This commit is contained in:
Kent Rancourt 2017-11-10 19:34:51 -05:00
Parent 936db83d3e 48b3aa4f68
Commit 49e535f4a4
41 changed files: 2164 additions and 76 deletions


@ -2,7 +2,7 @@ version: 2
jobs:
build:
docker:
- image: ubuntu:14.04
- image: quay.io/deis/go-dev:v1.2.0
steps:
# TODO: save the checked-out code in a working directory.
# do the same with the installed helm and az binaries
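
Review bot: The replacement build image `quay.io/deis/go-dev:v1.2.0` is referenced by a mutable tag; pin it by digest (`image: quay.io/deis/go-dev:v1.2.0@sha256:<digest>`, digest to be filled in by the author) so the CI environment cannot change under the same tag. The same applies to the `test-install-az-cli` and `helm-sync` jobs later in this file, which use the same image line.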
@ -19,9 +19,23 @@ jobs:
name: Helm Lint
command: ./helm-lint.sh
working_directory: scripts
# this step tests the install script for the Azure CLI
test-install-az-cli:
docker:
- image: quay.io/deis/go-dev:v1.2.0
steps:
- checkout
- run:
name: Install Basic Utilities
command: ./install-base-prereqs.sh
working_directory: scripts
- run:
name: Install the Azure CLI
command: ./install-azure-cli.sh
working_directory: scripts
helm-sync:
docker:
- image: ubuntu:14.04
- image: quay.io/deis/go-dev:v1.2.0
steps:
- checkout
- run:
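
Review bot: The `test-install-az-cli` job ends once `./install-azure-cli.sh` returns, so it only proves the script exits zero. Add a final step that invokes the installed binary (for example `az --version`) so that a script which exits cleanly without leaving a working CLI fails the job.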
@ -48,6 +62,9 @@ workflows:
build:
jobs:
- build
test-install-az-cli:
jobs:
- test-install-az-cli
build-and-deploy:
jobs:
- build

34
LICENSE

@ -1,21 +1,21 @@
MIT License
MIT License
Copyright (c) 2017 Deis
Copyright (c) Microsoft Corporation. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE
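
Review bot: Confirm that dropping `Copyright (c) 2017 Deis` in favour of the Microsoft line is intended, since the license body kept below it requires the existing copyright notice to be included in all copies. Separately, the final line now reads `SOFTWARE` without the period the previous text had (`SOFTWARE.`); restore it.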


@ -1,6 +1,6 @@
# Helm Charts for Kubernetes Service Catalog on Azure
[![CircleCI](https://circleci.com/gh/deis/service-catalog-charts.svg?style=svg&circle-token=e4d53fc2f20c9a1980668f69e314232a479a562c)](https://circleci.com/gh/deis/service-catalog-charts)
[![CircleCI](https://circleci.com/gh/Azure/helm-charts.svg?style=svg&circle-token=e8c9c6863d2aac35c678888ca7346618be17aeb8)](https://circleci.com/gh/Azure/helm-charts)
# Overview
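
Review bot: The new badge URL on the CircleCI line carries a `circle-token` query parameter in a README that is published with the repository. Confirm the token is scoped to reading build status only, or drop the parameter if the badge renders without it.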
@ -9,10 +9,24 @@ This repository contains [Helm](https://helm.sh/) charts for use with the
and the Microsoft Azure Service Broker.
Each chart has one or more dependencies on Azure services (e.g. Azure SQL, CosmosDB, ...)
which are fulfilled by the [Azure Service Broker](https://github.com/deis/azure-service-broker) and
which are fulfilled by the [Azure Service Broker](https://github.com/Azure/azure-service-broker) and
the [Kubernetes Service Catalog](https://github.com/kubernetes-incubator/service-catalog) working
in tandem.
# Prerequisites
In order to install any of these charts, you'll need the following:
- A [Kubernetes](https://kubernetes.io) cluster, version 1.7 or above with support for
Service Catalog
- See
[service-catalog](https://github.com/Azure/helm-charts/tree/master/service-catalog) for
more information on how to turn on support for service-catalog
- [Service Catalog](https://github.com/kubernetes-incubator/service-catalog), version 0.1.0 or above
- [Installation documentation](https://github.com/kubernetes-incubator/service-catalog/blob/master/docs/install.md)
- [Azure Service Broker](https://github.com/Azure/azure-service-broker)
- [Installation documentation](https://github.com/Azure/azure-service-broker/blob/master/contrib/k8s/charts/azure-service-broker/README.md)
# Installing Charts
All of the charts herein are stored in a
@ -41,6 +55,21 @@ Github repository.
# Creating a New Chart
If you are looking to create a chart, please see
[our Github Project](https://github.com/deis/service-catalog-charts/projects/1) for a
prioritized list of charts to create.
If you are looking to create a chart, please see the list of with the `Help Wanted`
label [here](https://github.com/Azure/helm-charts/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22).
# Contributing
For details on how to contribute to this project, please see [contributing.md](./docs/contributing.md).
This project welcomes contributions and suggestions. All contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
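
Review bot: In the "Creating a New Chart" paragraph, `please see the list of with the` is missing its noun; it should read "the list of issues with the `Help Wanted` label". The rewritten Contributing section also removes the pointer to `./docs/contributing.md`; if that file is still in the repository, keep a link to it next to the CLA text.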

21
concourse/.helmignore Normal file

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

17
concourse/Chart.yaml Normal file

@ -0,0 +1,17 @@
name: concourse
version: 0.1.0
appVersion: 3.5.0
description: Concourse is a simple and scalable CI system.
icon: https://avatars1.githubusercontent.com/u/7809479
keywords:
- ci
- concourse
- concourse.ci
home: https://concourse.ci/
sources:
- https://github.com/concourse/bin
- https://github.com/kubernetes/charts
maintainers:
- name: seanmck
email: seanmck@microsoft.com
engine: gotpl
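
Review bot: `appVersion: 3.5.0` disagrees with the `imageTag` default of `3.3.2` documented in the Configuration table of concourse/README.md added in this same commit. Set both to the version the chart actually deploys.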

285
concourse/README.md Normal file

@ -0,0 +1,285 @@
# Concourse Helm Chart
[Concourse](https://concourse.ci/) is a simple and scalable CI system.
This chart bootstraps a [Concourse](https://concourse.ci/) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
It is inspired by the [upstream Concourse chart](https://github.com/kubernetes/charts/tree/master/stable/concourse) but, by default, uses the [Azure Service Broker](https://github.com/Azure/azure-service-broker) to provision an [Azure Database for PostgreSQL](https://azure.microsoft.com/services/postgresql/) for Concourse to use.
## Basic Installation
Installation of this chart is simple. First, ensure that you've [added the
`azure` repository](../README.md#installing-charts). Then, install from the
`azure` repo:
```console
$ helm install azure/concourse
```
## Prerequisites
* Kubernetes 1.7+ with beta APIs enabled
- [Service-Catalog](https://github.com/kubernetes-incubator/service-catalog) installed
- [Azure Service Broker](https://github.com/azure/azure-service-broker) installed
* PV support on underlying infrastructure (if persistence is required)
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm install --name my-release azure/concourse --namespace concourse
```
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
The command removes nearly all the Kubernetes components associated with the chart and deletes the release.
### Cleanup orphaned Persistent Volumes
This chart uses `StatefulSets` for Concourse Workers. Deleting a `StatefulSet` will not delete associated Persistent Volumes.
Do the following after deleting the chart release to clean up orphaned Persistent Volumes.
```console
$ kubectl delete pvc -l app=${RELEASE-NAME}-worker
```
## Scaling the Chart
Scaling should typically be managed via the `helm upgrade` command, but `StatefulSets` don't yet work with `helm upgrade`. In the meantime, until `helm upgrade` works, if you want to change the number of replicas, you can use the kubectl scale as shown below:
```console
$ kubectl scale statefulset my-release-worker --replicas=3
```
### Restarting workers
If a worker isn't taking on work, you can restart the worker with `kubectl delete pod`. This will initiate a graceful shutdown by "retiring" the worker, with some waiting time before the worker starts up again to ensure concourse doesn't try looking for old volumes on the new worker. The values `worker.postStopDelaySeconds` and `worker.terminationGracePeriodSeconds` can be used to tune this.
### Worker Liveness Probe
The worker's Liveness Probe will trigger a restart of the worker if it detects unrecoverable errors, by looking at the worker's logs. The set of strings used to identify such errors could change in the future, but can be tuned with `worker.fatalErrors`. See [values.yaml](values.yaml) for the defaults.
## Configuration
The following tables lists the configurable parameters of the Concourse chart and their default values.
| Parameter | Description | Default |
| ----------------------- | ---------------------------------- | ---------------------------------------------------------- |
| `image` | Concourse image | `concourse/concourse` |
| `imageTag` | Concourse image version | `3.3.2` |
| `imagePullPolicy` |Concourse image pull policy | `Always` if `imageTag` is `latest`, else `IfNotPresent` |
| `concourse.username` | Concourse Basic Authentication Username | `concourse` |
| `concourse.password` | Concourse Basic Authentication Password | `concourse` |
| `concourse.hostKey` | Concourse Host Private Key | *See [#ssh-keys](#ssh-keys)* |
| `concourse.hostKeyPub` | Concourse Host Public Key | *See [#ssh-keys](#ssh-keys)* |
| `concourse.sessionSigningKey` | Concourse Session Signing Private Key | *See [#ssh-keys](#ssh-keys)* |
| `concourse.workerKey` | Concourse Worker Private Key | *See [#ssh-keys](#ssh-keys)* |
| `concourse.workerKeyPub` | Concourse Worker Public Key | *See [#ssh-keys](#ssh-keys)* |
| `concourse.atcPort` | Concourse ATC listen port | `8080` |
| `concourse.tsaPort` | Concourse TSA listen port | `2222` |
| `concourse.allowSelfSignedCertificates` | Allow self signed certificates | `true` |
| `concourse.authDuration` | Length of time for which tokens are valid | `24h` |
| `concourse.resourceCheckingInterval` | Interval on which to check for new versions of resources | `1m` |
| `concourse.oldResourceGracePeriod` | How long to cache the result of a get step after a newer version of the resource is found | `5m` |
| `concourse.resourceCacheCleanupInterval` | The interval on which to check for and release old caches of resource versions | `30s` |
| `concourse.baggageclaimDriver` | The filesystem driver used by baggageclaim | `naive` |
| `concourse.externalURL` | URL used to reach any ATC from the outside world | `nil` |
| `concourse.dockerRegistry` | An URL pointing to the Docker registry to use to fetch Docker images | `nil` |
| `concourse.insecureDockerRegistry` | Docker registry(ies) (comma separated) to allow connecting to even if not secure | `nil` |
| `concourse.githubAuthClientId` | Application client ID for enabling GitHub OAuth | `nil` |
| `concourse.githubAuthClientSecret` | Application client secret for enabling GitHub OAuth | `nil` |
| `concourse.githubAuthOrganization` | GitHub organizations (comma separated) whose members will have access | `nil` |
| `concourse.githubAuthTeam` | GitHub teams (comma separated) whose members will have access | `nil` |
| `concourse.githubAuthUser` | GitHub users (comma separated) to permit access | `nil` |
| `concourse.githubAuthAuthUrl` | Override default endpoint AuthURL for Github Enterprise | `nil` |
| `concourse.githubAuthTokenUrl` | Override default endpoint TokenURL for Github Enterprise | `nil` |
| `concourse.githubAuthApiUrl` | Override default API endpoint URL for Github Enterprise | `nil` |
| `concourse.gitlabAuthClientId` | Application client ID for enabling GitLab OAuth | `nil` |
| `concourse.gitlabAuthClientSecret` | Application client secret for enabling GitLab OAuth | `nil` |
| `concourse.gitlabAuthGroup` | GitLab groups (comma separated) whose members will have access | `nil` |
| `concourse.gitlabAuthAuthUrl` | Endpoint AuthURL for GitLab server | `nil` |
| `concourse.gitlabAuthTokenUrl` | Endpoint TokenURL for GitLab server | `nil` |
| `concourse.gitlabAuthApiUrl` | API endpoint URL for GitLab server | `nil` |
| `concourse.genericOauthDisplayName` | Name for this auth method on the web UI | `nil` |
| `concourse.genericOauthClientId` | Application client ID for enabling generic OAuth | `nil` |
| `concourse.genericOauthClientSecret` | Application client secret for enabling generic OAuth | `nil` |
| `concourse.genericOauthAuthUrl` | Generic OAuth provider AuthURL endpoint | `nil` |
| `concourse.genericOauthAuthUrlParam` | Parameters (comma separated) to pass to the authentication server AuthURL | `nil` |
| `concourse.genericOauthScope` | Optional scope required to authorize user | `nil` |
| `concourse.genericOauthTokenUrl` | Generic OAuth provider TokenURL endpoint | `nil` |
| `web.nameOverride` | Override the Concourse Web components name | `web` |
| `web.replicas` | Number of Concourse Web replicas | `1` |
| `web.resources` | Concourse Web resource requests and limits | `{requests: {cpu: "100m", memory: "128Mi"}}` |
| `web.service.type` | Concourse Web service type | `ClusterIP` |
| `web.ingress.enabled` | Enable Concourse Web Ingress | `false` |
| `web.ingress.annotations` | Concourse Web Ingress annotations | `{}` |
| `web.ingress.hosts` | Concourse Web Ingress Hostnames | `[]` |
| `web.ingress.tls` | Concourse Web Ingress TLS configuration | `[]` |
| `web.additionalAffinities` | Additional affinities to apply to web pods. E.g: node affinity | `nil` |
| `worker.nameOverride` | Override the Concourse Worker components name| `worker` |
| `worker.replicas` | Number of Concourse Worker replicas | `2` |
| `worker.minAvailable` | Minimum number of workers available after an eviction | `1` |
| `worker.resources` | Concourse Worker resource requests and limits | `{requests: {cpu: "100m", memory: "512Mi"}}` |
| `worker.additionalAffinities` | Additional affinities to apply to worker pods. E.g: node affinity | `nil` |
| `worker.postStopDelaySeconds` | Time to wait after graceful shutdown of worker before starting up again | `60` |
| `worker.terminationGracePeriodSeconds` | Upper bound for graceful shutdown, including `worker.postStopDelaySeconds` | `120` |
| `worker.fatalErrors` | Newline delimited strings which, when logged, should trigger a restart of the worker | *See [values.yaml](values.yaml)* |
| `worker.updateStrategy` | `OnDelete` or `RollingUpdate` (requires Kubernetes >= 1.6) | `RollingUpdate` |
| `persistence.enabled` | Enable Concourse persistence using Persistent Volume Claims | `true` |
| `persistence.worker.class` | Concourse Worker Persistent Volume Storage Class | `generic` |
| `persistence.worker.accessMode` | Concourse Worker Persistent Volume Access Mode | `ReadWriteOnce` |
| `persistence.worker.size` | Concourse Worker Persistent Volume Storage Size | `20Gi` |
The following configuration options are utilized only if `postgresql.embedded` is set to `false` (the default):
| Parameter | Description | Default |
| ----------------------- | ---------------------------------- | ---------------------------------------------------------- |
| `postgresql.azure.servicePlan` | The service plan to use | `basic100` |
| `postgresql.azure.location` | The Azure region to deploy the PostgreSQL service to | `westus2` |
The following configuration options are utilized only if `postgresql.embedded` is set to `true`:
| Parameter | Description | Default |
| ----------------------- | ---------------------------------- | ---------------------------------------------------------- |
| `postgresql.postgresUser` | PostgreSQL User to create | `concourse` |
| `postgresql.postgresPassword` | PostgreSQL Password for the new user | `concourse` |
| `postgresql.postgresDatabase` | PostgreSQL Database to create | `concourse` |
| `postgresql.persistence.enabled` | Enable PostgreSQL persistence using Persistent Volume Claims | `true` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
$ helm install --name my-release -f values.yaml stable/concourse
```
> **Tip**: You can use the default [values.yaml](values.yaml)
### SSH Keys
To run Concourse securely you'll need [3 private keys](https://concourse.ci/binaries.html#generating-keys). For your convenience, this chart provides some [default keys](concourse-keys), but it is recommended that you generate your own keys by running:
```console
$ mkdir -p concourse-keys
$ ssh-keygen -t rsa -f concourse-keys/host_key -N '' -C concourse
$ ssh-keygen -t rsa -f concourse-keys/session_signing_key -N '' -C concourse
$ ssh-keygen -t rsa -f concourse-keys/worker_key -N '' -C concourse
```
And update the `values.yaml` file with the generated keys:
```yaml
## Configuration values for Concourse.
## ref: https://concourse.ci/setting-up.html
##
concourse:
## Concourse Host Keys.
## ref: https://concourse.ci/binaries.html#generating-keys
##
hostKey: |-
< Insert the contents of your concourse-keys/host_key file >
hostKeyPub: |-
< Insert the contents of your concourse-keys/host_key.pub file >
## Concourse Session Signing Keys.
## ref: https://concourse.ci/binaries.html#generating-keys
##
sessionSigningKey: |-
< Insert the contents of your concourse-keys/session_signing_key file >
## Concourse Worker Keys.
## ref: https://concourse.ci/binaries.html#generating-keys
##
workerKey: |-
< Insert the contents of your concourse-keys/worker_key file >
workerKeyPub: |-
< Insert the contents of your concourse-keys/worker_key.pub file >
```
Alternativelly, you can provide those keys to `helm install` via parameters:
```console
$ helm install --name my-release \
--set "concourse.hostKey=`cat concourse-keys/host_key`,concourse.hostKeyPub=`cat concourse-keys/host_key.pub`,concourse.sessionSigningKey=`cat concourse-keys/session_signing_key`,concourse.workerKey=`cat concourse-keys/worker_key`,concourse.workerKeyPub=`cat concourse-keys/worker_key.pub`" \
azure/concourse
```
### Persistence
This chart mounts a Persistent Volume volume for each Concourse Worker. The volume is created using dynamic volume provisioning. If you want to disable it or change the persistence properties, update the `persistence` section of your custom `values.yaml` file:
```yaml
## Persistent Volume Storage configuration.
## ref: https://kubernetes.io/docs/user-guide/persistent-volumes
##
persistence:
## Enable persistence using Persistent Volume Claims.
##
enabled: true
## Worker Persistence configuration.
##
worker:
## Persistent Volume Storage Class.
##
class: generic
## Persistent Volume Access Mode.
##
accessMode: ReadWriteOnce
## Persistent Volume Storage Size.
##
size: "20Gi"
```
### Ingress TLS
If your cluster allows automatic creation/retrieval of TLS certificates (e.g. [kube-lego](https://github.com/jetstack/kube-lego)), please refer to the documentation for that mechanism.
To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace:
```console
kubectl create secret tls concourse-web-tls --cert=path/to/tls.cert --key=path/to/tls.key
```
Include the secret's name, along with the desired hostnames, in the `web.ingress.tls` section of your custom `values.yaml` file:
```yaml
## Configuration values for Concourse Web components.
##
web:
## Ingress configuration.
## ref: https://kubernetes.io/docs/user-guide/ingress/
##
ingress:
## Enable ingress.
##
enabled: true
## Hostnames.
## Must be provided if Ingress is enabled.
##
hosts:
- concourse.domain.com
## TLS configuration.
## Secrets must be manually created in the namespace.
##
tls:
- secretName: concourse-web-tls
hosts:
- concourse.domain.com
```
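
Review bot: The Configuration table documents `concourse.username` and `concourse.password` both defaulting to `concourse`, and the SSH Keys section offers the bundled default keys "for your convenience", so an install with no overrides comes up with credentials and keys that are readable in this repository. Make these values required (fail the render when they are unset) or generate them per release, and word the README so that supplying your own is the only documented path. Smaller points in the same file: the values-file example installs `stable/concourse` where every other command uses `azure/concourse`, "Alternativelly" is misspelled, and "Persistent Volume volume" repeats a word.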


@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
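
Review bot: This file commits an RSA private key to the repository as a chart default, and two more `-----BEGIN RSA PRIVATE KEY-----` files follow in this commit. Anyone who can read the repository holds the key for every release that does not override it; remove the key files from the chart and have the templates require user-supplied keys or generate them per release.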


@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYBQ9fG6IML+qsFaMh1Pl+81wyUwRilHdfhItAiAsLVQsOwI5+V4pn5aLhHPBuRQqIqYmbkZ7I1VUIN1+90PVJ3X7l9qqanb85AHMtLujw1j9u0zDyH2XHgpUloknUQzUSLIZjjU3Hn3Uo/XikF+vT8104isO7Ym8Xp7sIcRuvOQ3nuRsFVCRogxpLTVHD/k57rwYVqWWLaKLwvx01ZVXOq4GHk/BVaKa9ODC/dNgbZMfwvVVXuf7/NFGmSMyXb49Si4aoP4Gn7jAX6GngBbm/bgKqO0skQy/ggQm/YVF+s5q4EhleMBLVJKD1VpM5LeLDFpiu/y4bVd8wUcgK+QQ9 Concourse


@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC496FSYFcBAKgDtMsBAJiF/6/NxlXKP5UZecyEsedYuTt1GOgJTwaA1qZ1LmHsbfLDE68oDdiM4uvxfI4wtLhz57w3u0jOUxZ2JeF7SVwEf1nVqLn4Gh/f8GUNQGSyIp1zUD5Bx9fq0PAyQ47mt7Ufi84rcf8LKl7nzAIHTcdg2BvTkQN9bUGPaq/Pb1W2bKPAQy4OzXTSIyrAJ89TH2jFeaZfyxQFGbD9jVHH/yl0oiMrDeaRYgccE5II+KY7WoLjsBry/9Qf2ERELKTK4UeIGIqWci9lab1ti+GxFPPiC3krNFjo4jShV4eUs4cNIrjwNrxVaKPXmU6o7Y3Hpayx Concourse


@ -0,0 +1,6 @@
dependencies:
- name: postgresql
repository: https://kubernetes-charts.storage.googleapis.com/
version: 0.8.3
digest: sha256:b45d347725e8cb5aa4b0d97732ffccd1a60927b701126c1e596f7e488395681c
generated: 2017-11-08T11:51:43.770522-05:00


@ -0,0 +1,5 @@
dependencies:
- name: postgresql
version: 0.8.3
repository: https://kubernetes-charts.storage.googleapis.com/
condition: postgresql.embedded


@ -0,0 +1,46 @@
1. Concourse can be accessed:
* Within your cluster, at the following DNS name at port {{ .Values.concourse.atcPort }}:
{{ template "concourse.web.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
{{- if .Values.web.ingress.enabled }}
* From outside the cluster, the URL(s) are:
{{ range .Values.web.ingress.hosts }}
http://{{ . }}
{{- end }}
{{- else }}
* From outside the cluster, run these commands in the same shell:
{{- if contains "NodePort" .Values.web.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "concourse.web.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.web.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "concourse.web.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "concourse.web.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.concourse.atcPort }}
{{- else if contains "ClusterIP" .Values.web.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "concourse.web.fullname" . }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use Concourse"
kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080:{{ .Values.concourse.atcPort }}
{{- end }}
{{- end }}
2. Login with the following credentials
Username: {{ .Values.concourse.username }}
Password: {{ .Values.concourse.password }}
3. If this is your first time using Concourse, follow the tutorial at https://concourse.ci/hello-world.html
{{- if contains "naive" .Values.concourse.baggageclaimDriver }}
4. ***WARNING*** You are using the "naive" baggage claim driver, which is also the default value for this chart. This is the default for compatability reasons, but is very space inefficient, and should be changed to either "btrfs" or "overlay" depending on that filesystem's support in the Linux kernel your cluster is using. Please see https://github.com/concourse/concourse/issues/1230 for background.
{{- end }}
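
Review bot: Step 2 renders `Password: {{ .Values.concourse.password }}` into the release notes, so the basic-auth password appears in plain text wherever the notes are displayed. Print the name of the Secret that holds it and a `kubectl get secret` command to read it instead. Also in this file: the ingress branch prints `http://{{ . }}` even when `web.ingress.tls` is configured, "You can watch the status of by running" is missing a word, and "compatability" is misspelled.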


@ -0,0 +1,35 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "concourse.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified concourse name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "concourse.concourse.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "concourse.web.fullname" -}}
{{- $name := default "web" .Values.web.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "concourse.worker.fullname" -}}
{{- $name := default "worker" .Values.worker.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified postgresql name.
We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "concourse.postgresql.fullname" -}}
{{- $name := default "postgresql" .Values.postgresql.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 24 | trimSuffix "-" -}}
{{- end -}}
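
Review bot: `concourse.concourse.fullname` truncates to 63 characters, but the ServiceInstance and ServiceBinding templates in this commit append `-postgres-instance`, `-postgres-binding` and `-postgres-secret` to its output, so a long release name yields names over the limit the comment cites. Truncate after the suffix is added, or reserve room for the longest suffix inside the helper. The comment above `concourse.postgresql.fullname` gives the same DNS-spec reason for 24 characters that the earlier comment gives for 63; state why 24 is used there.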


@ -0,0 +1,44 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "concourse.concourse.fullname" . }}
labels:
app: {{ template "concourse.concourse.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
data:
{{- if .Values.postgresql.embedded }}
postgresql-host: {{ template "concourse.postgresql.fullname" . }}
postgresql-database: {{ .Values.postgresql.postgresDatabase | quote }}
{{- end }}
concourse-atc-port: {{ .Values.concourse.atcPort | quote }}
concourse-tsa-host: {{ template "concourse.web.fullname" . }}
concourse-tsa-port: {{ .Values.concourse.tsaPort | quote }}
concourse-allow-self-signed-certificates: {{ .Values.concourse.allowSelfSignedCertificates | quote }}
concourse-auth-duration: {{ .Values.concourse.authDuration | quote }}
concourse-resource-checking-interval: {{ .Values.concourse.resourceCheckingInterval | quote }}
concourse-old-resource-grace-period: {{ .Values.concourse.oldResourceGracePeriod | quote }}
concourse-resource-cache-cleanup-interval: {{ .Values.concourse.resourceCacheCleanupInterval | quote }}
concourse-external-url: {{ default "" .Values.concourse.externalURL | quote }}
concourse-baggageclaim-driver: {{ .Values.concourse.baggageclaimDriver | quote }}
garden-docker-registry: {{ default "" .Values.concourse.dockerRegistry | quote }}
garden-insecure-docker-registry: {{ default "" .Values.concourse.insecureDockerRegistry | quote }}
github-auth-organization: {{ default "" .Values.concourse.githubAuthOrganization | quote }}
github-auth-team: {{ default "" .Values.concourse.githubAuthTeam | quote }}
github-auth-user: {{ default "" .Values.concourse.githubAuthUser | quote }}
github-auth-auth-url: {{ default "" .Values.concourse.githubAuthAuthUrl | quote }}
github-auth-token-url: {{ default "" .Values.concourse.githubAuthTokenUrl | quote }}
github-auth-api-url: {{ default "" .Values.concourse.githubAuthApiUrl | quote }}
gitlab-auth-group: {{ default "" .Values.concourse.gitlabAuthGroup | quote }}
gitlab-auth-auth-url: {{ default "" .Values.concourse.gitlabAuthAuthUrl | quote }}
gitlab-auth-token-url: {{ default "" .Values.concourse.gitlabAuthTokenUrl | quote }}
gitlab-auth-api-url: {{ default "" .Values.concourse.gitlabAuthApiUrl | quote }}
generic-oauth-display-name: {{ default "" .Values.concourse.genericOauthDisplayName | quote }}
generic-oauth-auth-url: {{ default "" .Values.concourse.genericOauthAuthUrl | quote }}
generic-oauth-auth-url-param: {{ default "" .Values.concourse.genericOauthAuthUrlParam | quote }}
generic-oauth-scope: {{ default "" .Values.concourse.genericOauthScope | quote }}
generic-oauth-token-url: {{ default "" .Values.concourse.genericOauthTokenUrl | quote }}
worker-post-stop-delay-seconds: {{ .Values.worker.postStopDelaySeconds | quote }}
worker-fatal-errors: {{ default "" .Values.worker.fatalErrors | quote }}


@ -0,0 +1,15 @@
{{- if not .Values.postgresql.embedded }}
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
name: {{ template "concourse.concourse.fullname" . }}-postgres-binding
labels:
app: {{ template "concourse.concourse.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
instanceRef:
name: {{ template "concourse.concourse.fullname" . }}-postgres-instance
secretName: {{ template "concourse.concourse.fullname" . }}-postgres-secret
{{- end }}


@ -0,0 +1,18 @@
{{- if not .Values.postgresql.embedded }}
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
name: {{ template "concourse.concourse.fullname" . }}-postgres-instance
labels:
app: {{ template "concourse.concourse.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
clusterServiceClassExternalName: azure-postgresqldb
clusterServicePlanExternalName: {{ .Values.postgresql.azure.servicePlan }}
parameters:
location: {{ .Values.postgresql.azure.location }}
resourceGroup: {{ .Release.Namespace }}
sslEnforcement: disabled
{{- end }}
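
Review bot: `sslEnforcement: disabled` is hard-coded under `parameters`, so the provisioned PostgreSQL instance accepts unencrypted connections and a chart user has no way to turn enforcement on. Expose it as a value next to `postgresql.azure.location` (the name `postgresql.azure.sslEnforcement` is a suggestion, not an existing key), default it to enabled, and make sure the web deployment connects with TLS. `resourceGroup: {{ .Release.Namespace }}` likewise ties the Azure resource group name to the Kubernetes namespace with no override.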


@ -0,0 +1,29 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ template "concourse.concourse.fullname" . }}
labels:
app: {{ template "concourse.concourse.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
data:
{{ if .Values.postgresql.embedded }}
postgresql-user: {{ .Values.postgresql.postgresUser | b64enc | quote }}
{{- end }}
basic-auth-username: {{ .Values.concourse.username | b64enc | quote }}
basic-auth-password: {{ .Values.concourse.password | b64enc | quote }}
host-key: {{ .Values.concourse.hostKey | b64enc | quote }}
host-key-pub: {{ .Values.concourse.hostKeyPub | b64enc | quote }}
session-signing-key: {{ .Values.concourse.sessionSigningKey | b64enc | quote }}
worker-key: {{ .Values.concourse.workerKey | b64enc | quote }}
worker-key-pub: {{ .Values.concourse.workerKeyPub | b64enc | quote }}
github-auth-client-id: {{ default "" .Values.concourse.githubAuthClientId | b64enc | quote }}
github-auth-client-secret: {{ default "" .Values.concourse.githubAuthClientSecret | b64enc | quote }}
gitlab-auth-client-id: {{ default "" .Values.concourse.gitlabAuthClientId | b64enc | quote }}
gitlab-auth-client-secret: {{ default "" .Values.concourse.gitlabAuthClientSecret | b64enc | quote }}
generic-oauth-client-id: {{ default "" .Values.concourse.genericOauthClientId | b64enc | quote }}
generic-oauth-client-secret: {{ default "" .Values.concourse.genericOauthClientSecret | b64enc | quote }}
encryption-key: {{ default "" .Values.concourse.encryptionKey | b64enc | quote }}
old-encryption-key: {{ default "" .Values.concourse.oldEncryptionKey | b64enc | quote }}


@ -0,0 +1,300 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ template "concourse.web.fullname" . }}
labels:
app: {{ template "concourse.web.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
replicas: {{ .Values.web.replicas }}
template:
metadata:
labels:
app: {{ template "concourse.web.fullname" . }}
spec:
containers:
- name: {{ template "concourse.web.fullname" . }}
image: "{{ .Values.image }}:{{ .Values.imageTag }}"
imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
args:
- "web"
env:
{{ if .Values.postgresql.embedded }}
- name: POSTGRES_HOST
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: postgresql-host
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: postgresql-user
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "concourse.postgresql.fullname" . }}
key: postgres-password
- name: POSTGRES_DATABASE
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: postgresql-database
- name: CONCOURSE_POSTGRES_DATA_SOURCE
value: postgres://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@$(POSTGRES_HOST)/$(POSTGRES_DATABASE)?sslmode=disable
{{ else }}
- name: POSTGRES_HOST
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}-postgres-secret
key: host
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}-postgres-secret
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}-postgres-secret
key: password
- name: POSTGRES_DATABASE
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}-postgres-secret
key: database
- name: CONCOURSE_POSTGRES_DATA_SOURCE
value: postgres://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@$(POSTGRES_HOST)/$(POSTGRES_DATABASE)?sslmode=require
{{ end }}
{{ if .Values.encryptionKey }}
- name: CONCOURSE_ENCRYPTION_KEY
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: encryption-key
{{ end }}
{{ if .Values.oldEncryptionKey }}
- name: CONCOURSE_OLD_ENCRYPTION_KEY
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: old-encryption-key
{{ end }}
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: CONCOURSE_BIND_PORT
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-atc-port
- name: CONCOURSE_PEER_URL
value: "http://$(POD_IP):$(CONCOURSE_BIND_PORT)"
- name: CONCOURSE_BASIC_AUTH_USERNAME
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: basic-auth-username
- name: CONCOURSE_BASIC_AUTH_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: basic-auth-password
- name: CONCOURSE_TSA_BIND_PORT
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-tsa-port
- name: CONCOURSE_ALLOW_SELF_SIGNED_CERTIFICATES
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-allow-self-signed-certificates
- name: CONCOURSE_AUTH_DURATION
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-auth-duration
- name: CONCOURSE_RESOURCE_CHECKING_INTERVAL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-resource-checking-interval
- name: CONCOURSE_OLD_RESOURCE_GRACE_PERIOD
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-old-resource-grace-period
- name: CONCOURSE_RESOURCE_CACHE_CLEANUP_INTERVAL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-resource-cache-cleanup-interval
{{- if .Values.concourse.externalURL }}
- name: CONCOURSE_EXTERNAL_URL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-external-url
{{- end }}
- name: CONCOURSE_GITHUB_AUTH_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: github-auth-client-id
- name: CONCOURSE_GITHUB_AUTH_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: github-auth-client-secret
{{- if .Values.concourse.githubAuthOrganization }}
- name: CONCOURSE_GITHUB_AUTH_ORGANIZATION
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: github-auth-organization
{{- end }}
{{- if .Values.concourse.githubAuthTeam }}
- name: CONCOURSE_GITHUB_AUTH_TEAM
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: github-auth-team
{{- end }}
{{- if .Values.concourse.githubAuthUser }}
- name: CONCOURSE_GITHUB_AUTH_USER
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: github-auth-user
{{- end }}
- name: CONCOURSE_GITHUB_AUTH_AUTH_URL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: github-auth-auth-url
- name: CONCOURSE_GITHUB_AUTH_TOKEN_URL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: github-auth-token-url
- name: CONCOURSE_GITHUB_AUTH_API_URL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: github-auth-api-url
- name: CONCOURSE_GITLAB_AUTH_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: gitlab-auth-client-id
- name: CONCOURSE_GITLAB_AUTH_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: gitlab-auth-client-secret
{{- if .Values.concourse.gitlabAuthGroup }}
- name: CONCOURSE_GITLAB_AUTH_GROUP
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: gitlab-auth-group
{{- end }}
- name: CONCOURSE_GITLAB_AUTH_AUTH_URL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: gitlab-auth-auth-url
- name: CONCOURSE_GITLAB_AUTH_TOKEN_URL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: gitlab-auth-token-url
- name: CONCOURSE_GITLAB_AUTH_API_URL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: gitlab-auth-api-url
- name: CONCOURSE_GENERIC_OAUTH_DISPLAY_NAME
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: generic-oauth-display-name
- name: CONCOURSE_GENERIC_OAUTH_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: generic-oauth-client-id
- name: CONCOURSE_GENERIC_OAUTH_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: generic-oauth-client-secret
- name: CONCOURSE_GENERIC_OAUTH_AUTH_URL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: generic-oauth-auth-url
- name: CONCOURSE_GENERIC_OAUTH_AUTH_URL_PARAM
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: generic-oauth-auth-url-param
- name: CONCOURSE_GENERIC_OAUTH_SCOPE
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: generic-oauth-scope
- name: CONCOURSE_GENERIC_OAUTH_TOKEN_URL
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: generic-oauth-token-url
- name: CONCOURSE_TSA_HOST_KEY
value: "/concourse-keys/host_key"
- name: CONCOURSE_SESSION_SIGNING_KEY
value: "/concourse-keys/session_signing_key"
- name: CONCOURSE_TSA_AUTHORIZED_KEYS
value: "/concourse-keys/worker_key.pub"
ports:
- name: atc
containerPort: {{ .Values.concourse.atcPort }}
- name: tsa
containerPort: {{ .Values.concourse.tsaPort }}
livenessProbe:
httpGet:
path: /
port: atc
initialDelaySeconds: 120
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /
port: atc
initialDelaySeconds: 5
timeoutSeconds: 1
resources:
{{ toYaml .Values.web.resources | indent 12 }}
volumeMounts:
- name: concourse-keys
mountPath: /concourse-keys
readOnly: true
affinity:
{{- if .Values.web.additionalAffinities }}
{{ toYaml .Values.web.additionalAffinities | indent 8 }}
{{- end }}
volumes:
- name: concourse-keys
secret:
secretName: {{ template "concourse.concourse.fullname" . }}
defaultMode: 0400
items:
- key: host-key
path: host_key
- key: session-signing-key
path: session_signing_key
- key: worker-key-pub
path: worker_key.pub
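
Review bot: the guards `{{ if .Values.encryptionKey }}` and `{{ if .Values.oldEncryptionKey }}` test top-level values, but values.yaml declares both keys under `concourse:` and the Secret template reads `.Values.concourse.encryptionKey`, so `CONCOURSE_ENCRYPTION_KEY` and `CONCOURSE_OLD_ENCRYPTION_KEY` are not injected when the operator sets `concourse.encryptionKey`, and the web container starts without the key that was configured. Change the guards to `.Values.concourse.encryptionKey` and `.Values.concourse.oldEncryptionKey`. Separately, the embedded branch builds the data source with `sslmode=disable`; a short comment stating that this is traffic to the bundled PostgreSQL chart would make the intent explicit.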


@ -0,0 +1,32 @@
{{- if .Values.web.ingress.enabled -}}
{{- $releaseName := .Release.Name -}}
{{- $serviceName := default "web" .Values.web.nameOverride -}}
{{- $servicePort := .Values.concourse.atcPort -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "concourse.web.fullname" . }}
labels:
app: {{ template "concourse.web.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
annotations:
{{- range $key, $value := .Values.web.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range .Values.web.ingress.hosts }}
- host: {{ . }}
http:
paths:
- backend:
serviceName: {{ printf "%s-%s" $releaseName $serviceName | trunc 63 | trimSuffix "-" }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.web.ingress.tls }}
tls:
{{ toYaml .Values.web.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
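
Review bot: the backend `serviceName` is rebuilt by hand with `printf "%s-%s" $releaseName $serviceName | trunc 63 | trimSuffix "-"`, while the Service it has to match is named by `{{ template "concourse.web.fullname" . }}`; if the helper ever changes, the Ingress will point at a name that does not exist. Capture the helper once before the `range`, for example `{{- $fullName := include "concourse.web.fullname" . -}}`, and use that variable for the backend. It is also worth stating in values.yaml that `web.ingress.tls` is optional in this template, because with it unset nothing here requests TLS for the host that serves the basic-auth login.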


@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "concourse.web.fullname" . }}
labels:
app: {{ template "concourse.web.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
type: {{ .Values.web.service.type }}
ports:
- name: atc
port: {{ .Values.concourse.atcPort }}
targetPort: atc
{{ if and (eq "NodePort" .Values.web.service.type) .Values.web.service.atcNodePort }}
nodePort: {{ .Values.web.service.atcNodePort}}
{{ end }}
- name: tsa
port: {{ .Values.concourse.tsaPort }}
targetPort: tsa
{{ if and (eq "NodePort" .Values.web.service.type) .Values.web.service.tsaNodePort }}
nodePort: {{ .Values.web.service.tsaNodePort}}
{{ end }}
selector:
app: {{ template "concourse.web.fullname" . }}
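
Review bot: the `tsa` port shares `.Values.web.service.type` with `atc`, so switching the type to `LoadBalancer` or `NodePort` to publish the web UI also publishes the worker-registration port (`concourse.tsaPort`, 2222 by default) outside the cluster. Workers deployed by this chart run in the same cluster, so consider a separate ClusterIP Service for `tsa`, or a value that opts in to exposing it. Minor style point: `{{ .Values.web.service.atcNodePort}}` and `{{ .Values.web.service.tsaNodePort}}` are missing the space before `}}`.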


@ -0,0 +1,14 @@
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ template "concourse.worker.fullname" . }}
labels:
app: {{ template "concourse.worker.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
minAvailable: {{ .Values.worker.minAvailable }}
selector:
matchLabels:
app: {{ template "concourse.worker.fullname" . }}


@ -0,0 +1,160 @@
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: {{ template "concourse.worker.fullname" . }}
labels:
app: {{ template "concourse.worker.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
serviceName: {{ template "concourse.worker.fullname" . }}
replicas: {{ .Values.worker.replicas }}
template:
metadata:
labels:
app: {{ template "concourse.worker.fullname" . }}
annotations:
{{- range $key, $value := .Values.worker.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
terminationGracePeriodSeconds: {{ .Values.worker.terminationGracePeriodSeconds }}
containers:
- name: {{ template "concourse.worker.fullname" . }}
image: "{{ .Values.image }}:{{ .Values.imageTag }}"
imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
command:
- /bin/sh
args:
- -c
- |-
cp /dev/null /concourse-work-dir/.liveness_probe
concourse worker --name=${HOSTNAME} | tee -a /concourse-work-dir/.liveness_probe
sleep ${POST_STOP_DELAY_SECONDS}
livenessProbe:
exec:
command:
- /bin/sh
- -c
- |-
FATAL_ERRORS=$( echo "${LIVENESS_PROBE_FATAL_ERRORS}" | grep -q '\S' && \
grep -F "${LIVENESS_PROBE_FATAL_ERRORS}" /concourse-work-dir/.liveness_probe )
cp /dev/null /concourse-work-dir/.liveness_probe
if [ ! -z "${FATAL_ERRORS}" ]; then
>&2 echo "Fatal error detected: ${FATAL_ERRORS}"
exit 1
fi
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
lifecycle:
preStop:
exec:
command:
- "/bin/sh"
- "-c"
- "concourse retire-worker --name=${HOSTNAME}"
env:
- name: CONCOURSE_TSA_HOST
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-tsa-host
- name: CONCOURSE_TSA_PORT
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-tsa-port
- name: CONCOURSE_GARDEN_DOCKER_REGISTRY
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: garden-docker-registry
- name: CONCOURSE_GARDEN_INSECURE_DOCKER_REGISTRY
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: garden-insecure-docker-registry
- name: CONCOURSE_TSA_PUBLIC_KEY
value: "/concourse-keys/host_key.pub"
- name: CONCOURSE_TSA_WORKER_PRIVATE_KEY
value: "/concourse-keys/worker_key"
- name: CONCOURSE_WORK_DIR
value: "/concourse-work-dir"
- name: CONCOURSE_BAGGAGECLAIM_DRIVER
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: concourse-baggageclaim-driver
- name: POST_STOP_DELAY_SECONDS
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: worker-post-stop-delay-seconds
- name: LIVENESS_PROBE_FATAL_ERRORS
valueFrom:
configMapKeyRef:
name: {{ template "concourse.concourse.fullname" . }}
key: worker-fatal-errors
resources:
{{ toYaml .Values.worker.resources | indent 12 }}
securityContext:
privileged: true
volumeMounts:
- name: concourse-keys
mountPath: /concourse-keys
readOnly: true
- name: concourse-work-dir
mountPath: /concourse-work-dir
affinity:
{{- if .Values.worker.additionalAffinities }}
{{ toYaml .Values.worker.additionalAffinities | indent 8 }}
{{- end }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app: {{ template "concourse.worker.fullname" . }}
release: {{ .Release.Name | quote }}
volumes:
- name: concourse-keys
secret:
secretName: {{ template "concourse.concourse.fullname" . }}
defaultMode: 0400
items:
- key: host-key-pub
path: host_key.pub
- key: worker-key
path: worker_key
- key: worker-key-pub
path: worker_key.pub
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: concourse-work-dir
spec:
accessModes:
- {{ .Values.persistence.worker.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.worker.size | quote }}
{{- if .Values.persistence.worker.storageClass }}
{{- if (eq "-" .Values.persistence.worker.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.worker.storageClass }}"
{{- end }}
{{- end }}
{{- else }}
- name: concourse-work-dir
emptyDir: {}
{{- end }}
{{- if and (eq .Capabilities.KubeVersion.Major "1") (gt .Capabilities.KubeVersion.Minor "5") }}
updateStrategy:
type: {{ .Values.worker.updateStrategy }}
{{- end }}
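
Review bot: the version guard `(gt .Capabilities.KubeVersion.Minor "5")` at the end of the template compares strings, so the ordering is lexical: a minor version of "10" sorts below "5", and `updateStrategy` would be silently dropped on such a cluster. Compare the full version instead, for example with `semverCompare ">=1.6-0" .Capabilities.KubeVersion.GitVersion`. `securityContext: privileged: true` is also set unconditionally on the worker container; please add a comment in the template saying why the worker needs it, so that it is a visible decision for anyone reviewing the chart's pod security.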


@ -0,0 +1,21 @@
## A Headless Service is required when using a StatefulSet
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/
##
apiVersion: v1
kind: Service
metadata:
name: {{ template "concourse.worker.fullname" . }}
labels:
app: {{ template "concourse.worker.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
type: ClusterIP
clusterIP: None
## We do NOT expose any port as workers will forward connections with the ATC through a TSA reverse-tunnel
## ref: https://concourse.ci/architecture.html#architecture-worker
##
ports: []
selector:
app: {{ template "concourse.worker.fullname" . }}

494
concourse/values.yaml Normal file

@ -0,0 +1,494 @@
## Default values for Concourse Helm Chart.
## This is a YAML-formatted file.
## Declare variables to be passed into your templates.
## Override the name of the Chart.
##
# nameOverride:
## Concourse image.
##
image: concourse/concourse
## Concourse image version.
## ref: https://hub.docker.com/r/concourse/concourse/tags/
##
imageTag: "3.5.0"
## Specify a imagePullPolicy: 'Always' if imageTag is 'latest', else set to 'IfNotPresent'.
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
# imagePullPolicy:
## Configuration values for Concourse.
## ref: https://concourse.ci/setting-up.html
##
concourse:
## Concourse Basic Authentication Username.
## ref: https://concourse.ci/teams.html#authentication
##
username: concourse
## Concourse Basic Authentication Password.
## ref: https://concourse.ci/teams.html#authentication
##
password: concourse
## Concourse Host Keys.
## ref: https://concourse.ci/binaries.html#generating-keys
##
hostKey: |-
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
hostKeyPub: |-
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYBQ9fG6IML+qsFaMh1Pl+81wyUwRilHdfhItAiAsLVQsOwI5+V4pn5aLhHPBuRQqIqYmbkZ7I1VUIN1+90PVJ3X7l9qqanb85AHMtLujw1j9u0zDyH2XHgpUloknUQzUSLIZjjU3Hn3Uo/XikF+vT8104isO7Ym8Xp7sIcRuvOQ3nuRsFVCRogxpLTVHD/k57rwYVqWWLaKLwvx01ZVXOq4GHk/BVaKa9ODC/dNgbZMfwvVVXuf7/NFGmSMyXb49Si4aoP4Gn7jAX6GngBbm/bgKqO0skQy/ggQm/YVF+s5q4EhleMBLVJKD1VpM5LeLDFpiu/y4bVd8wUcgK+QQ9 Concourse
## Concourse Session Signing Keys.
## ref: https://concourse.ci/binaries.html#generating-keys
##
sessionSigningKey: |-
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
## Concourse Worker Keys.
## ref: https://concourse.ci/binaries.html#generating-keys
##
workerKey: |-
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
workerKeyPub: |-
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC496FSYFcBAKgDtMsBAJiF/6/NxlXKP5UZecyEsedYuTt1GOgJTwaA1qZ1LmHsbfLDE68oDdiM4uvxfI4wtLhz57w3u0jOUxZ2JeF7SVwEf1nVqLn4Gh/f8GUNQGSyIp1zUD5Bx9fq0PAyQ47mt7Ufi84rcf8LKl7nzAIHTcdg2BvTkQN9bUGPaq/Pb1W2bKPAQy4OzXTSIyrAJ89TH2jFeaZfyxQFGbD9jVHH/yl0oiMrDeaRYgccE5II+KY7WoLjsBry/9Qf2ERELKTK4UeIGIqWci9lab1ti+GxFPPiC3krNFjo4jShV4eUs4cNIrjwNrxVaKPXmU6o7Y3Hpayx Concourse
oldEncryptionKey:
encryptionKey:
## ATC listen port.
## ref: https://concourse.ci/architecture.html
##
atcPort: 8080
## TSA listen port.
## ref: https://concourse.ci/architecture.html
##
tsaPort: 2222
## Allow self signed certificates.
##
allowSelfSignedCertificates: false
## Length of time for which tokens are valid. Afterwards, users will have to log back in.
## Use Go duration format (48h = 48 hours).
##
authDuration: 24h
## Interval on which to check for new versions of resources.
## Use Go duration format (1m = 1 minute).
##
resourceCheckingInterval: 1m
## How long to cache the result of a get step after a newer version of the resource is found.
## Use Go duration format (1m = 1 minute).
##
oldResourceGracePeriod: 5m
## The interval on which to check for and release old caches of resource versions.
## Use Go duration format (1m = 1 minute),
##
resourceCacheCleanupInterval: 30s
## URL used to reach any ATC from the outside world.
##
# externalURL:
## The filesystem driver used by baggageclaim on workers, as of Concourse 3.1 can be values
## "overlay", "btrfs", or "naive". "overlay" is more stable than "btrfs" but is not supported
## on some Linux kernels, while "naive" is most supported but least space efficient. For background see
## https://github.com/concourse/concourse/issues/1230.
##
baggageclaimDriver: naive
## An URL pointing to the Docker registry to use to fetch Docker images.
## If unset, this will default to the Docker default
##
# dockerRegistry:
## Docker registry(ies) (comma separated) to allow connecting to even if not secure.
##
# insecureDockerRegistry:
## Application client ID for enabling GitHub OAuth.
##
# githubAuthClientId:
## Application client secret for enabling GitHub OAuth.
##
# githubAuthClientSecret:
## GitHub organizations (comma separated) whose members will have access.
##
# githubAuthOrganization:
## GitHub teams (comma separated) whose members will have access.
##
# githubAuthTeam:
## GitHub users (comma separated) to permit access.
##
# githubAuthUser:
## Override default endpoint AuthURL for Github Enterprise.
##
# githubAuthAuthUrl:
## Override default endpoint TokenURL for Github Enterprise.
##
# githubAuthTokenUrl:
## Override default API endpoint URL for Github Enterprise.
##
# githubAuthApiUrl:
## Application client ID for enabling GitLab OAuth.
##
# gitlabAuthClientId:
## Application client secret for enabling GitLab OAuth.
##
# gitlabAuthClientSecret:
## GitLab Group (comma separated) whose members will have access.
##
# gitlabAuthGroup:
## Endpoint AuthURL for Gitlab server.
##
# gitlabAuthAuthUrl:
## Endpoint TokenURL for Gitlab server.
##
# gitlabAuthTokenUrl:
## API endpoint URL for Github server.
##
# gitlabAuthApiUrl:
## Name for this auth method on the web UI.
##
# genericOauthDisplayName:
## Application client ID for enabling generic OAuth.
##
# genericOauthClientId:
## Application client secret for enabling generic OAuth.
##
# genericOauthClientSecret:
## Generic OAuth provider AuthURL endpoint.
##
# genericOauthAuthUrl:
## Parameters (comma separated) to pass to the authentication server AuthURL.
##
# genericOauthAuthUrlParam:
## Optional scope required to authorize user.
##
# genericOauthScope:
## Generic OAuth provider TokenURL endpoint.
##
# genericOauthTokenUrl:
## Configuration values for Concourse Web components.
##
web:
## Override the components name (defaults to web).
##
# nameOverride:
## Number of replicas.
##
replicas: 1
## Additional affinities to add to the web pods.
## Useful if you prefer to run workers on non-spot instances, for example
##
# additionalAffinities:
# nodeAffinity:
# preferredDuringSchedulingIgnoredDuringExecution:
# - weight: 50
# preference:
# matchExpressions:
# - key: spot
# operator: NotIn
# values:
# - "true"
## Configure resource requests and limits.
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
requests:
cpu: "100m"
memory: "128Mi"
## Service configuration.
## ref: https://kubernetes.io/docs/user-guide/services/
##
service:
## For minikube, set this to ClusterIP, elsewhere use LoadBalancer.
## ref: https://kubernetes.io/docs/user-guide/services/#publishing-services---service-types
##
type: ClusterIP
# If you fix atc nodeport, this parameter set(web.service.atcNodePort)
# atcNodePort: 30150
#
# If you fix tsa nodeport, this parameter set(web.service.tsaNodePort)
# tsaNodePort: 30151
## Ingress configuration.
## ref: https://kubernetes.io/docs/user-guide/ingress/
##
ingress:
## Enable Ingress.
##
enabled: false
## Annotations to be added to the web ingress.
##
# annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: 'true'
## Hostnames.
## Must be provided if Ingress is enabled.
##
# hosts:
# - concourse.domain.com
## TLS configuration.
## Secrets must be manually created in the namespace.
##
# tls:
# - secretName: concourse-web-tls
# hosts:
# - concourse.domain.com
#
#
## Configuration values for Concourse Worker components.
##
worker:
## Override the components name (defaults to worker).
##
# nameOverride:
## Number of replicas.
##
replicas: 2
## Minimun number of workers available after an eviction
## ref: https://kubernetes.io/docs/admin/disruptions/
##
minAvailable: 1
## Configure resource requests and limits.
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
requests:
cpu: "100m"
memory: "512Mi"
## Annotations to be added to the worker pods.
##
# annotations:
# iam.amazonaws.com/role: arn:aws:iam::123456789012:role/concourse
#
## Additional affinities to add to the worker pods.
## Useful if you prefer to run workers on non-spot instances, for example
##
# additionalAffinities:
# nodeAffinity:
# preferredDuringSchedulingIgnoredDuringExecution:
# - weight: 50
# preference:
# matchExpressions:
# - key: spot
# operator: NotIn
# values:
# - "true"
## Time to delay after the worker process shuts down. This inserts time between shutdown and startup
## to avoid errors caused by a worker restart.
postStopDelaySeconds: 60
## Time to allow the pod to terminate before being forcefully terminated. This should include
## postStopDelaySeconds, and should additionally provide time for the worker to retire, e.g.
## = postStopDelaySeconds + max time to allow the worker to drain its tasks. See
## https://concourse.ci/worker-internals.html for worker lifecycle semantics.
terminationGracePeriodSeconds: 120
## If any of the strings are found in logs, the worker's livenessProbe will fail and trigger a pod restart.
## Specify one string per line, exact matching is used.
##
## "guardian.api.garden-server.create.failed" appears when the worker's filesystem has issues.
## "unknown handle" appears if a worker didn't cleanly restart.
fatalErrors: |-
guardian.api.garden-server.create.failed
unknown handle
## Strategy for StatefulSet updates (requires Kubernetes 1.6+)
## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset
##
updateStrategy: RollingUpdate
## Persistent Volume Storage configuration.
## ref: https://kubernetes.io/docs/user-guide/persistent-volumes
##
persistence:
## Enable persistence using Persistent Volume Claims.
##
enabled: true
## Worker Persistence configuration.
##
worker:
## concourse data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
## Persistent Volume Access Mode.
##
accessMode: ReadWriteOnce
## Persistent Volume Storage Size.
##
size: 20Gi
## Configuration values for the postgresql dependency.
## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md
##
postgresql:
## Use the PostgreSQL chart dependency.
##
embedded: false
## ALL OF THE FOLLOWING CONFIGURATION IS APPLICABLE ONLY IF
## postgresql.embedded is set to false
##
azure:
servicePlan: basic100
location: eastus
## ALL OF THE FOLLOWING CONFIGURATION IS APPLICABLE ONLY IF
## postgresql.embedded is set to true
##
### PostgreSQL User to create.
##
postgresUser: concourse
## PostgreSQL Password for the new user.
## If not set, a random 10 characters password will be used.
##
postgresPassword: concourse
## PostgreSQL Database to create.
##
postgresDatabase: concourse
## Persistent Volume Storage configuration.
## ref: https://kubernetes.io/docs/user-guide/persistent-volumes
##
persistence:
## Enable PostgreSQL persistence using Persistent Volume Claims.
##
enabled: true
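
Review bot: `hostKey`, `sessionSigningKey` and `workerKey` ship as committed RSA private keys, and `username`, `password` and `postgresPassword` all default to `concourse`, so every release installed without overrides shares the same TSA host key, session signing key, worker key and login. Leave these values empty and fail the render when they are missing (Helm's `required` function does this), or state at the top of the file that they must be overridden before the chart is exposed. Documentation nits in the same file: the comment above `postgresPassword` says a random password is used when unset, but the value is set; the comment above `gitlabAuthApiUrl` says "Github server"; and "Minimun" above `minAvailable` is a typo.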

79
docs/contributing.md Normal file

@ -0,0 +1,79 @@
# Contributing Guidelines
The Microsoft Azure Helm Charts project accepts contributions via GitHub pull
requests. This document outlines the process to help get your contribution
accepted.
## Contributor License Agreements
We'd love to accept your patches! Before we can take them, we have to jump a
couple of legal hurdles.
The [Microsoft CLA](https://cla.microsoft.com/) must be signed by all
contributors. Please fill out either the individual or corporate Contributor
License Agreement (CLA). Once you are CLA'ed, we'll be able to accept your pull
requests.
***NOTE***: Only original source code from you and other people that have
signed the CLA can be accepted into the repository.
## Support Channels
This is an open source project and as such no formal support is available.
However, like all good open source projects we do offer "best effort" support
through [github issues](https://github.com/Azure/helm-charts/issues).
Before opening a new issue or submitting a new pull request, it's helpful to
search the project - it's likely that another user has already reported the
issue you're facing, or it's a known issue that we're already aware of.
## Issues
Issues are used as the primary method for tracking anything to do with the
Helm Charts project.
### Issue Lifecycle
The issue lifecycle is mainly driven by the core maintainers, but is good
information for those contributing to Helm Charts. All issue types
follow the same general lifecycle. Differences are noted below.
1. Issue creation
1. Triage
- The maintainer in charge of triaging will apply the proper labels for the
issue. This includes labels for priority, type, and metadata. If additional
labels are needed in the future, we will add them.
- If needed, clean up the title to succinctly and clearly state the issue.
Also ensure that proposals are prefaced with "Proposal".
- Add the issue to the correct milestone. If any questions come up, don't
worry about adding the issue to a milestone until the questions are
answered.
- We attempt to do this process at least once per work day.
1. Discussion
- "Feature" and "Bug" issues should be connected to the PR that resolves it.
- Whoever is working on a "Feature" or "Bug" issue (whether a maintainer or
someone from the community), should either assign the issue to themself or
make a comment in the issue saying that they are taking it.
- "Proposal" and "Question" issues should remain open until they are
either resolved or have remained inactive for more than 30 days. This will
help keep the issue queue to a manageable size and reduce noise. Should the
issue need to stay open, the `keep open` label can be added.
1. Issue closure
## How to Contribute a Patch
1. If you haven't already done so, sign a Contributor License Agreement
(see details above).
2. Fork the repository, develop and test your code changes.
3. Submit a pull request.
Your pull request will be reviewed according to the process defined in [reviewing.md](./reviewing.md).
## Code of conduct
This project has adopted the
[Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the
[Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq) or
contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any
additional questions or comments.

56
docs/reviewing.md Normal file

@ -0,0 +1,56 @@
# Reviewing Azure Helm Charts Code
This is a guide for reviewers of pull requests (PRs) and code in this repository.
When a pull request is submitted (see
[the contributing document](./contributing.md) for more details on the PR process),
the maintainers of this repository ("reviewers" hereafter) are responsible
for reviewing and merging it.
# General Responsibilities
Reviewers have the following general responsibilities:
- Ensuring that the code is easy to read and of generally good quality
- Ensuring that tests pass
- Ensuring that documentation (in YAML or otherwise) is clear and complete
- Ensuring that no harmful changes are made to the charts
Above everything else, reviewers should provide their feedback in a constructive, respectful
manner that encourages future contributions and provides a safe, comfortable and efficient
community.
# Review Process
Azure Helm Charts Broker have not yet reached a 1.0 release, so we, the maintainers, believe
that quality, efficiency, and velocity are important (in that order of importance).
As such, we've defined a few categories of PRs and their review requirements:
- Documentation only: These require a single review. Special care should be taken
for documentation clarity, accuracy and grammar. If the reviewer is unsure of
some part of the documentation, they should reach out to either the contributor
or someone else they know has knowledge on the subject
- Small: While we don't have exact measurements to determine whether a PR is small,
these PRs generally span no more than a few files or represent a mechanical change
(even if it may be across many files, like a rename). These require a single review
- Medium: While we don't have exact measurements to determine whether a PR is medium,
these PRs generally span a only a single chart. Medium PRs require a
single review by a reviewer familiar with the areas of concern
- Large: Large PRs generally span a large portion of the project, or add or remove
a chart. These generally require two reviews, but the first reviewer may
decide that they can review it without a second review if they are familiar with
the changes.
A few additional notes:
- We do not make a distinction between modified, deleted or added lines
- Maintainers sometimes submit small PRs, often for administrative purposes
(i.e. fixing a typo in a document or modifying a script for CI). In these cases,
a maintainer may merge these PRs without review. Maintainers must use their best
judgement to decide whether these kinds of PRs need a separate review or not.
- Maintainers may merge their own PRs after reviews are completed and "green"
All reviewers will use
[GitHub Pull Request Reviews](https://help.github.com/articles/about-pull-request-reviews/)
to deliver feedback, request changes, or approve a PR.
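Review bot: The self-merge exception under "A few additional notes" gives "modifying a script for CI" as an example of a PR a maintainer may merge without review, yet the CI scripts in this repository install packages and publish charts to blob storage, so they are among the changes most worth a second reviewer. Suggest limiting the exception to documentation typos and requiring one review for anything under `scripts` or the CI config. Also in this file: "Azure Helm Charts Broker have not yet reached" should read "Azure Helm Charts has not yet reached", "span a only a single chart" has a stray "a", and "no harmful changes are made to the charts" would be more useful if it named what reviewers should check (image sources, default credentials, TLS settings).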

@ -29,8 +29,8 @@ done
#####
# index the charts, merging with the old index.yaml so charts are versioned
#####
REPO_URL=https://kubernetescharts.blob.core.windows.net/
helm repo index --url $REPO_URL --merge index.yaml .
REPO_ROOT=https://kubernetescharts.blob.core.windows.net
helm repo index --url "$REPO_ROOT/$AZURE_STORAGE_CONTAINER" --merge index.yaml .
#####
# upload to Azure blob storage
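Review bot: `$AZURE_STORAGE_CONTAINER` is now part of the URL passed to `helm repo index --url`, but nothing in the visible lines checks that it is set. If it is empty, the index is written with `$REPO_ROOT/` as the base URL and every chart entry points at the storage account root instead of the container. Suggest failing early, for example `: "${AZURE_STORAGE_CONTAINER:?must be set}"` ahead of this block, or running the script under `set -u`.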

@ -1,8 +1,21 @@
#!/bin/bash
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ wheezy main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
apt-key adv --keyserver packages.microsoft.com --recv-keys 417A0893
# About
#
# This script installs the Azure CLI. It copies the steps from the following link:
#
# https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
#
# under the "Install with apt package manager" section
# first do an update and install apt-transport-https
apt-get update
apt-get install -y apt-transport-https
# update package lists so we get the Microsoft packages (including azure-cli)
# the add keys for the MSFT apt repo
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ wheezy main" | tee /etc/apt/sources.list.d/azure-cli.list
apt-key adv --keyserver packages.microsoft.com --recv-keys 52E16F86FEE04B979B07E28DB02C46DF417A0893
# then update again and install azure-cli
apt-get update
apt-get install -y azure-cli
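Review bot: The script has no `set -e`, so a failure in `apt-key adv` or in either `apt-get update` does not stop it, and the new `test-install-az-cli` job reports only the exit status of the last command. Add `set -euo pipefail` right after the shebang. Moving from the short key ID `417A0893` to the full fingerprint is the right call, since short IDs can collide. The comment `# update package lists so we get the Microsoft packages` sits above the `echo ... | tee` line rather than above an `apt-get update`, and `# the add keys` should read `# then add keys`. With `sudo` removed the script now assumes it runs as root; say so in the `# About` header.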

@ -9,8 +9,14 @@ storage, message-oriented middleware, and more.
For more information,
[visit the project on github](https://github.com/kubernetes-incubator/service-catalog).
To install, you must have a Kubernetes 1.7 cluster. If you are using
[acs-engine](https://github.com/Azure/acs-engine) to install a cluster, run
To install, you must have a Kubernetes 1.7 cluster with support for
[aggregated APIs](https://kubernetes.io/docs/concepts/api-extension/apiserver-aggregation/)
turned on. See below for instructions for configuring your Kubernetes cluster via
various tools.
# ACS Engine
If you are using [acs-engine](https://github.com/Azure/acs-engine) to install a cluster, run
the following command from this directory:
```console
@ -22,5 +28,25 @@ acs-engine deploy \
--api-model acs-engine-kubernetes-config.json
```
When your cluster becomes available, see the
[service-catalog installation documentation](https://github.com/kubernetes-incubator/service-catalog/blob/master/docs/install-1.7.md).
When your cluster becomes available, and you've installed the Kube Config properly,
install Service Catalog according to the
[installation documentation](https://github.com/kubernetes-incubator/service-catalog/blob/master/docs/install.md).
# Minikube
If you are using [Minikube](https://github.com/kubernetes/minikube), ensure that you
are using version [v0.22.0](https://github.com/kubernetes/minikube/releases/tag/v0.22.0) or
above, and simply execute the following to start your Kubernetes cluster:
```console
minikube start --extra-config=apiserver.Authorization.Mode=RBAC
```
After the command exits successfully, install Service Catalog according to the
[installation documentation](https://github.com/kubernetes-incubator/service-catalog/blob/master/docs/install.md).
# Azure Container Service (AKS)
Currently, AKS does not fully support aggregated APIs. Support is forthcoming, and this
document will be updated when aggregated APIs are supported.
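Review bot: The Minikube section passes `--extra-config=apiserver.Authorization.Mode=RBAC`, but the prerequisite stated at the top of the file is aggregated API support, and the text never says how the two relate. State whether Minikube v0.22.0 enables aggregation by default and why RBAC has to be switched on, so readers do not assume this flag is what enables aggregated APIs. "installed the Kube Config properly" in the ACS Engine section is also vague; name the file or command the reader needs. Both install links now point at `install.md` on `master`, which can change underneath this document; consider linking a tagged revision.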

@ -1,5 +1,5 @@
name: wordpress
version: 0.6.12
version: 0.1.0
appVersion: 4.8.1
description: Web publishing platform for building blogs and websites.
icon: https://bitnami.com/assets/stacks/wordpress/img/wordpress-stack-220x234.png
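Review bot: `version` goes down from `0.6.12` to `0.1.0` while `name: wordpress` stays the same. The sync script builds the repository index with `--merge index.yaml` so that earlier versions are kept; if a `0.6.12` package was ever published to this repository, clients that install without `--version` will keep resolving to it instead of this chart. Either confirm that no higher version exists in the published index or choose a version above it.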
@ -15,6 +15,6 @@ home: http://www.wordpress.com/
sources:
- https://github.com/bitnami/bitnami-docker-wordpress
maintainers:
- name: bitnami-bot
email: containers@bitnami.com
- name: Kent Rancourt
email: kent.rancourt@microsoft.com
engine: gotpl

@ -11,7 +11,7 @@ a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh)
It is inspired by the
[upstream wordpress chart](https://github.com/kubernetes/charts/tree/master/stable/wordpress),
but utilizes the Azure Service Broker to provision an
but, by default, utilizes the Azure Service Broker to provision an
[Azure Database for MySQL](https://azure.microsoft.com/en-us/services/mysql/)
database for the Wordpress server to use.
@ -81,15 +81,31 @@ The following tables lists the configurable parameters of the WordPress chart an
| `smtpPassword` | SMTP password | `nil` |
| `smtpUsername` | User name for SMTP emails | `nil` |
| `smtpProtocol` | SMTP protocol [`tls`, `ssl`] | `nil` |
| `mysql.embeddedMaria` | Whether to fulfill the dependency on MySQL using an embedded (on-cluster) MariaDB database _instead of Aure Database for MySQL. This option is available to enable local or no-cost evaluation of this chart. | `false` |
| `serviceType` | Kubernetes Service type | `LoadBalancer` |
| `healthcheckHttps` | Use https for liveliness and readiness | `false` |
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.hostname` | URL to address your WordPress installation | `wordpress.local` |
| `ingress.tls` | Ingress TLS configuration | `[]` |
| `ingress.hosts[0].name` | Hostname to your WordPress installation | `wordpress.local` |
| `ingress.hosts[0].tls` | Utilize TLS backend in ingress | `false` |
| `ingress.hosts[0].tlsSecret` | TLS Secret (certificates) | `wordpress.local-tls-secret` |
| `ingress.hosts[0].annotations` | Annotations for this host's ingress record | `[]` |
| `ingress.secrets[0].name` | TLS Secret Name | `nil` |
| `ingress.secrets[0].certificate` | TLS Secret Certificate | `nil` |
| `ingress.secrets[0].key` | TLS Secret Key | `nil` |
| `persistence.enabled` | Enable persistence using PVC | `true` |
| `persistence.storageClass` | PVC Storage Class | `nil` (uses alpha storage class annotation) |
| `persistence.accessMode` | PVC Access Mode | `ReadWriteOnce` |
| `persistence.size` | PVC Storage Request | `10Gi` | |
| `persistence.size` | PVC Storage Request | `10Gi` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
The following configuration options are utilized only if `mysql.embeddedMaria` is set to `true`:
| Parameter | Description | Default |
| ------------------------------- | ------------------------------- | ---------------------------------------------------------- |
| `mariadb.mariadbRootPassword` | MariaDB admin password | `nil` |
| `mariadb.mariadbDatabase` | Database name to create | `bitnami_wordpress` |
| `mariadb.mariadbUser` | Database user to create | `bn_wordpress` |
| `mariadb.mariadbPassword` | Password for the database | _random 10 character long alphanumeric string_ |
The above parameters map to the env variables defined in [bitnami/wordpress](http://github.com/bitnami/bitnami-docker-wordpress). For more information please refer to the [bitnami/wordpress](http://github.com/bitnami/bitnami-docker-wordpress) image documentation.
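Review bot: The documented default for `ingress.hosts[0].tlsSecret` is `wordpress.local-tls-secret`, but values.yaml in this commit sets `tlsSecret: wordpress.local-tls`; align the table with the values file. In the `mysql.embeddedMaria` row, "Aure" should be "Azure", and `_instead` opens an emphasis that is never closed.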
@ -121,4 +137,74 @@ See the [Configuration](#configuration) section to configure the PVC or to disab
## Ingress
This chart provides support for Ingress resource. If you have available an Ingress Controller such as Nginx or Traefik you maybe want to set up `ingress.enabled` to true and choose a `ingress.hostname` for the URL. Then, you should be able to access the installation using that address.
This chart provides support for ingress resources. If you have an
ingress controller installed on your cluster, such as [nginx-ingress](https://kubeapps.com/charts/stable/nginx-ingress)
or [traefik](https://kubeapps.com/charts/stable/traefik) you can utilize
the ingress controller to service your WordPress application.
To enable ingress integration, please set `ingress.enabled` to `true`
### Hosts
Most likely you will only want to have one hostname that maps to this
WordPress installation, however it is possible to have more than one
host. To facilitate this, the `ingress.hosts` object is an array.
For each item, please indicate a `name`, `tls`, `tlsSecret`, and any
`annotations` that you may want the ingress controller to know about.
Indicating TLS will cause WordPress to generate HTTPS urls, and
WordPress will be connected to at port 443. The actual secret that
`tlsSecret` references does not have to be generated by this chart.
However, please note that if TLS is enabled, the ingress record will not
work until this secret exists.
For annotations, please see [this document](https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md).
Not all annotations are supported by all ingress controllers, but this
document does a good job of indicating which annotation is supported by
many popular ingress controllers.
### TLS Secrets
This chart will facilitate the creation of TLS secrets for use with the
ingress controller, however this is not required. There are three
common use cases:
* helm generates / manages certificate secrets
* user generates / manages certificates separately
* an additional tool (like [kube-lego](https://kubeapps.com/charts/stable/kube-lego))
manages the secrets for the application
In the first two cases, one will need a certificate and a key. We would
expect them to look like this:
* certificate files should look like (and there can be more than one
certificate if there is a certificate chain)
```
-----BEGIN CERTIFICATE-----
MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
...
jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7
-----END CERTIFICATE-----
```
* keys should look like:
```
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4
...
wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc=
-----END RSA PRIVATE KEY-----
````
If you are going to use helm to manage the certificates, please copy
these values into the `certificate` and `key` values for a given
`ingress.secrets` entry.
If you are going are going to manage TLS secrets outside of helm, please
know that you can create a TLS secret by doing the following:
```
kubectl create secret tls wordpress.local-tls --key /path/to/key.key --cert /path/to/cert.crt
```
Please see [this example](https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tls)
for more information.
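Review bot: The paragraph beginning "If you are going to use helm to manage the certificates" tells users to paste the private key into the `key` value of an `ingress.secrets` entry, which puts key material in a values file that is commonly committed to version control and is recorded by Helm alongside the release. Recommend presenting the `kubectl create secret tls` route (or kube-lego) as the default and describing the values-file route as suitable for evaluation only. Formatting: the key example opens with three backticks and closes with four, so make the fences match, and "If you are going are going to" repeats two words.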

@ -0,0 +1,6 @@
dependencies:
- name: mariadb
repository: https://kubernetes-charts.storage.googleapis.com/
version: 0.7.0
digest: sha256:073dd4c28e65aafb52fdbce9153c8fa63c171ec7a1f49563ae6328230392f3c7
generated: 2017-11-07T10:31:11.129329-05:00

@ -0,0 +1,5 @@
dependencies:
- name: mariadb
version: 0.7.0
repository: https://kubernetes-charts.storage.googleapis.com/
condition: mysql.embeddedMaria

@ -14,3 +14,11 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "mariadb.fullname" -}}
{{- printf "%s-%s" .Release.Name "mariadb" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
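Review bot: `mariadb.fullname` hard-codes the suffix `"mariadb"`, so the Secret and host names used in the deployment only resolve if the subchart also names its resources `<release>-mariadb`; a `nameOverride` on the subchart would silently break the lookup. Named templates are also global across a chart and its subcharts, so if the mariadb chart defines a template with this same name the two definitions compete. Suggest a chart-specific name (for example `wordpress.mariadb.fullname`) and a comment that states the coupling, in place of the comment copied from the `fullname` helper above.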

@ -25,6 +25,26 @@ spec:
{{- else }}
value: "no"
{{- end }}
{{- if .Values.mysql.embeddedMaria }}
- name: MARIADB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mariadb.fullname" . }}
key: mariadb-root-password
- name: MARIADB_HOST
value: {{ template "mariadb.fullname" . }}
- name: MARIADB_PORT_NUMBER
value: "3306"
- name: WORDPRESS_DATABASE_NAME
value: {{ default "" .Values.mariadb.mariadbDatabase | quote }}
- name: WORDPRESS_DATABASE_USER
value: {{ default "" .Values.mariadb.mariadbUser | quote }}
- name: WORDPRESS_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "mariadb.fullname" . }}
key: mariadb-password
{{- else }}
- name: MARIADB_HOST
valueFrom:
secretKeyRef:
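Review bot: In the `embeddedMaria` branch the WordPress container receives `MARIADB_ROOT_PASSWORD` in addition to `WORDPRESS_DATABASE_USER` and `WORDPRESS_DATABASE_PASSWORD`. Since values.yaml has the MariaDB chart create the database (`mariadbDatabase`) and the application user (`mariadbUser`), check whether the application container needs the root credential at all, and drop the variable if it does not, so that a compromise of WordPress does not also expose database admin access.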
@ -50,6 +70,7 @@ spec:
secretKeyRef:
name: {{ template "fullname" . }}-mysql-secret
key: password
{{- end }}
- name: WORDPRESS_USERNAME
value: {{ default "" .Values.wordpressUsername | quote }}
- name: WORDPRESS_PASSWORD
@ -129,3 +150,7 @@ spec:
{{- else }}
emptyDir: {}
{{ end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end -}}

@ -1,28 +1,36 @@
{{- if .Values.ingress.enabled -}}
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "fullname" . }}
labels:
app: {{ template "fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
name: "{{- printf "%s-%s" .name $.Release.Name | trunc 63 | trimSuffix "-" -}}"
labels:
app: {{ template "fullname" $ }}
chart: "{{ $.Chart.Name }}-{{ $.Chart.Version }}"
release: "{{ $.Release.Name }}"
heritage: "{{ $.Release.Service }}"
annotations:
{{- if .tls }}
ingress.kubernetes.io/secure-backends: "true"
{{- end }}
{{- range $key, $value := .annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
- host: {{ .Values.ingress.hostname }}
http:
paths:
- path: /
backend:
serviceName: {{ template "fullname" . }}
servicePort: 80
{{- if .Values.ingress.tls }}
- host: {{ .name }}
http:
paths:
- path: /
backend:
serviceName: {{ template "fullname" $ }}
servicePort: {{ if .tls }}443{{ else }}80{{end}}
{{- if .tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
- hosts:
- {{ .name }}
secretName: {{ .tlsSecret }}
{{- end }}
---
{{- end }}
{{- end }}
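Review bot: `.tls` on a host now drives three separate things: the `tls:` block on the Ingress, the `ingress.kubernetes.io/secure-backends: "true"` annotation, and `servicePort` switching to 443. TLS termination at the ingress and TLS to the backend are independent choices; with this coupling, a user who only wants an HTTPS front end gets traffic sent to port 443 of the WordPress service whether or not it serves a certificate there. Suggest a separate per-host flag for the backend. Also, the resource name is built as `printf "%s-%s" .name $.Release.Name | trunc 63`, so a long hostname truncates away the release name and two releases serving the same host can end up with the same Ingress name; put the release name first. `{{ .name }}` and `{{ .tlsSecret }}` should go through `| quote`.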

@ -1,3 +1,4 @@
{{- if not .Values.mysql.embeddedMaria }}
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
@ -11,3 +12,4 @@ spec:
instanceRef:
name: {{ template "fullname" . }}-mysql-instance
secretName: {{ template "fullname" . }}-mysql-secret
{{- end }}

@ -1,3 +1,4 @@
{{- if not .Values.mysql.embeddedMaria }}
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
@ -14,3 +15,4 @@ spec:
location: eastus
resourceGroup: {{ .Release.Namespace }}
sslEnforcement: disabled
{{- end }}
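Review bot: The unchanged context in this hunk still hard-codes `sslEnforcement: disabled` and `location: eastus` on the Azure Database for MySQL instance, which the README now describes as the default path. Consider exposing both as values and defaulting SSL enforcement to enabled, since in this mode database traffic leaves the cluster.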

@ -1,7 +1,7 @@
## Bitnami WordPress image version
## ref: https://hub.docker.com/r/bitnami/wordpress/tags/
##
image: bitnami/wordpress:4.8.1-r1
image: bitnami/wordpress:4.8.3-r0
## Specify a imagePullPolicy
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
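Review bot: The image moves to `bitnami/wordpress:4.8.3-r0`, but `appVersion` in Chart.yaml stays at `4.8.1` in this commit; bump it so the chart metadata reports the version that is actually deployed. The reference is also still a mutable tag; pinning by digest would make the deployed image reproducible.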
@ -53,6 +53,51 @@ allowEmptyPassword: yes
# smtpUsername:
# smtpProtocol:
mysql:
embeddedMaria: false
##
## MariaDB chart configuration
## ALL OF THE FOLLOWING CONFIGURATION IS APPLICABLE ONLY IF mysql.embeddedMaria
## is set to true
##
mariadb:
## MariaDB admin password
## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#setting-the-root-password-on-first-run
##
# mariadbRootPassword:
## Create a database
## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-on-first-run
##
mariadbDatabase: bitnami_wordpress
## Create a database user
## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-user-on-first-run
##
mariadbUser: bn_wordpress
## Password for mariadbUser
## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-user-on-first-run
##
# mariadbPassword:
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
enabled: true
## mariadb data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
accessMode: ReadWriteOnce
size: 8Gi
## Kubernetes configuration
## For minikube, set this to NodePort, elsewhere use LoadBalancer
##
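Review bot: The `storageClass` comment under `mariadb.persistence` lists default provisioners for AWS, GKE and OpenStack but says nothing about Azure, the platform this repository targets; replace the copied text with what happens on an Azure cluster when the value is unset. `# mariadbRootPassword:` and `# mariadbPassword:` are both left commented out while the hunk header shows `allowEmptyPassword: yes`; add a comment on each saying what is generated or allowed when no value is supplied.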
@ -66,21 +111,46 @@ healthcheckHttps: false
## ref: http://kubernetes.io/docs/user-guide/ingress/
##
ingress:
enabled: false
hostname: wordpress.local
## Set to true to enable ingress record generation
enabled: false
## Ingress annotations
##
# annotations:
# kubernetes.io/ingress.class: nginx
## The list of hostnames to be covered with this ingress record.
## Most likely this will be just one host, but in the event more hosts are needed, this is an array
hosts:
- name: wordpress.local
## Ingress TLS configuration
## Secrets must be manually created in the namespace
## Set this to true in order to enable TLS on the ingress record
## A side effect of this will be that the backend wordpress service will be connected at port 443
tls: false
## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
tlsSecret: wordpress.local-tls
## Ingress annotations done as key:value pairs
## If you're using kube-lego, you will want to add:
## kubernetes.io/tls-acme: true
##
# tls:
# - secretName: wordpress.local-tls
# hosts:
# - wordpress.local
## For a full list of possible ingress annotations, please see
## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md
##
## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: true
secrets:
## If you're providing your own certificates, please use this to add the certificates as secrets
## key and certificate should start with -----BEGIN CERTIFICATE----- or
## -----BEGIN RSA PRIVATE KEY-----
##
## name should line up with a tlsSecret set further up
## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set
##
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
# - name: wordpress.local-tls
# key:
# certificate:
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
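Review bot: The comment under `secrets:` says "key and certificate should start with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY-----", which lists the headers in the opposite order to the fields and reads as if either header fits either field. Spell out that `certificate` takes the `BEGIN CERTIFICATE` block and `key` takes the `BEGIN RSA PRIVATE KEY` block. `annotations:` and `secrets:` have only commented-out children, so both parse as null; writing `annotations: {}` and `secrets: []` makes the intended types explicit.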
@ -105,3 +175,8 @@ resources:
requests:
memory: 512Mi
cpu: 300m
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}