policy provided here. Valid values + are `Skip`, `Create` or `CreateReplace`. 
Default is `Create` + and if omitted CRDs are installed but not updated. \n Skip: + do neither install nor replace (update) any CRDs. \n Create: + new CRDs are created, existing CRDs are neither updated nor + deleted. \n CreateReplace: new CRDs are created, existing CRDs + are updated (replaced) but not deleted. \n By default, CRDs + are applied (installed) during Helm install action. With this + option users can opt-in to CRD replace existing CRDs on Helm + install actions, which is not (yet) natively supported by Helm. + https://helm.sh/docs/chart_best_practices/custom_resource_definitions." + enum: + - Skip + - Create + - CreateReplace + type: string + createNamespace: + description: CreateNamespace tells the Helm install action to + create the HelmReleaseSpec.TargetNamespace if it does not exist + yet. On uninstall, the namespace will not be garbage collected. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm install action. + type: boolean + disableOpenAPIValidation: + description: DisableOpenAPIValidation prevents the Helm install + action from validating rendered templates against the Kubernetes + OpenAPI Schema. + type: boolean + disableWait: + description: DisableWait disables the waiting for resources to + be ready after a Helm install has been performed. + type: boolean + disableWaitForJobs: + description: DisableWaitForJobs disables waiting for jobs to complete + after a Helm install has been performed. + type: boolean + remediation: + description: Remediation holds the remediation configuration for + when the Helm install action for the HelmRelease fails. The + default is to not perform any action. + properties: + ignoreTestFailures: + description: IgnoreTestFailures tells the controller to skip + remediation when the Helm tests are run after an install + action but fail. Defaults to 'Test.IgnoreFailures'. 
+ type: boolean + remediateLastFailure: + description: RemediateLastFailure tells the controller to + remediate the last failure, when no retries remain. Defaults + to 'false'. + type: boolean + retries: + description: Retries is the number of retries that should + be attempted on failures before bailing. Remediation, using + an uninstall, is performed between each attempt. Defaults + to '0', a negative integer equals to unlimited retries. + type: integer + type: object + replace: + description: Replace tells the Helm install action to re-use the + 'ReleaseName', but only if that name is a deleted release which + remains in the history. + type: boolean + skipCRDs: + description: "SkipCRDs tells the Helm install action to not install + any CRDs. By default, CRDs are installed if not already present. + \n Deprecated use CRD policy (`crds`) attribute with value `Skip` + instead." + type: boolean + timeout: + description: Timeout is the time to wait for any individual Kubernetes + operation (like Jobs for hooks) during the performance of a + Helm install action. Defaults to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + interval: + description: Interval at which to reconcile the Helm release. This + interval is approximate and may be subject to jitter to ensure efficient + use of resources. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kubeConfig: + description: KubeConfig for reconciling the HelmRelease on a remote + cluster. When used in combination with HelmReleaseSpec.ServiceAccountName, + forces the controller to act on behalf of that Service Account at + the target cluster. If the --default-service-account flag is set, + its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName + is empty. + properties: + secretRef: + description: SecretRef holds the name of a secret that contains + a key with the kubeconfig file as the value. 
If no key is set, + the key will default to 'value'. It is recommended that the + kubeconfig is self-contained, and the secret is regularly updated + if credentials such as a cloud-access-token expire. Cloud specific + `cmd-path` auth helpers will not function without adding binaries + and credentials to the Pod that is responsible for reconciling + Kubernetes resources. + properties: + key: + description: Key in the Secret, when not specified an implementation-specific + default key is used. + type: string + name: + description: Name of the Secret. + type: string + required: + - name + type: object + required: + - secretRef + type: object + maxHistory: + description: MaxHistory is the number of revisions saved by Helm for + this HelmRelease. Use '0' for an unlimited number of revisions; + defaults to '10'. + type: integer + persistentClient: + description: "PersistentClient tells the controller to use a persistent + Kubernetes client for this release. When enabled, the client will + be reused for the duration of the reconciliation, instead of being + created and destroyed for each (step of a) Helm action. \n This + can improve performance, but may cause issues with some Helm charts + that for example do create Custom Resource Definitions during installation + outside Helm's CRD lifecycle hooks, which are then not observed + to be available by e.g. post-install hooks. \n If not set, it defaults + to true." + type: boolean + postRenderers: + description: PostRenderers holds an array of Helm PostRenderers, which + will be applied in order of their definition. + items: + description: PostRenderer contains a Helm PostRenderer specification. + properties: + kustomize: + description: Kustomization to apply as PostRenderer. + properties: + images: + description: Images is a list of (image name, new name, + new tag or digest) for changing image names, tags or digests. + This can also be achieved with a patch, but this operator + is simpler to specify. 
+ items: + description: Image contains an image name, a new name, + a new tag or digest, which will replace the original + name and tag. + properties: + digest: + description: Digest is the value used to replace the + original image tag. If digest is present NewTag + value is ignored. + type: string + name: + description: Name is a tag-less image name. + type: string + newName: + description: NewName is the value used to replace + the original name. + type: string + newTag: + description: NewTag is the value used to replace the + original tag. + type: string + required: + - name + type: object + type: array + patches: + description: Strategic merge and JSON patches, defined as + inline YAML objects, capable of targeting objects based + on kind, label and annotation selectors. + items: + description: Patch contains an inline StrategicMerge or + JSON6902 patch, and the target the patch should be applied + to. + properties: + patch: + description: Patch contains an inline StrategicMerge + patch or an inline JSON6902 patch with an array + of operation objects. + type: string + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: AnnotationSelector is a string that + follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: Group is the API group to select + resources from. Together with Version and Kind + it is capable of unambiguously identifying and/or + selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: Kind of the API Group to select resources + from. Together with Group and Version it is + capable of unambiguously identifying and/or + selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: LabelSelector is a string that follows + the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: Version of the API Group to select + resources from. Together with Group and Kind + it is capable of unambiguously identifying and/or + selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + patchesJson6902: + description: JSON 6902 patches, defined as inline YAML objects. + items: + description: JSON6902Patch contains a JSON6902 patch and + the target the patch should be applied to. + properties: + patch: + description: Patch contains the JSON6902 patch document + with an array of operation objects. + items: + description: JSON6902 is a JSON6902 operation object. + https://datatracker.ietf.org/doc/html/rfc6902#section-4 + properties: + from: + description: From contains a JSON-pointer value + that references a location within the target + document where the operation is performed. + The meaning of the value depends on the value + of Op, and is NOT taken into account by all + operations. + type: string + op: + description: Op indicates the operation to perform. + Its value MUST be one of "add", "remove", + "replace", "move", "copy", or "test". 
https://datatracker.ietf.org/doc/html/rfc6902#section-4 + enum: + - test + - remove + - add + - replace + - move + - copy + type: string + path: + description: Path contains the JSON-pointer + value that references a location within the + target document where the operation is performed. + The meaning of the value depends on the value + of Op. + type: string + value: + description: Value contains a valid JSON structure. + The meaning of the value depends on the value + of Op, and is NOT taken into account by all + operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + target: + description: Target points to the resources that the + patch document should be applied to. + properties: + annotationSelector: + description: AnnotationSelector is a string that + follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: Group is the API group to select + resources from. Together with Version and Kind + it is capable of unambiguously identifying and/or + selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: Kind of the API Group to select resources + from. Together with Group and Version it is + capable of unambiguously identifying and/or + selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: LabelSelector is a string that follows + the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. 
+ type: string + version: + description: Version of the API Group to select + resources from. Together with Group and Kind + it is capable of unambiguously identifying and/or + selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + - target + type: object + type: array + patchesStrategicMerge: + description: Strategic merge patches, defined as inline + YAML objects. + items: + x-kubernetes-preserve-unknown-fields: true + type: array + type: object + type: object + type: array + releaseName: + description: ReleaseName used for the Helm release. Defaults to a + composition of '[TargetNamespace-]Name'. + maxLength: 53 + minLength: 1 + type: string + rollback: + description: Rollback holds the configuration for Helm rollback actions + for this HelmRelease. + properties: + cleanupOnFail: + description: CleanupOnFail allows deletion of new resources created + during the Helm rollback action when it fails. + type: boolean + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: DisableWait disables the waiting for resources to + be ready after a Helm rollback has been performed. + type: boolean + disableWaitForJobs: + description: DisableWaitForJobs disables waiting for jobs to complete + after a Helm rollback has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + recreate: + description: Recreate performs pod restarts for the resource if + applicable. + type: boolean + timeout: + description: Timeout is the time to wait for any individual Kubernetes + operation (like Jobs for hooks) during the performance of a + Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + serviceAccountName: + description: The name of the Kubernetes service account to impersonate + when reconciling this HelmRelease. + type: string + storageNamespace: + description: StorageNamespace used for the Helm storage. Defaults + to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + suspend: + description: Suspend tells the controller to suspend reconciliation + for this HelmRelease, it does not apply to already started reconciliations. + Defaults to false. + type: boolean + targetNamespace: + description: TargetNamespace to target when performing operations + for the HelmRelease. Defaults to the namespace of the HelmRelease. + maxLength: 63 + minLength: 1 + type: string + test: + description: Test holds the configuration for Helm test actions for + this HelmRelease. + properties: + enable: + description: Enable enables Helm test actions for this HelmRelease + after an Helm install or upgrade action has been performed. + type: boolean + ignoreFailures: + description: IgnoreFailures tells the controller to skip remediation + when the Helm tests are run but fail. Can be overwritten for + tests run after install or upgrade actions in 'Install.IgnoreTestFailures' + and 'Upgrade.IgnoreTestFailures'. + type: boolean + timeout: + description: Timeout is the time to wait for any individual Kubernetes + operation during the performance of a Helm test action. Defaults + to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + timeout: + description: Timeout is the time to wait for any individual Kubernetes + operation (like Jobs for hooks) during the performance of a Helm + action. Defaults to '5m0s'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + uninstall: + description: Uninstall holds the configuration for Helm uninstall + actions for this HelmRelease. 
+ properties: + deletionPropagation: + default: background + description: DeletionPropagation specifies the deletion propagation + policy when a Helm uninstall is performed. + enum: + - background + - foreground + - orphan + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm rollback action. + type: boolean + disableWait: + description: DisableWait disables waiting for all the resources + to be deleted after a Helm uninstall is performed. + type: boolean + keepHistory: + description: KeepHistory tells Helm to remove all associated resources + and mark the release as deleted, but retain the release history. + type: boolean + timeout: + description: Timeout is the time to wait for any individual Kubernetes + operation (like Jobs for hooks) during the performance of a + Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + upgrade: + description: Upgrade holds the configuration for Helm upgrade actions + for this HelmRelease. + properties: + cleanupOnFail: + description: CleanupOnFail allows deletion of new resources created + during the Helm upgrade action when it fails. + type: boolean + crds: + description: "CRDs upgrade CRDs from the Helm Chart's crds directory + according to the CRD upgrade policy provided here. Valid values + are `Skip`, `Create` or `CreateReplace`. Default is `Skip` and + if omitted CRDs are neither installed nor upgraded. \n Skip: + do neither install nor replace (update) any CRDs. \n Create: + new CRDs are created, existing CRDs are neither updated nor + deleted. \n CreateReplace: new CRDs are created, existing CRDs + are updated (replaced) but not deleted. \n By default, CRDs + are not applied during Helm upgrade action. With this option + users can opt-in to CRD upgrade, which is not (yet) natively + supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions." 
+ enum: + - Skip + - Create + - CreateReplace + type: string + disableHooks: + description: DisableHooks prevents hooks from running during the + Helm upgrade action. + type: boolean + disableOpenAPIValidation: + description: DisableOpenAPIValidation prevents the Helm upgrade + action from validating rendered templates against the Kubernetes + OpenAPI Schema. + type: boolean + disableWait: + description: DisableWait disables the waiting for resources to + be ready after a Helm upgrade has been performed. + type: boolean + disableWaitForJobs: + description: DisableWaitForJobs disables waiting for jobs to complete + after a Helm upgrade has been performed. + type: boolean + force: + description: Force forces resource updates through a replacement + strategy. + type: boolean + preserveValues: + description: PreserveValues will make Helm reuse the last release's + values and merge in overrides from 'Values'. Setting this flag + makes the HelmRelease non-declarative. + type: boolean + remediation: + description: Remediation holds the remediation configuration for + when the Helm upgrade action for the HelmRelease fails. The + default is to not perform any action. + properties: + ignoreTestFailures: + description: IgnoreTestFailures tells the controller to skip + remediation when the Helm tests are run after an upgrade + action but fail. Defaults to 'Test.IgnoreFailures'. + type: boolean + remediateLastFailure: + description: RemediateLastFailure tells the controller to + remediate the last failure, when no retries remain. Defaults + to 'false' unless 'Retries' is greater than 0. + type: boolean + retries: + description: Retries is the number of retries that should + be attempted on failures before bailing. Remediation, using + 'Strategy', is performed between each attempt. Defaults + to '0', a negative integer equals to unlimited retries. + type: integer + strategy: + description: Strategy to use for failure remediation. Defaults + to 'rollback'. 
+ enum: + - rollback + - uninstall + type: string + type: object + timeout: + description: Timeout is the time to wait for any individual Kubernetes + operation (like Jobs for hooks) during the performance of a + Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + type: object + values: + description: Values holds the values for this Helm release. + x-kubernetes-preserve-unknown-fields: true + valuesFrom: + description: ValuesFrom holds references to resources containing Helm + values for this HelmRelease, and information about how they should + be merged. + items: + description: ValuesReference contains a reference to a resource + containing Helm values, and optionally the key they can be found + at. + properties: + kind: + description: Kind of the values referent, valid values are ('Secret', + 'ConfigMap'). + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the values referent. Should reside in the + same namespace as the referring resource. + maxLength: 253 + minLength: 1 + type: string + optional: + description: Optional marks this ValuesReference as optional. + When set, a not found error for the values reference is ignored, + but any ValuesKey, TargetPath or transient error will still + result in a reconciliation failure. + type: boolean + targetPath: + description: TargetPath is the YAML dot notation path the value + should be merged at. When set, the ValuesKey is expected to + be a single flat value. Defaults to 'None', which results + in the values getting merged at the root. + maxLength: 250 + pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ + type: string + valuesKey: + description: ValuesKey is the data key where the values.yaml + or a specific value can be found at. Defaults to 'values.yaml'. + When set, must be a valid Data Key, consisting of alphanumeric + characters, '-', '_' or '.'. 
+ maxLength: 253 + pattern: ^[\-._a-zA-Z0-9]+$ + type: string + required: + - kind + - name + type: object + type: array + required: + - chart + - interval + type: object + status: + default: + observedGeneration: -1 + description: HelmReleaseStatus defines the observed state of a HelmRelease. + properties: + conditions: + description: Conditions holds the conditions for the HelmRelease. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + failures: + description: Failures is the reconciliation failure count against + the latest desired state. It is reset after a successful reconciliation. + format: int64 + type: integer + helmChart: + description: HelmChart is the namespaced name of the HelmChart resource + created by the controller for the HelmRelease. + type: string + installFailures: + description: InstallFailures is the install failure count against + the latest desired state. It is reset after a successful reconciliation. + format: int64 + type: integer + lastAppliedRevision: + description: LastAppliedRevision is the revision of the last successfully + applied source. 
+ type: string + lastAttemptedRevision: + description: LastAttemptedRevision is the revision of the last reconciliation + attempt. + type: string + lastAttemptedValuesChecksum: + description: LastAttemptedValuesChecksum is the SHA1 checksum of the + values of the last reconciliation attempt. + type: string + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + lastReleaseRevision: + description: LastReleaseRevision is the revision of the last successful + Helm release. + type: integer + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + upgradeFailures: + description: UpgradeFailures is the upgrade failure count against + the latest desired state. It is reset after a successful reconciliation. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: helm-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: helm-controller + namespace: flux-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: helm-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + control-plane: controller + name: helm-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: helm-controller + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: helm-controller + spec: + containers: + - args: + - --events-addr=http://notification-controller.flux-system.svc.cluster.local./ + - --watch-all-namespaces=true + - --log-level=info + - 
--log-encoding=json + - --enable-leader-election + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: ghcr.io/fluxcd/helm-controller:v0.36.2 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: temp + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 1337 + serviceAccountName: helm-controller + terminationGracePeriodSeconds: 600 + volumes: + - emptyDir: {} + name: temp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: alerts.notification.toolkit.fluxcd.io +spec: + group: notification.toolkit.fluxcd.io + names: + kind: Alert + listKind: AlertList + plural: alerts + singular: alert + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: Alert is the Schema for the alerts API + properties: + apiVersion: + description: 'APIVersion 
defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AlertSpec defines an alerting rule for events involving a + list of objects + properties: + eventSeverity: + default: info + description: Filter events based on severity, defaults to ('info'). + If set to 'info' no events will be filtered. + enum: + - info + - error + type: string + eventSources: + description: Filter events based on the involved objects. + items: + description: CrossNamespaceObjectReference contains enough information + to let you locate the typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. 
+ type: object + name: + description: Name of the referent + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - name + type: object + type: array + exclusionList: + description: A list of Golang regular expressions to be used for excluding + messages. + items: + type: string + type: array + providerRef: + description: Send events using this provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + summary: + description: Short description of the impact and affected cluster. + type: string + suspend: + description: This flag tells the controller to suspend subsequent + events dispatching. Defaults to false. + type: boolean + required: + - eventSources + - providerRef + type: object + status: + default: + observedGeneration: -1 + description: AlertStatus defines the observed state of Alert + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last observed generation. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: Alert is the Schema for the alerts API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AlertSpec defines an alerting rule for events involving a + list of objects. + properties: + eventMetadata: + additionalProperties: + type: string + description: EventMetadata is an optional field for adding metadata + to events dispatched by the controller. This can be used for enhancing + the context of the event. If a field would override one already + present on the original event as generated by the emitter, then + the override doesn't happen, i.e. the original value is preserved, + and an info log is printed. + type: object + eventSeverity: + default: info + description: EventSeverity specifies how to filter events based on + severity. If set to 'info' no events will be filtered. 
+ enum: + - info + - error + type: string + eventSources: + description: EventSources specifies how to filter events based on + the involved object kind, name and namespace. + items: + description: CrossNamespaceObjectReference contains enough information + to let you locate the typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. MatchLabels requires the name to be set to `*`. + type: object + name: + description: Name of the referent If multiple resources are + targeted `*` may be set. + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + exclusionList: + description: ExclusionList specifies a list of Golang regular expressions + to be used for excluding messages. + items: + type: string + type: array + inclusionList: + description: InclusionList specifies a list of Golang regular expressions + to be used for including messages. + items: + type: string + type: array + providerRef: + description: ProviderRef specifies which Provider this Alert should + use. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + summary: + description: Summary holds a short description of the impact and affected + cluster. 
+ maxLength: 255 + type: string + suspend: + description: Suspend tells the controller to suspend subsequent events + handling for this Alert. + type: boolean + required: + - eventSources + - providerRef + type: object + status: + default: + observedGeneration: -1 + description: AlertStatus defines the observed state of the Alert. + properties: + conditions: + description: Conditions holds the conditions for the Alert. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: providers.notification.toolkit.fluxcd.io +spec: + group: notification.toolkit.fluxcd.io + names: + kind: Provider + listKind: ProviderList + plural: providers + singular: provider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProviderSpec defines the desired state of Provider + properties: + address: + description: HTTP/S webhook address of this provider + pattern: ^(http|https):// + type: string + certSecretRef: + description: CertSecretRef can be given the name of a secret containing + a PEM-encoded CA certificate (`caFile`) + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + channel: + description: Alert channel for this provider + type: string + proxy: + description: HTTP/S address of the proxy + pattern: ^(http|https):// + type: string + secretRef: + description: Secret reference containing the provider webhook URL + using "address" as data key + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend subsequent + events handling. Defaults to false. + type: boolean + timeout: + description: Timeout for sending alerts to the provider. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: Type of provider + enum: + - slack + - discord + - msteams + - rocket + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - azuredevops + - googlechat + - webex + - sentry + - azureeventhub + - telegram + - lark + - matrix + - opsgenie + - alertmanager + - grafana + - githubdispatch + type: string + username: + description: Bot username for this provider + type: string + required: + - type + type: object + status: + default: + observedGeneration: -1 + description: ProviderStatus defines the observed state of Provider + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. 
--- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProviderSpec defines the desired state of the Provider. + properties: + address: + description: Address specifies the endpoint, in a generic sense, to + where alerts are sent. What kind of endpoint depends on the specific + Provider type being used. For the generic Provider, for example, + this is an HTTP/S address. For other Provider types this could be + a project ID or a namespace. + maxLength: 2048 + type: string + certSecretRef: + description: "CertSecretRef specifies the Secret containing a PEM-encoded + CA certificate (in the `ca.crt` key). \n Note: Support for the `caFile` + key has been deprecated." + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + channel: + description: Channel specifies the destination channel where events + should be posted. + maxLength: 2048 + type: string + interval: + description: Interval at which to reconcile the Provider with its + Secret references. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + proxy: + description: Proxy the HTTP/S address of the proxy server. + maxLength: 2048 + pattern: ^(http|https)://.*$ + type: string + secretRef: + description: SecretRef specifies the Secret containing the authentication + credentials for this Provider. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend subsequent events + handling for this Provider. + type: boolean + timeout: + description: Timeout for sending alerts to the Provider. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: Type specifies which Provider implementation to use. 
+ enum: + - slack + - discord + - msteams + - rocket + - generic + - generic-hmac + - github + - gitlab + - gitea + - bitbucket + - azuredevops + - googlechat + - googlepubsub + - webex + - sentry + - azureeventhub + - telegram + - lark + - matrix + - opsgenie + - alertmanager + - grafana + - githubdispatch + - pagerduty + - datadog + type: string + username: + description: Username specifies the name under which events are posted. + maxLength: 2048 + type: string + required: + - type + type: object + status: + default: + observedGeneration: -1 + description: ProviderStatus defines the observed state of the Provider. + properties: + conditions: + description: Conditions holds the conditions for the Provider. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last reconciled generation. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: receivers.notification.toolkit.fluxcd.io +spec: + group: notification.toolkit.fluxcd.io + names: + kind: Receiver + listKind: ReceiverList + plural: receivers + singular: receiver + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: Receiver is the Schema for the receivers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ReceiverSpec defines the desired state of the Receiver. + properties: + events: + description: Events specifies the list of event types to handle, e.g. + 'push' for GitHub or 'Push Hook' for GitLab. 
+ items: + type: string + type: array + interval: + default: 10m + description: Interval at which to reconcile the Receiver with its + Secret references. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + resources: + description: A list of resources to be notified about changes. + items: + description: CrossNamespaceObjectReference contains enough information + to let you locate the typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. MatchLabels requires the name to be set to `*`. + type: object + name: + description: Name of the referent If multiple resources are + targeted `*` may be set. + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + secretRef: + description: SecretRef specifies the Secret containing the token used + to validate the payload authenticity. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend subsequent events + handling for this receiver. + type: boolean + type: + description: Type of webhook sender, used to determine the validation + procedure and payload deserialization. 
+ enum: + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - harbor + - dockerhub + - quay + - gcr + - nexus + - acr + type: string + required: + - resources + - secretRef + - type + type: object + status: + default: + observedGeneration: -1 + description: ReceiverStatus defines the observed state of the Receiver. + properties: + conditions: + description: Conditions holds the conditions for the Receiver. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Receiver object. + format: int64 + type: integer + webhookPath: + description: WebhookPath is the generated incoming webhook address + in the format of '/hook/sha256sum(token+name+namespace)'. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta1 Receiver is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: Receiver is the Schema for the receivers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ReceiverSpec defines the desired state of Receiver + properties: + events: + description: A list of events to handle, e.g. 'push' for GitHub or + 'Push Hook' for GitLab. + items: + type: string + type: array + resources: + description: A list of resources to be notified about changes. 
+ items: + description: CrossNamespaceObjectReference contains enough information + to let you locate the typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + name: + description: Name of the referent + maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - name + type: object + type: array + secretRef: + description: Secret reference containing the token used to validate + the payload authenticity + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend subsequent + events handling. Defaults to false. + type: boolean + type: + description: Type of webhook sender, used to determine the validation + procedure and payload deserialization. + enum: + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - harbor + - dockerhub + - quay + - gcr + - nexus + - acr + type: string + required: + - resources + - type + type: object + status: + default: + observedGeneration: -1 + description: ReceiverStatus defines the observed state of Receiver + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. 
--- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: Generated webhook URL in the format of '/hook/sha256sum(token+name+namespace)'. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 Receiver is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: Receiver is the Schema for the receivers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ReceiverSpec defines the desired state of the Receiver. + properties: + events: + description: Events specifies the list of event types to handle, e.g. + 'push' for GitHub or 'Push Hook' for GitLab. + items: + type: string + type: array + interval: + description: Interval at which to reconcile the Receiver with its + Secret references. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + resources: + description: A list of resources to be notified about changes. + items: + description: CrossNamespaceObjectReference contains enough information + to let you locate the typed referenced object at cluster level + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + enum: + - Bucket + - GitRepository + - Kustomization + - HelmRelease + - HelmChart + - HelmRepository + - ImageRepository + - ImagePolicy + - ImageUpdateAutomation + - OCIRepository + type: string + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. MatchLabels requires the name to be set to `*`. + type: object + name: + description: Name of the referent If multiple resources are + targeted `*` may be set. 
+ maxLength: 53 + minLength: 1 + type: string + namespace: + description: Namespace of the referent + maxLength: 53 + minLength: 1 + type: string + required: + - kind + - name + type: object + type: array + secretRef: + description: SecretRef specifies the Secret containing the token used + to validate the payload authenticity. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend subsequent events + handling for this receiver. + type: boolean + type: + description: Type of webhook sender, used to determine the validation + procedure and payload deserialization. + enum: + - generic + - generic-hmac + - github + - gitlab + - bitbucket + - harbor + - dockerhub + - quay + - gcr + - nexus + - acr + type: string + required: + - resources + - type + type: object + status: + default: + observedGeneration: -1 + description: ReceiverStatus defines the observed state of the Receiver. + properties: + conditions: + description: Conditions holds the conditions for the Receiver. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. 
If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Receiver object. + format: int64 + type: integer + url: + description: 'URL is the generated incoming webhook address in the + format of ''/hook/sha256sum(token+name+namespace)''. Deprecated: + Replaced by WebhookPath.' + type: string + webhookPath: + description: WebhookPath is the generated incoming webhook address + in the format of '/hook/sha256sum(token+name+namespace)'. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + name: notification-controller + namespace: flux-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + control-plane: controller + name: notification-controller + namespace: flux-system +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app: notification-controller + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + 
app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + control-plane: controller + name: webhook-receiver + namespace: flux-system +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http-webhook + selector: + app: notification-controller + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.1.2 + control-plane: controller + name: notification-controller + namespace: flux-system +spec: + replicas: 1 + selector: + matchLabels: + app: notification-controller + template: + metadata: + annotations: + prometheus.io/port: "8080" + prometheus.io/scrape: "true" + labels: + app: notification-controller + spec: + containers: + - args: + - --watch-all-namespaces=true + - --log-level=info + - --log-encoding=json + - --enable-leader-election + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: ghcr.io/fluxcd/notification-controller:v1.1.0 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: healthz + name: manager + ports: + - containerPort: 9090 + name: http + protocol: TCP + - containerPort: 9292 + name: http-webhook + protocol: TCP + - containerPort: 8080 + name: http-prom + protocol: TCP + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: temp + nodeSelector: + kubernetes.io/os: linux + securityContext: + fsGroup: 1337 + serviceAccountName: notification-controller + terminationGracePeriodSeconds: 10 + 
volumes: + - emptyDir: {} + name: temp diff --git a/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/flux-system/gotk-sync.yaml b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/flux-system/gotk-sync.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4346fee63668b005c5fb5bcb137ccd49ab0eb578 --- /dev/null +++ b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/flux-system/gotk-sync.yaml @@ -0,0 +1,44 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +# This manifest was generated by flux. DO NOT EDIT. +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: flux-system + namespace: flux-system +spec: + interval: 1m0s + ref: + branch: main + secretRef: + name: flux-system + url: ${FLEET_REPO_URL} +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: flux-system + namespace: flux-system +spec: + interval: 10m0s + path: ./clusters/${CLUSTER_KUSTOMIZATION_NAME} + prune: true + sourceRef: + kind: GitRepository + name: flux-system 
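Review bot: The `flux-system` GitRepository in gotk-sync.yaml follows `branch: main` with no `verify` block, so any commit that reaches that branch is reconciled into the cluster, and the Kustomization below it applies the result with `prune: true`. If the fleet repository uses signed commits, I would add `spec.verify` with `mode: HEAD` and a `secretRef` naming a Secret that holds the trusted public keys (for example `name: <git-signing-keys-secret>`, a placeholder). Otherwise the file should state that branch protection on `main` is the control being relied on. The banner `# This manifest was generated by flux. DO NOT EDIT.` is also no longer accurate, because the file now carries `${FLEET_REPO_URL}` and `${CLUSTER_KUSTOMIZATION_NAME}` placeholders; a comment saying it is a template rendered by substitution would describe it better.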
diff --git a/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/flux-system/kustomization.yaml b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/flux-system/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..705b72e2781d2718abdb263ab520c256d54131e6
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/flux-system/kustomization.yaml
@@ -0,0 +1,22 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gotk-components.yaml
+- gotk-sync.yaml
diff --git a/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/infra-configs.yaml b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/infra-configs.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d2879eb18ca976925c876ce6d156ac5e3a89bc01
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/infra-configs.yaml
@@ -0,0 +1,49 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-configs
+ namespace: flux-system
+ labels:
+ osm_profile_type: infra-configs
+spec:
+ dependsOn:
+ - name: infra-controllers
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: fleet-repo
+ path: ${INFRA_CONFIGS_PATH}
+ prune: true
+ # Decryption configuration starts here
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ # patches:
+ # - patch: |
+ # - op: replace
+ # path: /spec/acme/server
+ # value: https://acme-v02.api.letsencrypt.org/directory
+ # target:
+ # kind: ClusterIssuer
+ # name: letsencrypt
diff --git a/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/infra-controllers.yaml b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/infra-controllers.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..671afc8fb27068d56e88fcbf2e7d6c51e0afa2ad
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/infra-controllers.yaml
@@ -0,0 +1,40 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-controllers
+ namespace: flux-system
+ labels:
+ osm_profile_type: infra-controllers
+spec:
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: fleet-repo
+ path: ${INFRA_CONTROLLERS_PATH}
+ prune: true
+ wait: true
+ # Decryption configuration starts here
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
diff --git a/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/kustomization.yaml b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6e3c9af0f026e6105506f8091156bd84ea446847
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/kustomization.yaml
@@ -0,0 +1,36 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ # Repos
+ - fleet-repo.yaml
+ - sw-catalogs-repo.yaml
+
+ # Base cluster structure (CRDs, operators and their configs)
+ - infra-controllers.yaml
+ - infra-configs.yaml
+
+ # Managed resources
+ - managed-resources.yaml
+
+ # Managed apps
+ - apps.yaml
+
+ # Adds also the `flux-system` folder to preserve bootstrap structure
+ - flux-system
diff --git a/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/managed-resources.yaml b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/managed-resources.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2d59cc952516f0dc5c37da0afcc20b00fd136ca2
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/managed-resources.yaml
@@ -0,0 +1,52 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# Namespace
+# apiVersion: v1
+# kind: Namespace
+# metadata:
+# name: managed-resources
+
+---
+# Managed resources
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: managed-resources
+ namespace: flux-system
+ labels:
+ osm_profile_type: managed-resources
+spec:
+ # interval: 10m0s
+ interval: 7m0s
+ dependsOn:
+ - name: infra-configs
+ sourceRef:
+ kind: GitRepository
+ name: fleet-repo
+ path: ${MANAGED_RESOURCES_PATH}
+ prune: true
+ wait: true
+ # timeout: 5m0s
+ timeout: 7m0s
+ retryInterval: 2m0s
+ # Decryption configuration starts here
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
diff --git a/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/sw-catalogs-repo.yaml b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/sw-catalogs-repo.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..75bc138460e46ef2bba9caf8a443f2182c3225fe
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/cluster-base/templates/sw-catalogs-repo.yaml
@@ -0,0 +1,30 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: sw-catalogs
+ namespace: flux-system
+spec:
+ interval: 1m0s
+ ref:
+ branch: main
+ secretRef:
+ name: sw-catalogs
+ url: ${SW_CATALOGS_REPO_URL}
diff --git a/oka/cloud-resources/flux-remote-bootstrap/empty-kustomization/manifests/configmap/reference-cm.yaml b/oka/cloud-resources/flux-remote-bootstrap/empty-kustomization/manifests/configmap/reference-cm.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f038bd036d2cf50ba39e502bf085c71dfe054ecb
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/empty-kustomization/manifests/configmap/reference-cm.yaml
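Review bot: The `sw-catalogs` GitRepository follows `branch: main` with a one-minute interval and has no `spec.verify` block, so any commit that reaches that branch is fetched and handed to the Kustomizations that source it (the GKE and placeholder templates in this commit both reference `sw-catalogs`). If the catalog repository can be written by anyone other than the release pipeline, consider enabling commit signature verification under `spec`, e.g. `verify:` with `mode: HEAD` and `secretRef:` pointing at `name: <secret-holding-trusted-public-keys>` (placeholder name), or pinning `ref` to a tag or commit. At minimum, a comment stating that `main` is a protected branch would document the assumption the cluster's trust rests on.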
@@ -0,0 +1,25 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# Template for creating remote ConfigMaps
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: ${configmap_name}
+ namespace: ${configmap_namespace}
+data: {}
diff --git a/oka/cloud-resources/flux-remote-bootstrap/empty-kustomization/templates/kustomization-placeholder.yaml b/oka/cloud-resources/flux-remote-bootstrap/empty-kustomization/templates/kustomization-placeholder.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9742d3f34361944a68e6ba2506c566e02f947c2c
--- /dev/null
+++ b/oka/cloud-resources/flux-remote-bootstrap/empty-kustomization/templates/kustomization-placeholder.yaml
@@ -0,0 +1,50 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+# Creates required remote namespaces
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: ${CLUSTER_KUSTOMIZATION_NAME}
+ namespace: managed-resources
+ labels:
+ cluster: ${CLUSTER_KUSTOMIZATION_NAME}
+spec:
+ interval: 1m
+ timeout: 5m
+ prune: true
+ # force: true
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
+ path: ./cloud-resources/flux-remote-bootstrap/empty-kustomization/manifests/configmap
+ patches:
+ - patch: |-
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: ${configmap_name}
+ namespace: ${configmap_namespace}
+ data:
+ kubeconfig: ${kubeconfig_secret_name}
+ # Inputs:
+ postBuild:
+ substitute:
+ configmap_name: imported-${CLUSTER_KUSTOMIZATION_NAME}
+ configmap_namespace: managed-resources
+ kubeconfig_secret_name: kubeconfig-${CLUSTER_KUSTOMIZATION_NAME}
diff --git a/oka/cloud-resources/gke/manifests/gke.yaml b/oka/cloud-resources/gke/manifests/gke.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1677801f05db3495153eab07f7d87ce34a1fd24a
--- /dev/null
+++ b/oka/cloud-resources/gke/manifests/gke.yaml
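Review bot: This Kustomization is declared with `apiVersion: kustomize.toolkit.fluxcd.io/v1beta2`, while every other Flux Kustomization added in this commit (infra-configs, infra-controllers, managed-resources, gke01) uses `kustomize.toolkit.fluxcd.io/v1`; switching to `v1` here keeps the templates consistent and avoids depending on a beta version still being served. The leading comment `# Creates required remote namespaces` does not match the content, which patches a ConfigMap; something like `# Placeholder Kustomization: records the name of the cluster's kubeconfig Secret in a ConfigMap` would be accurate. It is worth saying in that comment that the `kubeconfig` key holds only the Secret's name, so that nobody later stores the kubeconfig itself in the ConfigMap.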
@@ -0,0 +1,91 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: container.gcp.upbound.io/v1beta1
+kind: NodePool
+metadata:
+ annotations:
+ meta.upbound.io/example-id: container/v1beta1/nodepool
+ labels:
+ testing.upbound.io/example-name: ${cluster_name}
+ name: nodepool-${cluster_resource_name}
+spec:
+ forProvider:
+ # Force K8s version
+ # version: '1.27'
+ clusterSelector:
+ matchLabels:
+ testing.upbound.io/example-name: ${cluster_name}
+ nodeConfig:
+ - machineType: ${vm_size}
+ oauthScopes:
+ - https://www.googleapis.com/auth/cloud-platform
+ preemptible: ${preemptible_nodes}
+ serviceAccountSelector:
+ matchLabels:
+ testing.upbound.io/example-name: ${cluster_name}
+ nodeCount: 1
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: container.gcp.upbound.io/v1beta1
+kind: Cluster
+metadata:
+ annotations:
+ meta.upbound.io/example-id: container/v1beta1/cluster
+ labels:
+ testing.upbound.io/example-name: ${cluster_name}
+ name: ${cluster_resource_name}
+spec:
+ forProvider:
+ initialNodeCount: 1
+ location: ${cluster_location}
+ # Force K8s version
+ minMasterVersion: '1.27'
+ removeDefaultNodePool: true
+ # To enable client authentication in GKE:
+ # See:
+ masterAuth:
+ - clientCertificateConfig:
+ - issueClientCertificate: true
+ publishConnectionDetailsTo:
+ name: kubeconfig-${cluster_resource_name}
+ writeConnectionSecretToRef:
+ name: kubeconfig-${cluster_resource_name}
+ namespace: managed-resources
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
+
+---
+apiVersion: cloudplatform.gcp.upbound.io/v1beta1
+kind: ServiceAccount
+metadata:
+ annotations:
+ meta.upbound.io/example-id: container/v1beta1/nodepool
+ labels:
+ testing.upbound.io/example-name: ${cluster_name}
+ name: ${cluster_resource_name}
+spec:
+ forProvider:
+ displayName: Service Account for Cluster ${cluster_name}
+ # Use in case you wanted to use different credentials (i.e., ProviderConfig different than default)
+ providerConfigRef:
+ name: ${providerconfig_name}
diff --git a/oka/cloud-resources/gke/templates/gke01.yaml b/oka/cloud-resources/gke/templates/gke01.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9eccda64033fe4a96dd59d042316a6dc8d977592
--- /dev/null
+++ b/oka/cloud-resources/gke/templates/gke01.yaml
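Review bot: In the `Cluster` resource, `issueClientCertificate: true` under `masterAuth` turns on GKE's legacy client-certificate authentication, and the connection details are written to the `kubeconfig-${cluster_resource_name}` Secret in `managed-resources`. A client certificate is a long-lived credential that, as far as I know, cannot be revoked individually, so anyone able to read that Secret keeps access until the cluster credentials are rotated. The `# See:` comment above it has no link, so the reason for the choice is undocumented; either complete it, e.g. `# Client certificate is issued so the connection Secret carries usable credentials; restrict read access to this Secret`, or set the flag to `false` if consumers can authenticate another way. Setting both `publishConnectionDetailsTo` and `writeConnectionSecretToRef` to the same name also looks redundant and deserves a one-line comment if intended.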
@@ -0,0 +1,99 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# TEMPLATE_PARAMETERS:
+# ===================
+#
+# CLUSTER_KUSTOMIZATION_NAME: Name of the cluster in the management cluster (e.g., for `Kustomization`s).
+# - Alternatively, it can be patched at:
+# .metadata.name
+# .metadata.labels.cluster
+# .spec.commonMetadata.labels.cluster
+#
+# PARAMETERS TO PATCH:
+# ===================
+#
+# .spec.postBuild.substitute.providerconfig_name: Name of the GCP ProviderConfig to use to create the GKE cluster.
+# .spec.postBuild.substitute.cluster_name: Name of the cluster in the target cloud. It may differ from `CLUSTER_KUSTOMIZATION_NAME` since naming restrictions are often different from K8s resource naming restrictions (e.g., hyphens vs. underscores).
+# .spec.postBuild.substitute.k8s_version: Kubernetes version.
+# .spec.postBuild.substitute.node_count: Number of worker nodes.
+# .spec.postBuild.substitute.vm_size: Flavor of worker node VMs.
+# .spec.postBuild.substitute.cluster_location: Target cluster region.
+# .spec.postBuild.substitute.preemptible_nodes: (default: "false")
+
+# Cluster resource
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: ${CLUSTER_KUSTOMIZATION_NAME}
+ namespace: managed-resources
+ labels:
+ cluster: ${CLUSTER_KUSTOMIZATION_NAME}
+spec:
+ commonMetadata:
+ labels:
+ cluster: ${CLUSTER_KUSTOMIZATION_NAME}
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
+ path: ./cloud-resources/gke/manifests
+ prune: true
+ # force: true
+ wait: true
+ patches:
+ - patch: |-
+ apiVersion: container.gcp.upbound.io/v1beta1
+ kind: NodePool
+ metadata:
+ name: nodepool-${cluster_resource_name}
+ spec:
+ forProvider:
+ version: "${k8s_version}"
+ nodeConfig:
+ - machineType: ${vm_size}
+ oauthScopes:
+ - https://www.googleapis.com/auth/cloud-platform
+ preemptible: ${preemptible_nodes}
+ serviceAccountSelector:
+ matchLabels:
+ testing.upbound.io/example-name: ${cluster_name}
+ nodeCount: ${node_count}
+ - patch: |-
+ apiVersion: container.gcp.upbound.io/v1beta1
+ kind: Cluster
+ metadata:
+ name: ${cluster_resource_name}
+ spec:
+ forProvider:
+ minMasterVersion: "${k8s_version}"
+ # Input parameters
+ postBuild:
+ substitute:
+ providerconfig_name: default
+ cluster_resource_name: ${CLUSTER_KUSTOMIZATION_NAME}
+ cluster_name: mygkecluster01
+ k8s_version: "'1.28'"
+ node_count: "1"
+ vm_size: e2-medium
+ cluster_location: europe-southwest1-a
+ # GKE only
+ preemptible_nodes: "false"
diff --git a/oka/infra-configs/crossplane/providers/aws/templates/crossplane-providerconfig-aws.yaml b/oka/infra-configs/crossplane/providers/aws/templates/crossplane-providerconfig-aws.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f4fa5b36eac35d1be14288c3c2577c8f8b667a67
--- /dev/null
+++ b/oka/infra-configs/crossplane/providers/aws/templates/crossplane-providerconfig-aws.yaml
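Review bot: The `PARAMETERS TO PATCH` header omits `cluster_resource_name`, although `postBuild.substitute` sets it and both patches, as well as the resource and connection-secret names in `manifests/gke.yaml`, depend on it. Add a line such as `# .spec.postBuild.substitute.cluster_resource_name: Name of the Crossplane resources in the management cluster (set to CLUSTER_KUSTOMIZATION_NAME here).` The value `k8s_version: "'1.28'"` carries an inner pair of single quotes, which looks deliberate (presumably so the substituted value stays a string rather than becoming a float) but reads like a typo. A comment on that line, e.g. `# Inner quotes are intentional: keeps the version a string after substitution`, would stop someone from "fixing" it.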
@@ -0,0 +1,37 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# PARAMETERS TO PATCH: +# =================== +# +# .metadata.name: (default: "default") Name of the `ProviderConfig` for the cloud credentials. +# .spec.credentials.secretRef.name: (default: "aws-creds") Name of the secret where the credentials are stored. + +# Default configuration for AWS provider for Crossplane +apiVersion: aws.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: default +spec: + credentials: + source: Secret + secretRef: + namespace: crossplane-system + name: aws-creds + key: creds + \ No newline at end of file diff --git a/oka/infra-configs/crossplane/providers/azure/templates/crossplane-providerconfig-azure.yaml b/oka/infra-configs/crossplane/providers/azure/templates/crossplane-providerconfig-azure.yaml new file mode 100644 index 0000000000000000000000000000000000000000..d557657d975015ad79e51e666d500fa4c6a65610 --- /dev/null +++ b/oka/infra-configs/crossplane/providers/azure/templates/crossplane-providerconfig-azure.yaml 
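Review bot: The AWS ProviderConfig ends with a whitespace-only line and no final newline, as shown by the lone `+` after `key: creds` followed by `\ No newline at end of file`. The Azure and GCP ProviderConfig templates added alongside end cleanly on `key: creds`. Dropping the stray line and ending the file with a single newline keeps linters quiet and the three provider templates identical in shape.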
@@ -0,0 +1,36 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# PARAMETERS TO PATCH:
+# ===================
+#
+# .metadata.name: (default: "default") Name of the `ProviderConfig` for the cloud credentials.
+# .spec.credentials.secretRef.name: (default: "azure-creds") Name of the secret where the credentials are stored.
+
+# Default configuration for Azure provider for Crossplane
+apiVersion: azure.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: default
+spec:
+ credentials:
+ source: Secret
+ secretRef:
+ namespace: crossplane-system
+ name: azure-creds
+ key: creds
diff --git a/oka/infra-configs/crossplane/providers/gcp/templates/crossplane-providerconfig-gcp.yaml b/oka/infra-configs/crossplane/providers/gcp/templates/crossplane-providerconfig-gcp.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..849753b6f141e6ba21ca4c40e1a705a0fb10c50d
--- /dev/null
+++ b/oka/infra-configs/crossplane/providers/gcp/templates/crossplane-providerconfig-gcp.yaml
@@ -0,0 +1,37 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# PARAMETERS TO PATCH:
+# ===================
+#
+# .metadata.name: (default: "default") Name of the `ProviderConfig` for the cloud credentials.
+# .spec.credentials.secretRef.name: (default: "gcp-creds") Name of the secret where the credentials are stored.
+
+# Default configuration for GCP provider for Crossplane
+apiVersion: gcp.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+ name: default
+spec:
+ projectID: ${GCP_PROJECT}
+ credentials:
+ source: Secret
+ secretRef:
+ namespace: crossplane-system
+ name: gcp-creds
+ key: creds
diff --git a/oka/infra-configs/kubernetes-dashboard/templates/cluster-role-binding-dashboard.yaml b/oka/infra-configs/kubernetes-dashboard/templates/cluster-role-binding-dashboard.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9bb21ab31b2c7bf5218b0cca991fd38d7bdb52af
--- /dev/null
+++ b/oka/infra-configs/kubernetes-dashboard/templates/cluster-role-binding-dashboard.yaml
@@ -0,0 +1,29 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: admin-user
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: admin-user
+ namespace: kubernetes-dashboard
diff --git a/oka/infra-configs/kubernetes-dashboard/templates/sa-dashboard.yaml b/oka/infra-configs/kubernetes-dashboard/templates/sa-dashboard.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..51325a198e58e0b24a0eaa70ddf4c3b2dad7d719
--- /dev/null
+++ b/oka/infra-configs/kubernetes-dashboard/templates/sa-dashboard.yaml
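Review bot: This binding gives the `admin-user` ServiceAccount in `kubernetes-dashboard` the built-in `cluster-admin` ClusterRole, and `secret-token-dashboard.yaml` in the same commit creates a `kubernetes.io/service-account-token` Secret for that account, i.e. a static token with no expiry. Anyone who can read Secrets in that namespace, or who obtains the token once, holds full control of the cluster until the Secret is deleted. If the dashboard is used for inspection only, bind to the built-in read-only role instead (`name: view`) and request short-lived tokens on demand rather than keeping the static Secret. If cluster-admin really is required, say so in a comment and keep this template out of production profiles. The same concern covers `sa-dashboard.yaml` and `secret-token-dashboard.yaml`, which get no separate note.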
@@ -0,0 +1,22 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: admin-user
+ namespace: kubernetes-dashboard
diff --git a/oka/infra-configs/kubernetes-dashboard/templates/secret-token-dashboard.yaml b/oka/infra-configs/kubernetes-dashboard/templates/secret-token-dashboard.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d7c170cbda35f86ff63f6c054ce5734d4ad1bc75
--- /dev/null
+++ b/oka/infra-configs/kubernetes-dashboard/templates/secret-token-dashboard.yaml
@@ -0,0 +1,25 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: admin-user
+ namespace: kubernetes-dashboard
+ annotations:
+ kubernetes.io/service-account.name: "admin-user"
+type: kubernetes.io/service-account-token
diff --git a/oka/infra-configs/osm-workflows/templates/sa-and-role.yaml b/oka/infra-configs/osm-workflows/templates/sa-and-role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6170b6558401a025e679d76972e47a48608e5c32
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/sa-and-role.yaml
@@ -0,0 +1,87 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argo
+ namespace: osm-workflows
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: argo-role
+ namespace: osm-workflows
+rules:
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - secrets
+ - configmaps
+ - persistentvolumeclaims
+ - persistentvolumeclaims/finalizers
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - patch
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflowtaskresults
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: argo-binding
+ namespace: osm-workflows
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argo-role
+subjects:
+- kind: ServiceAccount
+ name: argo
+ namespace: osm-workflows
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: default-binding
+ namespace: osm-workflows
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argo-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: osm-workflows
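Review bot: The last RoleBinding, `default-binding`, attaches `argo-role` to the namespace's `default` ServiceAccount, so every pod in `osm-workflows` that does not name a service account can create, get, update, patch and delete Secrets (as well as pods, ConfigMaps and PVCs) there. The workflow templates in this commit take Git credential secrets by name, and those presumably live in this namespace. Consider dropping `default-binding` and running workflows as `argo`. Also consider moving `secrets` into its own rule with only the verbs the workflows need (for example `- get`), ideally narrowed with `resourceNames`. If the broad grant is required by the executor, a comment on the rule explaining why would make that reviewable.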
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/clone-transform-push-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/clone-transform-push-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..537753a1a1b4fc4569bc5e5e631f82db7271a0df
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/clone-transform-push-wft.yaml
@@ -0,0 +1,133 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: clone-transform-push-wft + namespace: osm-workflows + +spec: + arguments: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + # Transformation template + - name: templateref_name + # value: debugging-wft + - name: templateref_template + # value: ls-command + + entrypoint: main + + templates: + + # Main template + - name: main + inputs: + parameters: + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + - name: templateref_name + - name: templateref_template + steps: + - - name: generate-volume-repos + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: repo_url + value: 
"{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-volume-repos.outputs.parameters.pvc-name}}' + - - name: clone-sw-catalogs + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: destination_folder + value: "{{inputs.parameters.sw_catalogs_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-volume-repos.outputs.parameters.pvc-name}}' + - - name: transform + templateRef: + name: "{{inputs.parameters.templateref_name}}" + template: "{{inputs.parameters.templateref_template}}" + arguments: + parameters: + - name: folder + value: "/repos" + - name: volume_name + value: '{{steps.generate-volume-repos.outputs.parameters.pvc-name}}' + - name: mount_path + value: "/repos" + # - - name: list-repo-files + # template: ls-command + # arguments: + # parameters: + # - name: folder + # value: "/repos" + # - name: volume_name + # value: '{{steps.generate-volume-repos.outputs.parameters.pvc-name}}' + # - name: mount_path + # value: "/repos" + - - name: push-to-fleet + templateRef: + name: git-wft + template: git-commit-merge-push + arguments: + parameters: + - name: repo_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-volume-repos.outputs.parameters.pvc-name}}' + - name: commit_message + value: "My test commit message" + - name: main_branch + value: main + - name: contrib_branch + value: osm_contrib 
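Review bot: The `clone-fleet`, `clone-sw-catalogs` and `push-to-fleet` steps pass no `mount_path`, yet `git-clone` and `git-commit-merge-push` in git-wft.yaml declare that input without a default and use it as the `mountPath` of the repos volume, so these steps would presumably be rejected for a missing parameter. Since `git-clone` changes into `/repos` before cloning and the `transform` step mounts the same claim at `/repos`, adding `- name: mount_path` with `value: "/repos"` to the three argument lists looks like the intended wiring. Separately, `commit_message` is fixed to "My test commit message", which leaves the fleet repository history with no record of which operation produced a commit; taking it from a workflow parameter would fix that.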
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/cloud-accounts-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/cloud-accounts-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..18c739dfed965acc0b0f627ae44d562e21a79aa0
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/cloud-accounts-wft.yaml
@@ -0,0 +1,267 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: cloud-accounts-wft + namespace: osm-workflows +spec: + templates: + + # Create a `ProviderConfig` for CrossPlane + - name: create-crossplane-providerconfig + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + + # Specific parameters + - name: providerconfig_name + ## As of today, one among `azure`, `aws` or `gcp` + - name: provider_type + ## Final secret to reference from the `ProviderConfig` + - name: cred_secret_name + ## Temporary secret with secret contents for the workflow + ## - If `temp_cred_secret_name` is empty, assumes that the final secret already exists + - name: temp_cred_secret_name + value: "" + - name: temp_cred_secret_key + value: "creds" + - name: age_public_key_mgmt + - name: osm_project_name + value: "osm_admin" + ## Specific parameters - GCP only + - name: target_gcp_project + value: "" + # Debug? 
+ - name: debug + value: "false" + + # Other parameters - Do not touch + - name: cred_secret_key + value: "creds" + - name: mgmt_cluster_name + value: "_management" + - name: cred_secret_ns + value: "crossplane-system" + - name: base_templates_path + value: "infra-configs/crossplane/providers" + - name: cloned_fleet_folder_name + value: "fleet-osm" + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: CRED_SECRET_CONTENT + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.temp_cred_secret_name}}" + key: "{{inputs.parameters.temp_cred_secret_key}}" + default: "" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - create_crossplane_providerconfig + - "{{inputs.parameters.providerconfig_name}}" + - "{{inputs.parameters.provider_type}}" + - "{{inputs.parameters.cred_secret_name}}" + - "{{inputs.parameters.cred_secret_key}}" + - "{{inputs.parameters.cred_secret_ns}}" + - '' + - "{{inputs.parameters.age_public_key_mgmt}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + - "{{inputs.parameters.sw_catalogs_mount_path}}/{{inputs.parameters.cloned_sw_catalogs_folder_name}}" + - "{{inputs.parameters.target_gcp_project}}" + - "{{inputs.parameters.base_templates_path}}" + - "{{inputs.parameters.osm_project_name}}" + - "{{inputs.parameters.mgmt_cluster_name}}" + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + 
+ + # Update a `ProviderConfig` for CrossPlane + - name: update-crossplane-providerconfig + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + + # Specific parameters + - name: providerconfig_name + ## As of today, one among `azure`, `aws` or `gcp` + - name: provider_type + ## Final secret to reference from the `ProviderConfig` + - name: cred_secret_name + ## Temporary secret with secret contents for the workflow + ## - If `temp_cred_secret_name` is empty, assumes that the final secret already exists + - name: temp_cred_secret_name + value: "" + - name: temp_cred_secret_key + value: "creds" + - name: age_public_key_mgmt + - name: osm_project_name + value: "osm_admin" + ## Specific parameters - GCP only + - name: target_gcp_project + value: "" + # Debug? + - name: debug + value: "false" + + # Other parameters - Do not touch + - name: cred_secret_key + value: "creds" + - name: mgmt_cluster_name + value: "_management" + - name: cred_secret_ns + value: "crossplane-system" + - name: base_templates_path + value: "infra-configs/crossplane/providers" + - name: cloned_fleet_folder_name + value: "fleet-osm" + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: CRED_SECRET_CONTENT + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.temp_cred_secret_name}}" + key: "{{inputs.parameters.temp_cred_secret_key}}" + default: "" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - update_crossplane_providerconfig + - "{{inputs.parameters.providerconfig_name}}" + - "{{inputs.parameters.provider_type}}" + - "{{inputs.parameters.cred_secret_name}}" + - "{{inputs.parameters.cred_secret_key}}" + - "{{inputs.parameters.cred_secret_ns}}" + - '' + - 
"{{inputs.parameters.age_public_key_mgmt}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + - "{{inputs.parameters.sw_catalogs_mount_path}}/{{inputs.parameters.cloned_sw_catalogs_folder_name}}" + - "{{inputs.parameters.target_gcp_project}}" + - "{{inputs.parameters.base_templates_path}}" + - "{{inputs.parameters.osm_project_name}}" + - "{{inputs.parameters.mgmt_cluster_name}}" + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + + # Delete a `ProviderConfig` for CrossPlane + - name: delete-crossplane-providerconfig + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + + # Specific parameters + - name: providerconfig_name + ## As of today, one among `azure`, `aws` or `gcp` + - name: provider_type + - name: osm_project_name + value: "osm_admin" + # Debug? 
+ - name: debug + value: "false" + + # Other parameters - Do not touch + - name: mgmt_cluster_name + value: "_management" + - name: cloned_fleet_folder_name + value: "fleet-osm" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - delete_crossplane_providerconfig + - "{{inputs.parameters.providerconfig_name}}" + - "{{inputs.parameters.provider_type}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + - "{{inputs.parameters.osm_project_name}}" + - "{{inputs.parameters.mgmt_cluster_name}}" + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/cluster-management-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/cluster-management-wft.yaml new file mode 100644 index 0000000000000000000000000000000000000000..b02277e393dd40c33905e0101539702779dcb191 --- /dev/null +++ b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/cluster-management-wft.yaml 
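Review bot: `image: ttl.sh/osm-krm-functions:24h` in the three templates refers to an anonymous, ephemeral registry where the tag is a time-to-live, so the code that runs is whatever was last pushed under that name, and in the create and update templates it is handed `CRED_SECRET_CONTENT`. I would reference the image from a registry the project controls and pin it by digest, e.g. `image: <REGISTRY>/osm-krm-functions@sha256:<DIGEST>` (both placeholders). The same image line appears in every template of cluster-management-wft.yaml, where it receives `PRIVATE_KEY_NEW_CLUSTER`. Also, `default: ""` under `secretKeyRef` is, as far as I know, not a field of the secret key selector; `optional: true` is probably what was meant for the case where `temp_cred_secret_name` is empty, and an empty secret name may still need separate handling.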
@@ -0,0 +1,406 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: cluster-management-wft + namespace: osm-workflows +spec: + templates: + + # Create a PaaS cluster using CrossPlane (any cloud) + - name: create-crossplane-cluster + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + + # Specific parameters + - name: cluster_kustomization_name + - name: cluster_name + ## As of today, one among `aks`, `eks` or `gke`: + - name: cluster_type + - name: providerconfig_name + - name: vm_size + - name: node_count + - name: cluster_location + - name: k8s_version + - name: public_key_mgmt + - name: public_key_new_cluster + - name: secret_name_private_age_key_for_new_cluster + - name: key_name_in_secret + value: "agekey" + - name: fleet_repo_url + - name: sw_catalogs_repo_url + - name: mgmt_project_name + value: "osm_admin" + ## Do we want to skip OSM's bootstrap? 
+ - name: skip_bootstrap + value: "false" + ## AKS only (otherwise, empty) + - name: rg_name + values: "" + ## GKE only (otherwise, empty) + - name: preemptible_nodes + values: "false" + # Other parameters - Recommended to keep defaults + - name: mgmt_cluster_name + value: "_management" + - name: base_templates_path + value: "cloud-resources" + - name: cloned_fleet_folder_name + value: "fleet-osm" + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + # Debug? + - name: debug + value: "false" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: PRIVATE_KEY_NEW_CLUSTER + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.secret_name_private_age_key_for_new_cluster}}" + key: "{{inputs.parameters.key_name_in_secret}}" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - create_crossplane_cluster + - "{{inputs.parameters.cluster_kustomization_name}}" + - "{{inputs.parameters.cluster_name}}" + - "{{inputs.parameters.cluster_type}}" + - "{{inputs.parameters.providerconfig_name}}" + - "{{inputs.parameters.vm_size}}" + - "{{inputs.parameters.node_count}}" + - "{{inputs.parameters.cluster_location}}" + - "{{inputs.parameters.k8s_version}}" + - "{{inputs.parameters.public_key_mgmt}}" + - "{{inputs.parameters.public_key_new_cluster}}" + - '' + - "{{inputs.parameters.rg_name}}" + - "{{inputs.parameters.preemptible_nodes}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + - "{{inputs.parameters.fleet_repo_url}}" + - "{{inputs.parameters.sw_catalogs_mount_path}}/{{inputs.parameters.cloned_sw_catalogs_folder_name}}" + - "{{inputs.parameters.sw_catalogs_repo_url}}" + - "{{inputs.parameters.skip_bootstrap}}" + - "{{inputs.parameters.mgmt_project_name}}" + - "{{inputs.parameters.mgmt_cluster_name}}" + - "{{inputs.parameters.base_templates_path}}" + + volumeMounts: + - name: fleet-repo-volume + mountPath: 
'{{inputs.parameters.fleet_mount_path}}' + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # Update a PaaS cluster created using CrossPlane (any cloud) + - name: update-crossplane-cluster + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + + # Specific parameters + - name: cluster_kustomization_name + - name: cluster_name + ## As of today, one among `aks`, `eks` or `gke`: + - name: cluster_type + - name: providerconfig_name + - name: vm_size + - name: node_count + - name: cluster_location + - name: k8s_version + - name: public_key_mgmt + - name: public_key_new_cluster + - name: secret_name_private_age_key_for_new_cluster + - name: key_name_in_secret + value: "agekey" + - name: fleet_repo_url + - name: sw_catalogs_repo_url + - name: mgmt_project_name + value: "osm_admin" + ## AKS only (otherwise, empty) + - name: rg_name + values: "" + ## GKE only (otherwise, empty) + - name: preemptible_nodes + values: "false" + # Other parameters - Recommended to keep defaults + - name: mgmt_cluster_name + value: "_management" + - name: base_templates_path + value: "cloud-resources" + - name: cloned_fleet_folder_name + value: "fleet-osm" + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + # Debug? 
+ - name: debug + value: "false" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: PRIVATE_KEY_NEW_CLUSTER + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.secret_name_private_age_key_for_new_cluster}}" + key: "{{inputs.parameters.key_name_in_secret}}" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - update_crossplane_cluster + - "{{inputs.parameters.cluster_kustomization_name}}" + - "{{inputs.parameters.cluster_name}}" + - "{{inputs.parameters.cluster_type}}" + - "{{inputs.parameters.providerconfig_name}}" + - "{{inputs.parameters.vm_size}}" + - "{{inputs.parameters.node_count}}" + - "{{inputs.parameters.cluster_location}}" + - "{{inputs.parameters.k8s_version}}" + - "{{inputs.parameters.public_key_mgmt}}" + - "{{inputs.parameters.public_key_new_cluster}}" + - '' + - "{{inputs.parameters.rg_name}}" + - "{{inputs.parameters.preemptible_nodes}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + - "{{inputs.parameters.fleet_repo_url}}" + - "{{inputs.parameters.sw_catalogs_mount_path}}/{{inputs.parameters.cloned_sw_catalogs_folder_name}}" + - "{{inputs.parameters.sw_catalogs_repo_url}}" + ## Note that during upgrades, OSM's bootstrap is avoided: + - "true" + - "{{inputs.parameters.mgmt_project_name}}" + - "{{inputs.parameters.mgmt_cluster_name}}" + - "{{inputs.parameters.base_templates_path}}" + + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # 
Bootstrap remote cluster running in **ANY cloud** + - name: bootstrap-remote-cluster + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + + # Specific parameters + - name: cluster_name + - name: cluster_kustomization_name + - name: public_key_mgmt + - name: public_key_new_cluster + - name: secret_name_private_age_key_for_new_cluster + - name: key_name_in_secret + value: "agekey" + - name: fleet_repo_url + - name: sw_catalogs_repo_url + + # Other parameters - Recommended to keep defaults + - name: mgmt_project_name + value: "osm_admin" + - name: imported_cluster + value: "false" + - name: fleet_repo_dir + value: "/fleet/fleet-osm/" + - name: sw_catalogs_repo_dir + value: "/sw-catalogs/sw-catalogs-osm/" + + # Debug/dry run? + - name: debug + value: "false" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: PRIVATE_KEY_NEW_CLUSTER + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.secret_name_private_age_key_for_new_cluster}}" + key: "{{inputs.parameters.key_name_in_secret}}" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - create_bootstrap_for_remote_cluster + - "{{inputs.parameters.cluster_name}}" + - "{{inputs.parameters.cluster_kustomization_name}}" + - "{{inputs.parameters.fleet_repo_dir}}" + - "{{inputs.parameters.sw_catalogs_repo_dir}}" + - "{{inputs.parameters.fleet_repo_url}}" + - "{{inputs.parameters.sw_catalogs_repo_url}}" + - "{{inputs.parameters.mgmt_project_name}}" + - "{{inputs.parameters.public_key_mgmt}}" + - "{{inputs.parameters.public_key_new_cluster}}" + - '' + - "{{inputs.parameters.imported_cluster}}" + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + - name: sw-catalogs-repo-volume + mountPath: 
'{{inputs.parameters.sw_catalogs_mount_path}}' + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # Disconnect Flux in remote cluster running in **ANY cloud** + - name: disconnect-flux-remote-cluster + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + + # Specific parameters + - name: cluster_kustomization_name + - name: mgmt_project_name + value: "osm_admin" + + # Other parameters - Recommended to keep defaults + - name: fleet_repo_dir + value: "/fleet/fleet-osm/" + + # Debug/dry run? + - name: debug + value: "false" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - disconnect_flux_remote_cluster + - "{{inputs.parameters.cluster_kustomization_name}}" + - "{{inputs.parameters.fleet_repo_dir}}" + - "{{inputs.parameters.mgmt_project_name}}" + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # Delete cluster from **ANY** cloud + - name: delete-cluster + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + + # Specific parameters + - name: cluster_kustomization_name + - name: project_name + value: "osm_admin" + + # Other parameters - Recommended to keep defaults + - name: fleet_repo_dir + value: "/fleet/fleet-osm/" + - name: mgmt_resources_dir + value: 
"{{inputs.parameters.fleet_repo_dir}}/{{inputs.parameters.project_name}}/managed-resources/_management" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + command: ["/app/scripts/entrypoint.sh"] + args: + - delete_remote_cluster + - "{{inputs.parameters.cluster_kustomization_name}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.fleet_repo_dir}}" + - "{{inputs.parameters.mgmt_resources_dir}}" + + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/debugging-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/debugging-wft.yaml new file mode 100644 index 0000000000000000000000000000000000000000..5d4d1644c6df88c85df51472c33af2781e2a2fd2 --- /dev/null +++ b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/debugging-wft.yaml 
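Review bot: In `create-crossplane-cluster` and `update-crossplane-cluster` the defaults for `rg_name` and `preemptible_nodes` are written `values: ""` and `values: "false"`, while every other default in the file uses `value:`, so these look like typos that leave the two parameters either rejected at validation or without a default. They should read `value: ""` and `value: "false"`. In `delete-cluster`, the default of `mgmt_resources_dir` is built from `fleet_repo_dir`, whose default already ends in `/`, giving a path with a doubled slash; that is usually harmless, but since this template removes resources a comment such as `# fleet_repo_dir must end with "/"` or dropping one of the slashes would make the contract explicit.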
@@ -0,0 +1,107 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: debugging-wft + namespace: osm-workflows + +spec: + templates: + # Leaf templates + - name: ls-command + inputs: + parameters: + - name: volume_name + - name: folder + - name: mount_path + volumes: + - name: shared-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.volume_name}}' + script: + image: alpine:3.20 + volumeMounts: + - name: shared-volume + mountPath: "{{inputs.parameters.mount_path}}" + command: ["sh"] + source: | + ls -laR "{{inputs.parameters.folder}}" + - name: find-command + inputs: + parameters: + - name: volume_name + - name: folder + - name: mount_path + volumes: + - name: shared-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.volume_name}}' + script: + image: alpine:3.20 + volumeMounts: + - name: shared-volume + mountPath: "{{inputs.parameters.mount_path}}" + command: ["sh"] + source: | + find "{{inputs.parameters.folder}}" + - name: echo-command + inputs: + parameters: + - name: message + script: + image: alpine:3.20 + command: ["sh"] + source: | + echo "{{inputs.parameters.message}}" + - name: cat-command + inputs: + parameters: + - name: volume_name + 
- name: mount_path + - name: filename + volumes: + - name: shared-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.volume_name}}' + script: + image: alpine:3.20 + volumeMounts: + - name: shared-volume + mountPath: "{{inputs.parameters.mount_path}}" + command: ["sh"] + source: | + cat '{{inputs.parameters.filename}}' + - name: touch-command + inputs: + parameters: + - name: volume_name + - name: mount_path + - name: filename + volumes: + - name: shared-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.volume_name}}' + script: + image: alpine:3.20 + volumeMounts: + - name: shared-volume + mountPath: "{{inputs.parameters.mount_path}}" + command: ["sh"] + source: | + touch "{{inputs.parameters.filename}}" diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/git-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/git-wft.yaml new file mode 100644 index 0000000000000000000000000000000000000000..568a2dd9da454131f89ab25f8ff0bc69e2be744e --- /dev/null +++ b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/git-wft.yaml 
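Review bot: Each `source` script splices `{{inputs.parameters.*}}` straight into the shell text, and Argo substitutes the value before `sh` parses the script, so a parameter that contains a quote or a command substitution is read as shell syntax rather than data; the surrounding quotes do not prevent that. Passing the value through `env` and expanding the variable in the script keeps it as data. The fence shows `ls-command`; `find-command`, `echo-command`, `cat-command` and `touch-command` need the same change, and so do the variable assignments at the top of both scripts in git-wft.yaml.

```yaml
    script:
      image: alpine:3.20
      # … unchanged: volumeMounts …
      env:
      - name: FOLDER
        value: "{{inputs.parameters.folder}}"
      command: ["sh"]
      source: |
        ls -laR -- "${FOLDER}"
```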
@@ -0,0 +1,173 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: git-wft + namespace: osm-workflows +spec: + templates: + + - name: git-clone + inputs: + parameters: + - name: repo_url + - name: destination_folder + - name: git_cred_secret + - name: git_volume_name + - name: mount_path + volumes: + - name: repos-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.git_volume_name}}' + script: + image: alpine/git:2.45.1 + env: + - name: GIT_USER + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.git_cred_secret}}" + key: username + - name: GIT_PASS + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.git_cred_secret}}" + key: password + volumeMounts: + - name: repos-volume + mountPath: '{{inputs.parameters.mount_path}}' + command: ["sh"] + source: | + FULL_URL="{{inputs.parameters.repo_url}}" + DESTINATION="{{inputs.parameters.destination_folder}}" + CLONE_URL="" + + echo "Cloning: ${FULL_URL} . . ." 
+ + [[ -n "${DESTINATION}" ]] && mkdir -p "${DESTINATION}" + + # Determine final clone URL + if [[ -z "${GIT_USER}" ]]; then + CLONE_URL="${FULL_URL}" + elif [[ -n "${GIT_PASS}" ]]; then + PROTOCOL=$(echo "${FULL_URL}" | awk -F '://' '{print $1}') + BASE_URL=$(echo "${FULL_URL}" | awk -F '://' '{print $2}') + CLONE_URL="${PROTOCOL}://${GIT_USER}@${BASE_URL}" + else + echo "ERROR: Malformed invocation." + echo " FULL_URL=${FULL_URL}" + echo " GIT_USER=${GIT_USER}" + echo " DESTINATION=${DESTINATION}" + exit 1 + fi + + # Clone + mkdir -p /repos + cd /repos + if [[ -z "${DESTINATION}" ]]; then + echo -e "${GIT_PASS}\n" | git clone "${CLONE_URL}" + else + echo -e "${GIT_PASS}\n" | git clone "${CLONE_URL}" "${DESTINATION}" + fi + + - name: git-commit-merge-push + inputs: + parameters: + - name: repo_folder + - name: git_cred_secret + - name: git_volume_name + - name: mount_path + - name: commit_message + - name: main_branch + value: main + - name: contrib_branch + value: osm_contrib + - name: dry_run + value: false + volumes: + - name: repos-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.git_volume_name}}' + script: + image: alpine/git:2.45.1 + env: + - name: GIT_USER + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.git_cred_secret}}" + key: username + - name: GIT_PASS + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.git_cred_secret}}" + key: password + volumeMounts: + - name: repos-volume + mountPath: '{{inputs.parameters.mount_path}}' + command: ["sh"] + source: | + DESTINATION="{{inputs.parameters.repo_folder}}" + COMMIT_MESSAGE="{{inputs.parameters.commit_message}}" + CONTRIB_BRANCH="{{inputs.parameters.contrib_branch}}" + MAIN_BRANCH="{{inputs.parameters.main_branch}}" + DRY_RUN="{{inputs.parameters.dry_run}}" + + # Go to the repo folder + cd "${DESTINATION}" + + # Setup global Git user and email + echo "Setting up global Git user and e-mail..." 
+ git config --global user.name "${GIT_USER}" + git config --global user.email "${GIT_USER}@${GIT_USER}.local" + + # Create contrib branch + echo "Creating ${CONTRIB_BRANCH} branch into ${DESTINATION}..." + git checkout -b ${CONTRIB_BRANCH} + + # Creating commit + git status + git add -A + git commit -m "Operation ${CONTRIB_BRANCH}: ${COMMIT_MESSAGE}" + + # Pull and merge branch + git checkout ${MAIN_BRANCH} + echo "Pulling latest commits from ${MAIN_BRANCH} branch (if any)..." + echo -e "${GIT_PASS}\n" | git pull + + echo "Merging branch ${CONTRIB_BRANCH} onto ${MAIN_BRANCH}..." + git merge --no-ff "${CONTRIB_BRANCH}" + + if [[ "${DRY_RUN}" != "true" ]] + then + echo "Pushing..." + cat << "EOF" > "${HOME}/git-creds.sh" + #!/bin/sh + if echo "$1" | grep -q '^Password'; then + echo "${GIT_PASS}" + else + echo "${GIT_USER}" + fi + exit 0 + EOF + + chmod +x "${HOME}/git-creds.sh" + TTY=$(tty) GIT_USERNAME="${GIT_USER}" GIT_ASKPASS=~/git-creds.sh git push origin "${MAIN_BRANCH}" + + else + echo "DRY RUN - NO PUSH" + fi diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/k8s-resources-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/k8s-resources-wft.yaml new file mode 100644 index 0000000000000000000000000000000000000000..1c0dfeb1298e5a1ab8f90b214bd96bff6bd33653 --- /dev/null +++ b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/k8s-resources-wft.yaml 
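Review bot: `git-clone` and the `git pull` in `git-commit-merge-push` feed the password with `echo -e "${GIT_PASS}\n" | git …`, but as far as I know git does not read HTTPS credentials from standard input; it asks through an askpass helper or the terminal, so in a pod without a TTY an authenticated clone or pull would presumably fail. The push already uses a `GIT_ASKPASS` helper that reads `GIT_PASS` from the environment at call time, so creating `git-creds.sh` before the first network operation and running clone, pull and push with `GIT_ASKPASS` set would make the three consistent. `git checkout -b ${CONTRIB_BRANCH}` and `git checkout ${MAIN_BRANCH}` are also unquoted, unlike the rest of the script; `git checkout -b "${CONTRIB_BRANCH}"` and `git checkout "${MAIN_BRANCH}"` avoid word splitting on a parameter value.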
@@ -0,0 +1,48 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: k8s-resources-wft
+ namespace: osm-workflows
+spec:
+ templates:
+
+ - name: generate-volume
+ serviceAccountName: argo
+ inputs:
+ parameters:
+ - name: pvc-size
+ resource:
+ action: create
+ setOwnerReference: true
+ manifest: |
+ apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ generateName: pvc-osm-
+ spec:
+ accessModes: ['ReadWriteOnce']
+ resources:
+ requests:
+ storage: '{{inputs.parameters.pvc-size}}'
+ outputs:
+ parameters:
+ - name: pvc-name
+ valueFrom:
+ jsonPath: '{.metadata.name}'
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/ksu-management-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/ksu-management-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..71dc58b97ce7b9fa794edbc34476cd8fdfe85326
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/ksu-management-wft.yaml
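Review bot: `pvc-size` is pasted as text into the `manifest` block at `storage: '{{inputs.parameters.pvc-size}}'`, and the `generate-volume` template neither gives it a default nor constrains it. A value containing a single quote or a line break would therefore change the structure of the PersistentVolumeClaim created under the `argo` service account, and an oversized request is accepted as is. If the set of sizes is known, constrain the parameter where it is declared, for example with an `enum:` list under `- name: pvc-size`. Whether the controller enforces that list at submission is worth confirming, so the caller should still check that the value is a plain Kubernetes quantity. At minimum document the contract above the parameter: `# pvc-size: Kubernetes quantity such as 1Gi; substituted verbatim into the manifest, validate before submitting`.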
@@ -0,0 +1,1194 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: ksu-management-wft + namespace: osm-workflows +spec: + templates: + +# Create a KSU based on an OKA Package which includes a `HelmRelease` + - name: create-ksu-oka-hr + inputs: + parameters: + # References to required external resources + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + # Specific parameters - Base KSU generation from template + - name: templates_path + ## Should substitute environment variables in the template? 
+ - name: substitute_environment + value: "false" + ## Filter for substitution of environment variables + - name: substitution_filter + value: "" + ## Custom environment variables (formatted as .env), to be used for template parametrization + - name: custom_env_vars + value: "" + ## Root folder of the cloned SW Catalogs repo - Do not touch + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + # Specific parameters - Patch HelmRelease in KSU with inline values + - name: kustomization_name + - name: helmrelease_name + - name: inline_values + value: "" + # Specific parameters - Secret generation + - name: is_preexisting_secret + value: "false" + - name: target_ns + - name: age_public_key + - name: values_secret_name + - name: reference_secret_for_values + - name: reference_key_for_values + - name: secret_key + value: "values.yaml" + # Specific parameters - Configmap generation + - name: is_preexisting_cm + value: "false" + - name: values_cm_name + - name: cm_key + value: "values.yaml" + - name: cm_values + value: "" + # Specific parameters - KSU rendering + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + - name: sync + value: "true" + ## Root folder of the cloned Fleet repo - Do not touch + - name: cloned_fleet_folder_name + value: "fleet-osm" + # Debug? 
+ - name: debug + value: "false" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: SECRET_VALUES + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.reference_secret_for_values}}" + key: "{{inputs.parameters.reference_key_for_values}}" + optional: true + default: "" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - create_hr_ksu_into_profile + - "{{inputs.parameters.sw_catalogs_mount_path}}/{{inputs.parameters.cloned_sw_catalogs_folder_name}}/{{inputs.parameters.templates_path}}" + - "{{inputs.parameters.substitute_environment}}" + - "{{inputs.parameters.substitution_filter}}" + - "{{inputs.parameters.custom_env_vars}}" + - "{{inputs.parameters.kustomization_name}}" + - "{{inputs.parameters.helmrelease_name}}" + - "{{inputs.parameters.inline_values}}" + - "{{inputs.parameters.is_preexisting_secret}}" + - "{{inputs.parameters.target_ns}}" + - "{{inputs.parameters.values_secret_name}}" + - "{{inputs.parameters.secret_key}}" + - "{{inputs.parameters.age_public_key}}" + - '' + - "{{inputs.parameters.is_preexisting_cm}}" + - "{{inputs.parameters.values_cm_name}}" + - "{{inputs.parameters.cm_key}}" + - "{{inputs.parameters.cm_values}}" + - "{{inputs.parameters.ksu_name}}" + - "{{inputs.parameters.profile_name}}" + - "{{inputs.parameters.profile_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + - "{{inputs.parameters.sync}}" + volumeMounts: + - name: fleet-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + volumes: + - name: fleet-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + securityContext: + fsGroup: 
10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + +# Update a KSU based on an OKA Package which includes a `HelmRelease` + - name: update-ksu-oka-hr + inputs: + parameters: + # References to required external resources + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + # Specific parameters - Base KSU generation from template + - name: templates_path + ## Should substitute environment variables in the template? + - name: substitute_environment + value: "false" + ## Filter for substitution of environment variables + - name: substitution_filter + value: "" + ## Custom environment variables (formatted as .env), to be used for template parametrization + - name: custom_env_vars + value: "" + ## Root folder of the cloned SW Catalogs repo - Do not touch + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + # Specific parameters - Patch HelmRelease in KSU with inline values + - name: kustomization_name + - name: helmrelease_name + - name: inline_values + value: "" + # Specific parameters - Secret generation + - name: is_preexisting_secret + value: "false" + - name: target_ns + - name: age_public_key + - name: values_secret_name + - name: reference_secret_for_values + - name: reference_key_for_values + - name: secret_key + value: "values.yaml" + # Specific parameters - Configmap generation + - name: is_preexisting_cm + value: "false" + - name: values_cm_name + - name: cm_key + value: "values.yaml" + - name: cm_values + value: "" + # Specific parameters - KSU rendering + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + ## Root folder of the cloned Fleet repo - Do not touch + - name: cloned_fleet_folder_name + value: "fleet-osm" + # Debug? 
+ - name: debug + value: "false" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: SECRET_VALUES + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.reference_secret_for_values}}" + key: "{{inputs.parameters.reference_key_for_values}}" + optional: true + default: "" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - update_hr_ksu_into_profile + - "{{inputs.parameters.sw_catalogs_mount_path}}/{{inputs.parameters.cloned_sw_catalogs_folder_name}}/{{inputs.parameters.templates_path}}" + - "{{inputs.parameters.substitute_environment}}" + - "{{inputs.parameters.substitution_filter}}" + - "{{inputs.parameters.custom_env_vars}}" + - "{{inputs.parameters.kustomization_name}}" + - "{{inputs.parameters.helmrelease_name}}" + - "{{inputs.parameters.inline_values}}" + - "{{inputs.parameters.is_preexisting_secret}}" + - "{{inputs.parameters.target_ns}}" + - "{{inputs.parameters.values_secret_name}}" + - "{{inputs.parameters.secret_key}}" + - "{{inputs.parameters.age_public_key}}" + - '' + - "{{inputs.parameters.is_preexisting_cm}}" + - "{{inputs.parameters.values_cm_name}}" + - "{{inputs.parameters.cm_key}}" + - "{{inputs.parameters.cm_values}}" + - "{{inputs.parameters.ksu_name}}" + - "{{inputs.parameters.profile_name}}" + - "{{inputs.parameters.profile_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + volumeMounts: + - name: fleet-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + volumes: + - name: fleet-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # 
runAsGroup: 10000 + + +# Create a "generated" KSU from `HelmRelease` and Source Repo definitions + - name: create-ksu-generated-hr + inputs: + parameters: + # References to required external resources + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + # HelmRelease generation + - name: helmrelease_name + - name: chart_name + - name: chart_version + - name: target_ns + - name: create_ns + # Repo source generation + - name: is_preexisting_repo + value: "false" + - name: helmrepo_name + - name: helmrepo_url + - name: helmrepo_ns + valueFrom: + expression: "{{input.parameters.target_ns}}" + - name: helmrepo_secret_ref + # HelmRelease inline values (if any) + - name: inline_values + value: "" + # Secret reference and generation (if required) + - name: is_preexisting_secret + value: "false" + - name: values_secret_name + - name: secret_key + value: "values.yaml" + - name: age_public_key + ## Secret values will be obtained from the + ## secret named after the input parameter `reference_secret_for_values`, + ## and from the key named after the input parameter `reference_key_for_values` + - name: reference_secret_for_values + - name: reference_key_for_values + # ConfigMap reference and generation (if required) + - name: is_preexisting_cm + value: "false" + - name: values_cm_name + - name: cm_key + value: "values.yaml" + - name: cm_values + value: "" + # KSU rendering + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + # By default, it will not syncronize, so that we can easily accumulate more than + # one Helm chart into the same KSU if desired + - name: sync + value: "false" + ## Root folder of the cloned Fleet repo - Do not touch + ### `FLEET_REPO_DIR` is the result of: + ### "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + - name: cloned_fleet_folder_name + value: "fleet-osm" + # Debug? 
+ - name: debug + value: "false" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: SECRET_VALUES + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.reference_secret_for_values}}" + key: "{{inputs.parameters.reference_key_for_values}}" + optional: true + default: "" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - create_generated_ksu_from_helm_into_profile + - "{{inputs.parameters.helmrelease_name}}" + - "{{inputs.parameters.chart_name}}" + - "{{inputs.parameters.chart_version}}" + - "{{inputs.parameters.target_ns}}" + - "{{inputs.parameters.create_ns}}" + - "{{inputs.parameters.is_preexisting_repo}}" + - "{{inputs.parameters.helmrepo_name}}" + - "{{inputs.parameters.helmrepo_url}}" + - "{{inputs.parameters.helmrepo_ns}}" + - "{{inputs.parameters.helmrepo_secret_ref}}" + - "{{inputs.parameters.inline_values}}" + - "{{inputs.parameters.is_preexisting_secret}}" + - "{{inputs.parameters.values_secret_name}}" + - "{{inputs.parameters.secret_key}}" + - "{{inputs.parameters.age_public_key}}" + - '' + - "{{inputs.parameters.is_preexisting_cm}}" + - "{{inputs.parameters.values_cm_name}}" + - "{{inputs.parameters.cm_key}}" + - "{{inputs.parameters.cm_values}}" + - "{{inputs.parameters.ksu_name}}" + - "{{inputs.parameters.profile_name}}" + - "{{inputs.parameters.profile_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + - "{{inputs.parameters.sync}}" + volumeMounts: + - name: fleet-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + volumes: + - name: fleet-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + +# Update a "generated" KSU from `HelmRelease` and Source Repo definitions + - name: update-ksu-generated-hr + inputs: + parameters: + # 
References to required external resources + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + # HelmRelease generation + - name: helmrelease_name + - name: chart_name + - name: chart_version + - name: target_ns + - name: create_ns + # Repo source generation + - name: is_preexisting_repo + value: "false" + - name: helmrepo_name + - name: helmrepo_url + - name: helmrepo_ns + valueFrom: + expression: "{{input.parameters.target_ns}}" + - name: helmrepo_secret_ref + # HelmRelease inline values (if any) + - name: inline_values + value: "" + # Secret reference and generation (if required) + - name: is_preexisting_secret + value: "false" + - name: values_secret_name + - name: secret_key + value: "values.yaml" + - name: age_public_key + ## Secret values will be obtained from the + ## secret named after the input parameter `reference_secret_for_values`, + ## and from the key named after the input parameter `reference_key_for_values` + - name: reference_secret_for_values + - name: reference_key_for_values + # ConfigMap reference and generation (if required) + - name: is_preexisting_cm + value: "false" + - name: values_cm_name + - name: cm_key + value: "values.yaml" + - name: cm_values + value: "" + # KSU rendering + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + ## Root folder of the cloned Fleet repo - Do not touch + ### `FLEET_REPO_DIR` is the result of: + ### "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + - name: cloned_fleet_folder_name + value: "fleet-osm" + # Debug? 
+ - name: debug + value: "false" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: SECRET_VALUES + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.reference_secret_for_values}}" + key: "{{inputs.parameters.reference_key_for_values}}" + optional: true + default: "" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - update_generated_ksu_from_helm_into_profile + - "{{inputs.parameters.helmrelease_name}}" + - "{{inputs.parameters.chart_name}}" + - "{{inputs.parameters.chart_version}}" + - "{{inputs.parameters.target_ns}}" + - "{{inputs.parameters.create_ns}}" + - "{{inputs.parameters.is_preexisting_repo}}" + - "{{inputs.parameters.helmrepo_name}}" + - "{{inputs.parameters.helmrepo_url}}" + - "{{inputs.parameters.helmrepo_ns}}" + - "{{inputs.parameters.helmrepo_secret_ref}}" + - "{{inputs.parameters.inline_values}}" + - "{{inputs.parameters.is_preexisting_secret}}" + - "{{inputs.parameters.values_secret_name}}" + - "{{inputs.parameters.secret_key}}" + - "{{inputs.parameters.age_public_key}}" + - '' + - "{{inputs.parameters.is_preexisting_cm}}" + - "{{inputs.parameters.values_cm_name}}" + - "{{inputs.parameters.cm_key}}" + - "{{inputs.parameters.cm_values}}" + - "{{inputs.parameters.ksu_name}}" + - "{{inputs.parameters.profile_name}}" + - "{{inputs.parameters.profile_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + volumeMounts: + - name: fleet-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + volumes: + - name: fleet-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + +# Delete a KSU from a profile + - name: delete-ksu + inputs: + parameters: + # References to required external resources + - name: fleet_volume_name + - name: 
fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + # Specific parameters - KSU id + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + # Other parameters - Do not touch + - name: cloned_fleet_folder_name + value: "fleet-osm" + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + # Debug? + - name: debug + value: "false" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - delete_ksu_from_profile + - "{{inputs.parameters.ksu_name}}" + - "{{inputs.parameters.profile_name}}" + - "{{inputs.parameters.profile_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + volumeMounts: + - name: fleet-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + volumes: + - name: fleet-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + +# Clone a KSU from a profile to another + - name: clone-ksu + inputs: + parameters: + # References to required external resources + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + # Specific parameters - Source and destination KSU + ## Source KSU: + - name: source_ksu_name + - name: source_profile_name + - name: source_profile_type + - name: source_project_name + value: "osm_admin" + ## Destination KSU: + ## - If any of the destination parameters are not specified, it will assume + ## they are the same as in source. 
+ ## - It will reject if all are empty or equal to source, to avoid cloning a KSU over itself + - name: destination_ksu_name + value: "" + - name: destination_profile_name + value: "" + - name: destination_profile_type + value: "" + - name: destination_project_name + value: "" + # Other parameters - Do not touch + - name: cloned_fleet_folder_name + value: "fleet-osm" + # Debug? + - name: debug + value: "false" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - clone_ksu + - "{{inputs.parameters.source_ksu_name}}" + - "{{inputs.parameters.source_profile_name}}" + - "{{inputs.parameters.source_profile_type}}" + - "{{inputs.parameters.source_project_name}}" + - "{{inputs.parameters.destination_ksu_name}}" + - "{{inputs.parameters.destination_profile_name}}" + - "{{inputs.parameters.destination_profile_type}}" + - "{{inputs.parameters.destination_project_name}}" + - "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + volumeMounts: + - name: fleet-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + volumes: + - name: fleet-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # Read template folder from OKA Package and convert to `ResourceList` + # It can work as KRM generator function, since it accepts an optional input `ResourceList` + - name: folder2list + inputs: + parameters: + # References to required external resources + - name: sw_catalogs_volume_name + - name: temp_volume_name + # Filename for input stream + - name: input_stream_file + value: "/dev/null" + # Specific parameters + ## Relative path from `sw_catalogs_mount_path` + - name: templates_path + ## Should substitute environment variables in the template? 
+ - name: substitute_environment + value: "false" + ## Filter for substitution of environment variables + - name: substitution_filter + value: "" + ## Custom environment variables (formatted as .env), to be used for template parametrization + - name: custom_env_vars + value: "" + # value: | + # KEY1=value1 + # KEY2=value2 + # Debug mode? + - name: debug + value: "false" + # Other parameters - Do not touch + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + - name: rand_str + value: "{{=sprig.randAlphaNum(9)}}" + outputs: + parameters: + - name: output_file + value: "/results/resourcelist.{{inputs.parameters.rand_str}}.yaml" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: INFILE + value: "{{inputs.parameters.input_stream_file}}" + - name: OUTFILE + value: "/results/resourcelist.{{inputs.parameters.rand_str}}.yaml" + - name: CUSTOM_ENV + value: "{{inputs.parameters.custom_env_vars}}" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - folder2list_generator + - "{{inputs.parameters.sw_catalogs_mount_path}}/{{inputs.parameters.cloned_sw_catalogs_folder_name}}/{{inputs.parameters.templates_path}}" + - "{{inputs.parameters.substitute_environment}}" + - "{{inputs.parameters.substitution_filter}}" + volumeMounts: + - name: temp-volume + mountPath: "/results" + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + volumes: + - name: temp-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.temp_volume_name}}' + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # Transform `ResourceList`'s main Kustomization to patch `HelmRelease` to use + # inline values + - name: transform-ks-add-values-to-hr + 
inputs: + parameters: + # References to required external resources + - name: temp_volume_name + # Specific parameters - Generator + ## Filename for input stream + - name: input_stream_file + # Specific parameters + ## Patched objects + - name: kustomization_name + - name: helmrelease_name + ## Input values for the Helm Chart + - name: inline_values + # Debug mode? + - name: debug + value: "false" + # Other parameters - Do not touch + - name: rand_str + value: "{{=sprig.randAlphaNum(9)}}" + outputs: + parameters: + - name: output_file + value: "/results/resourcelist.{{inputs.parameters.rand_str}}.yaml" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: INFILE + value: "{{inputs.parameters.input_stream_file}}" + - name: OUTFILE + value: "/results/resourcelist.{{inputs.parameters.rand_str}}.yaml" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - add_values_to_helmrelease_via_ks + - "{{inputs.parameters.kustomization_name}}" + - "{{inputs.parameters.helmrelease_name}}" + - "{{inputs.parameters.inline_values}}" + volumeMounts: + - name: temp-volume + mountPath: "/results" + volumes: + - name: temp-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.temp_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # Transform `ResourceList`'s main Kustomization to patch `HelmRelease` to use + # values from a Secret, a ConfigMap or both. + - name: transform-ks-add-referenced-values-to-hr + inputs: + parameters: + # References to required external resources + - name: temp_volume_name + # Specific parameters - Generator + ## Filename for input stream + - name: input_stream_file + # Specific parameters + - name: kustomization_name + - name: helmrelease_name + ## Source for values (Secret, ConfigMap or both) + - name: values_secret_name + value: "" + - name: values_cm_name + value: "" + # Debug mode? 
+ - name: debug + value: "false" + # Other parameters - Do not touch + - name: rand_str + value: "{{=sprig.randAlphaNum(9)}}" + outputs: + parameters: + - name: output_file + value: "/results/resourcelist.{{inputs.parameters.rand_str}}.yaml" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: INFILE + value: "{{inputs.parameters.input_stream_file}}" + - name: OUTFILE + value: "/results/resourcelist.{{inputs.parameters.rand_str}}.yaml" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - add_ref_values_to_hr_via_ks + - "{{inputs.parameters.kustomization_name}}" + - "{{inputs.parameters.helmrelease_name}}" + - "{{inputs.parameters.values_secret_name}}" + - "{{inputs.parameters.values_cm_name}}" + volumeMounts: + - name: temp-volume + mountPath: "/results" + volumes: + - name: temp-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.temp_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # KRM function to render a ResourceList with a KSU into a target profile + - name: render-ksu-into-profile + inputs: + parameters: + # References to required external resources + - name: fleet_volume_name + - name: temp_volume_name + # Filename for input stream + - name: input_stream_file + # Specific parameters + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + ## Whether the target KSU folder will be fully re-created on render + - name: sync + value: "false" + # Debug mode? 
+ - name: debug + value: "false" + # Other parameters - Do not touch + - name: fleet_mount_path + value: "/fleet" + - name: fleet_repo_dir + value: "/fleet/fleet-osm/" + - name: rand_str + value: "{{=sprig.randAlphaNum(9)}}" + outputs: + parameters: + - name: output_file + value: "/results/resourcelist.{{inputs.parameters.rand_str}}.yaml" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: INFILE + value: "{{inputs.parameters.input_stream_file}}" + - name: OUTFILE + value: "/results/resourcelist.{{inputs.parameters.rand_str}}.yaml" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - render_ksu_into_profile + - "{{inputs.parameters.ksu_name}}" + - "{{inputs.parameters.profile_name}}" + - "{{inputs.parameters.profile_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.fleet_repo_dir}}" + - "{{inputs.parameters.sync}}" + volumeMounts: + - name: temp-volume + mountPath: "/results" + - name: fleet-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + volumes: + - name: temp-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.temp_volume_name}}' + - name: fleet-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # KRM generator to create Secrets suitable to pass values to `HelmReleases` + - name: generator-secret-hr-values + inputs: + parameters: + # References to required external resources + - name: temp_volume_name + # Specific parameters - Generator + ## Filename for input stream + - name: input_stream_file + value: "/dev/null" + ## Name of final manifest filename into generated `ResourceList` object + - name: final_manifest_filename + # Specific parameters - Secret + - name: age_public_key + - name: values_secret_name + - name: target_ns + - name: reference_secret_for_values + - name: 
reference_key_for_values + - name: secret_key + value: "values.yaml" + # Debug mode? + - name: debug + value: "false" + outputs: + parameters: + - name: output_file + valueFrom: + parameter: '{{steps.generate-resourcelist.outputs.parameters.output_file}}' + steps: + - - name: build-manifest + templateRef: + name: ksu-management-wft + template: manifest-secret-hr-values + arguments: + parameters: + # References to required external resources + - name: temp_volume_name + value: "{{inputs.parameters.temp_volume_name}}" + # Specific parameters + - name: age_public_key + value: "{{inputs.parameters.age_public_key}}" + - name: values_secret_name + value: "{{inputs.parameters.values_secret_name}}" + - name: target_ns + value: "{{inputs.parameters.target_ns}}" + - name: reference_secret_for_values + value: "{{inputs.parameters.reference_secret_for_values}}" + - name: reference_key_for_values + value: "{{inputs.parameters.reference_key_for_values}}" + - name: secret_key + value: "{{inputs.parameters.secret_key}}" + # Debug? + - name: debug + value: "{{inputs.parameters.debug}}" + - - name: generate-resourcelist + templateRef: + name: ksu-management-wft + template: make-generator + arguments: + parameters: + # References to required external resources + - name: temp_volume_name + value: "{{inputs.parameters.temp_volume_name}}" + # Filename for input stream + - name: input_stream_file + value: "{{inputs.parameters.input_stream_file}}" + # File with raw manifest + - name: input_manifest_file + value: '{{steps.build-manifest.outputs.parameters.output_file}}' + # Name of final manifest filename into generated `ResourceList` object + - name: final_manifest_filename + value: "{{inputs.parameters.final_manifest_filename}}" + # Debug? 
+ - name: debug + value: "{{inputs.parameters.debug}}" + + + # KRM generator to create ConfigMaps suitable to pass values to `HelmReleases` + - name: generator-cm-hr-values + inputs: + parameters: + # References to required external resources + - name: temp_volume_name + # Specific parameters - Generator + ## Filename for input stream + - name: input_stream_file + value: "/dev/null" + ## Name of final manifest filename into generated `ResourceList` object + - name: final_manifest_filename + # Specific parameters - ConfigMap + - name: values_cm_name + - name: target_ns + - name: cm_key + value: "values.yaml" + - name: cm_values + # Debug mode? + - name: debug + value: "false" + outputs: + parameters: + - name: output_file + valueFrom: + parameter: '{{steps.generate-resourcelist.outputs.parameters.output_file}}' + steps: + - - name: build-manifest + templateRef: + name: ksu-management-wft + template: manifest-cm-hr-values + arguments: + parameters: + # References to required external resources + - name: temp_volume_name + value: "{{inputs.parameters.temp_volume_name}}" + # Specific parameters + - name: values_cm_name + value: "{{inputs.parameters.values_cm_name}}" + - name: target_ns + value: "{{inputs.parameters.target_ns}}" + - name: cm_key + value: "{{inputs.parameters.cm_key}}" + - name: cm_values + value: "{{inputs.parameters.cm_values}}" + # Debug? 
+ - name: debug + value: "{{inputs.parameters.debug}}" + - - name: generate-resourcelist + templateRef: + name: ksu-management-wft + template: make-generator + arguments: + parameters: + # References to required external resources + - name: temp_volume_name + value: "{{inputs.parameters.temp_volume_name}}" + # Filename for input stream + - name: input_stream_file + value: "{{inputs.parameters.input_stream_file}}" + # File with raw manifest + - name: input_manifest_file + value: '{{steps.build-manifest.outputs.parameters.output_file}}' + # Name of final manifest filename into generated `ResourceList` object + - name: final_manifest_filename + value: "{{inputs.parameters.final_manifest_filename}}" + # Debug? + - name: debug + value: "{{inputs.parameters.debug}}" + + + # Converts a manifest to a KRM generator + - name: make-generator + inputs: + parameters: + # References to required external resources + - name: temp_volume_name + # Filename for input stream + - name: input_stream_file + value: "/dev/null" + # File with raw manifest + - name: input_manifest_file + # Name of final manifest filename into generated `ResourceList` object + - name: final_manifest_filename + # Debug mode? 
+ - name: debug + value: "false" + # Other parameters - Do not touch + - name: rand_str + value: "{{=sprig.randAlphaNum(9)}}" + outputs: + parameters: + - name: output_file + value: "/results/resourcelist.{{inputs.parameters.rand_str}}.yaml" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: INFILE + value: "{{inputs.parameters.input_stream_file}}" + - name: OUTFILE + value: "/results/resourcelist.{{inputs.parameters.rand_str}}.yaml" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - make_generator + - "{{inputs.parameters.final_manifest_filename}}" + - cat + - "{{inputs.parameters.input_manifest_file}}" + volumeMounts: + - name: temp-volume + mountPath: "/results" + volumes: + - name: temp-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.temp_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # Produces a secret manifest and encrypts it with SOPS + - name: manifest-secret-hr-values + inputs: + parameters: + # References to required external resources + - name: temp_volume_name + # Public age key to encrypt secret + - name: age_public_key + # Name of the secret to be created + - name: values_secret_name + # Namespace for the secret + - name: target_ns + # Input secret that contains the values to embed into the new secret + - name: reference_secret_for_values + - name: reference_key_for_values + value: "values.yaml" + # Key in the new secret where the values will be inserted + - name: secret_key + value: "values.yaml" + # Debug mode? 
+ - name: debug + value: "false" + # Other parameters - Do not touch + - name: rand_str + value: "{{=sprig.randAlphaNum(9)}}" + outputs: + parameters: + - name: output_file + value: "/results/manifest.{{inputs.parameters.rand_str}}.yaml" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: INSTREAM + valueFrom: + secretKeyRef: + name: "{{inputs.parameters.reference_secret_for_values}}" + key: "{{inputs.parameters.reference_key_for_values}}" + - name: OUTFILE + value: "/results/manifest.{{inputs.parameters.rand_str}}.yaml" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - kubectl_encrypt + - "{{inputs.parameters.age_public_key}}" + - create + - secret + - generic + - "{{inputs.parameters.values_secret_name}}" + - --namespace={{inputs.parameters.target_ns}} + - --from-file={{inputs.parameters.secret_key}}=/dev/stdin + - -o=yaml + - --dry-run=client + volumeMounts: + - name: temp-volume + mountPath: "/results" + volumes: + - name: temp-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.temp_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # Produces a ConfigMap manifest + - name: manifest-cm-hr-values + inputs: + parameters: + # References to required external resources + - name: temp_volume_name + # Specific parameters + - name: values_cm_name + - name: target_ns + - name: cm_key + value: "values.yaml" + - name: cm_values + # Debug mode? 
+ - name: debug + value: "false" + # Other parameters - Do not touch + - name: rand_str + value: "{{=sprig.randAlphaNum(9)}}" + outputs: + parameters: + - name: output_file + value: "/results/manifest.{{inputs.parameters.rand_str}}.yaml" + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: INSTREAM + value: "{{inputs.parameters.cm_values}}" + - name: OUTFILE + value: "/results/manifest.{{inputs.parameters.rand_str}}.yaml" + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - kubectl + - create + - configmap + - "{{inputs.parameters.values_cm_name}}" + - --namespace={{inputs.parameters.target_ns}} + - --from-file={{inputs.parameters.cm_key}}=/dev/stdin + - -o=yaml + - --dry-run=client + volumeMounts: + - name: temp-volume + mountPath: "/results" + volumes: + - name: temp-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.temp_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/oka-management-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/oka-management-wft.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4a0e841679c2b159c1e0517a4997b4d6062de4c0 --- /dev/null +++ b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/oka-management-wft.yaml 
@@ -0,0 +1,192 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: oka-management-wft + namespace: osm-workflows +spec: + templates: + +# Create an OKA based on an OKA Package pre-loaded into a pvc + - name: create-oka + inputs: + parameters: + # References to required external resources + - name: sw_catalogs_volume_name + - name: temp_volume_name + # Specific parameters - OKA + - name: oka_name + ## Choose among `infra-controllers`, `infra-configs`, `cloud-resources`, `apps`: + - name: oka_type + - name: project_name + value: "osm_admin" + - name: tarball_file + value: "true" + # Debug? 
+ - name: debug + value: "false" + # Other parameters - Do not touch + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + - name: temp_volume_mount_path + value: "/oka" + - name: oka_location + value: "/oka" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - create_oka + - "{{inputs.parameters.oka_name}}" + - "{{inputs.parameters.oka_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.sw_catalogs_mount_path}}/{{inputs.parameters.cloned_sw_catalogs_folder_name}}" + - "{{inputs.parameters.oka_location}}" + - "{{inputs.parameters.tarball_file}}" + volumeMounts: + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + - name: temp-volume + mountPath: '{{inputs.parameters.temp_volume_mount_path}}' + volumes: + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + - name: temp-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.temp_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + +# Update an OKA based on an OKA Package pre-loaded into a pvc + - name: update-oka + inputs: + parameters: + # References to required external resources + - name: sw_catalogs_volume_name + - name: temp_volume_name + # Specific parameters - OKA + - name: oka_name + ## Choose among `infra-controllers`, `infra-configs`, `cloud-resources`, `apps`: + - name: oka_type + - name: project_name + value: "osm_admin" + - name: tarball_file + value: "true" + # Debug? 
+ - name: debug + value: "false" + # Other parameters - Do not touch + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + - name: temp_volume_mount_path + value: "/oka" + - name: oka_location + value: "/oka" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - update_oka + - "{{inputs.parameters.oka_name}}" + - "{{inputs.parameters.oka_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.sw_catalogs_mount_path}}/{{inputs.parameters.cloned_sw_catalogs_folder_name}}" + - "{{inputs.parameters.oka_location}}" + - "{{inputs.parameters.tarball_file}}" + volumeMounts: + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + - name: temp-volume + mountPath: '{{inputs.parameters.temp_volume_mount_path}}' + volumes: + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + - name: temp-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.temp_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + +# Delete an OKA + - name: delete-oka + inputs: + parameters: + # References to required external resources + - name: sw_catalogs_volume_name + # Specific parameters - OKA + - name: oka_name + ## Choose among `infra-controllers`, `infra-configs`, `cloud-resources`, `apps`: + - name: oka_type + - name: project_name + value: "osm_admin" + # Debug? 
+ - name: debug + value: "false" + # Other parameters - Do not touch + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + env: + - name: DEBUG + value: "{{inputs.parameters.debug}}" + command: ["/app/scripts/entrypoint.sh"] + args: + - delete_oka + - "{{inputs.parameters.oka_name}}" + - "{{inputs.parameters.oka_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.sw_catalogs_mount_path}}/{{inputs.parameters.cloned_sw_catalogs_folder_name}}" + volumeMounts: + - name: sw-catalogs-repo-volume + mountPath: '{{inputs.parameters.sw_catalogs_mount_path}}' + volumes: + - name: sw-catalogs-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.sw_catalogs_volume_name}}' + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/profile-management-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/profile-management-wft.yaml new file mode 100644 index 0000000000000000000000000000000000000000..17566d1fdd95312fa66791b3a349be77e967fcf6 --- /dev/null +++ b/oka/infra-configs/osm-workflows/templates/wf-templates/building-blocks/profile-management-wft.yaml 
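Review bot: `image: ttl.sh/osm-krm-functions:24h` in `create-oka`, `update-oka` and `delete-oka` pulls from an anonymous, ephemeral registry by a mutable tag, so whatever is currently published under that name runs with write access to the sw-catalogs and temp PVCs, and the image disappears once its TTL expires. Reference a registry the project controls and pin by digest, e.g. `image: <REGISTRY>/osm-krm-functions@sha256:<DIGEST>` (placeholders). The same image line is used by every template in the profile-management-wft.yaml hunk and by the generator/manifest templates earlier in this diff, one of which also reads a Secret through `secretKeyRef`. Separately, with `runAsUser`/`runAsGroup` commented out the pod runs as whatever user the image declares; adding `runAsNonRoot: true` next to `fsGroup: 10000` would make the intent enforceable.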
@@ -0,0 +1,195 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: profile-management-wft + namespace: osm-workflows +spec: + templates: + + # Create a profile + - name: create-profile + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + + # Specific parameters + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + - name: fleet_repo_url + + # Other parameters - Recommended to keep defaults + - name: fleet_repo_dir + value: "/fleet/fleet-osm/" + + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + command: ["/app/scripts/entrypoint.sh"] + args: + - create_profile + - "{{inputs.parameters.profile_name}}" + - "{{inputs.parameters.profile_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.fleet_repo_url}}" + - "{{inputs.parameters.fleet_repo_dir}}" + securityContext: + fsGroup: 10000 + # runAsUser: 
10000 + # runAsGroup: 10000 + + + # Delete a profile + - name: delete-profile + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + + # Specific parameters + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + + # Other parameters - Recommended to keep defaults + - name: fleet_repo_dir + value: "/fleet/fleet-osm/" + + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + command: ["/app/scripts/entrypoint.sh"] + args: + - delete_profile + - "{{inputs.parameters.profile_name}}" + - "{{inputs.parameters.profile_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.fleet_repo_dir}}" + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # Attach a profile to a cluster + - name: attach-profile-to-cluster + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + + # Specific parameters + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + - name: cluster_kustomization_name + + # Other parameters - Recommended to keep defaults + - name: fleet_repo_dir + value: "/fleet/fleet-osm/" + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + command: ["/app/scripts/entrypoint.sh"] + args: + - attach_profile_to_cluster + - "{{inputs.parameters.profile_name}}" + - "{{inputs.parameters.profile_type}}" + - 
"{{inputs.parameters.project_name}}" + - "{{inputs.parameters.cluster_kustomization_name}}" + - "{{inputs.parameters.fleet_repo_dir}}" + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 + + + # Detach profile from cluster + - name: detach-profile-from-cluster + inputs: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + - name: fleet_mount_path + value: "/fleet" + + # Specific parameters + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + - name: cluster_kustomization_name + + # Other parameters - Recommended to keep defaults + - name: fleet_repo_dir + value: "/fleet/fleet-osm/" + volumes: + - name: fleet-repo-volume + persistentVolumeClaim: + claimName: '{{inputs.parameters.fleet_volume_name}}' + container: + image: ttl.sh/osm-krm-functions:24h + # imagePullPolicy: Always + volumeMounts: + - name: fleet-repo-volume + mountPath: '{{inputs.parameters.fleet_mount_path}}' + command: ["/app/scripts/entrypoint.sh"] + args: + - detach_profile_from_cluster + - "{{inputs.parameters.profile_name}}" + - "{{inputs.parameters.profile_type}}" + - "{{inputs.parameters.project_name}}" + - "{{inputs.parameters.cluster_kustomization_name}}" + - "{{inputs.parameters.fleet_repo_dir}}" + securityContext: + fsGroup: 10000 + # runAsUser: 10000 + # runAsGroup: 10000 diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-attach-profile.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-attach-profile.yaml new file mode 100644 index 0000000000000000000000000000000000000000..5a4bd20450850d37aa0767486256cbd7cfc4bbec --- /dev/null +++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-attach-profile.yaml 
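Review bot: The `fleet_repo_dir` default `"/fleet/fleet-osm/"` repeats the `/fleet` prefix that `fleet_mount_path` already makes configurable, in all four templates (`create-profile`, `delete-profile`, `attach-profile-to-cluster`, `detach-profile-from-cluster`). A caller that overrides only `fleet_mount_path` mounts the PVC at one path and passes the entrypoint another, so the operation would target a directory outside the cloned repo. I would at least document the coupling above the parameter, `# Must point inside fleet_mount_path; override both together`, and change "Recommended to keep defaults" accordingly. These templates also expose no `debug` input or `DEBUG` env, unlike the oka-management templates in this commit, which looks like an oversight rather than a choice.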
@@ -0,0 +1,150 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-attach-profile-wft + namespace: osm-workflows + +spec: + arguments: + parameters: + + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + + # Specific parameters + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + - name: cluster_kustomization_name + + # Debugging + - name: dry_run + value: false + + + # # Cleanup policy + # ttlStrategy: + # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + # secondsAfterSuccess: 50 # Time to live after workflow is successful + # secondsAfterFailure: 50 # Time to live after workflow fails + + entrypoint: attach-profile + + templates: + + # Main template + - name: attach-profile + inputs: + parameters: + # Git repos + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + + # Specific parameters + - name: profile_name + - name: profile_type + - name: project_name + - name: cluster_kustomization_name + + # Debugging + - name: dry_run + steps: + + # ------ Preparations for transaction + - 
- name: generate-fleet-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + # Attach profile to cluster + - - name: attach-profile + templateRef: + name: profile-management-wft + template: attach-profile-to-cluster + arguments: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: fleet_mount_path + value: "/fleet" + # Specific parameters + - name: profile_name + value: "{{inputs.parameters.profile_name}}" + - name: profile_type + value: "{{inputs.parameters.profile_type}}" + - name: project_name + value: "{{inputs.parameters.project_name}}" + - name: fleet_repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: cluster_kustomization_name + value: "{{inputs.parameters.cluster_kustomization_name}}" + # ------ end of transformations + + # ------ Commit transaction + - - name: push-to-fleet + templateRef: + name: git-wft + template: git-commit-merge-push + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: commit_message + value: "Attach 
{{inputs.parameters.profile_name}} profile to {{inputs.parameters.cluster_kustomization_name}} cluster"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-bootstrap-cluster-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-bootstrap-cluster-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..54e012f47cb40aa498109e23e69993c985bd4cc3
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-bootstrap-cluster-wft.yaml
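Review bot: The `attach-profile` step never passes `fleet_repo_dir`, so `attach-profile-to-cluster` falls back to its default `/fleet/fleet-osm/` while `clone-fleet` and `push-to-fleet` use the caller-supplied `fleet_destination_folder`. With any other folder name the transformation would run against a path that was never cloned and the push would commit an unchanged tree. Passing it explicitly closes the gap: `- name: fleet_repo_dir` with `value: "/fleet/{{inputs.parameters.fleet_destination_folder}}/"` (the trailing slash follows the template default; whether the script needs it is not visible here). The step also passes `fleet_repo_url`, which `attach-profile-to-cluster` in this commit does not declare as an input, so that argument can be dropped. The `dry_run` default is the bare boolean `false` here but the string `"false"` in the sibling workflows; quoting it keeps the parameter types uniform.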
@@ -0,0 +1,207 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-bootstrap-cluster-wft + namespace: osm-workflows + +spec: + arguments: + parameters: + + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + + # Specific parameters - Bootstrap + - name: cluster_name + - name: cluster_kustomization_name + - name: public_key_mgmt + - name: public_key_new_cluster + - name: secret_name_private_age_key_for_new_cluster + - name: key_name_in_secret + value: "agekey" + + # Recommended to keep this default + - name: imported_cluster + value: "true" + + # Debug/dry run? 
+ - name: debug + value: "false" + - name: dry_run + value: "false" + + + # # Cleanup policy + # ttlStrategy: + # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + # secondsAfterSuccess: 50 # Time to live after workflow is successful + # secondsAfterFailure: 50 # Time to live after workflow fails + + entrypoint: bootstrap-cluster + + templates: + + # Main template + - name: bootstrap-cluster + inputs: + parameters: + # Git repos + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + + # Specific parameters - Bootstrap + - name: cluster_name + - name: cluster_kustomization_name + - name: public_key_mgmt + - name: public_key_new_cluster + - name: secret_name_private_age_key_for_new_cluster + - name: key_name_in_secret + - name: imported_cluster + + # Debugging + - name: debug + - name: dry_run + steps: + + # ------ Preparations for transaction + - - name: generate-fleet-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - name: generate-sw-catalogs-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: clone-sw-catalogs + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - 
name: mount_path + value: "/sw-catalogs" + - name: repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: destination_folder + value: "{{inputs.parameters.sw_catalogs_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + # Bootstrap the remote cluster + - - name: bootstrap-cluster + templateRef: + name: cluster-management-wft + template: bootstrap-remote-cluster + arguments: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + - name: sw_catalogs_mount_path + value: "/sw-catalogs" + + # Specific parameters + - name: cluster_name + value: "{{inputs.parameters.cluster_name}}" + - name: cluster_kustomization_name + value: "{{inputs.parameters.cluster_kustomization_name}}" + - name: public_key_mgmt + value: "{{inputs.parameters.public_key_mgmt}}" + - name: public_key_new_cluster + value: "{{inputs.parameters.public_key_new_cluster}}" + - name: secret_name_private_age_key_for_new_cluster + value: "{{inputs.parameters.secret_name_private_age_key_for_new_cluster}}" + - name: key_name_in_secret + value: "{{inputs.parameters.key_name_in_secret}}" + - name: fleet_repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: sw_catalogs_repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: imported_cluster + value: "{{inputs.parameters.imported_cluster}}" + # ------ end of transformations + + # ------ Commit transaction + - - name: push-to-fleet + templateRef: + name: git-wft + template: git-commit-merge-push + arguments: + parameters: + - name: 
mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Bootstrap imported cluster {{inputs.parameters.cluster_kustomization_name}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-clone-ksu.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-clone-ksu.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ac323766079efb1f14e22423ed488b81d49ea48b
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-clone-ksu.yaml
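Review bot: `debug` is declared under `spec.arguments` and again in the `bootstrap-cluster` inputs, but no step in the template references `{{inputs.parameters.debug}}`, so setting it has no effect. Either forward it to the `bootstrap-cluster` step with `- name: debug` / `value: "{{inputs.parameters.debug}}"` or remove the parameter; `bootstrap-remote-cluster` lives in cluster-management-wft, outside this hunk, so whether it accepts `debug` needs checking first. If it is wired through, confirm the debug output of that step cannot print material from the secret named by `secret_name_private_age_key_for_new_cluster`. The commit message also hard-codes "Bootstrap imported cluster" although `imported_cluster` is a parameter that can be set to another value.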
@@ -0,0 +1,180 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-clone-ksu-wtf
+ namespace: osm-workflows
+spec:
+ arguments:
+ parameters:
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+ # Specific parameters - Source and destination KSU
+ ## Source KSU:
+ - name: source_ksu_name
+ - name: source_profile_name
+ - name: source_profile_type
+ - name: source_project_name
+ value: "osm_admin"
+ ## Destination KSU:
+ ## - If any of the destination parameters are not specified, it will assume
+ ## they are the same as in source.
+ ## - It will reject if all are empty or equal to source, to avoid cloning a KSU over itself
+ - name: destination_ksu_name
+ value: ""
+ - name: destination_profile_name
+ value: ""
+ - name: destination_profile_type
+ value: ""
+ - name: destination_project_name
+ value: ""
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+ # Cleanup policy
+ ttlStrategy:
+ secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ secondsAfterSuccess: 6000 # Time to live after workflow is successful
+ secondsAfterFailure: 9000 # Time to live after workflow fails
+
+ entrypoint: clone-ksu
+
+ templates:
+ # Main template
+ - name: clone-ksu
+ inputs:
+ parameters:
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+ # Specific parameters - Source and destination KSU
+ ## Source KSU:
+ - name: source_ksu_name
+ - name: source_profile_name
+ - name: source_profile_type
+ - name: source_project_name
+ ## Destination KSU:
+ - name: destination_ksu_name
+ - name: destination_profile_name
+ - name: destination_profile_type
+ - name: destination_project_name
+ # Debug/dry run?
+ - name: debug
+ - name: dry_run
+
+ steps:
+ # ------ Preparations for transaction
+ - - name: generate-fleet-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - name: generate-sw-catalogs-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-fleet
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ - - name: clone-ksu
+ templateRef:
+ name: ksu-management-wft
+ template: clone-ksu
+ arguments:
+ parameters:
+ # References to required external resources
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ # Specific parameters - Source and destination KSU
+ ## Source KSU:
+ - name: source_ksu_name
+ value: "{{inputs.parameters.source_ksu_name}}"
+ - name: source_profile_name
+ value: "{{inputs.parameters.source_profile_name}}"
+ - name: source_profile_type
+ value: "{{inputs.parameters.source_profile_type}}"
+ - name: source_project_name
+ value: "{{inputs.parameters.source_project_name}}"
+ ## Destination KSU:
+ - name: destination_ksu_name
+ value: "{{inputs.parameters.destination_ksu_name}}"
+ - name: destination_profile_name
+ value: "{{inputs.parameters.destination_profile_name}}"
+ - name: destination_profile_type
+ value: "{{inputs.parameters.destination_profile_type}}"
+ - name: destination_project_name
+ value: "{{inputs.parameters.destination_project_name}}"
+ # Debug?
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Clone KSU {{inputs.parameters.source_ksu_name}} at {{inputs.parameters.source_profile_name}} profile of {{inputs.parameters.source_profile_type}} type @ {{inputs.parameters.source_project_name}} project as {{inputs.parameters.destination_ksu_name}} KSU at {{inputs.parameters.destination_profile_name}} profile of {{inputs.parameters.destination_profile_type}} type @ {{inputs.parameters.destination_project_name}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-aks-cluster-and-bootstrap-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-aks-cluster-and-bootstrap-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..76ac3eb12bb0b8a5bbe9f91ef9fe56fbddcd251d
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-aks-cluster-and-bootstrap-wft.yaml
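Review bot: In full-clone-ksu.yaml, the first step group creates `generate-sw-catalogs-volume-repo`, but no later step in this template references its `pvc-name` output: there is no `clone-sw-catalogs` step and `clone-ksu` is only given `fleet_volume_name`. Unless something outside this file depends on it, that entry allocates a 100Mi volume on every run for nothing and can be dropped, as full-create-ksu-generated-hr.yaml already does. Separately, `metadata.name` ends in `-wtf` (`full-clone-ksu-wtf`), as do `full-create-ksu-generated-hr-wtf` and `full-create-ksu-hr-wtf` further down, while every template referenced through `templateRef` uses `-wft`; if the suffix is a typo, fix it before callers start depending on the name.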
@@ -0,0 +1,251 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-create-aks-cluster-and-bootstrap-wft
+ namespace: osm-workflows
+
+spec:
+ arguments:
+ parameters:
+
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+
+ # SW-Catalogs repo
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+
+ # Specific parameters - AKS cluster
+ - name: cluster_name
+ - name: vm_size
+ - name: node_count
+ - name: cluster_location
+ - name: rg_name
+ - name: k8s_version
+ - name: providerconfig_name
+ - name: cluster_kustomization_name
+
+ # Specific parameters - Bootstrap
+ - name: public_key_mgmt
+ - name: public_key_new_cluster
+ - name: secret_name_private_age_key_for_new_cluster
+ - name: key_name_in_secret
+ value: "agekey"
+ - name: fleet_repo_url
+ - name: sw_catalogs_repo_url
+
+ # Debugging
+ - name: dry_run
+ value: false
+
+
+ # # Cleanup policy
+ # ttlStrategy:
+ # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ # secondsAfterSuccess: 50 # Time to live after workflow is successful
+ # secondsAfterFailure: 50 # Time to live after workflow fails
+
+ entrypoint: create-aks-cluster-and-bootstrap
+
+ templates:
+
+ # Main template
+ - name: create-aks-cluster-and-bootstrap
+ inputs:
+ parameters:
+ # Git repos
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+
+ # Specific parameters - AKS cluster
+ - name: cluster_name
+ - name: vm_size
+ - name: node_count
+ - name: cluster_location
+ - name: rg_name
+ - name: k8s_version
+ - name: providerconfig_name
+ - name: cluster_kustomization_name
+
+ # Specific parameters - Bootstrap
+ - name: public_key_mgmt
+ - name: public_key_new_cluster
+ - name: secret_name_private_age_key_for_new_cluster
+ - name: key_name_in_secret
+ - name: fleet_repo_url
+ - name: sw_catalogs_repo_url
+
+ # Debugging
+ - name: dry_run
+ steps:
+
+ # ------ Preparations for transaction
+ - - name: generate-fleet-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - name: generate-sw-catalogs-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-fleet
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: clone-sw-catalogs
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/sw-catalogs"
+ - name: repo_url
+ value: "{{inputs.parameters.git_sw_catalogs_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.sw_catalogs_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ # Create cluster in target cloud
+ - - name: create-cluster-aks
+ templateRef:
+ name: cluster-management-wft
+ template: create-cluster-aks
+ arguments:
+ parameters:
+ # Volumes with cloned repos
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: fleet_mount_path
+ value: "/fleet"
+ - name: sw_catalogs_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ - name: sw_catalogs_mount_path
+ value: "/sw-catalogs"
+ # Specific parameters
+ - name: cluster_name
+ value: "{{inputs.parameters.cluster_name}}"
+ - name: vm_size
+ value: "{{inputs.parameters.vm_size}}"
+ - name: node_count
+ value: "{{inputs.parameters.node_count}}"
+ - name: cluster_location
+ value: "{{inputs.parameters.cluster_location}}"
+ - name: rg_name
+ value: "{{inputs.parameters.rg_name}}"
+ - name: k8s_version
+ value: "{{inputs.parameters.k8s_version}}"
+ - name: providerconfig_name
+ value: "{{inputs.parameters.providerconfig_name}}"
+ - name: cluster_kustomization_name
+ value: "{{inputs.parameters.cluster_kustomization_name}}"
+
+ # Bootstrap the new remote cluster
+ - - name: bootstrap-new-cluster
+ templateRef:
+ name: cluster-management-wft
+ template: bootstrap-remote-cluster
+ arguments:
+ parameters:
+ # Volumes with cloned repos
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: fleet_mount_path
+ value: "/fleet"
+ - name: sw_catalogs_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ - name: sw_catalogs_mount_path
+ value: "/sw-catalogs"
+
+ # Specific parameters
+ - name: cluster_name
+ value: "{{inputs.parameters.cluster_name}}"
+ - name: cluster_kustomization_name
+ value: "{{inputs.parameters.cluster_kustomization_name}}"
+ - name: public_key_mgmt
+ value: "{{inputs.parameters.public_key_mgmt}}"
+ - name: public_key_new_cluster
+ value: "{{inputs.parameters.public_key_new_cluster}}"
+ - name: secret_name_private_age_key_for_new_cluster
+ value: "{{inputs.parameters.secret_name_private_age_key_for_new_cluster}}"
+ - name: key_name_in_secret
+ value: "{{inputs.parameters.key_name_in_secret}}"
+ - name: fleet_repo_url
+ value: "{{inputs.parameters.fleet_repo_url}}"
+ - name: sw_catalogs_repo_url
+ value: "{{inputs.parameters.sw_catalogs_repo_url}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Create AKS cluster {{inputs.parameters.cluster_kustomization_name}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
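Review bot: In full-create-aks-cluster-and-bootstrap-wft.yaml the `ttlStrategy` block is commented out, so this template sets no cleanup policy, whereas full-clone-ksu.yaml and full-create-ksu-generated-hr.yaml in the same commit set `secondsAfterCompletion: 6000`; the crossplane template has the same commented-out block. Unless a default TTL is configured for the workflow controller (not visible here), finished Workflow objects from these templates will stay in `osm-workflows` together with their resolved parameters. If that is intended for debugging, a comment saying so would help; otherwise enable the same `ttlStrategy` as the other templates. Also, the `dry_run` default is written as `value: false` while every other default in this commit is a quoted string; `value: "false"` keeps the parameter a string regardless of how the manifest is parsed.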
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-crossplane-cluster-and-bootstrap-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-crossplane-cluster-and-bootstrap-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d5b2ed2aedfb447cfb880b1c8c9b26ad5e826ca6
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-crossplane-cluster-and-bootstrap-wft.yaml
@@ -0,0 +1,286 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-create-crossplane-cluster-and-bootstrap-wft
+ namespace: osm-workflows
+
+spec:
+ arguments:
+ parameters:
+
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+
+ # SW-Catalogs repo
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+
+ # Specific parameters - Generic cluster creation
+ - name: cluster_kustomization_name
+ - name: cluster_name
+ - name: cluster_type
+ - name: providerconfig_name
+ - name: vm_size
+ - name: node_count
+ - name: cluster_location
+ - name: k8s_version
+
+ # Specific parameters - Bootstrap and credentials
+ - name: public_key_mgmt
+ - name: public_key_new_cluster
+ - name: secret_name_private_age_key_for_new_cluster
+ - name: key_name_in_secret
+ value: "agekey"
+ # Using `git_fleet_url` instead:
+ # - name: fleet_repo_url
+ # Using `git_sw_catalogs_url` instead:
+ # - name: sw_catalogs_repo_url
+ - name: mgmt_project_name
+ value: "osm_admin"
+
+ # Specific parameters - AKS only
+ - name: rg_name
+ values: ""
+
+ # Specific parameters - GKE only
+ - name: preemptible_nodes
+ values: "false"
+
+ # Advanced parameters - Recommended to keep defaults
+ - name: skip_bootstrap
+ value: "false"
+ - name: mgmt_cluster_name
+ value: "_management"
+ - name: base_templates_path
+ value: "cloud-resources"
+ - name: cloned_fleet_folder_name
+ value: "fleet-osm"
+ - name: cloned_sw_catalogs_folder_name
+ value: "sw-catalogs-osm"
+
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+
+ # # Cleanup policy
+ # ttlStrategy:
+ # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ # secondsAfterSuccess: 50 # Time to live after workflow is successful
+ # secondsAfterFailure: 50 # Time to live after workflow fails
+
+ entrypoint: create-cluster-and-bootstrap
+
+ templates:
+ # Main template
+ - name: create-cluster-and-bootstrap
+ inputs:
+ parameters:
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+ # SW-Catalogs repo
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+ # Specific parameters
+ - name: cluster_kustomization_name
+ - name: cluster_name
+ - name: cluster_type
+ - name: providerconfig_name
+ - name: vm_size
+ - name: node_count
+ - name: cluster_location
+ - name: k8s_version
+ - name: public_key_mgmt
+ - name: public_key_new_cluster
+ - name: secret_name_private_age_key_for_new_cluster
+ - name: key_name_in_secret
+ # - name: fleet_repo_url
+ # - name: sw_catalogs_repo_url
+ - name: mgmt_project_name
+ - name: skip_bootstrap
+ ## AKS only (otherwise, ignored)
+ - name: rg_name
+ ## GKE only (otherwise, ignored)
+ - name: preemptible_nodes
+ # Other parameters - Recommended to keep defaults
+ - name: mgmt_cluster_name
+ - name: base_templates_path
+ - name: cloned_fleet_folder_name
+ - name: cloned_sw_catalogs_folder_name
+ # Debug/dry run?
+ - name: debug
+ - name: dry_run
+
+ steps:
+ # ------ Preparations for transaction
+ - - name: generate-fleet-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - name: generate-sw-catalogs-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-fleet
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: clone-sw-catalogs
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/sw-catalogs"
+ - name: repo_url
+ value: "{{inputs.parameters.git_sw_catalogs_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.sw_catalogs_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ # Create cluster in target cloud
+ - - name: create-cluster
+ templateRef:
+ name: cluster-management-wft
+ template: create-crossplane-cluster
+ arguments:
+ parameters:
+ # Volumes with cloned repos
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: fleet_mount_path
+ value: "/fleet"
+ - name: sw_catalogs_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ - name: sw_catalogs_mount_path
+ value: "/sw-catalogs"
+ # Specific parameters
+ - name: cluster_kustomization_name
+ value: "{{inputs.parameters.cluster_kustomization_name}}"
+ - name: cluster_name
+ value: "{{inputs.parameters.cluster_name}}"
+ - name: cluster_type
+ value: "{{inputs.parameters.cluster_type}}"
+ - name: providerconfig_name
+ value: "{{inputs.parameters.providerconfig_name}}"
+ - name: vm_size
+ value: "{{inputs.parameters.vm_size}}"
+ - name: node_count
+ value: "{{inputs.parameters.node_count}}"
+ - name: cluster_location
+ value: "{{inputs.parameters.cluster_location}}"
+ - name: k8s_version
+ value: "{{inputs.parameters.k8s_version}}"
+ - name: public_key_mgmt
+ value: "{{inputs.parameters.public_key_mgmt}}"
+ - name: public_key_new_cluster
+ value: "{{inputs.parameters.public_key_new_cluster}}"
+ - name: secret_name_private_age_key_for_new_cluster
+ value: "{{inputs.parameters.secret_name_private_age_key_for_new_cluster}}"
+ - name: key_name_in_secret
+ value: "{{inputs.parameters.key_name_in_secret}}"
+ ## Fed with `git_fleet_url` to avoid duplicates
+ - name: fleet_repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ ## Fed with `git_sw_catalogs_url` to avoid duplicates
+ - name: sw_catalogs_repo_url
+ value: "{{inputs.parameters.git_sw_catalogs_url}}"
+ - name: mgmt_project_name
+ value: "{{inputs.parameters.mgmt_project_name}}"
+ - name: skip_bootstrap
+ value: "{{inputs.parameters.skip_bootstrap}}"
+ ## AKS only
+ - name: rg_name
+ value: "{{inputs.parameters.rg_name}}"
+ ## GKE only
+ - name: preemptible_nodes
+ value: "{{inputs.parameters.preemptible_nodes}}"
+ # Other parameters - Recommended to keep defaults
+ - name: mgmt_cluster_name
+ value: "{{inputs.parameters.mgmt_cluster_name}}"
+ - name: base_templates_path
+ value: "{{inputs.parameters.base_templates_path}}"
+ - name: cloned_fleet_folder_name
+ value: "{{inputs.parameters.cloned_fleet_folder_name}}"
+ - name: cloned_sw_catalogs_folder_name
+ value: "{{inputs.parameters.cloned_sw_catalogs_folder_name}}"
+ # Debug?
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Create {{inputs.parameters.cluster_type}} cluster {{inputs.parameters.cluster_kustomization_name}} at {{inputs.parameters.cluster_location}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-ksu-generated-hr.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-ksu-generated-hr.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7b74541f2fd52d4ad19b9afd3567f5b6828e472d
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-ksu-generated-hr.yaml
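Review bot: In full-create-crossplane-cluster-and-bootstrap-wft.yaml, the defaults for `rg_name` and `preemptible_nodes` under `spec.arguments.parameters` are keyed `values:` instead of `value:`, so neither parameter actually gets a default. Depending on how strictly the manifest is validated this is either rejected as an unknown field or silently ignored, and in the second case a submission that omits them (for example a cluster type that is neither AKS nor GKE) would presumably fail on an unsupplied parameter, since the `create-cluster-and-bootstrap` inputs declare both without a value. The two lines should read `value: ""` and `value: "false"`.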
@@ -0,0 +1,285 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-create-ksu-generated-hr-wtf
+ namespace: osm-workflows
+spec:
+ arguments:
+ parameters:
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+ # HelmRelease generation
+ - name: helmrelease_name
+ - name: chart_name
+ - name: chart_version
+ - name: target_ns
+ - name: create_ns
+ # Repo source generation
+ - name: is_preexisting_repo
+ value: "false"
+ - name: helmrepo_name
+ - name: helmrepo_url
+ - name: helmrepo_ns
+ valueFrom:
+ expression: "{{inputs.parameters.target_ns}}"
+ - name: helmrepo_secret_ref
+ # HelmRelease inline values (if any)
+ - name: inline_values
+ value: ""
+ # Secret reference and generation (if required)
+ - name: is_preexisting_secret
+ value: "false"
+ - name: values_secret_name
+ - name: secret_key
+ value: "values.yaml"
+ - name: age_public_key
+ ################################################################
+ ## A temporary secret should exist already in the `osm-workflows`
+ ## namespace containing the desired secret key-values
+ ## in a well-known key (in the example, `creds`).
+ ##
+ ## For instance:
+ ##
+ ## creds: |
+ ## jenkinsUser: admin
+ ## jenkinsPassword: myJ3nk1n2P2ssw0rd
+ ##
+ ## Secret values will be obtained from the
+ ## secret named after the input parameter `reference_secret_for_values`,
+ ## and from the key named after the input parameter `reference_key_for_values`
+ - name: reference_secret_for_values
+ - name: reference_key_for_values
+ # ConfigMap reference and generation (if required)
+ - name: is_preexisting_cm
+ - name: values_cm_name
+ - name: cm_key
+ value: "values.yaml"
+ - name: cm_values
+ value: ""
+ # KSU rendering
+ - name: ksu_name
+ - name: profile_name
+ - name: profile_type
+ - name: project_name
+ value: "osm_admin"
+ # By default, it will not syncronize, so that we can easily accumulate more than
+ # one Helm chart into the same KSU if desired
+ - name: sync
+ value: "false"
+ ## Root folder of the cloned Fleet repo - Do not touch
+ ### `FLEET_REPO_DIR` is the result of:
+ ### "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}"
+ - name: cloned_fleet_folder_name
+ value: "fleet-osm"
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+ # Cleanup policy
+ ttlStrategy:
+ secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ secondsAfterSuccess: 6000 # Time to live after workflow is successful
+ secondsAfterFailure: 9000 # Time to live after workflow fails
+
+ entrypoint: create-ksu-hr
+
+ templates:
+ # Main template
+ - name: create-ksu-hr
+ inputs:
+ parameters:
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+ # HelmRelease generation
+ - name: helmrelease_name
+ - name: chart_name
+ - name: chart_version
+ - name: target_ns
+ - name: create_ns
+ # Repo source generation
+ - name: is_preexisting_repo
+ - name: helmrepo_name
+ - name: helmrepo_url
+ - name: helmrepo_ns
+ - name: helmrepo_secret_ref
+ # HelmRelease inline values (if any)
+ - name: inline_values
+ # Secret reference and generation (if required)
+ - name: is_preexisting_secret
+ - name: values_secret_name
+ - name: secret_key
+ - name: age_public_key
+ - name: reference_secret_for_values
+ - name: reference_key_for_values
+ # ConfigMap reference and generation (if required)
+ - name: is_preexisting_cm
+ - name: values_cm_name
+ - name: cm_key
+ - name: cm_values
+ # KSU rendering
+ - name: ksu_name
+ - name: profile_name
+ - name: profile_type
+ - name: project_name
+ - name: sync
+ - name: cloned_fleet_folder_name
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+ steps:
+ # ------ Preparations for transaction
+ - - name: generate-fleet-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-fleet
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ - - name: create-ksu-generated-hr
+ templateRef:
+ name: ksu-management-wft
+ template: create-ksu-generated-hr
+ arguments:
+ parameters:
+ # References to required external resources
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: fleet_mount_path
+ value: "/fleet"
+ # HelmRelease generation
+ - name: helmrelease_name
+ value: "{{inputs.parameters.helmrelease_name}}"
+ - name: chart_name
+ value: "{{inputs.parameters.chart_name}}"
+ - name: chart_version
+ value: "{{inputs.parameters.chart_version}}"
+ - name: target_ns
+ value: "{{inputs.parameters.target_ns}}"
+ - name: create_ns
+ value: "{{inputs.parameters.create_ns}}"
+ # Repo source generation
+ - name: is_preexisting_repo
+ value: "{{inputs.parameters.is_preexisting_repo}}"
+ - name: helmrepo_name
+ value: "{{inputs.parameters.helmrepo_name}}"
+ - name: helmrepo_url
+ value: "{{inputs.parameters.helmrepo_url}}"
+ - name: helmrepo_ns
+ value: "{{inputs.parameters.helmrepo_ns}}"
+ - name: helmrepo_secret_ref
+ value: "{{inputs.parameters.helmrepo_secret_ref}}"
+ # HelmRelease inline values (if any)
+ - name: inline_values
+ value: "{{inputs.parameters.inline_values}}"
+ # Secret reference and generation (if required)
+ - name: is_preexisting_secret
+ value: "{{inputs.parameters.is_preexisting_secret}}"
+ - name: values_secret_name
+ value: "{{inputs.parameters.values_secret_name}}"
+ - name: secret_key
+ value: "{{inputs.parameters.secret_key}}"
+ - name: age_public_key
+ value: "{{inputs.parameters.age_public_key}}"
+ ## Secret values will be obtained from this key in this secret
+ - name: reference_secret_for_values
+ value: "{{inputs.parameters.reference_secret_for_values}}"
+ - name: reference_key_for_values
+ value: "{{inputs.parameters.reference_key_for_values}}"
+ # ConfigMap reference and generation (if required)
+ - name: is_preexisting_cm
+ value: "{{inputs.parameters.is_preexisting_cm}}"
+ - name: values_cm_name
+ value: "{{inputs.parameters.values_cm_name}}"
+ - name: cm_key
+ value: "{{inputs.parameters.cm_key}}"
+ - name: cm_values
+ value: "{{inputs.parameters.cm_values}}"
+ # KSU rendering
+ - name: ksu_name
+ value: "{{inputs.parameters.ksu_name}}"
+ - name: profile_name
+ value: "{{inputs.parameters.profile_name}}"
+ - name: profile_type
+ value: "{{inputs.parameters.profile_type}}"
+ - name: project_name
+ value: "{{inputs.parameters.project_name}}"
+ - name: sync
+ value: "{{inputs.parameters.sync}}"
+ ## Root folder of the cloned Fleet repo - Do not touch
+ - name: cloned_fleet_folder_name
+ value: "{{inputs.parameters.cloned_fleet_folder_name}}"
+ # Debug?
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Create KSU {{inputs.parameters.ksu_name}} into {{inputs.parameters.profile_name}} profile of {{inputs.parameters.profile_type}} type @ {{inputs.parameters.project_name}} project"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-ksu-hr.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-ksu-hr.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b90421820f7c3aab35b48ad68bfa5ccfa0ce5ca9
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-ksu-hr.yaml
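Review bot: In full-create-ksu-generated-hr.yaml, the `helmrepo_ns` default under `spec.arguments.parameters` is given as `valueFrom.expression: "{{inputs.parameters.target_ns}}"`, but `inputs.parameters` is a template-level scope and this entry sits at workflow level, where the usual reference is `workflow.parameters.target_ns`. I am not certain `valueFrom.expression` is evaluated for workflow arguments at all, so please confirm with `argo lint` and a test submission that omitting `helmrepo_ns` really yields the target namespace rather than an unresolved tag or a literal string ending up in the generated HelmRepository. A safer shape is to give the argument a plain default and resolve the fallback inside `create-ksu-generated-hr`. Also, several parameters documented as optional ("if required", "if any") such as `helmrepo_secret_ref`, `values_secret_name`, `reference_secret_for_values` and `reference_key_for_values` have no `value`, so callers must always supply them; `value: ""` would match how `inline_values` and `cm_values` are declared.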
@@ -0,0 +1,284 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-create-ksu-hr-wtf + namespace: osm-workflows +spec: + arguments: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + # Specific parameters - Base KSU generation from template + ## Relative path from "SW Catalogs" repo root + - name: templates_path + ## Should substitute environment variables in the template? 
+ - name: substitute_environment + ## Filter for substitution of environment variables + - name: substitution_filter + ## Custom environment variables (formatted as .env), to be used for template parametrization + - name: custom_env_vars + # Specific parameters - Patch HelmRelease in KSU with inline values + - name: kustomization_name + - name: helmrelease_name + - name: inline_values + # Specific parameters - Secret generation + - name: is_preexisting_secret + - name: target_ns + - name: age_public_key + - name: values_secret_name + - name: secret_key + value: "values.yaml" + ################################################################ + # This temporary secret should exist already in the `osm-workflows` + # namespace and contain the desired secret key-values + # in a well-known key (in the example, `creds`). + # + # For instance: + # + # creds: | + # jenkinsUser: admin + # jenkinsPassword: myJ3nk1n2P2ssw0rd + - name: reference_secret_for_values + - name: reference_key_for_values + # Specific parameters - Configmap generation + - name: is_preexisting_cm + - name: values_cm_name + - name: cm_key + value: "values.yaml" + - name: cm_values + value: "" + # Specific parameters - KSU rendering + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + # By default, it will re-create the full KSU folder + - name: sync + version: "true" + # Debug/dry run? 
+ - name: debug + value: "false" + - name: dry_run + value: "false" + + # Cleanup policy + ttlStrategy: + secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + secondsAfterSuccess: 6000 # Time to live after workflow is successful + secondsAfterFailure: 9000 # Time to live after workflow fails + + entrypoint: create-ksu-hr + + templates: + # Main template + - name: create-ksu-hr + inputs: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + # Specific parameters - Base KSU generation from template + - name: templates_path + - name: substitute_environment + - name: substitution_filter + - name: custom_env_vars + # Specific parameters - Patch HelmRelease in KSU with inline values + - name: kustomization_name + - name: helmrelease_name + - name: inline_values + # Specific parameters - Secret generation + - name: is_preexisting_secret + - name: target_ns + - name: age_public_key + - name: values_secret_name + - name: reference_secret_for_values + - name: reference_key_for_values + - name: secret_key + # Specific parameters - Configmap generation + - name: is_preexisting_cm + - name: values_cm_name + - name: cm_key + - name: cm_values + # Specific parameters - KSU rendering + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + - name: sync + # Debug/dry run? 
+ - name: debug + - name: dry_run + + steps: + # ------ Preparations for transaction + - - name: generate-fleet-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - name: generate-sw-catalogs-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: clone-sw-catalogs + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/sw-catalogs" + - name: repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: destination_folder + value: "{{inputs.parameters.sw_catalogs_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + - - name: create-ksu-oka-hr + templateRef: + name: ksu-management-wft + template: create-ksu-oka-hr + arguments: + parameters: + # References to required external resources + - name: fleet_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: sw_catalogs_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # Specific parameters - Base KSU generation from template + - name: templates_path + value: 
"{{inputs.parameters.templates_path}}" + - name: substitute_environment + value: "{{inputs.parameters.substitute_environment}}" + - name: substitution_filter + value: "{{inputs.parameters.substitution_filter}}" + - name: custom_env_vars + value: "{{inputs.parameters.custom_env_vars}}" + # Specific parameters - Patch HelmRelease in KSU with inline values + - name: kustomization_name + value: "{{inputs.parameters.kustomization_name}}" + - name: helmrelease_name + value: "{{inputs.parameters.helmrelease_name}}" + - name: inline_values + value: "{{inputs.parameters.inline_values}}" + # Specific parameters - Secret generation + - name: is_preexisting_secret + value: "{{inputs.parameters.is_preexisting_secret}}" + - name: target_ns + value: "{{inputs.parameters.target_ns}}" + - name: age_public_key + value: "{{inputs.parameters.age_public_key}}" + - name: values_secret_name + value: "{{inputs.parameters.values_secret_name}}" + - name: reference_secret_for_values + value: "{{inputs.parameters.reference_secret_for_values}}" + - name: reference_key_for_values + value: "{{inputs.parameters.reference_key_for_values}}" + - name: secret_key + value: "{{inputs.parameters.secret_key}}" + # Specific parameters - Configmap generation + - name: is_preexisting_cm + value: "{{inputs.parameters.is_preexisting_cm}}" + - name: values_cm_name + value: "{{inputs.parameters.values_cm_name}}" + - name: cm_key + value: "{{inputs.parameters.cm_key}}" + - name: cm_values + value: "{{inputs.parameters.cm_values}}" + # Specific parameters - KSU rendering + - name: ksu_name + value: "{{inputs.parameters.ksu_name}}" + - name: profile_name + value: "{{inputs.parameters.profile_name}}" + - name: profile_type + value: "{{inputs.parameters.profile_type}}" + - name: project_name + value: "{{inputs.parameters.project_name}}" + - name: sync + value: "{{inputs.parameters.sync}}" + # Debug? 
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Create KSU {{inputs.parameters.ksu_name}} into {{inputs.parameters.profile_name}} profile of {{inputs.parameters.profile_type}} type @ {{inputs.parameters.project_name}} project"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-oka.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-oka.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5b7654314e1980d3029b7c71cfb8307c0519e0db
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-oka.yaml
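Review bot: The `sync` entry under `spec.arguments.parameters` sets its default with `version: "true"` (right after the comment "By default, it will re-create the full KSU folder"), while every other default in that list uses `value:`. As far as I know `version` is not a field of an Argo Workflows parameter, so the intended default is either rejected by strict validation or silently dropped, and `{{inputs.parameters.sync}}` then has no value unless the submitter passes one. The line should read `value: "true"`.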
@@ -0,0 +1,146 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-create-oka-wtf + namespace: osm-workflows +spec: + arguments: + parameters: + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + # Temporary volume with OKA contents + - name: temp_volume_name + # Specific parameters - OKA + - name: oka_name + ## Choose among `infra-controllers`, `infra-configs`, `cloud-resources`, `apps`: + - name: oka_type + - name: project_name + value: "osm_admin" + - name: tarball_file + value: "true" + # Debug/dry run? 
+ - name: debug + value: "false" + - name: dry_run + value: "false" + + # Cleanup policy + ttlStrategy: + secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + secondsAfterSuccess: 6000 # Time to live after workflow is successful + secondsAfterFailure: 9000 # Time to live after workflow fails + + entrypoint: create-oka + + templates: + # Main template + - name: create-oka + inputs: + parameters: + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + - name: temp_volume_name + - name: oka_name + - name: oka_type + - name: project_name + - name: tarball_file + - name: debug + - name: dry_run + steps: + # ------ Preparations for transaction + - - name: generate-sw-catalogs-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-sw-catalogs + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/sw-catalogs" + - name: repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: destination_folder + value: "{{inputs.parameters.sw_catalogs_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + - - name: create-oka + templateRef: + name: oka-management-wft + template: create-oka + arguments: + parameters: + # References to required external resources + - name: sw_catalogs_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + - name: temp_volume_name + value: "{{inputs.parameters.temp_volume_name}}" + # Specific parameters + - name: oka_name + value: "{{inputs.parameters.oka_name}}" + - name: oka_type + value: 
"{{inputs.parameters.oka_type}}"
+ - name: project_name
+ value: "{{inputs.parameters.project_name}}"
+ - name: tarball_file
+ value: "{{inputs.parameters.tarball_file}}"
+ # Debug?
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-sw-catalogs
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/sw-catalogs"
+ - name: repo_folder
+ value: "{{inputs.parameters.sw_catalogs_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Create OKA {{inputs.parameters.oka_name}} of {{inputs.parameters.oka_type}} type @ {{inputs.parameters.project_name}} project"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-profile.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-profile.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b9b63eace61498feaa7f694bd4d3114b2b3f61e0
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-profile.yaml
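Review bot: `oka_type` is documented in a comment as one of `infra-controllers`, `infra-configs`, `cloud-resources` or `apps`, but the parameter itself accepts any string and is forwarded unchanged to `oka-management-wft` and into the commit message. If the downstream template uses it to build a path in the SW-Catalogs repo (not visible in this hunk), an unexpected value lands outside the four intended folders. Argo parameters support an `enum` list, so the constraint can be declared next to the name: `enum: ["infra-controllers", "infra-configs", "cloud-resources", "apps"]`. Separately, `metadata.name` is `full-create-oka-wtf` where the referenced templates use `-wft` (`git-wft`, `k8s-resources-wft`); the same spelling appears in `full-create-ksu-hr-wtf` and `full-delete-ksu-wtf`, and if it is a transposition it is cheaper to fix before callers reference the name.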
@@ -0,0 +1,146 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-create-profile-wft + namespace: osm-workflows + +spec: + arguments: + parameters: + + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + + # Specific parameters + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + + # Debugging + - name: dry_run + value: false + + + # # Cleanup policy + # ttlStrategy: + # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + # secondsAfterSuccess: 50 # Time to live after workflow is successful + # secondsAfterFailure: 50 # Time to live after workflow fails + + entrypoint: create-profile + + templates: + + # Main template + - name: create-profile + inputs: + parameters: + # Git repos + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + + # Specific parameters + - name: profile_name + - name: profile_type + - name: project_name + + # Debugging + - name: dry_run + steps: + + # ------ Preparations for transaction + - - name: generate-fleet-volume-repo + templateRef: + name: 
k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + # Create profile + - - name: create-profile + templateRef: + name: profile-management-wft + template: create-profile + arguments: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: fleet_mount_path + value: "/fleet" + # Specific parameters + - name: profile_name + value: "{{inputs.parameters.profile_name}}" + - name: profile_type + value: "{{inputs.parameters.profile_type}}" + - name: project_name + value: "{{inputs.parameters.project_name}}" + - name: fleet_repo_url + value: "{{inputs.parameters.git_fleet_url}}" + # ------ end of transformations + + # ------ Commit transaction + - - name: push-to-fleet + templateRef: + name: git-wft + template: git-commit-merge-push + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: commit_message + value: "Create profile {{inputs.parameters.profile_name}} of type {{inputs.parameters.profile_type}}" + - name: main_branch + value: main + - name: contrib_branch + value: osm_contrib + - name: 
dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-providerconfig-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-providerconfig-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..eb95a9b44f2837770071b6df5394cc66f0bf5fff
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-create-providerconfig-wft.yaml
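Review bot: The `ttlStrategy` block is commented out in this template (and again in `full-delete-cluster-wft`), whereas `full-create-ksu-hr`, `full-create-oka` and the providerconfig template in the same commit set `secondsAfterCompletion: 6000`. Without it, completed Workflow objects and their resolved parameters (repo URL, credential-secret name) are kept until something else prunes them, presumably a controller-wide default that this hunk does not show. Either enable the same block as the sibling templates or replace the commented lines with a comment naming the default that applies. The `dry_run` default is also the bare boolean `value: false` where the siblings write `value: "false"`; quoting it keeps the parameter a string for any consumer that compares it with `"false"`.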
@@ -0,0 +1,207 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-create-crossplane-providerconfig + namespace: osm-workflows + +spec: + arguments: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + + # Specific parameters + - name: providerconfig_name + ## As of today, one among `azure`, `aws` or `gcp` + - name: provider_type + ## Final secret to reference from the `ProviderConfig` + - name: cred_secret_name + ## Temporary secret with secret contents for the workflow + ## - If `temp_cred_secret_name` is empty, assumes that the final secret already exists + - name: temp_cred_secret_name + value: "" + - name: temp_cred_secret_key + value: "creds" + - name: age_public_key_mgmt + - name: osm_project_name + value: "osm_admin" + ## Specific parameters - GCP only + - name: target_gcp_project + value: "" + # Debug/dry run? 
+ - name: debug + value: "false" + - name: dry_run + value: "false" + + # Cleanup policy + ttlStrategy: + secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + secondsAfterSuccess: 6000 # Time to live after workflow is successful + secondsAfterFailure: 9000 # Time to live after workflow fails + + entrypoint: create-crossplane-providerconfig + + templates: + + # Main template + - name: create-crossplane-providerconfig + inputs: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + # Specific parameters + - name: providerconfig_name + - name: provider_type + - name: cred_secret_name + - name: temp_cred_secret_name + - name: temp_cred_secret_key + - name: age_public_key_mgmt + - name: osm_project_name + - name: target_gcp_project + # Debug/dry run? 
+ - name: debug + value: "false" + - name: dry_run + value: "false" + + steps: + + # ------ Preparations for transaction + - - name: generate-fleet-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - name: generate-sw-catalogs-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: clone-sw-catalogs + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/sw-catalogs" + - name: repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: destination_folder + value: "{{inputs.parameters.sw_catalogs_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + - - name: create-crossplane-providerconfig + templateRef: + name: cloud-accounts-wft + template: create-crossplane-providerconfig + arguments: + parameters: + # References to required external resources + - name: fleet_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: sw_catalogs_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # Specific parameters + - name: 
providerconfig_name
+ value: "{{inputs.parameters.providerconfig_name}}"
+ - name: provider_type
+ value: "{{inputs.parameters.provider_type}}"
+ - name: cred_secret_name
+ value: "{{inputs.parameters.cred_secret_name}}"
+ - name: temp_cred_secret_name
+ value: "{{inputs.parameters.temp_cred_secret_name}}"
+ - name: temp_cred_secret_key
+ value: "{{inputs.parameters.temp_cred_secret_key}}"
+ - name: age_public_key_mgmt
+ value: "{{inputs.parameters.age_public_key_mgmt}}"
+ - name: osm_project_name
+ value: "{{inputs.parameters.osm_project_name}}"
+ - name: target_gcp_project
+ value: "{{inputs.parameters.target_gcp_project}}"
+ # Debug?
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Create ProviderConfig {{inputs.parameters.providerconfig_name}} for {{inputs.parameters.provider_type}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-cluster-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-cluster-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7ef0dc220dbc3f3f836e6b738c0b98a43116367e
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-cluster-wft.yaml
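Review bot: The comments on `temp_cred_secret_name` describe a temporary secret holding the cloud credentials, but they do not say who removes it, and none of the steps in this template (volume generation, clone, `create-crossplane-providerconfig`, push) deletes it. Unless the referenced `cloud-accounts-wft` template does so, which this hunk does not show, the unencrypted credential stays in the workflows namespace after the copy protected with `age_public_key_mgmt` has presumably been committed. I would state the lifecycle next to the parameter, for example `## - This workflow does not delete the temporary secret; remove it after a successful run`, or add an explicit cleanup step. Separately, the main template's `inputs.parameters` give `debug` and `dry_run` a `value: "false"`, where the other canned operations declare their inputs bare; `default:` is the field intended for input defaults.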
@@ -0,0 +1,140 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-delete-cluster-wft + namespace: osm-workflows + +spec: + arguments: + parameters: + + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + + # Specific parameters + - name: cluster_kustomization_name + - name: project_name + value: "osm_admin" + + # Debugging + - name: dry_run + value: false + + + # # Cleanup policy + # ttlStrategy: + # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + # secondsAfterSuccess: 50 # Time to live after workflow is successful + # secondsAfterFailure: 50 # Time to live after workflow fails + + entrypoint: delete-cluster + + templates: + + # Main template + - name: delete-cluster + inputs: + parameters: + # Git repos + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + + # Specific parameters + - name: cluster_kustomization_name + - name: project_name + + # Debugging + - name: dry_run + + steps: + + # ------ Preparations for transaction + - - name: generate-fleet-volume-repo + templateRef: + name: k8s-resources-wft + template: 
generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-fleet
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ - - name: delete-cluster
+ templateRef:
+ name: cluster-management-wft
+ template: delete-cluster
+ arguments:
+ parameters:
+ # Volumes with cloned repos
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: fleet_mount_path
+ value: "/fleet"
+ # Specific parameters
+ - name: cluster_kustomization_name
+ value: "{{inputs.parameters.cluster_kustomization_name}}"
+ - name: project_name
+ value: "{{inputs.parameters.project_name}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Delete cluster {{inputs.parameters.cluster_kustomization_name}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-ksu.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-ksu.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b933cc926962a8fdb67a79d1212c2090ccf6276e
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-ksu.yaml
@@ -0,0 +1,176 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-delete-ksu-wtf + namespace: osm-workflows +spec: + arguments: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + # Specific parameters - KSU id + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + # Debug/dry run? 
+ - name: debug + value: "false" + - name: dry_run + value: "false" + + # Cleanup policy + ttlStrategy: + secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + secondsAfterSuccess: 6000 # Time to live after workflow is successful + secondsAfterFailure: 9000 # Time to live after workflow fails + + entrypoint: delete-ksu + + templates: + # Main template + - name: delete-ksu + inputs: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + # Specific parameters - KSU id + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + # Debug/dry run? + - name: debug + - name: dry_run + + steps: + # ------ Preparations for transaction + - - name: generate-fleet-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - name: generate-sw-catalogs-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: clone-sw-catalogs + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/sw-catalogs" + - name: repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: destination_folder + 
value: "{{inputs.parameters.sw_catalogs_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + - - name: delete-ksu + templateRef: + name: ksu-management-wft + template: delete-ksu + arguments: + parameters: + # References to required external resources + - name: fleet_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: sw_catalogs_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # Specific parameters - KSU id + - name: ksu_name + value: "{{inputs.parameters.ksu_name}}" + - name: profile_name + value: "{{inputs.parameters.profile_name}}" + - name: profile_type + value: "{{inputs.parameters.profile_type}}" + - name: project_name + value: "{{inputs.parameters.project_name}}" + # Debug? + - name: debug + value: "{{inputs.parameters.debug}}" + # ------ end of transformations + + # ------ Commit transaction + - - name: push-to-fleet + templateRef: + name: git-wft + template: git-commit-merge-push + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: commit_message + value: "Delete KSU {{inputs.parameters.ksu_name}} from {{inputs.parameters.profile_name}} profile of {{inputs.parameters.profile_type}} type @ {{inputs.parameters.project_name}} project" + - name: main_branch + value: main + - name: contrib_branch + value: osm_contrib + - name: dry_run + value: "{{inputs.parameters.dry_run}}" +# ------ end of commit transaction 
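Review bot: `metadata.name` in full-delete-ksu.yaml is `full-delete-ksu-wtf`, while every template it references and the sibling canned operations use the `-wft` suffix (`git-wft`, `ksu-management-wft`, `full-delete-profile-wft`); full-delete-oka.yaml has the same transposition in `full-delete-oka-wtf`. A caller that builds the WorkflowTemplate name from the convention will not resolve this template, so `name: full-delete-ksu-wft` looks like the intended value, provided nothing already submits against the current spelling.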
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-oka.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-oka.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c39c595d7739a5354818c377b857b849a3f141f7
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-oka.yaml
@@ -0,0 +1,136 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-delete-oka-wtf
+ namespace: osm-workflows
+spec:
+ arguments:
+ parameters:
+ # SW-Catalogs repo
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+ # Specific parameters - OKA
+ - name: oka_name
+ ## Choose among `infra-controllers`, `infra-configs`, `cloud-resources`, `apps`:
+ - name: oka_type
+ - name: project_name
+ value: "osm_admin"
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+ # Cleanup policy
+ ttlStrategy:
+ secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ secondsAfterSuccess: 6000 # Time to live after workflow is successful
+ secondsAfterFailure: 9000 # Time to live after workflow fails
+
+ entrypoint: delete-oka
+
+ templates:
+ # Main template
+ - name: delete-oka
+ inputs:
+ parameters:
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+ - name: oka_name
+ - name: oka_type
+ - name: project_name
+ - name: debug
+ - name: dry_run
+ steps:
+ # ------ Preparations for transaction
+ - - name: generate-sw-catalogs-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-sw-catalogs
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/sw-catalogs"
+ - name: repo_url
+ value: "{{inputs.parameters.git_sw_catalogs_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.sw_catalogs_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ - - name: delete-oka
+ templateRef:
+ name: oka-management-wft
+ template: delete-oka
+ arguments:
+ parameters:
+ # References to required external resources
+ - name: sw_catalogs_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ # Specific parameters
+ - name: oka_name
+ value: "{{inputs.parameters.oka_name}}"
+ - name: oka_type
+ value: "{{inputs.parameters.oka_type}}"
+ - name: project_name
+ value: "{{inputs.parameters.project_name}}"
+ # Debug?
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-sw-catalogs
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/sw-catalogs"
+ - name: repo_folder
+ value: "{{inputs.parameters.sw_catalogs_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Delete OKA {{inputs.parameters.oka_name}} of {{inputs.parameters.oka_type}} type @ {{inputs.parameters.project_name}} project"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-profile.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-profile.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8f127d2f77771a372ccf5f0fec1714ee19c569c5
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-profile.yaml
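Review bot: In full-delete-oka.yaml the comment above `oka_type` names the four accepted values, but the parameter itself accepts any string, and that string is forwarded to `oka-management-wft` and spliced into `commit_message`. Argo substitutes `{{inputs.parameters.*}}` as plain text, so an unexpected value reaches whatever `delete-oka` and `git-commit-merge-push` do with it (neither template is visible here). Declaring the values with the parameter's `enum` field should make Argo reject anything else at validation time; `provider_type` in full-delete-providerconfig-wft.yaml (`azure`, `aws`, `gcp`) has the same gap. Indentation below is conventional, since the page has lost the original.

```yaml
# … unchanged: oka_name …
      - name: oka_type
        enum:
          - infra-controllers
          - infra-configs
          - cloud-resources
          - apps
# … unchanged: project_name, debug, dry_run …
```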
@@ -0,0 +1,144 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-delete-profile-wft
+ namespace: osm-workflows
+
+spec:
+ arguments:
+ parameters:
+
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+
+ # Specific parameters
+ - name: profile_name
+ - name: profile_type
+ - name: project_name
+ value: "osm_admin"
+
+ # Debugging
+ - name: dry_run
+ value: false
+
+
+ # # Cleanup policy
+ # ttlStrategy:
+ # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ # secondsAfterSuccess: 50 # Time to live after workflow is successful
+ # secondsAfterFailure: 50 # Time to live after workflow fails
+
+ entrypoint: delete-profile
+
+ templates:
+
+ # Main template
+ - name: delete-profile
+ inputs:
+ parameters:
+ # Git repos
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+
+ # Specific parameters
+ - name: profile_name
+ - name: profile_type
+ - name: project_name
+
+ # Debugging
+ - name: dry_run
+ steps:
+
+ # ------ Preparations for transaction
+ - - name: generate-fleet-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-fleet
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ # Delete profile
+ - - name: delete-profile
+ templateRef:
+ name: profile-management-wft
+ template: delete-profile
+ arguments:
+ parameters:
+ # Volumes with cloned repos
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: fleet_mount_path
+ value: "/fleet"
+ # Specific parameters
+ - name: profile_name
+ value: "{{inputs.parameters.profile_name}}"
+ - name: profile_type
+ value: "{{inputs.parameters.profile_type}}"
+ - name: project_name
+ value: "{{inputs.parameters.project_name}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Delete profile {{inputs.parameters.profile_name}} of type {{inputs.parameters.profile_type}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-providerconfig-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-providerconfig-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6a59d34ece15a55b6107fe40efd27ab1d6446c16
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-delete-providerconfig-wft.yaml
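Review bot: The `ttlStrategy` block in full-delete-profile.yaml is commented out, whereas full-delete-ksu.yaml and full-delete-oka.yaml set it, so finished runs of this template are not garbage-collected by the template itself. Each retained Workflow object keeps its resolved parameters (fleet repo URL, credential secret name, project and profile names) readable in `osm-workflows` until something else removes it, unless a controller-wide default applies, which this diff does not show. Either enable the block with the values the sibling files use, or replace the dead lines with a comment such as `# no ttlStrategy: retention handled by <mechanism>`. full-detach-profile.yaml and full-disconnect-flux-remote-cluster-wft.yaml carry the same commented-out block.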
@@ -0,0 +1,180 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-delete-crossplane-providerconfig
+ namespace: osm-workflows
+
+spec:
+ arguments:
+ parameters:
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+ # SW-Catalogs repo
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+
+ # Specific parameters
+ - name: providerconfig_name
+ ## As of today, one among `azure`, `aws` or `gcp`
+ - name: provider_type
+ - name: osm_project_name
+ value: "osm_admin"
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+ # Cleanup policy
+ ttlStrategy:
+ secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ secondsAfterSuccess: 6000 # Time to live after workflow is successful
+ secondsAfterFailure: 9000 # Time to live after workflow fails
+
+ entrypoint: delete-crossplane-providerconfig
+
+ templates:
+
+ # Main template
+ - name: delete-crossplane-providerconfig
+ inputs:
+ parameters:
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+ # SW-Catalogs repo
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+ # Specific parameters
+ - name: providerconfig_name
+ - name: provider_type
+ - name: osm_project_name
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+ steps:
+
+ # ------ Preparations for transaction
+ - - name: generate-fleet-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - name: generate-sw-catalogs-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-fleet
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: clone-sw-catalogs
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/sw-catalogs"
+ - name: repo_url
+ value: "{{inputs.parameters.git_sw_catalogs_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.sw_catalogs_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ - - name: delete-crossplane-providerconfig
+ templateRef:
+ name: cloud-accounts-wft
+ template: delete-crossplane-providerconfig
+ arguments:
+ parameters:
+ # References to required external resources
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: sw_catalogs_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ # Specific parameters
+ - name: providerconfig_name
+ value: "{{inputs.parameters.providerconfig_name}}"
+ - name: provider_type
+ value: "{{inputs.parameters.provider_type}}"
+ - name: osm_project_name
+ value: "{{inputs.parameters.osm_project_name}}"
+ # Debug?
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Delete ProviderConfig {{inputs.parameters.providerconfig_name}} for {{inputs.parameters.provider_type}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
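Review bot: `metadata.name` is `full-delete-crossplane-providerconfig`, without the `-wft` suffix that the file name (full-delete-providerconfig-wft.yaml) and the other WorkflowTemplates in this change carry. It also differs from the entrypoint template `delete-crossplane-providerconfig`, and from the `cloud-accounts-wft` template of the same name, only by the `full-` prefix, which makes a reference to the wrong object easy to write and hard to spot in review. `name: full-delete-crossplane-providerconfig-wft` would keep the names unambiguous, assuming no caller depends on the current one yet.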
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-detach-profile.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-detach-profile.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9d564898bf9a48ad5bbad6d249a29f9603f0a36e
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-detach-profile.yaml
@@ -0,0 +1,150 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-detach-profile-wft
+ namespace: osm-workflows
+
+spec:
+ arguments:
+ parameters:
+
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+
+ # Specific parameters
+ - name: profile_name
+ - name: profile_type
+ - name: project_name
+ value: "osm_admin"
+ - name: cluster_kustomization_name
+
+ # Debugging
+ - name: dry_run
+ value: false
+
+
+ # # Cleanup policy
+ # ttlStrategy:
+ # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ # secondsAfterSuccess: 50 # Time to live after workflow is successful
+ # secondsAfterFailure: 50 # Time to live after workflow fails
+
+ entrypoint: detach-profile
+
+ templates:
+
+ # Main template
+ - name: detach-profile
+ inputs:
+ parameters:
+ # Git repos
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+
+ # Specific parameters
+ - name: profile_name
+ - name: profile_type
+ - name: project_name
+ - name: cluster_kustomization_name
+
+ # Debugging
+ - name: dry_run
+ steps:
+
+ # ------ Preparations for transaction
+ - - name: generate-fleet-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-fleet
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ # Detach profile from cluster
+ - - name: detach-profile
+ templateRef:
+ name: profile-management-wft
+ template: detach-profile-from-cluster
+ arguments:
+ parameters:
+ # Volumes with cloned repos
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: fleet_mount_path
+ value: "/fleet"
+ # Specific parameters
+ - name: profile_name
+ value: "{{inputs.parameters.profile_name}}"
+ - name: profile_type
+ value: "{{inputs.parameters.profile_type}}"
+ - name: project_name
+ value: "{{inputs.parameters.project_name}}"
+ - name: fleet_repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: cluster_kustomization_name
+ value: "{{inputs.parameters.cluster_kustomization_name}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Detach {{inputs.parameters.profile_name}} profile from {{inputs.parameters.cluster_kustomization_name}} cluster"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-disconnect-flux-remote-cluster-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-disconnect-flux-remote-cluster-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d2daa5bce51050fe04248cd7bbc0845a7e067ca7
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-disconnect-flux-remote-cluster-wft.yaml
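Review bot: The `dry_run` default in full-detach-profile.yaml is the bare YAML boolean `false`, while full-delete-ksu.yaml, full-delete-oka.yaml and full-delete-providerconfig-wft.yaml in the same change write the string `"false"`. Argo parameters are strings, and `git-commit-merge-push` (not visible here) presumably compares the text, so this flag is what decides whether the change is really pushed; it is worth keeping its spelling explicit and identical everywhere: `value: "false"`. full-delete-profile.yaml and full-update-aks-cluster.yaml use the same unquoted form.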
@@ -0,0 +1,142 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-disconnect-flux-remote-cluster-wft
+ namespace: osm-workflows
+
+spec:
+ arguments:
+ parameters:
+
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+
+ # Specific parameters
+ - name: cluster_kustomization_name
+ - name: mgmt_project_name
+ value: "osm_admin"
+
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+
+ # # Cleanup policy
+ # ttlStrategy:
+ # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ # secondsAfterSuccess: 50 # Time to live after workflow is successful
+ # secondsAfterFailure: 50 # Time to live after workflow fails
+
+ entrypoint: disconnect-remote-cluster
+
+ templates:
+
+ # Main template
+ - name: disconnect-remote-cluster
+ inputs:
+ parameters:
+ # Git repos
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+
+ # Specific parameters
+ - name: cluster_kustomization_name
+ - name: mgmt_project_name
+
+ # Debugging
+ - name: debug
+ - name: dry_run
+ steps:
+
+ # ------ Preparations for transaction
+ - - name: generate-fleet-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-fleet
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ # Disconnect the remote cluster
+ - - name: disconnect-flux-remote-cluster
+ templateRef:
+ name: cluster-management-wft
+ template: disconnect-flux-remote-cluster
+ arguments:
+ parameters:
+ # Volumes with cloned repos
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+
+ # Specific parameters
+ - name: cluster_kustomization_name
+ value: "{{inputs.parameters.cluster_kustomization_name}}"
+ - name: mgmt_project_name
+ value: "{{inputs.parameters.mgmt_project_name}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Disconnect imported cluster {{inputs.parameters.cluster_kustomization_name}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-aks-cluster.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-aks-cluster.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..711cf4d662b25478fd06bd4c0a09868888bca0d3
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-aks-cluster.yaml
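Review bot: In full-disconnect-flux-remote-cluster-wft.yaml the `debug` parameter is declared with a default under `spec.arguments` and again as an input of `disconnect-remote-cluster`, but no step receives it: `disconnect-flux-remote-cluster` is given only `fleet_volume_name`, `cluster_kustomization_name` and `mgmt_project_name`. An operator who sets `debug` on this workflow therefore gets no extra output from the transformation step. Either forward it as full-delete-ksu.yaml does, with `- name: debug` and `value: "{{inputs.parameters.debug}}"`, if the `cluster-management-wft` template accepts it (not visible in this diff), or drop the parameter from both lists.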
@@ -0,0 +1,199 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-update-aks-cluster-wft + namespace: osm-workflows + +spec: + arguments: + parameters: + + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + + # Specific parameters - AKS cluster + - name: cluster_name + - name: vm_size + - name: node_count + - name: cluster_location + - name: rg_name + - name: k8s_version + - name: providerconfig_name + - name: cluster_kustomization_name + + # Debugging + - name: dry_run + value: false + + + # # Cleanup policy + # ttlStrategy: + # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + # secondsAfterSuccess: 50 # Time to live after workflow is successful + # secondsAfterFailure: 50 # Time to live after workflow fails + + entrypoint: update-aks-cluster + + templates: + + # Main template + - name: update-aks-cluster + inputs: + parameters: + # Git repos + - name: git_fleet_url + - name: fleet_destination_folder + - name: 
git_fleet_cred_secret + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + + # Specific parameters - AKS cluster + - name: cluster_name + - name: vm_size + - name: node_count + - name: cluster_location + - name: rg_name + - name: k8s_version + - name: providerconfig_name + - name: cluster_kustomization_name + + # Debugging + - name: dry_run + steps: + + # ------ Preparations for transaction + - - name: generate-fleet-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - name: generate-sw-catalogs-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: clone-sw-catalogs + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/sw-catalogs" + - name: repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: destination_folder + value: "{{inputs.parameters.sw_catalogs_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + # Update cluster definition + - - name: update-cluster-aks + templateRef: + name: cluster-management-wft + template: 
create-cluster-aks
+ arguments:
+ parameters:
+ # Volumes with cloned repos
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: fleet_mount_path
+ value: "/fleet"
+ - name: sw_catalogs_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ - name: sw_catalogs_mount_path
+ value: "/sw-catalogs"
+ # Specific parameters
+ - name: cluster_name
+ value: "{{inputs.parameters.cluster_name}}"
+ - name: vm_size
+ value: "{{inputs.parameters.vm_size}}"
+ - name: node_count
+ value: "{{inputs.parameters.node_count}}"
+ - name: cluster_location
+ value: "{{inputs.parameters.cluster_location}}"
+ - name: rg_name
+ value: "{{inputs.parameters.rg_name}}"
+ - name: k8s_version
+ value: "{{inputs.parameters.k8s_version}}"
+ - name: providerconfig_name
+ value: "{{inputs.parameters.providerconfig_name}}"
+ - name: cluster_kustomization_name
+ value: "{{inputs.parameters.cluster_kustomization_name}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Update AKS cluster {{inputs.parameters.cluster_kustomization_name}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
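Review bot: In full-update-aks-cluster.yaml the `update-cluster-aks` step references `template: create-cluster-aks`, so this update workflow runs the creation template of `cluster-management-wft`, which is not shown in this change. If that reuse is deliberate, say so next to the step, for example `# Intentional: create-cluster-aks is reused for updates`; otherwise the step should point at the template meant for updates. Separately, the `dry_run` default is written as bare `value: false` while the sibling templates use `value: "false"`; quoting it keeps the parameter a string everywhere.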
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-crossplane-cluster-and-bootstrap-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-crossplane-cluster-and-bootstrap-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3e661c46985703dc3062993f780860be80e121f0
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-crossplane-cluster-and-bootstrap-wft.yaml
@@ -0,0 +1,284 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-update-crossplane-cluster-and-bootstrap-wft + namespace: osm-workflows + +spec: + arguments: + parameters: + + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + + # Specific parameters - Generic cluster creation + - name: cluster_kustomization_name + - name: cluster_name + - name: cluster_type + - name: providerconfig_name + - name: vm_size + - name: node_count + - name: cluster_location + - name: k8s_version + + # Specific parameters - Bootstrap and credentials + - name: public_key_mgmt + - name: public_key_new_cluster + - name: secret_name_private_age_key_for_new_cluster + - name: key_name_in_secret + value: "agekey" + # Using `git_fleet_url` instead: + # - name: fleet_repo_url + # Using `git_sw_catalogs_url` instead: + # - name: sw_catalogs_repo_url + - name: mgmt_project_name + value: "osm_admin" + + # Specific parameters - AKS only + - name: rg_name + values: "" + + # Specific parameters - GKE only + - name: 
preemptible_nodes + values: "false" + + # Advanced parameters - Recommended to keep defaults + - name: mgmt_cluster_name + value: "_management" + - name: base_templates_path + value: "cloud-resources" + - name: cloned_fleet_folder_name + value: "fleet-osm" + - name: cloned_sw_catalogs_folder_name + value: "sw-catalogs-osm" + + # Debug/dry run? + - name: debug + value: "false" + - name: dry_run + value: "false" + + + # # Cleanup policy + # ttlStrategy: + # secondsAfterCompletion: 100 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + # secondsAfterSuccess: 50 # Time to live after workflow is successful + # secondsAfterFailure: 50 # Time to live after workflow fails + + entrypoint: update-cluster-and-bootstrap + + templates: + # Main template + - name: update-cluster-and-bootstrap + inputs: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + # Specific parameters + - name: cluster_kustomization_name + - name: cluster_name + - name: cluster_type + - name: providerconfig_name + - name: vm_size + - name: node_count + - name: cluster_location + - name: k8s_version + - name: public_key_mgmt + - name: public_key_new_cluster + - name: secret_name_private_age_key_for_new_cluster + - name: key_name_in_secret + # - name: fleet_repo_url + # - name: sw_catalogs_repo_url + - name: mgmt_project_name + # - name: skip_bootstrap + ## AKS only (otherwise, ignored) + - name: rg_name + ## GKE only (otherwise, ignored) + - name: preemptible_nodes + # Other parameters - Recommended to keep defaults + - name: mgmt_cluster_name + - name: base_templates_path + - name: cloned_fleet_folder_name + - name: cloned_sw_catalogs_folder_name + # Debug/dry run? 
+ - name: debug + - name: dry_run + + steps: + # ------ Preparations for transaction + - - name: generate-fleet-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - name: generate-sw-catalogs-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: clone-sw-catalogs + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/sw-catalogs" + - name: repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: destination_folder + value: "{{inputs.parameters.sw_catalogs_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + # Create cluster in target cloud + - - name: update-cluster + templateRef: + name: cluster-management-wft + template: update-crossplane-cluster + arguments: + parameters: + # Volumes with cloned repos + - name: fleet_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: fleet_mount_path + value: "/fleet" + - name: sw_catalogs_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + - name: sw_catalogs_mount_path 
+ value: "/sw-catalogs" + # Specific parameters + - name: cluster_kustomization_name + value: "{{inputs.parameters.cluster_kustomization_name}}" + - name: cluster_name + value: "{{inputs.parameters.cluster_name}}" + - name: cluster_type + value: "{{inputs.parameters.cluster_type}}" + - name: providerconfig_name + value: "{{inputs.parameters.providerconfig_name}}" + - name: vm_size + value: "{{inputs.parameters.vm_size}}" + - name: node_count + value: "{{inputs.parameters.node_count}}" + - name: cluster_location + value: "{{inputs.parameters.cluster_location}}" + - name: k8s_version + value: "{{inputs.parameters.k8s_version}}" + - name: public_key_mgmt + value: "{{inputs.parameters.public_key_mgmt}}" + - name: public_key_new_cluster + value: "{{inputs.parameters.public_key_new_cluster}}" + - name: secret_name_private_age_key_for_new_cluster + value: "{{inputs.parameters.secret_name_private_age_key_for_new_cluster}}" + - name: key_name_in_secret + value: "{{inputs.parameters.key_name_in_secret}}" + ## Fed with `git_fleet_url` to avoid duplicates + - name: fleet_repo_url + value: "{{inputs.parameters.git_fleet_url}}" + ## Fed with `git_sw_catalogs_url` to avoid duplicates + - name: sw_catalogs_repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: mgmt_project_name + value: "{{inputs.parameters.mgmt_project_name}}" + # - name: skip_bootstrap + # value: "{{inputs.parameters.skip_bootstrap}}" + ## AKS only + - name: rg_name + value: "{{inputs.parameters.rg_name}}" + ## GKE only + - name: preemptible_nodes + value: "{{inputs.parameters.preemptible_nodes}}" + # Other parameters - Recommended to keep defaults + - name: mgmt_cluster_name + value: "{{inputs.parameters.mgmt_cluster_name}}" + - name: base_templates_path + value: "{{inputs.parameters.base_templates_path}}" + - name: cloned_fleet_folder_name + value: "{{inputs.parameters.cloned_fleet_folder_name}}" + - name: cloned_sw_catalogs_folder_name + value: 
"{{inputs.parameters.cloned_sw_catalogs_folder_name}}"
+ # Debug?
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Create AKS cluster {{inputs.parameters.cluster_kustomization_name}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-ksu-generated-hr.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-ksu-generated-hr.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..35f2ef314aa4ea796aca6e8a51a0a4ccb31f1188
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-ksu-generated-hr.yaml
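Review bot: In full-update-crossplane-cluster-and-bootstrap-wft.yaml the defaults for `rg_name` and `preemptible_nodes` under `spec.arguments.parameters` use the key `values:` instead of `value:`, so they are not read as defaults. The entrypoint declares both as inputs without a default, so the workflow will likely fail to resolve them unless every caller supplies them, including for cluster types where they are documented as ignored. They should read `value: ""` and `value: "false"`. The `push-to-fleet` commit message also still says `"Create AKS cluster {{inputs.parameters.cluster_kustomization_name}}"`; the fleet repo history is the record of what these operations did, so I would change it to `"Update cluster {{inputs.parameters.cluster_kustomization_name}}"`.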
@@ -0,0 +1,278 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-update-ksu-generated-hr-wtf + namespace: osm-workflows +spec: + arguments: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # HelmRelease generation + - name: helmrelease_name + - name: chart_name + - name: chart_version + - name: target_ns + - name: create_ns + # Repo source generation + - name: is_preexisting_repo + value: "false" + - name: helmrepo_name + - name: helmrepo_url + - name: helmrepo_ns + valueFrom: + expression: "{{inputs.parameters.target_ns}}" + - name: helmrepo_secret_ref + # HelmRelease inline values (if any) + - name: inline_values + value: "" + # Secret reference and generation (if required) + - name: is_preexisting_secret + value: "false" + - name: values_secret_name + - name: secret_key + value: "values.yaml" + - name: age_public_key + ################################################################ + ## A temporary secret should exist already in the `osm-workflows` + ## namespace containing the desired secret key-values + ## in a well-known key (in the example, `creds`). 
+ ## + ## For instance: + ## + ## creds: | + ## jenkinsUser: admin + ## jenkinsPassword: myJ3nk1n2P2ssw0rd + ## + ## Secret values will be obtained from the + ## secret named after the input parameter `reference_secret_for_values`, + ## and from the key named after the input parameter `reference_key_for_values` + - name: reference_secret_for_values + - name: reference_key_for_values + # ConfigMap reference and generation (if required) + - name: is_preexisting_cm + - name: values_cm_name + - name: cm_key + value: "values.yaml" + - name: cm_values + value: "" + # KSU rendering + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + ## Root folder of the cloned Fleet repo - Do not touch + ### `FLEET_REPO_DIR` is the result of: + ### "{{inputs.parameters.fleet_mount_path}}/{{inputs.parameters.cloned_fleet_folder_name}}" + - name: cloned_fleet_folder_name + value: "fleet-osm" + # Debug/dry run? + - name: debug + value: "false" + - name: dry_run + value: "false" + + # Cleanup policy + ttlStrategy: + secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + secondsAfterSuccess: 6000 # Time to live after workflow is successful + secondsAfterFailure: 9000 # Time to live after workflow fails + + entrypoint: update-ksu-hr + + templates: + # Main template + - name: update-ksu-hr + inputs: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # HelmRelease generation + - name: helmrelease_name + - name: chart_name + - name: chart_version + - name: target_ns + - name: create_ns + # Repo source generation + - name: is_preexisting_repo + - name: helmrepo_name + - name: helmrepo_url + - name: helmrepo_ns + - name: helmrepo_secret_ref + # HelmRelease inline values (if any) + - name: inline_values + # Secret reference and generation (if required) + - name: is_preexisting_secret + - name: values_secret_name + - 
name: secret_key + - name: age_public_key + - name: reference_secret_for_values + - name: reference_key_for_values + # ConfigMap reference and generation (if required) + - name: is_preexisting_cm + - name: values_cm_name + - name: cm_key + - name: cm_values + # KSU rendering + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + - name: cloned_fleet_folder_name + # Debug/dry run? + - name: debug + value: "false" + - name: dry_run + value: "false" + + steps: + # ------ Preparations for transaction + - - name: generate-fleet-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + - - name: update-ksu-generated-hr + templateRef: + name: ksu-management-wft + template: update-ksu-generated-hr + arguments: + parameters: + # References to required external resources + - name: fleet_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: fleet_mount_path + value: "/fleet" + # HelmRelease generation + - name: helmrelease_name + value: "{{inputs.parameters.helmrelease_name}}" + - name: chart_name + value: "{{inputs.parameters.chart_name}}" + - name: chart_version + value: "{{inputs.parameters.chart_version}}" + - name: target_ns + value: "{{inputs.parameters.target_ns}}" + - name: create_ns + value: "{{inputs.parameters.create_ns}}" + # Repo source generation + - 
name: is_preexisting_repo + value: "{{inputs.parameters.is_preexisting_repo}}" + - name: helmrepo_name + value: "{{inputs.parameters.helmrepo_name}}" + - name: helmrepo_url + value: "{{inputs.parameters.helmrepo_url}}" + - name: helmrepo_ns + value: "{{inputs.parameters.helmrepo_ns}}" + - name: helmrepo_secret_ref + value: "{{inputs.parameters.helmrepo_secret_ref}}" + # HelmRelease inline values (if any) + - name: inline_values + value: "{{inputs.parameters.inline_values}}" + # Secret reference and generation (if required) + - name: is_preexisting_secret + value: "{{inputs.parameters.is_preexisting_secret}}" + - name: values_secret_name + value: "{{inputs.parameters.values_secret_name}}" + - name: secret_key + value: "{{inputs.parameters.secret_key}}" + - name: age_public_key + value: "{{inputs.parameters.age_public_key}}" + ## Secret values will be obtained from this key in this secret + - name: reference_secret_for_values + value: "{{inputs.parameters.reference_secret_for_values}}" + - name: reference_key_for_values + value: "{{inputs.parameters.reference_key_for_values}}" + # ConfigMap reference and generation (if required) + - name: is_preexisting_cm + value: "{{inputs.parameters.is_preexisting_cm}}" + - name: values_cm_name + value: "{{inputs.parameters.values_cm_name}}" + - name: cm_key + value: "{{inputs.parameters.cm_key}}" + - name: cm_values + value: "{{inputs.parameters.cm_values}}" + # KSU rendering + - name: ksu_name + value: "{{inputs.parameters.ksu_name}}" + - name: profile_name + value: "{{inputs.parameters.profile_name}}" + - name: profile_type + value: "{{inputs.parameters.profile_type}}" + - name: project_name + value: "{{inputs.parameters.project_name}}" + ## Root folder of the cloned Fleet repo - Do not touch + - name: cloned_fleet_folder_name + value: "{{inputs.parameters.cloned_fleet_folder_name}}" + # Debug? 
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Update KSU {{inputs.parameters.ksu_name}} of {{inputs.parameters.profile_name}} profile of {{inputs.parameters.profile_type}} type @ {{inputs.parameters.project_name}} project"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-ksu-hr.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-ksu-hr.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3d35084ec28bcc1ce359c17edbd3f0d8535e1d88
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-ksu-hr.yaml
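Review bot: In full-update-ksu-generated-hr.yaml the `helmrepo_ns` default uses `valueFrom` with `expression: "{{inputs.parameters.target_ns}}"` at `spec.arguments` level, where no template `inputs` scope exists, so as far as I can tell the fallback to `target_ns` will not resolve. I would drop the `valueFrom` and require the caller to pass the namespace, with a comment such as `# Namespace of the HelmRepository; callers must set it (usually the same as target_ns)`. The template name also ends in `-wtf` (`full-update-ksu-generated-hr-wtf`), as do the names in full-update-ksu-hr.yaml and full-update-oka.yaml, while the other templates in this change use `-wft`. A caller that assumes the `-wft` suffix would not find these three.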
@@ -0,0 +1,278 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: argoproj.io/v1alpha1 +kind: WorkflowTemplate +metadata: + name: full-update-ksu-hr-wtf + namespace: osm-workflows +spec: + arguments: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + # Specific parameters - Base KSU generation from template + ## Relative path from "SW Catalogs" repo root + - name: templates_path + ## Should substitute environment variables in the template? 
+ - name: substitute_environment + ## Filter for substitution of environment variables + - name: substitution_filter + ## Custom environment variables (formatted as .env), to be used for template parametrization + - name: custom_env_vars + # Specific parameters - Patch HelmRelease in KSU with inline values + - name: kustomization_name + - name: helmrelease_name + - name: inline_values + # Specific parameters - Secret generation + - name: is_preexisting_secret + - name: target_ns + - name: age_public_key + - name: values_secret_name + - name: secret_key + value: "values.yaml" + ################################################################ + # This temporary secret should exist already in the `osm-workflows` + # namespace and contain the desired secret key-values + # in a well-known key (in the example, `creds`). + # + # For instance: + # + # creds: | + # jenkinsUser: admin + # jenkinsPassword: myJ3nk1n2P2ssw0rd + - name: reference_secret_for_values + - name: reference_key_for_values + # Specific parameters - Configmap generation + - name: is_preexisting_cm + - name: values_cm_name + - name: cm_key + value: "values.yaml" + - name: cm_values + value: "" + # Specific parameters - KSU rendering + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + value: "osm_admin" + # Debug/dry run? 
+ - name: debug + value: "false" + - name: dry_run + value: "false" + + # Cleanup policy + ttlStrategy: + secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished + secondsAfterSuccess: 6000 # Time to live after workflow is successful + secondsAfterFailure: 9000 # Time to live after workflow fails + + entrypoint: update-ksu-hr + + templates: + # Main template + - name: update-ksu-hr + inputs: + parameters: + # Fleet repo + - name: git_fleet_url + - name: fleet_destination_folder + - name: git_fleet_cred_secret + # SW-Catalogs repo + - name: git_sw_catalogs_url + - name: sw_catalogs_destination_folder + - name: git_sw_catalogs_cred_secret + # Specific parameters - Base KSU generation from template + - name: templates_path + - name: substitute_environment + - name: substitution_filter + - name: custom_env_vars + # Specific parameters - Patch HelmRelease in KSU with inline values + - name: kustomization_name + - name: helmrelease_name + - name: inline_values + # Specific parameters - Secret generation + - name: is_preexisting_secret + - name: target_ns + - name: age_public_key + - name: values_secret_name + - name: reference_secret_for_values + - name: reference_key_for_values + - name: secret_key + # Specific parameters - Configmap generation + - name: is_preexisting_cm + - name: values_cm_name + - name: cm_key + - name: cm_values + # Specific parameters - KSU rendering + - name: ksu_name + - name: profile_name + - name: profile_type + - name: project_name + # Debug/dry run? 
+ - name: debug + - name: dry_run + + steps: + # ------ Preparations for transaction + - - name: generate-fleet-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - name: generate-sw-catalogs-volume-repo + templateRef: + name: k8s-resources-wft + template: generate-volume + arguments: + parameters: + - name: pvc-size + value: '100Mi' + - - name: clone-fleet + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/fleet" + - name: repo_url + value: "{{inputs.parameters.git_fleet_url}}" + - name: destination_folder + value: "{{inputs.parameters.fleet_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_fleet_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: clone-sw-catalogs + templateRef: + name: git-wft + template: git-clone + arguments: + parameters: + - name: mount_path + value: "/sw-catalogs" + - name: repo_url + value: "{{inputs.parameters.git_sw_catalogs_url}}" + - name: destination_folder + value: "{{inputs.parameters.sw_catalogs_destination_folder}}" + - name: git_cred_secret + value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}" + - name: git_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # ------ end of preparations for transaction + + # ------ Transformations + - - name: update-ksu-oka-hr + templateRef: + name: ksu-management-wft + template: update-ksu-oka-hr + arguments: + parameters: + # References to required external resources + - name: fleet_volume_name + value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}' + - name: sw_catalogs_volume_name + value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}' + # Specific parameters - Base KSU generation from template + - name: templates_path + value: 
"{{inputs.parameters.templates_path}}" + - name: substitute_environment + value: "{{inputs.parameters.substitute_environment}}" + - name: substitution_filter + value: "{{inputs.parameters.substitution_filter}}" + - name: custom_env_vars + value: "{{inputs.parameters.custom_env_vars}}" + # Specific parameters - Patch HelmRelease in KSU with inline values + - name: kustomization_name + value: "{{inputs.parameters.kustomization_name}}" + - name: helmrelease_name + value: "{{inputs.parameters.helmrelease_name}}" + - name: inline_values + value: "{{inputs.parameters.inline_values}}" + # Specific parameters - Secret generation + - name: is_preexisting_secret + value: "{{inputs.parameters.is_preexisting_secret}}" + - name: target_ns + value: "{{inputs.parameters.target_ns}}" + - name: age_public_key + value: "{{inputs.parameters.age_public_key}}" + - name: values_secret_name + value: "{{inputs.parameters.values_secret_name}}" + - name: reference_secret_for_values + value: "{{inputs.parameters.reference_secret_for_values}}" + - name: reference_key_for_values + value: "{{inputs.parameters.reference_key_for_values}}" + - name: secret_key + value: "{{inputs.parameters.secret_key}}" + # Specific parameters - Configmap generation + - name: is_preexisting_cm + value: "{{inputs.parameters.is_preexisting_cm}}" + - name: values_cm_name + value: "{{inputs.parameters.values_cm_name}}" + - name: cm_key + value: "{{inputs.parameters.cm_key}}" + - name: cm_values + value: "{{inputs.parameters.cm_values}}" + # Specific parameters - KSU rendering + - name: ksu_name + value: "{{inputs.parameters.ksu_name}}" + - name: profile_name + value: "{{inputs.parameters.profile_name}}" + - name: profile_type + value: "{{inputs.parameters.profile_type}}" + - name: project_name + value: "{{inputs.parameters.project_name}}" + # Debug? 
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Update KSU {{inputs.parameters.ksu_name}} of {{inputs.parameters.profile_name}} profile of {{inputs.parameters.profile_type}} type @ {{inputs.parameters.project_name}} project"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-oka.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-oka.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..dd563d953ac095091e353f2f5fec39eee7e18e71
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-oka.yaml
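Review bot: In full-update-ksu-hr.yaml nothing tells the caller that `inline_values`, `custom_env_vars` and `cm_values` must not carry credentials, although the file documents a separate path for secrets through `reference_secret_for_values`. Argo records parameter values in the Workflow object, which the `ttlStrategy` here keeps for 6000 to 9000 seconds, and these values presumably also reach the fleet repo through `push-to-fleet`. I would add a line above `inline_values` such as `## Not for credentials: parameter values are stored in the Workflow object; use reference_secret_for_values`. The same comment is missing for `inline_values` and `cm_values` in full-update-ksu-generated-hr.yaml.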
@@ -0,0 +1,146 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-update-oka-wtf
+ namespace: osm-workflows
+spec:
+ arguments:
+ parameters:
+ # SW-Catalogs repo
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+ # Temporary volume with OKA contents
+ - name: temp_volume_name
+ # Specific parameters - OKA
+ - name: oka_name
+ ## Choose among `infra-controllers`, `infra-configs`, `cloud-resources`, `apps`:
+ - name: oka_type
+ - name: project_name
+ value: "osm_admin"
+ - name: tarball_file
+ value: "true"
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+ # Cleanup policy
+ ttlStrategy:
+ secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ secondsAfterSuccess: 6000 # Time to live after workflow is successful
+ secondsAfterFailure: 9000 # Time to live after workflow fails
+
+ entrypoint: update-oka
+
+ templates:
+ # Main template
+ - name: update-oka
+ inputs:
+ parameters:
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+ - name: temp_volume_name
+ - name: oka_name
+ - name: oka_type
+ - name: project_name
+ - name: tarball_file
+ - name: debug
+ - name: dry_run
+ steps:
+ # ------ Preparations for transaction
+ - - name: generate-sw-catalogs-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-sw-catalogs
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/sw-catalogs"
+ - name: repo_url
+ value: "{{inputs.parameters.git_sw_catalogs_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.sw_catalogs_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ - - name: update-oka
+ templateRef:
+ name: oka-management-wft
+ template: update-oka
+ arguments:
+ parameters:
+ # References to required external resources
+ - name: sw_catalogs_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ - name: temp_volume_name
+ value: "{{inputs.parameters.temp_volume_name}}"
+ # Specific parameters
+ - name: oka_name
+ value: "{{inputs.parameters.oka_name}}"
+ - name: oka_type
+ value: "{{inputs.parameters.oka_type}}"
+ - name: project_name
+ value: "{{inputs.parameters.project_name}}"
+ - name: tarball_file
+ value: "{{inputs.parameters.tarball_file}}"
+ # Debug?
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-sw-catalogs
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/sw-catalogs"
+ - name: repo_folder
+ value: "{{inputs.parameters.sw_catalogs_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Update OKA {{inputs.parameters.oka_name}} of {{inputs.parameters.oka_type}} type @ {{inputs.parameters.project_name}} project"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-providerconfig-wft.yaml b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-providerconfig-wft.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6e17e9b29658a1251116ace097d3168184d90401
--- /dev/null
+++ b/oka/infra-configs/osm-workflows/templates/wf-templates/canned-operations/full-update-providerconfig-wft.yaml
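Review bot: `oka_type` in `spec.arguments.parameters` is constrained only by the comment listing four allowed values, and this template passes whatever it receives on to `oka-management-wft`; the same applies to `provider_type` in full-update-providerconfig-wft.yaml. Argo parameters accept an `enum` list (the parameter schema in the WorkflowTaskResult CRD added later in this commit shows the field), so the allowed set can be declared on the parameter itself, e.g. `enum: [infra-controllers, infra-configs, cloud-resources, apps]`. That matters most if the value ends up in a repository path, which is presumably the case here but is not visible in this hunk. Separately, `name: full-update-oka-wtf` looks like a transposition of the `-wft` suffix used by `git-wft`, `k8s-resources-wft` and `oka-management-wft`, and any caller that submits by template name has to match it exactly.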
@@ -0,0 +1,207 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+ name: full-update-crossplane-providerconfig
+ namespace: osm-workflows
+
+spec:
+ arguments:
+ parameters:
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+ # SW-Catalogs repo
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+
+ # Specific parameters
+ - name: providerconfig_name
+ ## As of today, one among `azure`, `aws` or `gcp`
+ - name: provider_type
+ ## Final secret to reference from the `ProviderConfig`
+ - name: cred_secret_name
+ ## Temporary secret with secret contents for the workflow
+ ## - If `temp_cred_secret_name` is empty, assumes that the final secret already exists
+ - name: temp_cred_secret_name
+ value: ""
+ - name: temp_cred_secret_key
+ value: "creds"
+ - name: age_public_key_mgmt
+ - name: osm_project_name
+ value: "osm_admin"
+ ## Specific parameters - GCP only
+ - name: target_gcp_project
+ value: ""
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+ # Cleanup policy
+ ttlStrategy:
+ secondsAfterCompletion: 6000 # Time to live after workflow is completed, replaces ttlSecondsAfterFinished
+ secondsAfterSuccess: 6000 # Time to live after workflow is successful
+ secondsAfterFailure: 9000 # Time to live after workflow fails
+
+ entrypoint: update-crossplane-providerconfig
+
+ templates:
+
+ # Main template
+ - name: update-crossplane-providerconfig
+ inputs:
+ parameters:
+ # Fleet repo
+ - name: git_fleet_url
+ - name: fleet_destination_folder
+ - name: git_fleet_cred_secret
+ # SW-Catalogs repo
+ - name: git_sw_catalogs_url
+ - name: sw_catalogs_destination_folder
+ - name: git_sw_catalogs_cred_secret
+ # Specific parameters
+ - name: providerconfig_name
+ - name: provider_type
+ - name: cred_secret_name
+ - name: temp_cred_secret_name
+ - name: temp_cred_secret_key
+ - name: age_public_key_mgmt
+ - name: osm_project_name
+ - name: target_gcp_project
+ # Debug/dry run?
+ - name: debug
+ value: "false"
+ - name: dry_run
+ value: "false"
+
+ steps:
+
+ # ------ Preparations for transaction
+ - - name: generate-fleet-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - name: generate-sw-catalogs-volume-repo
+ templateRef:
+ name: k8s-resources-wft
+ template: generate-volume
+ arguments:
+ parameters:
+ - name: pvc-size
+ value: '100Mi'
+ - - name: clone-fleet
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_url
+ value: "{{inputs.parameters.git_fleet_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: clone-sw-catalogs
+ templateRef:
+ name: git-wft
+ template: git-clone
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/sw-catalogs"
+ - name: repo_url
+ value: "{{inputs.parameters.git_sw_catalogs_url}}"
+ - name: destination_folder
+ value: "{{inputs.parameters.sw_catalogs_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_sw_catalogs_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ # ------ end of preparations for transaction
+
+ # ------ Transformations
+ - - name: update-crossplane-providerconfig
+ templateRef:
+ name: cloud-accounts-wft
+ template: update-crossplane-providerconfig
+ arguments:
+ parameters:
+ # References to required external resources
+ - name: fleet_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: sw_catalogs_volume_name
+ value: '{{steps.generate-sw-catalogs-volume-repo.outputs.parameters.pvc-name}}'
+ # Specific parameters
+ - name: providerconfig_name
+ value: "{{inputs.parameters.providerconfig_name}}"
+ - name: provider_type
+ value: "{{inputs.parameters.provider_type}}"
+ - name: cred_secret_name
+ value: "{{inputs.parameters.cred_secret_name}}"
+ - name: temp_cred_secret_name
+ value: "{{inputs.parameters.temp_cred_secret_name}}"
+ - name: temp_cred_secret_key
+ value: "{{inputs.parameters.temp_cred_secret_key}}"
+ - name: age_public_key_mgmt
+ value: "{{inputs.parameters.age_public_key_mgmt}}"
+ - name: osm_project_name
+ value: "{{inputs.parameters.osm_project_name}}"
+ - name: target_gcp_project
+ value: "{{inputs.parameters.target_gcp_project}}"
+ # Debug?
+ - name: debug
+ value: "{{inputs.parameters.debug}}"
+ # ------ end of transformations
+
+ # ------ Commit transaction
+ - - name: push-to-fleet
+ templateRef:
+ name: git-wft
+ template: git-commit-merge-push
+ arguments:
+ parameters:
+ - name: mount_path
+ value: "/fleet"
+ - name: repo_folder
+ value: "{{inputs.parameters.fleet_destination_folder}}"
+ - name: git_cred_secret
+ value: "{{inputs.parameters.git_fleet_cred_secret}}"
+ - name: git_volume_name
+ value: '{{steps.generate-fleet-volume-repo.outputs.parameters.pvc-name}}'
+ - name: commit_message
+ value: "Update ProviderConfig {{inputs.parameters.providerconfig_name}} for {{inputs.parameters.provider_type}}"
+ - name: main_branch
+ value: main
+ - name: contrib_branch
+ value: osm_contrib
+ - name: dry_run
+ value: "{{inputs.parameters.dry_run}}"
+# ------ end of commit transaction
diff --git a/oka/infra-controllers/argo-workflows/manifests/argo-namespace.yaml b/oka/infra-controllers/argo-workflows/manifests/argo-namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6dc94f9e50907f4a0a2cd65964bed2267c417c6c
--- /dev/null
+++ b/oka/infra-controllers/argo-workflows/manifests/argo-namespace.yaml
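Review bot: No step in `update-crossplane-providerconfig` removes the temporary Secret named by `temp_cred_secret_name`, which the parameter comment describes as holding the secret contents for the workflow. The hunk shows only the two volume generations, the two clones, the `cloud-accounts-wft` call and the push, so unless `cloud-accounts-wft` deletes it (not visible here) the credential Secret stays in the cluster after the run; `ttlStrategy` only expires the Workflow object. At minimum, state the owner of that cleanup next to the parameter, e.g. `## Deleted by <component, to be confirmed> once the encrypted secret is committed`. The inner template also redeclares `debug` and `dry_run` with `value: "false"`, while full-update-oka.yaml leaves its inner inputs without defaults; pick one form.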
@@ -0,0 +1,23 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# Namespace
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argo
diff --git a/oka/infra-controllers/argo-workflows/manifests/argo-wf-controller.yaml b/oka/infra-controllers/argo-workflows/manifests/argo-wf-controller.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..103ba4b4996592c2a9ba9c46adc7c39b35ea355a
--- /dev/null
+++ b/oka/infra-controllers/argo-workflows/manifests/argo-wf-controller.yaml
@@ -0,0 +1,1369 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +# This is an auto-generated file. DO NOT EDIT +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterworkflowtemplates.argoproj.io +spec: + group: argoproj.io + names: + kind: ClusterWorkflowTemplate + listKind: ClusterWorkflowTemplateList + plural: clusterworkflowtemplates + shortNames: + - clusterwftmpl + - cwft + singular: clusterworkflowtemplate + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: cronworkflows.argoproj.io +spec: + group: argoproj.io + names: + kind: CronWorkflow + listKind: CronWorkflowList + plural: cronworkflows + shortNames: + - cwf + - cronwf + singular: cronworkflow + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: 
object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflowartifactgctasks.argoproj.io +spec: + group: argoproj.io + names: + kind: WorkflowArtifactGCTask + listKind: WorkflowArtifactGCTaskList + plural: workflowartifactgctasks + shortNames: + - wfat + singular: workflowartifactgctask + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workfloweventbindings.argoproj.io +spec: + group: argoproj.io + names: + kind: WorkflowEventBinding + listKind: WorkflowEventBindingList + plural: workfloweventbindings + shortNames: + - wfeb + singular: workfloweventbinding + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflows.argoproj.io +spec: + group: argoproj.io + names: + kind: Workflow + listKind: WorkflowList + plural: workflows + shortNames: 
+ - wf + singular: workflow + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Status of the workflow + jsonPath: .status.phase + name: Status + type: string + - description: When the workflow was started + format: date-time + jsonPath: .status.startedAt + name: Age + type: date + - description: Human readable message indicating details about why the workflow + is in this condition. + jsonPath: .status.message + name: Message + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflowtaskresults.argoproj.io +spec: + group: argoproj.io + names: + kind: WorkflowTaskResult + listKind: WorkflowTaskResultList + plural: workflowtaskresults + singular: workflowtaskresult + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + message: + type: string + metadata: + type: object + outputs: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactGC: + properties: + podMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + serviceAccountName: + type: string + strategy: + enum: + - "" + - OnWorkflowCompletion + - OnWorkflowDeletion + - Never + type: 
string + type: object + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - url + type: object + azure: + properties: + accountKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + blob: + type: string + container: + type: string + endpoint: + type: string + useSDKCreds: + type: boolean + required: + - blob + - container + - endpoint + type: object + deleted: + type: boolean + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - key + type: object + git: + properties: + branch: + type: string + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + repo: + type: string + revision: + type: string + singleBranch: + type: boolean + sshPrivateKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + 
properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbConfigConfigMap: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbKeytabSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + auth: + properties: + basicAuth: + properties: + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + clientCert: + properties: + clientCertSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + clientKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + oauth2: + properties: + clientIDSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + clientSecretSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + endpointParams: + items: + properties: + key: + type: string + value: + type: string + required: + - key + type: object + type: array + scopes: + items: + type: string + type: array + tokenURLSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + type: object + headers: + items: + properties: + name: + type: string + value: + type: string + 
required: + - name + - value + type: object + type: array + url: + type: string + required: + - url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + securityToken: + type: string + useSDKCreds: + type: boolean + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + caSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + 
type: object + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + exitCode: + type: string + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: + type: string + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + result: + type: string + type: object + phase: + type: string + progress: + type: string + required: + - metadata + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflowtasksets.argoproj.io +spec: + group: argoproj.io + names: + kind: WorkflowTaskSet + listKind: WorkflowTaskSetList + plural: workflowtasksets + shortNames: + - wfts + singular: workflowtaskset + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflowtemplates.argoproj.io +spec: + group: argoproj.io + names: + kind: WorkflowTemplate + listKind: WorkflowTemplateList + plural: 
workflowtemplates + shortNames: + - wftmpl + singular: workflowtemplate + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo + namespace: argo +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo-server + namespace: argo +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argo-role + namespace: argo +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: argo-aggregate-to-admin +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: argo-aggregate-to-edit +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - 
cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: argo-aggregate-to-view +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: argo-cluster-role +rules: +- apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - persistentvolumeclaims + - persistentvolumeclaims/finalizers + verbs: + - create + - update + - delete + - get +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowartifactgctasks + verbs: + - get + - list + - watch + - update + - patch + - delete + - create +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + - workflowtemplates/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - list + - watch + - deletecollection +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list +- apiGroups: + - argoproj.io + 
resources: + - cronworkflows + - cronworkflows/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - get + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: argo-server-cluster-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +- apiGroups: + - "" + resources: + - pods + - pods/exec + - pods/log + verbs: + - get + - list + - watch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - watch + - create + - patch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io + resources: + - eventsources + - sensors + - workflows + - workfloweventbindings + - workflowtemplates + - cronworkflows + - clusterworkflowtemplates + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argo-binding + namespace: argo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argo-role +subjects: +- kind: ServiceAccount + name: argo + namespace: argo +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argo-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-cluster-role +subjects: +- kind: ServiceAccount + name: argo + namespace: argo +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argo-server-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-server-cluster-role +subjects: +- kind: ServiceAccount + name: argo-server + namespace: argo +--- +apiVersion: v1 +kind: ConfigMap +metadata: + 
name: workflow-controller-configmap + namespace: argo +--- +apiVersion: v1 +kind: Service +metadata: + name: argo-server + namespace: argo +spec: + ports: + - name: web + port: 2746 + targetPort: 2746 + selector: + app: argo-server +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: workflow-controller +value: 1000000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: argo-server + namespace: argo +spec: + selector: + matchLabels: + app: argo-server + template: + metadata: + labels: + app: argo-server + spec: + containers: + - args: + - server + env: [] + image: quay.io/argoproj/argocli:v3.5.1 + name: argo-server + ports: + - containerPort: 2746 + name: web + readinessProbe: + httpGet: + path: / + port: 2746 + scheme: HTTPS + initialDelaySeconds: 10 + periodSeconds: 20 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /tmp + name: tmp + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + serviceAccountName: argo-server + volumes: + - emptyDir: {} + name: tmp +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: workflow-controller + namespace: argo +spec: + selector: + matchLabels: + app: workflow-controller + template: + metadata: + labels: + app: workflow-controller + spec: + containers: + - args: [] + command: + - workflow-controller + env: + - name: LEADER_ELECTION_IDENTITY + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: quay.io/argoproj/workflow-controller:v3.5.1 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 6060 + initialDelaySeconds: 90 + periodSeconds: 60 + timeoutSeconds: 30 + name: workflow-controller + ports: + - containerPort: 9090 + name: metrics + - containerPort: 6060 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: 
true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: workflow-controller + securityContext: + runAsNonRoot: true + serviceAccountName: argo diff --git a/oka/infra-controllers/argo-workflows/templates/argo-workflows.yaml b/oka/infra-controllers/argo-workflows/templates/argo-workflows.yaml new file mode 100644 index 0000000000000000000000000000000000000000..48f83126664ab8cad0df7fa96c20b81adb2f1786 --- /dev/null +++ b/oka/infra-controllers/argo-workflows/templates/argo-workflows.yaml @@ -0,0 +1,55 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# Namespace +apiVersion: v1 +kind: Namespace +metadata: + name: argo + +--- +# Base Kustomization +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: argo-workflows + namespace: argo +spec: + interval: 1h + retryInterval: 1m + timeout: 5m + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system + path: ./infra-controllers/argo-workflows/manifests + prune: true + + # (optional - comment otherwise) Set argo-server authentication + patches: + - target: + group: apps + version: v1 + kind: Deployment + name: argo-server + patch: |- + - op: replace + path: /spec/template/spec/containers/0/args + value: + - server + - --auth-mode=server 
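Review bot: The patch at the end of this Kustomization replaces the argo-server args with `--auth-mode=server`, which makes the server answer every request with its own service account instead of authenticating the caller. Anyone who can reach port 2746 then acts with whatever `argo-server` is bound to; in the manifests earlier in this diff that is `argo-server-cluster-role`, which includes get and create on secrets. Unless the service is confined to a trusted network, the flag should be `- --auth-mode=client` (or `sso`). The comment above the patch reads as if it turns authentication on, so I would reword it to `# (optional) WARNING: auth-mode=server removes per-user authentication on argo-server`.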
diff --git a/oka/infra-controllers/cert-manager/manifests/cert-manager-chart.yaml b/oka/infra-controllers/cert-manager/manifests/cert-manager-chart.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..863fa1c73829848f92195f89be5fb429d766e0f1
--- /dev/null
+++ b/oka/infra-controllers/cert-manager/manifests/cert-manager-chart.yaml
@@ -0,0 +1,52 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+spec:
+ interval: 24h
+ url: https://charts.jetstack.io
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cert-manager
+ version: "1.x"
+ sourceRef:
+ kind: HelmRepository
+ name: cert-manager
+ namespace: cert-manager
+ interval: 12h
+ values:
+ installCRDs: true
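Review bot: `version: "1.x"` in the HelmRelease lets Flux move cert-manager to any newly published 1.x chart from charts.jetstack.io without a commit in this repository, so the component that issues the cluster's certificates can change outside review. Pin an exact chart version, e.g. `version: "<exact chart version>"`, and bump it through a reviewed change. The same applies to the ingress-nginx HelmRelease (`version: "*"`) and to the crossplane HelmRelease, which sets no `version` at all.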
diff --git a/oka/infra-controllers/cert-manager/templates/cert-manager-ks.yaml b/oka/infra-controllers/cert-manager/templates/cert-manager-ks.yaml new file mode 100644 index 0000000000000000000000000000000000000000..68c35811e43ce8b7b6b94f9300a9078823069f49 --- /dev/null +++ b/oka/infra-controllers/cert-manager/templates/cert-manager-ks.yaml @@ -0,0 +1,31 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cert-manager + namespace: flux-system +spec: + interval: 1h0m0s + path: ./infra-controllers/cert-manager/manifests + prune: true + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system diff --git a/oka/infra-controllers/crossplane/controller/manifests/crossplane-helmrelease.yaml b/oka/infra-controllers/crossplane/controller/manifests/crossplane-helmrelease.yaml new file mode 100644 index 0000000000000000000000000000000000000000..9c49bddc33cb7359cc1607d969c259e327594bb7 --- /dev/null +++ b/oka/infra-controllers/crossplane/controller/manifests/crossplane-helmrelease.yaml 
@@ -0,0 +1,38 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# Helm release for controller +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: crossplane + namespace: crossplane-system +spec: + chart: + spec: + chart: crossplane + reconcileStrategy: ChartVersion + sourceRef: + kind: HelmRepository + name: crossplane-stable + namespace: crossplane-system + install: + createNamespace: true + interval: 30s + releaseName: crossplane + targetNamespace: crossplane-system diff --git a/oka/infra-controllers/crossplane/controller/manifests/crossplane-helmrepo.yaml b/oka/infra-controllers/crossplane/controller/manifests/crossplane-helmrepo.yaml new file mode 100644 index 0000000000000000000000000000000000000000..5e63ea48a117df59a4ef0d1ed891a9fb0fc05e99 --- /dev/null +++ b/oka/infra-controllers/crossplane/controller/manifests/crossplane-helmrepo.yaml 
@@ -0,0 +1,26 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: crossplane-stable + namespace: crossplane-system +spec: + interval: 30s + url: https://charts.crossplane.io/stable diff --git a/oka/infra-controllers/crossplane/controller/manifests/crossplane-namespace.yaml b/oka/infra-controllers/crossplane/controller/manifests/crossplane-namespace.yaml new file mode 100644 index 0000000000000000000000000000000000000000..ca673b2a4e92c17f2e2a28384c50a12af55cac40 --- /dev/null +++ b/oka/infra-controllers/crossplane/controller/manifests/crossplane-namespace.yaml 
@@ -0,0 +1,23 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# Namespace +apiVersion: v1 +kind: Namespace +metadata: + name: crossplane-system diff --git a/oka/infra-controllers/crossplane/controller/manifests/kustomization.yaml b/oka/infra-controllers/crossplane/controller/manifests/kustomization.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7fe824703dfba7d12a36e063d1987e8006a1ca8d --- /dev/null +++ b/oka/infra-controllers/crossplane/controller/manifests/kustomization.yaml 
@@ -0,0 +1,23 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - crossplane-namespace.yaml + - crossplane-helmrepo.yaml + - crossplane-helmrelease.yaml diff --git a/oka/infra-controllers/crossplane/controller/templates/crossplane.yaml b/oka/infra-controllers/crossplane/controller/templates/crossplane.yaml new file mode 100644 index 0000000000000000000000000000000000000000..720202b2dad82d11d484bbbd1c6b28bdb92c5ba1 --- /dev/null +++ b/oka/infra-controllers/crossplane/controller/templates/crossplane.yaml 
@@ -0,0 +1,41 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# Namespace +apiVersion: v1 +kind: Namespace +metadata: + name: crossplane-system + +--- +# Crossplane controller +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: crossplane-controller + namespace: crossplane-system +spec: + interval: 1h + retryInterval: 1m + timeout: 5m + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system + path: ./infra-controllers/crossplane/controller/manifests + prune: true diff --git a/oka/infra-controllers/crossplane/providers/aws/manifests/provider-ec2.yaml b/oka/infra-controllers/crossplane/providers/aws/manifests/provider-ec2.yaml new file mode 100644 index 0000000000000000000000000000000000000000..692e39cf9ad70353ef863a0a0b720366623cb272 --- /dev/null +++ b/oka/infra-controllers/crossplane/providers/aws/manifests/provider-ec2.yaml 
@@ -0,0 +1,27 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# CRDs for general EC2 compute services
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ name: provider-aws-ec2
+spec:
+ package: xpkg.upbound.io/upbound/provider-aws-ec2:v1.4.0
+
+
diff --git a/oka/infra-controllers/crossplane/providers/aws/manifests/provider-eks.yaml b/oka/infra-controllers/crossplane/providers/aws/manifests/provider-eks.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ec3fc557d32de98433c5250d09fc16a1932fc345
--- /dev/null
+++ b/oka/infra-controllers/crossplane/providers/aws/manifests/provider-eks.yaml
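Review bot: The provider package is referenced by tag (`provider-aws-ec2:v1.4.0`), and a tag can be re-pointed in the registry, so what Crossplane installs is not fixed by this file. Pinning by digest makes it reproducible, e.g. `package: xpkg.upbound.io/upbound/provider-aws-ec2@sha256:<digest>`, with the version kept in a comment beside it. The same applies to the other Provider manifests in this commit (aws eks, iam and vpc; azure containerservice and dbformysql; gcp cloudplatform and container). These providers presumably act on cloud accounts with credentials configured elsewhere, which is why the package integrity matters here.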
@@ -0,0 +1,26 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# CRDs for EKS service +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-aws-eks +spec: + package: xpkg.upbound.io/upbound/provider-aws-eks:v1.4.0 + diff --git a/oka/infra-controllers/crossplane/providers/aws/manifests/provider-iam.yaml b/oka/infra-controllers/crossplane/providers/aws/manifests/provider-iam.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4aa50e8ce065a07b49fabd189e10c4c788e6f48a --- /dev/null +++ b/oka/infra-controllers/crossplane/providers/aws/manifests/provider-iam.yaml 
@@ -0,0 +1,27 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# CRDs for IAM service +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-aws-iam +spec: + package: xpkg.upbound.io/upbound/provider-aws-iam:v1.4.0 + + diff --git a/oka/infra-controllers/crossplane/providers/aws/manifests/provider-vpc.yaml b/oka/infra-controllers/crossplane/providers/aws/manifests/provider-vpc.yaml new file mode 100644 index 0000000000000000000000000000000000000000..cfa9a02a523e97a79fab2c1d47a4153782eba12d --- /dev/null +++ b/oka/infra-controllers/crossplane/providers/aws/manifests/provider-vpc.yaml 
@@ -0,0 +1,26 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# CRDs for VPC service +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-aws-vpc +spec: + package: xpkg.upbound.io/upbound/provider-aws-vpc:v1.4.0 + diff --git a/oka/infra-controllers/crossplane/providers/aws/templates/crossplane-aws-providers.yaml b/oka/infra-controllers/crossplane/providers/aws/templates/crossplane-aws-providers.yaml new file mode 100644 index 0000000000000000000000000000000000000000..19325a2e71eff4c195337cf302fa3bbf33beb056 --- /dev/null +++ b/oka/infra-controllers/crossplane/providers/aws/templates/crossplane-aws-providers.yaml 
@@ -0,0 +1,35 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# AWS Upbound lightweight provider families +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: aws-providers + namespace: crossplane-system +spec: + interval: 1h + retryInterval: 1m + timeout: 5m + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system + path: ./infra-controllers/crossplane/providers/aws/manifests + prune: true + \ No newline at end of file diff --git a/oka/infra-controllers/crossplane/providers/azure/manifests/provider-azure-container.yaml b/oka/infra-controllers/crossplane/providers/azure/manifests/provider-azure-container.yaml new file mode 100644 index 0000000000000000000000000000000000000000..41b1d79f3161d85dc18d34ffbb5983b3e150ff22 --- /dev/null +++ b/oka/infra-controllers/crossplane/providers/azure/manifests/provider-azure-container.yaml 
@@ -0,0 +1,23 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-azure-containerservice +spec: + package: xpkg.upbound.io/upbound/provider-azure-containerservice:v0.37.1 diff --git a/oka/infra-controllers/crossplane/providers/azure/manifests/provider-azure-dbformysql.yaml b/oka/infra-controllers/crossplane/providers/azure/manifests/provider-azure-dbformysql.yaml new file mode 100644 index 0000000000000000000000000000000000000000..317e70da71549200ad92f1768dc4370051023244 --- /dev/null +++ b/oka/infra-controllers/crossplane/providers/azure/manifests/provider-azure-dbformysql.yaml 
@@ -0,0 +1,24 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-azure-dbformysql +spec: + package: xpkg.upbound.io/upbound/provider-azure-dbformysql:v0.38.2 diff --git a/oka/infra-controllers/crossplane/providers/azure/templates/crossplane-azure-providers.yaml b/oka/infra-controllers/crossplane/providers/azure/templates/crossplane-azure-providers.yaml new file mode 100644 index 0000000000000000000000000000000000000000..436a9ffe0fa420ada185daba0c8e061006d5d665 --- /dev/null +++ b/oka/infra-controllers/crossplane/providers/azure/templates/crossplane-azure-providers.yaml 
@@ -0,0 +1,34 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# Azure providers +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: azure-providers + namespace: crossplane-system +spec: + interval: 1h + retryInterval: 1m + timeout: 5m + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system + path: ./infra-controllers/crossplane/providers/azure/manifests + prune: true diff --git a/oka/infra-controllers/crossplane/providers/gcp/manifests/provider-gcp-cloudplatform.yaml b/oka/infra-controllers/crossplane/providers/gcp/manifests/provider-gcp-cloudplatform.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8f3f708f55999f961d33c95c662d660dd12af51a --- /dev/null +++ b/oka/infra-controllers/crossplane/providers/gcp/manifests/provider-gcp-cloudplatform.yaml 
@@ -0,0 +1,25 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# CRDs for general CGP management +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-gcp-cloudplatform +spec: + package: xpkg.upbound.io/upbound/provider-gcp-cloudplatform:v1.2.0 diff --git a/oka/infra-controllers/crossplane/providers/gcp/manifests/provider-gcp-container.yaml b/oka/infra-controllers/crossplane/providers/gcp/manifests/provider-gcp-container.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e7b548733375b5b063e87fb2396c2462d5aa3379 --- /dev/null +++ b/oka/infra-controllers/crossplane/providers/gcp/manifests/provider-gcp-container.yaml 
@@ -0,0 +1,25 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# CRDs for K8s and other container services +apiVersion: pkg.crossplane.io/v1 +kind: Provider +metadata: + name: provider-gcp-container +spec: + package: xpkg.upbound.io/upbound/provider-gcp-container:v1.2.0 diff --git a/oka/infra-controllers/crossplane/providers/gcp/templates/crossplane-gcp-providers.yaml b/oka/infra-controllers/crossplane/providers/gcp/templates/crossplane-gcp-providers.yaml new file mode 100644 index 0000000000000000000000000000000000000000..972bc89e0db7c22449160695b19be6f0654c258b --- /dev/null +++ b/oka/infra-controllers/crossplane/providers/gcp/templates/crossplane-gcp-providers.yaml 
@@ -0,0 +1,34 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# GCP providers +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: gcp-providers + namespace: crossplane-system +spec: + interval: 1h + retryInterval: 1m + timeout: 5m + sourceRef: + kind: GitRepository + name: sw-catalogs + namespace: flux-system + path: ./infra-controllers/crossplane/providers/gcp/manifests + prune: true diff --git a/oka/infra-controllers/ingress-nginx/manifests/ingress-nginx.yaml b/oka/infra-controllers/ingress-nginx/manifests/ingress-nginx.yaml new file mode 100644 index 0000000000000000000000000000000000000000..eb8ed2fb6bedd2922aebca840c566db2a32ddd8f --- /dev/null +++ b/oka/infra-controllers/ingress-nginx/manifests/ingress-nginx.yaml 
@@ -0,0 +1,56 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress-nginx
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: ingress-nginx
+ namespace: ingress-nginx
+spec:
+ interval: 24h
+ url: https://kubernetes.github.io/ingress-nginx
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: ingress-nginx
+ namespace: ingress-nginx
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: ingress-nginx
+ version: "*"
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: ingress-nginx
+ interval: 12h
+ values:
+ controller:
+ service:
+ type: "NodePort"
+ admissionWebhooks:
+ enabled: false
diff --git a/oka/infra-controllers/ingress-nginx/templates/ingress-nginx-ks.yaml b/oka/infra-controllers/ingress-nginx/templates/ingress-nginx-ks.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..dc6c6cf2b484f1f8f11f8e89b895d573f96c855a
--- /dev/null
+++ b/oka/infra-controllers/ingress-nginx/templates/ingress-nginx-ks.yaml
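Review bot: `admissionWebhooks.enabled: false` in the HelmRelease values switches off the ingress-nginx validating webhook, so Ingress objects are no longer checked by the controller before they are admitted. An invalid or conflicting Ingress then only fails when nginx reloads, where it can affect every host the controller serves. If the webhook was disabled to work around a bootstrap or certificate problem, record that beside the key, e.g. `# webhook disabled because <reason>; re-enable once resolved`; otherwise set `enabled: true`. Indentation is lost in this view, so it is worth confirming the key sits under `controller:` as the chart expects.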
@@ -0,0 +1,31 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: ingress-nginx
+ namespace: flux-system
+spec:
+ interval: 1h0m0s
+ path: ./infra-controllers/ingress-nginx/manifests
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
diff --git a/oka/infra-controllers/istio/manifests/addons/grafana.yaml b/oka/infra-controllers/istio/manifests/addons/grafana.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6b49072691043cc06bb8c53a24b18536f9540bdb
--- /dev/null
+++ b/oka/infra-controllers/istio/manifests/addons/grafana.yaml
@@ -0,0 +1,1158 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# Source: grafana/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: grafana-6.57.4 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "9.5.5" + app.kubernetes.io/managed-by: Helm + name: grafana + namespace: istio-system +--- +# Source: grafana/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-6.57.4 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "9.5.5" + app.kubernetes.io/managed-by: Helm +data: + grafana.ini: | + [analytics] + check_for_updates = true + [grafana_net] + url = https://grafana.net + [log] + mode = console + [paths] + data = /var/lib/grafana/ + logs = /var/log/grafana + plugins = /var/lib/grafana/plugins + provisioning = /etc/grafana/provisioning + [server] + domain = '' + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: true + isDefault: true + jsonData: + timeInterval: 5s + name: Prometheus + orgId: 1 + type: prometheus + url: http://prometheus:9090 + - access: proxy + 
editable: true + isDefault: false + jsonData: + timeInterval: 5s + name: Loki + orgId: 1 + type: loki + url: http://loki:3100 + dashboardproviders.yaml: | + apiVersion: 1 + providers: + - disableDeletion: false + folder: istio + name: istio + options: + path: /var/lib/grafana/dashboards/istio + orgId: 1 + type: file + - disableDeletion: false + folder: istio + name: istio-services + options: + path: /var/lib/grafana/dashboards/istio-services + orgId: 1 + type: file +--- +# Source: grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-6.57.4 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "9.5.5" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: service + port: 3000 + protocol: TCP + targetPort: 3000 + selector: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana +--- +# Source: grafana/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-6.57.4 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "9.5.5" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + strategy: + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app: grafana + sidecar.istio.io/inject: "false" + annotations: + checksum/config: aec3d18ca2ea82d1d48f8965db1440aba0680ed2f32c5a29e6cdb5e7afc8b395 + checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/sc-dashboard-provider-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + kubectl.kubernetes.io/default-container: grafana + 
spec: + + serviceAccountName: grafana + automountServiceAccountToken: true + securityContext: + fsGroup: 472 + runAsGroup: 472 + runAsNonRoot: true + runAsUser: 472 + enableServiceLinks: true + containers: + - name: grafana + image: "docker.io/grafana/grafana:9.5.5" + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - name: config + mountPath: "/etc/grafana/grafana.ini" + subPath: grafana.ini + - name: storage + mountPath: "/var/lib/grafana" + - name: dashboards-istio + mountPath: "/var/lib/grafana/dashboards/istio" + - name: dashboards-istio-services + mountPath: "/var/lib/grafana/dashboards/istio-services" + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: "datasources.yaml" + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: "dashboardproviders.yaml" + ports: + - name: grafana + containerPort: 3000 + protocol: TCP + - name: gossip-tcp + containerPort: 9094 + protocol: TCP + - name: gossip-udp + containerPort: 9094 + protocol: UDP + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: GF_PATHS_DATA + value: /var/lib/grafana/ + - name: GF_PATHS_LOGS + value: /var/log/grafana + - name: GF_PATHS_PLUGINS + value: /var/lib/grafana/plugins + - name: GF_PATHS_PROVISIONING + value: /etc/grafana/provisioning + - name: "GF_AUTH_ANONYMOUS_ENABLED" + value: "true" + - name: "GF_AUTH_ANONYMOUS_ORG_ROLE" + value: "Admin" + - name: "GF_AUTH_BASIC_ENABLED" + value: "false" + - name: "GF_SECURITY_ADMIN_PASSWORD" + value: "admin" + - name: "GF_SECURITY_ADMIN_USER" + value: "admin" + livenessProbe: + failureThreshold: 10 + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + readinessProbe: + httpGet: + path: /api/health + port: 3000 + volumes: + - name: config + configMap: + name: grafana + - 
name: dashboards-istio + configMap: + name: istio-grafana-dashboards + - name: dashboards-istio-services + configMap: + name: istio-services-grafana-dashboards + - name: storage + emptyDir: {} + +--- + +apiVersion: v1 +data: + istio-performance-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":true,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":21,"panels":[{"content":"The charts on this dashboard are intended to show Istio main components cost in terms of resources utilization under steady load.\n\n- **vCPU / 1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. 
For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred / sec:** shows the number of bytes flowing through each Istio component.\n\n\n","gridPos":{"h":6,"w":24,"x":0,"y":1},"id":19,"links":[],"mode":"markdown","timeFrom":null,"timeShift":null,"title":"Performance Dashboard README","transparent":true,"type":"text"}],"title":"Performance Dashboard Notes","type":"row"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":1},"id":6,"panels":[],"title":"vCPU Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":2},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"(sum(irate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"(sum(irate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU / 1k 
rps","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":2},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":10},"id":13,"panels":[],"title":"Memory and Data 
Rates","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":11},"id":902,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\"}) / count(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\",container!=\"POD\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio-ingressgateway","refId":"A"},{"expr":"sum(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"}) / count(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory 
Usage","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":11},"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Bytes transferred / sec","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":19},"id":17,"panels":[],"title":"Istio Component 
Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":24,"x":0,"y":20},"id":15,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":71,"panels":[],"title":"Proxy Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":32},"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":32},"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":32},"id":702,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_fs_usage_bytes{container=\"istio-proxy\"})","format":"time_series","intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":39},"id":69,"panels":[],"title":"Istiod Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":40},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"sum(container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"C","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} 
(k8s)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":40},"id":602,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2},{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m])) by (container)","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} (k8s)","refId":"B","step":2},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"pilot 
(self-reported)","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":40},"id":74,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_open_fds{app=\"istiod\"}","format":"time_series","hide":true,"instant":false,"interval":"","intervalFactor":2,"legendFormat":"Open FDs (pilot)","refId":"A"},{"expr":"container_fs_usage_bytes{ container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"{{ container 
}}","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":40},"id":402,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of 
Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"10s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Istio Performance Dashboard","uid":"vu8e0VWZk","version":22} + pilot-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":1,"links":[],"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":60,"panels":[],"title":"Deployed Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":5,"w":24,"x":0,"y":1},"id":56,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build{component=\"pilot\"}) by 
(tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Versions","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":6},"id":62,"panels":[],"title":"Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":7},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap 
in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (container)","refId":"B","step":2},{"expr":"container_memory_working_set_bytes{container=~\"istio-proxy\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar (container)","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":7},"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Discovery (container)","refId":"A"},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (process)","refId":"C","step":2},{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"istio-proxy\", 
pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Sidecar (container)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"CPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":7},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"container_fs_usage_bytes{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"Discovery","refId":"B","step":2},{"expr":"container_fs_usage_bytes{container=\"istio-proxy\", 
pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":7},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":14},"id":58,"panels":[],"title":"Pilot Push Information","type":"row"},{"aliasColors":{},"bars":true,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the rate of pilot 
pushes","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":15},"id":622,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":false,"linewidth":1,"links":[],"nullPointMode":"null as zero","paceLength":10,"percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":true,"steppedLine":false,"targets":[{"expr":"sum(irate(pilot_xds_pushes{type=\"cds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Cluster","refId":"C"},{"expr":"sum(irate(pilot_xds_pushes{type=\"eds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Endpoints","refId":"D"},{"expr":"sum(irate(pilot_xds_pushes{type=\"lds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Listeners","refId":"A"},{"expr":"sum(irate(pilot_xds_pushes{type=\"rds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Routes","refId":"E"},{"expr":"sum(irate(pilot_xds_pushes{type=\"sds\"}[1m]))","interval":"","legendFormat":"Secrets","refId":"B"},{"expr":"sum(irate(pilot_xds_pushes{type=\"nds\"}[1m]))","interval":"","legendFormat":"Nametables","refId":"F"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Pushes","tooltip":{"shared":false,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":["total"]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":"0","show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Captures a variety of pilot 
errors","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":15},"id":67,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(pilot_xds_cds_reject{app=\"istiod\"}) or (absent(pilot_xds_cds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected CDS Configs","refId":"C"},{"expr":"sum(pilot_xds_eds_reject{app=\"istiod\"}) or (absent(pilot_xds_eds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected EDS Configs","refId":"D"},{"expr":"sum(pilot_xds_rds_reject{app=\"istiod\"}) or (absent(pilot_xds_rds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected RDS Configs","refId":"A"},{"expr":"sum(pilot_xds_lds_reject{app=\"istiod\"}) or (absent(pilot_xds_lds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected LDS Configs","refId":"B"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Write Timeouts","refId":"F"},{"expr":"sum(rate(pilot_total_xds_internal_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Internal Errors","refId":"H"},{"expr":"sum(rate(pilot_total_xds_rejects{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Config Rejection Rate","refId":"E"},{"expr":"sum(rate(pilot_xds_push_context_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Push Context 
Errors","refId":"K"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Push Timeouts","refId":"G"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Errors","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the total time it takes to push a config update to a proxy","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":15},"id":624,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"histogram_quantile(0.5, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p50 ","refId":"A"},{"expr":"histogram_quantile(0.9, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p90","refId":"B"},{"expr":"histogram_quantile(0.99, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99","refId":"C"},{"expr":"histogram_quantile(0.999, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99.9","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Proxy Push 
Time","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"s","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":23},"id":45,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null as zero","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"pilot_conflict_inbound_listener{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Inbound Listeners","refId":"B"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current 
tcp)","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Conflicts","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":23},"id":47,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(pilot_virt_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Virtual Services","refId":"A"},{"expr":"avg(pilot_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Services","refId":"B"},{"expr":"sum(pilot_xds{app=\"istiod\"}) by (pod)","format":"time_series","intervalFactor":1,"legendFormat":"Connected Endpoints {{pod}}","refId":"E"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"ADS Monitoring","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":64,"panels":[],"title":"Envoy 
Information","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows details about Envoy proxies in the mesh","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":32},"id":40,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(envoy_cluster_upstream_cx_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connections","refId":"C"},{"expr":"sum(irate(envoy_cluster_upstream_cx_connect_fail{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connection Failures","refId":"A"},{"expr":"sum(increase(envoy_server_hot_restart_epoch[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Envoy Restarts","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Envoy 
Details","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":32},"id":41,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})","format":"time_series","intervalFactor":2,"legendFormat":"XDS Active Connections","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Active Connections","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the size of XDS requests and 
responses","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":32},"id":42,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"max(rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Max","refId":"D"},{"expr":"quantile(0.5, rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Average","refId":"B"},{"expr":"max(rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Max","refId":"A"},{"expr":"quantile(.5, rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Average","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Requests 
Size","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":null,"gridPos":{"h":1,"w":24,"x":0,"y":40},"id":626,"panels":[],"title":"Webhooks","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":41},"hiddenSeries":false,"id":629,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(galley_validation_passed[1m]))","interval":"","legendFormat":"Validations (Success)","refId":"A"},{"expr":"sum(rate(galley_validation_failed[1m]))","interval":"","legendFormat":"Validation (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Configuration 
Validation","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"description":"","fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":41},"hiddenSeries":false,"id":630,"legend":{"avg":false,"current":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(sidecar_injection_success_total[1m]))","interval":"","legendFormat":"Injections (Success)","refId":"A"},{"expr":"sum(rate(sidecar_injection_failure_total[1m]))","interval":"","legendFormat":"Injections (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Sidecar 
Injection","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Control Plane Dashboard","uid":"3--MLVZZk","version":11} +kind: ConfigMap +metadata: + creationTimestamp: null + name: istio-grafana-dashboards + namespace: istio-system + +--- + +apiVersion: v1 +data: + istio-extension-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":0},"id":3,"panels":[],"title":"Wasm 
VMs","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"","fieldConfig":{"defaults":{"custom":{"align":null},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":1},"hiddenSeries":false,"id":2,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_active)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_active)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Active","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:123","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:124","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":1},"hiddenSeries":false,"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flo
t","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_created)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_created)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Created","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:68","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:69","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":9},"id":7,"panels":[],"title":"Wasm Module Remote Load","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":0,"y":10},"hiddenSeries":false,"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_entries)","interval":"","legendFormat":"entries","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache 
Entry","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:178","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:179","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":8,"y":10},"hiddenSeries":false,"id":8,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_hits)","interval":"","legendFormat":"hits","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_cache_misses)","interval":"","legendFormat":"misses","refId":"B"},{"expr":"avg(envoy_wasm_remote_load_cache_negative_hits)","interval":"","legendFormat":"negative hits","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache 
Visit","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:233","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:234","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":16,"y":10},"hiddenSeries":false,"id":10,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_fetch_failures)","interval":"","legendFormat":"failures","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_fetch_successes)","interval":"","legendFormat":"successes","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Remote Fetch","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:288","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:289","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":18},"id":71,"panels":[],"title":"Proxy Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":19},"hiddenSeries":false,"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:396","format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:397","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":19},"hiddenSeries":false,"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}
[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:447","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:448","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":false,"schemaVersion":26,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["10s","30s","1m","5m","15m","30m","1h","2h","1d"]},"timezone":"","title":"Istio Wasm Extension Dashboard","uid":"7PAV7ctGz","version":17} + istio-mesh-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[{"content":"
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to secure,\n connect, and \n monitor microservices.\n
\n Need help? Join the Istio community.\n
\n
","gridPos":{"h":3,"w":24,"x":0,"y":0},"height":"50px","id":13,"links":[],"mode":"html","style":{"font-size":"18pt"},"title":"","transparent":true,"type":"text"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":3},"id":20,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"round(sum(irate(istio_requests_total{reporter=\"source\"}[1m])), 0.001)","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"Global Request Volume","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 
0.97)"],"datasource":"Prometheus","format":"percentunit","gauge":{"maxValue":100,"minValue":80,"show":false,"thresholdLabels":false,"thresholdMarkers":false},"gridPos":{"h":3,"w":6,"x":6,"y":3},"id":21,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"95, 99, 99.5","title":"Global Success Rate (non-5xx responses)","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":3},"id":22,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", response_code=~\"4.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"4xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":3},"id":23,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", 
response_code=~\"5.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"5xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":113,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Virtual Services","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 
0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":114,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Destination Rules","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":115,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Gateways","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":116,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Workload 
Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":117,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Service Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 
0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":90,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"PeerAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":91,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"RequestAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":92,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"delete\"}) or max(up * 
0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Authorization Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":21,"w":24,"x":0,"y":9},"hideTimeOverride":false,"id":73,"links":[],"pageSize":null,"repeat":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"Workload dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Requests","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[],"type":"number","unit":"ops"},{"alias":"P50 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"s"},{"alias":"P90 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #C","thresholds":[],"type":"number","unit":"s"},{"alias":"P99 
Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #D","thresholds":[],"type":"number","unit":"s"},{"alias":"Success Rate","colorMode":"cell","colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #E","thresholds":[".95"," 1.00"],"type":"number","unit":"percentunit"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-workload=${__cell_2:raw}&var-namespace=${__cell_3:raw}","pattern":"destination_workload_var","thresholds":[],"type":"number","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_requests_total{reporter=\"source\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace 
}}","refId":"A"},{"expr":"label_join((histogram_quantile(0.50, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"B"},{"expr":"label_join((histogram_quantile(0.90, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"C"},{"expr":"label_join((histogram_quantile(0.99, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"D"},{"expr":"label_join((sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) by 
(destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"interval":"","intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"E"}],"timeFrom":null,"title":"HTTP/GRPC Workloads","transform":"table","type":"table"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":18,"w":24,"x":0,"y":30},"hideTimeOverride":false,"id":109,"links":[],"pageSize":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"Bytes Sent","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[""],"type":"number","unit":"Bps"},{"alias":"Bytes Received","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"Bps"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD 
HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload_var","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"number","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"A"},{"expr":"label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"B"}],"timeFrom":null,"title":"TCP 
Workloads","transform":"table","type":"table"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":9,"w":24,"x":0,"y":48},"id":111,"legend":{"alignAsTable":false,"avg":false,"current":false,"max":false,"min":false,"rightSide":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Mesh Dashboard","uid":"G8wLrJIZk","version":5} + istio-service-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"-- + Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations + & 
Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1595591291797,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":106,\"panels\":[{\"content\":\"
\\nSERVICE: $service\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nSERVICE: $service\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, + 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Client + Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, + 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 
0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, + 99, 99.5\",\"title\":\"Client Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.99, 
sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Client + Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":4},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 
193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Received Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, + 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":8},\"id\":97,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Server + Request 
Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, + 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":8},\"id\":98,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) + / sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, + 99, 99.5\",\"title\":\"Server Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":8},\"hiddenSeries\":false,\"id\":99,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or 
histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Server + Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":8},\"id\":100,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 
193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Sent Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":104,\"panels\":[{\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":2},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":5},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=~\\\"$qrep\\\",source_workload=~\\\"$srcwl\\\",source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace, + response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Requests By Source And Response 
Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":5},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + 
connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Success Rate (non-5xx responses) By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":11},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack
\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", 
connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Duration By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":11},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by 
(source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":11},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, 
source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", 
source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + 
source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", + 
source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Client + Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":102,\"panels\":[{\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":3},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":6},\"hiddenSeries\":false,\"id\":90,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=\\\"destination\\\",destination_workload=~\\\"$dstwl\\\",destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} : {{ response_code + }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", reporter=\\\"destination\\\", destination_workload=~\\\"$dstwl\\\", + destination_workload_namespace=~\\\"$dstns\\\"}[5m])) by (destination_workload, + destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} : {{ response_code + }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Requests By 
Destination Workload And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":6},\"hiddenSeries\":false,\"id\":91,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Success Rate (non-5xx responses) By Destination 
Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":12},\"hiddenSeries\":false,\"id\":94,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ 
destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + 
sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", 
destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Duration By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":12},\"hiddenSeries\":false,\"id\":95,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"st
eppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by 
(destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", 
connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":12},\"hiddenSeries\":false,\"id\":96,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", 
destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 
(\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, 
destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":18},\"hiddenSeries\":false,\"id\":92,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace}} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":18},\"hiddenSeries\":false,\"id\":93,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", + 
destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, + destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", + destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, + destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Service + 
Workloads\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Service\",\"multi\":false,\"name\":\"service\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{}) + by (destination_service) or sum(istio_tcp_sent_bytes_total{}) by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Cluster\",\"multi\":true,\"name\":\"srccluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=\\\"$service\\\"}) by (source_cluster) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}) by 
(source_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=\\\"$service\\\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}) by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) + by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) + by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload Cluster\",\"multi\":true,\"name\":\"dstcluster\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", + destination_service=\\\"$service\\\"}) by (destination_cluster) or 
sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", + destination_service=~\\\"$service\\\"}) by (destination_cluster))\",\"refresh\":1,\"regex\":\"/.*cluster=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload Namespace\",\"multi\":true,\"name\":\"dstns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", + destination_service=\\\"$service\\\"}) by (destination_workload_namespace) or + sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\"}) + by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload\",\"multi\":true,\"name\":\"dstwl\",\"options\":[],\"query\":\"query_result( + sum(istio_requests_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", + destination_cluster=~\\\"$dstcluster\\\", destination_workload_namespace=~\\\"$dstns\\\"}) + by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", + destination_service=~\\\"$service\\\", destination_cluster=~\\\"$dstcluster\\\", + destination_workload_namespace=~\\\"$dstns\\\"}) by 
(destination_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio + Service Dashboard\",\"uid\":\"LJ_uJAvmk\",\"version\":1}\n" + istio-workload-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"-- + Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations + & Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1531345461465,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":95,\"panels\":[{\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, + 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":8,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Incoming + Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, + 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 
0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":8,\"x\":8,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\"}[5m])) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, + 99, 99.5\",\"title\":\"Incoming Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":8,\"x\":16,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by 
(le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Request + Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":0,\"y\":8},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to 
text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\"}[1m])) + + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Server Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":12,\"y\":8},\"id\":85,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to 
text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\"}[1m])) + + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Client Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":93,\"panels\":[{\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":13},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":16},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code 
}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Requests By Source And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":16},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, 
source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Success Rate (non-5xx responses) By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":22},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Duration By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":22},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + 
P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":22},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + 
P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":28},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, 
source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":28},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Inbound + Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":91,\"panels\":[{\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":14},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":70,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal=~\\\"spiffe.*\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, + response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal!~\\\"spiffe.*\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, + response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Requests By Destination And Response 
Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":71,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", 
source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Success Rate (non-5xx responses) By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":23},\"hiddenSeries\":false,\"id\":72,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + 
sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.95, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + 
destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or 
histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Request Duration By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":23},\"hiddenSeries\":false,\"id\":73,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + 
destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Request Size By 
Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":23},\"hiddenSeries\":false,\"id\":74,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} 
P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By 
Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":29},\"hiddenSeries\":false,\"id\":76,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service 
}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent on Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":29},\"hiddenSeries\":false,\"id\":78,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service), 
0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Outbound + Services\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Namespace\",\"multi\":false,\"name\":\"namespace\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total) + by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*_namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Workload\",\"multi\":false,\"name\":\"workload\",\"options\":[],\"query\":\"query_result((sum(istio_requests_total{destination_workload_namespace=~\\\"$namespace\\\"}) + by 
(destination_workload) or sum(istio_requests_total{source_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\\\"$namespace\\\"}) + by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload)))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"query\":\"source,destination\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"custom\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound + Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound + 
Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Destination + Service\",\"multi\":true,\"name\":\"dstsvc\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"source\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) + by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) + by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio + Workload Dashboard\",\"uid\":\"UbsSZTDik\",\"version\":1}\n" +kind: ConfigMap +metadata: + creationTimestamp: null + name: istio-services-grafana-dashboards + namespace: istio-system 
diff --git a/oka/infra-controllers/istio/manifests/addons/jaeger.yaml b/oka/infra-controllers/istio/manifests/addons/jaeger.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b752e684e831eb8cd67ceb1ab010d4869dde4da0
--- /dev/null
+++ b/oka/infra-controllers/istio/manifests/addons/jaeger.yaml
@@ -0,0 +1,138 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jaeger
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ selector:
+ matchLabels:
+ app: jaeger
+ template:
+ metadata:
+ labels:
+ app: jaeger
+ sidecar.istio.io/inject: "false"
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "14269"
+ spec:
+ containers:
+ - name: jaeger
+ image: "docker.io/jaegertracing/all-in-one:1.46"
+ env:
+ - name: BADGER_EPHEMERAL
+ value: "false"
+ - name: SPAN_STORAGE_TYPE
+ value: "badger"
+ - name: BADGER_DIRECTORY_VALUE
+ value: "/badger/data"
+ - name: BADGER_DIRECTORY_KEY
+ value: "/badger/key"
+ - name: COLLECTOR_ZIPKIN_HOST_PORT
+ value: ":9411"
+ - name: MEMORY_MAX_TRACES
+ value: "50000"
+ - name: QUERY_BASE_PATH
+ value: /jaeger
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ volumeMounts:
+ - name: data
+ mountPath: /badger
+ resources:
+ requests:
+ cpu: 10m
+ volumes:
+ - name: data
+ emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ type: ClusterIP
+ ports:
+ - name: http-query
+ port: 80
+ protocol: TCP
+ targetPort: 16686
+ # Note: Change port name if you add '--query.grpc.tls.enabled=true'
+ - name: grpc-query
+ port: 16685
+ protocol: TCP
+ targetPort: 16685
+ selector:
+ app: jaeger
+---
+# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: zipkin
+ name: zipkin
+ namespace: istio-system
+spec:
+ ports:
+ - port: 9411
+ targetPort: 9411
+ name: http-query
+ selector:
+ app: jaeger
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-collector
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ type: ClusterIP
+ ports:
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ - name: jaeger-collector-grpc
+ port: 14250
+ targetPort: 14250
+ protocol: TCP
+ - port: 9411
+ targetPort: 9411
+ name: http-zipkin
+ - port: 4317
+ name: grpc-otel
+ - port: 4318
+ name: http-otel
+ selector:
+ app: jaeger
diff --git a/oka/infra-controllers/istio/manifests/addons/kiali.yaml b/oka/infra-controllers/istio/manifests/addons/kiali.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1e74f84b432647cd6e0448f6ed4e7547f8755647
--- /dev/null
+++ b/oka/infra-controllers/istio/manifests/addons/kiali.yaml
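Review bot: The `jaeger` container in the Deployment is added without a `securityContext`, so it runs with the image's default user, capabilities and a writable root filesystem, whereas the kiali Deployment added in the same commit drops all capabilities and sets `runAsNonRoot`. I would add a container-level `securityContext` as in the fence below; confirm the image's default user is non-root (otherwise set `runAsUser` explicitly), and `readOnlyRootFilesystem: true` is worth testing since the configured badger directories are under the mounted `/badger`. The image is referenced by the mutable tag `all-in-one:1.46`; pinning it by digest would make the deployed artifact reproducible. `BADGER_EPHEMERAL` is `"false"` but `/badger` is an `emptyDir`, so stored traces do not survive pod rescheduling, which is probably acceptable for an addon but deserves a comment.

```yaml
        - name: jaeger
          image: "docker.io/jaegertracing/all-in-one:1.46"
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          # … unchanged: env, probes, volumeMounts, resources …
```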
@@ -0,0 +1,568 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# Source: kiali-server/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kiali
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.76.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.76.0"
+ app.kubernetes.io/version: "v1.76.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+...
+---
+# Source: kiali-server/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kiali
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.76.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.76.0"
+ app.kubernetes.io/version: "v1.76.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+data:
+ config.yaml: |
+ auth:
+ openid: {}
+ openshift:
+ client_id_prefix: kiali
+ strategy: anonymous
+ deployment:
+ accessible_namespaces:
+ - '**'
+ additional_service_yaml: {}
+ affinity:
+ node: {}
+ pod: {}
+ pod_anti: {}
+ configmap_annotations: {}
+ custom_secrets: []
+ host_aliases: []
+ hpa:
+ api_version: autoscaling/v2beta2
+ spec: {}
+ image_digest: ""
+ image_name: quay.io/kiali/kiali
+ image_pull_policy: Always
+ image_pull_secrets: []
+ image_version: v1.76
+ ingress:
+ additional_labels: {}
+ class_name: nginx
+ override_yaml:
+ metadata: {}
+ ingress_enabled: false
+ instance_name: kiali
+ logger:
+ log_format: text
+ log_level: info
+ sampler_rate: "1"
+ time_field_format: 2006-01-02T15:04:05Z07:00
+ namespace: istio-system
+ node_selector: {}
+ pod_annotations: {}
+ pod_labels:
+ sidecar.istio.io/inject: "false"
+ priority_class_name: ""
+ replicas: 1
+ resources:
+ limits:
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ secret_name: kiali
+ security_context: {}
+ service_annotations: {}
+ service_type: ""
+ tolerations: []
+ version_label: v1.76.0
+ view_only_mode: false
+ external_services:
+ custom_dashboards:
+ enabled: true
+ istio:
+ root_namespace: istio-system
+ identity:
+ cert_file: ""
+ private_key_file: ""
+ istio_namespace: istio-system
+ kiali_feature_flags:
+ certificates_information_indicators:
+ enabled: true
+ secrets:
+ - cacerts
+ - istio-ca-secret
+ clustering:
+ autodetect_secrets:
+ enabled: true
+ label: kiali.io/multiCluster=true
+ clusters: []
+ disabled_features: []
+ validations:
+ ignore:
+ - KIA1301
+ login_token:
+ signing_key: CHANGEME00000000
+ server:
+ metrics_enabled: true
+ metrics_port: 9090
+ port: 20001
+ web_root: /kiali
+...
+---
+# Source: kiali-server/templates/role-viewer.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kiali-viewer
+ labels:
+ helm.sh/chart: kiali-server-1.76.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.76.0"
+ app.kubernetes.io/version: "v1.76.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - pods
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - pods/portforward
+ verbs:
+ - create
+ - post
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.istio.io
+ - security.istio.io
+ - extensions.istio.io
+ - telemetry.istio.io
+ - gateway.networking.k8s.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["project.openshift.io"]
+ resources:
+ - projects
+ verbs:
+ - get
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ verbs:
+ - get
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+...
+---
+# Source: kiali-server/templates/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kiali
+ labels:
+ helm.sh/chart: kiali-server-1.76.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.76.0"
+ app.kubernetes.io/version: "v1.76.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - pods
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: [""]
+ resources:
+ - pods/portforward
+ verbs:
+ - create
+ - post
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - networking.istio.io
+ - security.istio.io
+ - extensions.istio.io
+ - telemetry.istio.io
+ - gateway.networking.k8s.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: ["project.openshift.io"]
+ resources:
+ - projects
+ verbs:
+ - get
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ verbs:
+ - get
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+...
+---
+# Source: kiali-server/templates/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kiali
+ labels:
+ helm.sh/chart: kiali-server-1.76.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.76.0"
+ app.kubernetes.io/version: "v1.76.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kiali
+subjects:
+- kind: ServiceAccount
+ name: kiali
+ namespace: istio-system
+...
+---
+# Source: kiali-server/templates/role-controlplane.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kiali-controlplane
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.76.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.76.0"
+ app.kubernetes.io/version: "v1.76.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+rules:
+- apiGroups: [""]
+ resourceNames:
+ - cacerts
+ - istio-ca-secret
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+...
+---
+# Source: kiali-server/templates/rolebinding-controlplane.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kiali-controlplane
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.76.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.76.0"
+ app.kubernetes.io/version: "v1.76.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kiali-controlplane
+subjects:
+- kind: ServiceAccount
+ name: kiali
+ namespace: istio-system
+...
+---
+# Source: kiali-server/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: kiali
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.76.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.76.0"
+ app.kubernetes.io/version: "v1.76.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+ annotations:
+spec:
+ ports:
+ - name: http
+ appProtocol: http
+ protocol: TCP
+ port: 20001
+ - name: http-metrics
+ appProtocol: http
+ protocol: TCP
+ port: 9090
+ selector:
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+...
+---
+# Source: kiali-server/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kiali
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.76.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.76.0"
+ app.kubernetes.io/version: "v1.76.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ name: kiali
+ labels:
+ helm.sh/chart: kiali-server-1.76.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.76.0"
+ app.kubernetes.io/version: "v1.76.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+ sidecar.istio.io/inject: "false"
+ annotations:
+ checksum/config: aebd819b94172ef9b148702b7bb438ac35bd1eb284bbb9b13769d8576374fbda
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9090"
+ kiali.io/dashboards: go,kiali
+ spec:
+ serviceAccountName: kiali
+ containers:
+ - image: "quay.io/kiali/kiali:v1.76"
+ imagePullPolicy: Always
+ name: kiali
+ command:
+ - "/opt/kiali/kiali"
+ - "-config"
+ - "/kiali-configuration/config.yaml"
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ ports:
+ - name: api-port
+ containerPort: 20001
+ - name: http-metrics
+ containerPort: 9090
+ readinessProbe:
+ httpGet:
+ path: /kiali/healthz
+ port: api-port
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ livenessProbe:
+ httpGet:
+ path: /kiali/healthz
+ port: api-port
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ env:
+ - name: ACTIVE_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LOG_LEVEL
+ value: "info"
+ - name: LOG_FORMAT
+ value: "text"
+ - name: LOG_TIME_FIELD_FORMAT
+ value: "2006-01-02T15:04:05Z07:00"
+ - name: LOG_SAMPLER_RATE
+ value: "1"
+ volumeMounts:
+ - name: kiali-configuration
+ mountPath: "/kiali-configuration"
+ - name: kiali-cert
+ mountPath: "/kiali-cert"
+ - name: kiali-secret
+ mountPath: "/kiali-secret"
+ - name: kiali-cabundle
+ mountPath: "/kiali-cabundle"
+ resources:
+ limits:
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ volumes:
+ - name: kiali-configuration
+ configMap:
+ name: kiali
+ - name: kiali-cert
+ secret:
+ secretName: istio.kiali-service-account
+ optional: true
+ - name: kiali-secret
+ secret:
+ secretName: kiali
+ optional: true
+ - name: kiali-cabundle
+ configMap:
+ name: kiali-cabundle
+ optional: true
+...
diff --git a/oka/infra-controllers/istio/manifests/addons/loki.yaml b/oka/infra-controllers/istio/manifests/addons/loki.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..234581d01c08fce3ba7a3ccf68929824e8f4e6bc
--- /dev/null
+++ b/oka/infra-controllers/istio/manifests/addons/loki.yaml
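Review bot: The `kiali` ConfigMap sets `auth.strategy: anonymous` together with `view_only_mode: false` and `accessible_namespaces: '**'`, while the ClusterRoleBinding binds the `kiali` ServiceAccount to the write-capable `kiali` ClusterRole (patch on workloads, create/delete/patch on the Istio API groups, create on `pods/portforward`), so any client that can reach port 20001 acts with those rights without logging in. Unless this is a demo-only cluster, use an authenticated strategy such as `strategy: token`, and if only observation is needed set `view_only_mode: true` and point the binding at the read-only role with `name: kiali-viewer` in `roleRef`. `login_token.signing_key: CHANGEME00000000` is a placeholder constant stored in a ConfigMap; once a login-based strategy is enabled it should be a per-installation value that is not committed in the manifest. The `kiali-viewer` ClusterRole defined in this hunk is not bound by anything visible here.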
@@ -0,0 +1,302 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# Source: loki/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: loki + namespace: istio-system + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +--- +# Source: loki/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: loki + namespace: istio-system + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm +data: + config.yaml: | + auth_enabled: false + common: + compactor_address: 'loki' + path_prefix: /var/loki + replication_factor: 1 + storage: + filesystem: + chunks_directory: /var/loki/chunks + rules_directory: /var/loki/rules + limits_config: + enforce_metric_name: false + max_cache_freshness_per_query: 10m + reject_old_samples: true + reject_old_samples_max_age: 168h + split_queries_by_interval: 15m + memberlist: + join_members: + - loki-memberlist + query_range: + align_queries_with_step: true + ruler: + storage: + type: local + 
runtime_config: + file: /etc/loki/runtime-config/runtime-config.yaml + schema_config: + configs: + - from: "2022-01-11" + index: + period: 24h + prefix: loki_index_ + object_store: filesystem + schema: v12 + store: boltdb-shipper + server: + grpc_listen_port: 9095 + http_listen_port: 3100 + storage_config: + hedging: + at: 250ms + max_per_second: 20 + up_to: 3 + table_manager: + retention_deletes_enabled: false + retention_period: 0 +--- +# Source: loki/templates/runtime-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: loki-runtime + namespace: istio-system + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm +data: + runtime-config.yaml: | + {} +--- +# Source: loki/templates/service-memberlist.yaml +apiVersion: v1 +kind: Service +metadata: + name: loki-memberlist + namespace: istio-system + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + clusterIP: None + ports: + - name: tcp + port: 7946 + targetPort: http-memberlist + protocol: TCP + selector: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/part-of: memberlist +--- +# Source: loki/templates/single-binary/service-headless.yaml +apiVersion: v1 +kind: Service +metadata: + name: loki-headless + namespace: istio-system + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm + variant: headless + prometheus.io/service-monitor: "false" +spec: + clusterIP: None + ports: + - name: http-metrics + port: 3100 + targetPort: http-metrics + protocol: TCP + selector: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki +--- +# Source: 
loki/templates/single-binary/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: loki + namespace: istio-system + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: http-metrics + port: 3100 + targetPort: http-metrics + protocol: TCP + - name: grpc + port: 9095 + targetPort: grpc + protocol: TCP + selector: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary +--- +# Source: loki/templates/single-binary/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: loki + namespace: istio-system + labels: + helm.sh/chart: loki-4.8.0 + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/version: "2.7.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: single-binary + app.kubernetes.io/part-of: memberlist +spec: + replicas: 1 + podManagementPolicy: Parallel + updateStrategy: + rollingUpdate: + partition: 0 + serviceName: loki-headless + revisionHistoryLimit: 10 + persistentVolumeClaimRetentionPolicy: + whenDeleted: Delete + whenScaled: Delete + selector: + matchLabels: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary + template: + metadata: + annotations: + checksum/config: a9239b6352e34bbfc748669ed46cb24211fc3491ee7f2c6381af805f8f08fe29 + labels: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary + app.kubernetes.io/part-of: memberlist + spec: + serviceAccountName: loki + automountServiceAccountToken: true + enableServiceLinks: true + securityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + terminationGracePeriodSeconds: 30 + containers: + - name: loki + image: docker.io/grafana/loki:2.7.3 + imagePullPolicy: 
IfNotPresent + args: + - -config.file=/etc/loki/config/config.yaml + - -target=all + ports: + - name: http-metrics + containerPort: 3100 + protocol: TCP + - name: grpc + containerPort: 9095 + protocol: TCP + - name: http-memberlist + containerPort: 7946 + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 30 + timeoutSeconds: 1 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: config + mountPath: /etc/loki/config + - name: runtime-config + mountPath: /etc/loki/runtime-config + - name: storage + mountPath: /var/loki + resources: + {} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: loki + app.kubernetes.io/instance: loki + app.kubernetes.io/component: single-binary + topologyKey: kubernetes.io/hostname + volumes: + - name: tmp + emptyDir: {} + - name: config + configMap: + name: loki + - name: runtime-config + configMap: + name: loki-runtime + volumeClaimTemplates: + - metadata: + name: storage + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "10Gi" diff --git a/oka/infra-controllers/istio/manifests/addons/prometheus.yaml b/oka/infra-controllers/istio/manifests/addons/prometheus.yaml new file mode 100644 index 0000000000000000000000000000000000000000..63ee77b2599f7af58e338aeef850460b58576caa --- /dev/null +++ b/oka/infra-controllers/istio/manifests/addons/prometheus.yaml 
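Review bot: The Loki config sets `auth_enabled: false` and the `loki` Service publishes ports 3100 and 9095 as a plain ClusterIP, so any workload that can route to istio-system can push and query logs without authentication; nothing in this file restricts that. I would add a NetworkPolicy in istio-system that admits ingress to the `app.kubernetes.io/name: loki` pods only from the intended log shippers and dashboards (which ones is not visible in this commit). Separately, the ServiceAccount and the pod spec both set `automountServiceAccountToken: true`, while the config uses filesystem storage and a DNS name (`loki-memberlist`) for memberlist, so the token looks unused; `automountServiceAccountToken: false` in both places would keep it out of the pod. The manifest appears to be rendered chart output, so these settings may belong in the values used to render it.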
@@ -0,0 +1,548 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### + +--- +# Source: prometheus/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus + namespace: istio-system + annotations: + {} +--- +# Source: prometheus/templates/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus + namespace: istio-system +data: + allow-snippet-annotations: "false" + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - 
__meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - honor_labels: true + job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: drop + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: service + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node + - honor_labels: true + job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: service + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - honor_labels: true + job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: service + - honor_labels: true + job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: 
keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: drop + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) + replacement: '[$2]:$1' + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: replace + regex: (\d+);((([0-9]+?)(\.|$)){4}) + replacement: $2:$1 + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: pod + - action: drop + regex: Pending|Succeeded|Failed|Completed + source_labels: + - __meta_kubernetes_pod_phase + - honor_labels: true + job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) + replacement: '[$2]:$1' + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: replace + regex: (\d+);((([0-9]+?)(\.|$)){4}) + replacement: $2:$1 + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_port + - __meta_kubernetes_pod_ip + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: pod + - action: drop + regex: Pending|Succeeded|Failed|Completed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus +subjects: + - kind: ServiceAccount + name: prometheus + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus +--- +# Source: prometheus/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + ports: + - name: http + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + strategy: + type: Recreate + rollingUpdate: null + template: + metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-19.6.1 + heritage: Helm + + sidecar.istio.io/inject: "false" + spec: + enableServiceLinks: true + serviceAccountName: prometheus + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.8.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "prom/prometheus:v2.41.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - 
--web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + dnsPolicy: ClusterFirst + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus + - name: storage-volume + emptyDir: + {} diff --git a/oka/infra-controllers/istio/manifests/core/istio-hr.yaml b/oka/infra-controllers/istio/manifests/core/istio-hr.yaml new file mode 100644 index 0000000000000000000000000000000000000000..384cc2513acf1d9ee2ac396e5841482d1a11e3b5 --- /dev/null +++ b/oka/infra-controllers/istio/manifests/core/istio-hr.yaml 
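Review bot: The `kubernetes-apiservers`, `kubernetes-nodes` and `kubernetes-nodes-cadvisor` scrape jobs set `insecure_skip_verify: true` next to `ca_file`, so the service-account bearer token is sent over TLS without verifying the peer certificate even though the cluster CA is already referenced. `insecure_skip_verify: false` in those three `tls_config` blocks should work for the two node jobs, which rewrite `__address__` to `kubernetes.default.svc:443`; the apiservers job scrapes discovered endpoints and needs a test before switching. Also, neither container in the Deployment has a container-level `securityContext`, unlike the Loki container added in this commit, which sets `allowPrivilegeEscalation: false`, drops `ALL` capabilities and uses `readOnlyRootFilesystem: true`; the same block looks applicable here since `/data` and `/etc/config` are already volume mounts. The file appears to be rendered chart output, so the change may belong in the values used to render it.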
@@ -0,0 +1,61 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# Istio base: CRDs:
+# helm install istio-base istio/base -n istio-system --set defaultRevision=default
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: istio-base
+ namespace: istio-system
+spec:
+ chart:
+ spec:
+ chart: base
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: istio
+ namespace: istio-system
+ values:
+ defaultRevision: default
+ interval: 30s
+
+---
+# Istio discovery:
+# helm install istiod istio/istiod -n istio-system --wait
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: istiod
+ namespace: istio-system
+spec:
+ targetNamespace: istio-system
+ dependsOn:
+ - name: istio-base
+ chart:
+ spec:
+ chart: istiod
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: istio
+ namespace: istio-system
+ values:
+ defaultRevision: default
+ interval: 30s
diff --git a/oka/infra-controllers/istio/manifests/core/istio-namespace.yaml b/oka/infra-controllers/istio/manifests/core/istio-namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d458626148e268adfdfcf6f2895198e6ca17e745
--- /dev/null
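Review bot: Neither HelmRelease sets `spec.chart.spec.version`, so Flux resolves the newest `base` and `istiod` charts that the `istio` HelmRepository serves, and with `interval: 30s` a new upstream release or a tampered index reaches the mesh control plane without any commit in this repo. Add a pinned `version: "<chart version>"` under each `chart.spec`, using the same value for both releases, so upgrades go through review. The same applies to `keda-hr.yaml` and `komoplane-hr.yaml` later in this diff. A smaller point: `defaultRevision: default` is repeated under the `values` of `istiod`, while the comments show it only on the `istio-base` install command, so confirm that istiod needs it.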
+++ b/oka/infra-controllers/istio/manifests/core/istio-namespace.yaml
@@ -0,0 +1,23 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# Namespace
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
diff --git a/oka/infra-controllers/istio/manifests/core/istio-repo.yaml b/oka/infra-controllers/istio/manifests/core/istio-repo.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1b99e5f46eb756696e5f7b53acf11da3351ed185
--- /dev/null
+++ b/oka/infra-controllers/istio/manifests/core/istio-repo.yaml
@@ -0,0 +1,27 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+# helm repo add istio https://istio-release.storage.googleapis.com/charts
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: istio
+ namespace: istio-system
+spec:
+ interval: 30s
+ url: https://istio-release.storage.googleapis.com/charts
diff --git a/oka/infra-controllers/istio/templates/istio-addons-ks.yaml b/oka/infra-controllers/istio/templates/istio-addons-ks.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2704381b1d069db60b29ac04df3ad2f84d9c0474
--- /dev/null
+++ b/oka/infra-controllers/istio/templates/istio-addons-ks.yaml
@@ -0,0 +1,33 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: istio-addons
+ namespace: flux-system
+spec:
+ dependsOn:
+ - name: istio-core
+ interval: 1h0m0s
+ path: ./infra-controllers/istio/manifests/addons
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
diff --git a/oka/infra-controllers/istio/templates/istio-core-ks.yaml b/oka/infra-controllers/istio/templates/istio-core-ks.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..20afba892483041e6089e6569c1c3bef6e2edacb
--- /dev/null
+++ b/oka/infra-controllers/istio/templates/istio-core-ks.yaml
@@ -0,0 +1,31 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: istio-core
+ namespace: flux-system
+spec:
+ interval: 1h0m0s
+ path: ./infra-controllers/istio/manifests/core
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
diff --git a/oka/infra-controllers/keda/manifests/keda-hr.yaml b/oka/infra-controllers/keda/manifests/keda-hr.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fc6921493c72a94af48549190281c856694b3b4b
--- /dev/null
+++ b/oka/infra-controllers/keda/manifests/keda-hr.yaml
@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: keda
+ namespace: keda
+spec:
+ chart:
+ spec:
+ chart: keda
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: keda-core
+ namespace: keda
+ install:
+ createNamespace: true
+ interval: 30s
+ releaseName: keda
+ targetNamespace: keda
\ No newline at end of file
diff --git a/oka/infra-controllers/keda/manifests/keda-repo.yaml b/oka/infra-controllers/keda/manifests/keda-repo.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d5f4530f9dc9dfbb0a21c32594ef174361641dc7
--- /dev/null
+++ b/oka/infra-controllers/keda/manifests/keda-repo.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: keda-core
+ namespace: keda
+spec:
+ interval: 30s
+ url: https://kedacore.github.io/charts
\ No newline at end of file
diff --git a/oka/infra-controllers/keda/templates/keda-contoller.yaml b/oka/infra-controllers/keda/templates/keda-contoller.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c2797038fb4ec547cf956ab22d341cac4c19d209
--- /dev/null
+++ b/oka/infra-controllers/keda/templates/keda-contoller.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: keda
+ namespace: keda
+spec:
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
+ path: ./infra-controllers/keda/controller/manifests
+ prune: true
\ No newline at end of file
diff --git a/oka/infra-controllers/keda/templates/namespace.yaml b/oka/infra-controllers/keda/templates/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f6b55ea2b2c9c454b935e581b5f99403d8053bda
--- /dev/null
+++ b/oka/infra-controllers/keda/templates/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: keda
\ No newline at end of file
diff --git a/oka/infra-controllers/komoplane/manifests/komodorio-repo.yaml b/oka/infra-controllers/komoplane/manifests/komodorio-repo.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..42bd4f83e4d243ce9cd8da3a73c9c885c8920252
--- /dev/null
+++ b/oka/infra-controllers/komoplane/manifests/komodorio-repo.yaml
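Review bot: In `keda-contoller.yaml` the Kustomization's `path: ./infra-controllers/keda/controller/manifests` does not match where this commit puts the KEDA manifests (`oka/infra-controllers/keda/manifests/`); the Istio and komoplane Kustomizations in the same diff point at `./infra-controllers/<name>/manifests...` with no extra `controller/` segment. Unless that directory exists elsewhere in the repository, reconciliation would fail on a missing path and KEDA would not be installed; `path: ./infra-controllers/keda/manifests` looks like the intended value. This is also the only Kustomization here created in `namespace: keda` rather than `flux-system`, so it depends on the `keda` Namespace from `templates/namespace.yaml` being applied first and on the cross-namespace `sourceRef` to `flux-system` being permitted; moving it to `flux-system` would match the others.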
@@ -0,0 +1,26 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: komodorio
+ namespace: crossplane-system
+spec:
+ interval: 30s
+ url: https://helm-charts.komodor.io
diff --git a/oka/infra-controllers/komoplane/manifests/komoplane-hr.yaml b/oka/infra-controllers/komoplane/manifests/komoplane-hr.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8ad8ddf7655df9a0318d39be362bd6f99e05d3f5
--- /dev/null
+++ b/oka/infra-controllers/komoplane/manifests/komoplane-hr.yaml
@@ -0,0 +1,33 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: komoplane
+ namespace: crossplane-system
+spec:
+ chart:
+ spec:
+ chart: komoplane
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: komodorio
+ namespace: crossplane-system
+ interval: 30s
diff --git a/oka/infra-controllers/komoplane/templates/komoplane-ks.yaml b/oka/infra-controllers/komoplane/templates/komoplane-ks.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..674bf84fe4ea462f808deaf429cb87862907fa04
--- /dev/null
+++ b/oka/infra-controllers/komoplane/templates/komoplane-ks.yaml
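Review bot: `spec.chart.spec` in komoplane-hr.yaml sets no `version`, so Flux resolves the chart to whatever the komodorio repository currently serves as latest, and with `interval: 30s` on both the repository and the release a newly published chart is rolled out almost immediately. That puts the upstream chart repository inside the trust boundary with no review step in Git, which matters for components installed into `crossplane-system`. I would pin it with `version: "<PINNED_CHART_VERSION>"` (placeholder) under `chart.spec` and bump it through a commit. The same applies to kubernetes-dashboard-hr.yaml, multus-cni-hr.yaml and the `ww-gitops` HelmRelease in weave-gitops-dashboard.yaml.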
@@ -0,0 +1,31 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: komoplane
+ namespace: flux-system
+spec:
+ interval: 1h0m0s
+ path: ./infra-controllers/komoplane/manifests
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
diff --git a/oka/infra-controllers/kubernetes-dashboard/manifests/kubernetes-dashboard-hr.yaml b/oka/infra-controllers/kubernetes-dashboard/manifests/kubernetes-dashboard-hr.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7a82e5d500c4d9d88ee2f18ff919800277f50e38
--- /dev/null
+++ b/oka/infra-controllers/kubernetes-dashboard/manifests/kubernetes-dashboard-hr.yaml
@@ -0,0 +1,37 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: kubernetes-dashboard
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: kubernetes-dashboard
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: kubernetes-dashboard
+ namespace: flux-system
+ install:
+ createNamespace: true
+ interval: 10m0s
+ targetNamespace: kubernetes-dashboard
+ values: {}
diff --git a/oka/infra-controllers/kubernetes-dashboard/manifests/kubernetes-dashboard-repo.yaml b/oka/infra-controllers/kubernetes-dashboard/manifests/kubernetes-dashboard-repo.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b07a4e96668dd4997f437b92a9d11a4c34e110bb
--- /dev/null
+++ b/oka/infra-controllers/kubernetes-dashboard/manifests/kubernetes-dashboard-repo.yaml
@@ -0,0 +1,26 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: kubernetes-dashboard
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ url: https://kubernetes.github.io/dashboard/
diff --git a/oka/infra-controllers/kubernetes-dashboard/templates/kubernetes-dashboard-ks.yaml b/oka/infra-controllers/kubernetes-dashboard/templates/kubernetes-dashboard-ks.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..087252b4269d7b6b9ad2a27ff6bad9562e603c5b
--- /dev/null
+++ b/oka/infra-controllers/kubernetes-dashboard/templates/kubernetes-dashboard-ks.yaml
@@ -0,0 +1,31 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: kubernetes-dashboard
+ namespace: flux-system
+spec:
+ interval: 1h0m0s
+ path: ./infra-controllers/kubernetes-dashboard/manifests
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
diff --git a/oka/infra-controllers/multus/manifests/multus-cni-hr.yaml b/oka/infra-controllers/multus/manifests/multus-cni-hr.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..14b082571e0df3e0a10ca61b249ff9c0f0e8e3a2
--- /dev/null
+++ b/oka/infra-controllers/multus/manifests/multus-cni-hr.yaml
@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: multus-cni
+ namespace: multus-cni
+spec:
+ chart:
+ spec:
+ chart: multus-cni
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: multus-cni
+ namespace: multus-cni
+ install:
+ createNamespace: true
+ interval: 30s
+ releaseName: multus-cni
+ targetNamespace: multus-cni
\ No newline at end of file
diff --git a/oka/infra-controllers/multus/manifests/multus-cni-repo.yaml b/oka/infra-controllers/multus/manifests/multus-cni-repo.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..36da73d6e734fd480e5243e0f5fd18f5884ddc48
--- /dev/null
+++ b/oka/infra-controllers/multus/manifests/multus-cni-repo.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: multus-cni
+ namespace: multus-cni
+spec:
+ interval: 30s
+ url: https://artifacthub.io/packages/helm/bitnami/multus-cni
\ No newline at end of file
diff --git a/oka/infra-controllers/multus/templates/multus-cni.yaml b/oka/infra-controllers/multus/templates/multus-cni.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a1ee55e84b95b43cc6672dc3f1993d43cbbe1053
--- /dev/null
+++ b/oka/infra-controllers/multus/templates/multus-cni.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: multus-cni
+ namespace: multus-cni
+spec:
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system
+ path: ./infra-controllers/multus-cni/controller/manifests
+ prune: true
\ No newline at end of file
diff --git a/oka/infra-controllers/multus/templates/namespace.yaml b/oka/infra-controllers/multus/templates/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..eabd06689915f1fcd0d6275e3e93b37d03ffb849
--- /dev/null
+++ b/oka/infra-controllers/multus/templates/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: multus-cni
\ No newline at end of file
diff --git a/oka/infra-controllers/weave-gitops/manifests/weave-gitops-dashboard.yaml b/oka/infra-controllers/weave-gitops/manifests/weave-gitops-dashboard.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..abbdc2fda5b42710f4802be3c0766e5eaa3a63c6
--- /dev/null
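Review bot: `url: https://artifacthub.io/packages/helm/bitnami/multus-cni` in multus-cni-repo.yaml is the Artifact Hub listing page for the chart, not a Helm repository. A HelmRepository of the default type expects an `index.yaml` under that URL, so this source will most likely never become ready and multus-cni-hr.yaml cannot resolve its chart. This commit already declares the Bitnami charts as an OCI source in bitnamicharts-repo.yaml, and the same form should work here: `type: oci` with `url: oci://registry-1.docker.io/bitnamicharts`.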
+++ b/oka/infra-controllers/weave-gitops/manifests/weave-gitops-dashboard.yaml
@@ -0,0 +1,58 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ annotations:
+ metadata.weave.works/description: This is the source location for the Weave GitOps
+ Dashboard's helm chart.
+ labels:
+ app.kubernetes.io/component: ui
+ app.kubernetes.io/created-by: weave-gitops-cli
+ app.kubernetes.io/name: weave-gitops-dashboard
+ app.kubernetes.io/part-of: weave-gitops
+ name: ww-gitops
+ namespace: flux-system
+spec:
+ interval: 1h0m0s
+ type: oci
+ url: oci://ghcr.io/weaveworks/charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ annotations:
+ metadata.weave.works/description: This is the Weave GitOps Dashboard. It provides
+ a simple way to get insights into your GitOps workloads.
+ name: ww-gitops
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: weave-gitops
+ sourceRef:
+ kind: HelmRepository
+ name: ww-gitops
+ interval: 1h0m0s
+ values:
+ adminUser:
+ create: true
+ passwordHash: $2a$10$M5y6e9EzHvYOykBF7SqxEeI1Hm.yCTaZfaLJMdD5RXZNDRGBeETEG
+ username: admin
+
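Review bot: `adminUser.passwordHash` in the `ww-gitops` HelmRelease commits a bcrypt hash for the `admin` account to the catalog, so every cluster that reconciles this manifest gets the same dashboard password and anyone who can read the repository can run offline guessing against the hash. The hash should live in a per-cluster Secret (SOPS-encrypted, sealed, or synced from an external store) and be injected through `valuesFrom`, leaving only non-sensitive values inline. The value committed here should be treated as exposed and replaced once the Secret is in place. Separately, this release's `sourceRef` omits `namespace`; it resolves because both objects are in `flux-system`, but the other releases in this commit state it explicitly.

```yaml
  interval: 1h0m0s
  # … unchanged: chart and sourceRef …
  values:
    adminUser:
      create: true
      username: admin
  # Secret name and key are placeholders; the Secret is created per cluster,
  # outside this catalog.
  valuesFrom:
    - kind: Secret
      name: <ADMIN_SECRET_NAME>
      valuesKey: <PASSWORD_HASH_KEY>
      targetPath: adminUser.passwordHash
```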
diff --git a/oka/infra-controllers/weave-gitops/templates/weave-gitops-ks.yaml b/oka/infra-controllers/weave-gitops/templates/weave-gitops-ks.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0f5f1353a2621b12aa6d6b5585a977ad4e973164
--- /dev/null
+++ b/oka/infra-controllers/weave-gitops/templates/weave-gitops-ks.yaml
@@ -0,0 +1,31 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: weave-gitops
+ namespace: flux-system
+spec:
+ interval: 1h0m0s
+ path: ./infra-controllers/weave-gitops/manifests
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: sw-catalogs
+ namespace: flux-system