diff --git a/README.md b/README.md index 029d1271..08a1caeb 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +# Venafi Kubernetes Agent + [![tests](https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml/badge.svg?branch=master&event=push)](https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml) [![Go Reference](https://pkg.go.dev/badge/github.com/jetstack/jetstack-secure.svg)](https://pkg.go.dev/github.com/jetstack/jetstack-secure) [![Go Report Card](https://goreportcard.com/badge/github.com/jetstack/jetstack-secure)](https://goreportcard.com/report/github.com/jetstack/jetstack-secure) @@ -6,8 +8,9 @@ ## Installation -Please [review the documentation](https://platform.jetstack.io/documentation/installation/agent) -for the agent before getting started. +Please [review the documentation](https://docs.venafi.cloud/vaas/k8s-components/c-tlspk-agent-overview/) for the agent. + +Detailed installation instructions are available for a variety of methods. ## Local Execution @@ -17,11 +20,9 @@ To build and run a version from master: go run main.go agent --agent-config-file ./path/to/agent/config/file.yaml -p 0h1m0s ``` -You can find the example agent file -[here](https://github.com/jetstack/preflight/blob/master/agent.yaml). +You can find an example agent file [here](https://github.com/jetstack/preflight/blob/master/agent.yaml). -You might also want to run a local echo server to monitor requests the agent -sends: +You might also want to run a local echo server to monitor requests sent by the agent: ```bash go run main.go echo 
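Review bot: in the `## Installation` hunk, the added line `+Detailed installation instructions are available for a variety of methods.` tells the reader that instructions exist but links none of them, whereas the removed text at least pointed at an installation page; either link the install methods (the `c-tlspk-agent-overview` page you already cite, or its installation sub-pages) or fold the sentence into the line above. In the `## Local Execution` hunk, the example agent file is still linked at `https://github.com/jetstack/preflight/blob/master/agent.yaml` while every badge and workflow link in this README points at `jetstack/jetstack-secure`; link the copy of `agent.yaml` in this repository so the instruction does not depend on the old repository name resolving.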
@@ -29,188 +30,17 @@ go run main.go echo ## Metrics -The Jetstack-Secure agent exposes its metrics through a Prometheus server, on port 8081. +The agent exposes its metrics through a Prometheus server, on port 8081. + The Prometheus server is disabled by default but can be enabled by passing the `--enable-metrics` flag to the agent binary. -If you deploy the agent with Helm, using the venafi-kubernetes-agent Helm chart, the metrics server will be enabled by default, on port 8081. +If you deploy the agent using the venafi-kubernetes-agent Helm chart, the metrics server will be enabled by default, on port 8081. + If you use the Prometheus Operator, you can use `--set metrics.podmonitor.enabled=true` to deploy a `PodMonitor` resource, which will add the venafi-kubernetes-agent metrics to your Prometheus server. The following metrics are collected: -- Go collector: via the [default registry](https://github.com/prometheus/client_golang/blob/34e02e282dc4a3cb55ca6441b489ec182e654d59/prometheus/registry.go#L60-L63) in Prometheus client_golang. -- Process collector: via the [default registry](https://github.com/prometheus/client_golang/blob/34e02e282dc4a3cb55ca6441b489ec182e654d59/prometheus/registry.go#L60-L63) in Prometheus client_golang. -- Agent metrics: -- `data_readings_upload_size`: Data readings upload size (in bytes) sent by the jscp in-cluster agent. 
- -## Tiers, Images and Helm Charts - -The Docker images are: - -| Image | Access | Tier | Docs | -| --------------------------------------------------------- | ------- | ------------------------------------------- | --------------------------- | -| `quay.io/jetstack/preflight` | Public | Tier 1 and 2 of Jetstack Secure | | -| `quay.io/jetstack/venafi-agent` | Public | Not meant for users, used for mirroring | | -| `registry.venafi.cloud/venafi-agent/venafi-agent` | Public | Tier 1 of Venafi TLS Protect for Kubernetes | | -| `private-registry.venafi.cloud/venafi-agent/venafi-agent` | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][] | -| `private-registry.venafi.eu/venafi-agent/venafi-agent` | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][] | - -[Jetstack Enterprise Registry]: https://platform.jetstack.io/documentation/installation/agent#1-obtain-oci-registry-credentials/ -[Venafi Private Registry]: https://docs.venafi.cloud/vaas/k8s-components/th-guide-confg-access-to-tlspk-enterprise-components/ - -The Helm charts are: - -| Helm Chart | Access | Tier | Access Documentation | -| --------------------------------------------------------------------------- | ------- | ------------------------------------------- | -------------------------------- | -| `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` | Private | Tier 2 of Jetstack Secure | [Jetstack Enterprise Registry][] | -| `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` | Private | Tier 2 of Jetstack Secure | [Jetstack Enterprise Registry][] | -| `oci://quay.io/jetstack/charts/venafi-kubernetes-agent` | Public | Not meant for users, used for mirroring | | -| `oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Private | Not meant for users, used for mirroring | | -| `oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Private | Not meant for users, used for 
mirroring | | -| `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent` | Public | Tier 1 of Venafi TLS Protect for Kubernetes | | -| `oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent` | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][] | -| `oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent` | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][] | - -## Release Process - -> [!NOTE] -> Before starting, let Michael McLoughlin know that a release is about to be created. - -The release process is semi-automated. - -### Step 1: Git Tag and GitHub Release - -> [!NOTE] -> -> Upon pushing the tag, a GitHub Action will do the following: -> - Build and publish the container image at `quay.io/jetstack/venafi-agent`, -> - Build and publish the Helm chart at `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`, -> - Create a draft GitHub release, -> - Upload the Helm chart tarball to the GitHub release. - -1. Open the [tests GitHub Actions workflow][tests-workflow] - and verify that it succeeds on the master branch. -2. Run govulncheck: - ```bash - go install golang.org/x/vuln/cmd/govulncheck@latest - govulncheck -v ./... - ``` -3. Create a tag for the new release: - ```sh - export VERSION=v1.1.0 - git tag --annotate --message="Release ${VERSION}" "${VERSION}" - git push origin "${VERSION}" - ``` -4. Wait until the GitHub Actions finishes. -5. Navigate to the GitHub Releases page and select the draft release to edit. - 1. Click on “Generate release notes” to automatically compile the changelog. - 2. Review and refine the generated notes to ensure they’re clear and useful - for end users. - 3. Remove any irrelevant entries, such as “update deps,” “update CI,” “update - docs,” or similar internal changes that do not impact user functionality. -6. Publish the release. -7. Inform the `#venctl` channel that a new version of Venafi Kubernetes Agent has been - released. 
Make sure to share any breaking change that may affect `venctl connect` - or `venctl generate`. -8. Inform Michael McLoughlin of the new release so he can update the - documentation at . - -[tests-workflow]: https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml?query=branch%3Amaster - -> [!NOTE] -> -> For context, the new tag will create the following images: -> -> | Image | Automation | -> | --------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -> | `quay.io/jetstack/preflight` | No longer built. Use `quay.io/jetstack/venafi-agent` instead. | -> | `quay.io/jetstack/venafi-agent` | Automatically built by GitHub Actions [release-master](.github/workflows/release-master.yml) on Git tags | -> | `registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule [public-img-and-chart-replication.tf][] that runs every 30 minutes, all image tags containing `X.X.X` are replicated, including e.g. `1.0.0-alpha.0` | -> | `private-registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. `1.0.0-alpha.0` | -> | `private-registry.venafi.eu/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. 
`1.0.0-alpha.0` | -> -> and the following OCI Helm charts: -> -> | Helm Chart | Automation | -> | --------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -> | `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` | Manually triggered, GitHub Actions workflow [release_venafi-agent_chart.yaml][] | -> | `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` | Manually triggered, GitHub Actions workflow [release_venafi-agent_chart.yaml][] | -> | `oci://quay.io/jetstack/charts/venafi-kubernetes-agent` | Automatically built by GitHub Actions [release-master](.github/workflows/release-master.yml) on Git tags[] | -> | `oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Automatically built by GitHub Actions [release_enterprise_builds.yaml][] | -> | `oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Automatically built by GitHub Actions [release_enterprise_builds.yaml][] | -> | `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule [public-img-and-chart-replication.tf][] that runs every 30 minutes, all image tags containing `X.X.X` are replicated, including e.g. `v1.0.0-alpha.0` | -> | `oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. `v1.0.0-alpha.0` | -> | `oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. 
`v1.0.0-alpha.0` | -> -> Here is replication flow for OCI Helm charts: -> -> ```text -> v1.1.0 (Git tag in the jetstack-secure repo) -> └── oci://quay.io/jetstack/charts/venafi-kubernetes-agent --version 1.1.0 (GitHub Actions in the jetstack-secure repo) -> ├── oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions) -> └── oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions) -> ├── oci://registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) -> └── oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) -> └── oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) -> ``` -> -> And the replication flow for Docker images: -> -> ```text -> v1.1.0 (Git tag in the jetstack-secure repo) -> └── quay.io/jetstack/venafi-agent:v1.1.0 (GitHub Actions in the jetstack-secure repo) -> ├── us.gcr.io/jetstack-secure-enterprise/venafi-agent:v1.1.0 (Enterprise Builds's GitHub Actions) -> └── eu.gcr.io/jetstack-secure-enterprise/venafi-agent:v1.1.0 (Enterprise Builds's GitHub Actions) -> ├── registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) -> ├── private-registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) -> └── private-registry.venafi.eu/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) -> ``` - -[public-img-and-chart-replication.tf]: https://gitlab.com/venafi/vaas/delivery/harbor/-/blob/3d114f54092eb44a1deb0edc7c4e8a2d4f855aa2/public-registry/module/subsystems/tlspk/replication.tf -[private-img-and-chart-replication.tf]: https://gitlab.com/venafi/vaas/delivery/harbor/-/blob/3d114f54092eb44a1deb0edc7c4e8a2d4f855aa2/private-registry/module/subsystems/tlspk/replication.tf -[release_venafi-agent_chart.yaml]: 
https://github.com/jetstack/enterprise-builds/blob/main/.github/workflows/release_venafi-agent_chart.yaml -[release_enterprise_builds.yaml]: https://github.com/jetstack/enterprise-builds/actions/workflows/release_enterprise_builds.yaml - -### Step 2: Test the Helm chart "venafi-kubernetes-agent" with venctl connect - -NOTE(mael): TBD - -### (Optional) Step 3: Release the Helm Chart "jetstack-secure" - -This step is performed by Peter Fiddes and Adrian Lai separately from the main -release process. - -The `jetstack-secure` chart is for [Jetstack -Secure](https://platform.jetstack.io/documentation/installation/agent#jetstack-agent-helm-chart-installation). -It is composed of two OCI Helm charts: - -- `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` -- `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` - -> [!NOTE] -> -> The [jetstack-agent](deploy/charts/jetstack-agent/README.md) chart has a -> different version number to the agent. This is because the first version of -> _this_ chart was given version `0.1.0`, while the app version at the time was -> `0.1.38`. And this allows the chart to be updated and released more frequently -> than the Docker image if necessary. - -The process is as follows: - -1. Create a branch. -2. Increment version numbers. - 1. Increment the `version` value in [Chart.yaml](deploy/charts/jetstack-agent/Chart.yaml). - DO NOT use a `v` prefix. - The `v` prefix [breaks Helm OCI operations](https://github.com/helm/helm/issues/11107). - 2. Increment the `appVersion` value in [Chart.yaml](deploy/charts/jetstack-agent/Chart.yaml). - Use a `v` prefix, to match the Docker image tag. - 3. Increment the `image.tag` value in [values.yaml](deploy/charts/jetstack-agent/values.yaml). - Use a `v` prefix, to match the Docker image tag. - 4. Update the Helm unit test snapshots: - ```sh - helm unittest ./deploy/charts/jetstack-agent --update-snapshot - ``` -3. Create a pull request and wait for it to be approved. -4. 
Merge the branch -5. Manually trigger the Helm Chart workflow: - [release_js-agent_chart.yaml](https://github.com/jetstack/enterprise-builds/actions/workflows/release_js-agent_chart.yaml). +- Go collector: via the [default registry](https://github.com/prometheus/client_golang/blob/34e02e282dc4a3cb55ca6441b489ec182e654d59/prometheus/registry.go#L60-L63) in Prometheus `client_golang`. +- Process collector: via the [default registry](https://github.com/prometheus/client_golang/blob/34e02e282dc4a3cb55ca6441b489ec182e654d59/prometheus/registry.go#L60-L63) in Prometheus `client_golang`. +- Agent metrics: `data_readings_upload_size`: Data readings upload size (in bytes) sent by the in-cluster agent. diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 00000000..5da2667d --- /dev/null +++ b/RELEASE.md 
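Review bot: the `@@ -29,188 +30,17 @@` hunk removes the whole `## Tiers, Images and Helm Charts` section from README.md, and the new RELEASE.md does not carry the user-facing part of it: the `quay.io/jetstack/preflight` row (the only place stating that image is no longer built), the `oci://eu.gcr.io/...` and `oci://us.gcr.io/.../charts/jetstack-agent` rows, and the `[Jetstack Enterprise Registry][]` and `[Venafi Private Registry][]` access links all disappear, so a reader of the README no longer learns which registry or tier an image or chart comes from. Keep a short image/chart table, or at least a one-line pointer to the Venafi Private Registry access guide, in the README, and record the retirement of `quay.io/jetstack/preflight` in the release notes. The `## Metrics` edits are fine; merging `- Agent metrics:` with the `data_readings_upload_size` bullet fixes the previously dangling list item.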
@@ -0,0 +1,104 @@ +# Release Process + +> [!NOTE] +> Before starting, let Michael McLoughlin know that a release is about to be created so that documentation can be prepared in advance. + +The release process is semi-automated. + +### Step 1: Git Tag and GitHub Release + +> [!NOTE] +> +> Upon pushing the tag, a GitHub Action will do the following: +> - Build and publish the container image at `quay.io/jetstack/venafi-agent`, +> - Build and publish the Helm chart at `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`, +> - Create a draft GitHub release, +> - Upload the Helm chart tarball to the GitHub release. + +1. Open the [tests GitHub Actions workflow][tests-workflow] + and verify that it succeeds on the master branch. + +2. Run govulncheck: + ```bash + go install golang.org/x/vuln/cmd/govulncheck@latest + govulncheck -v ./... + ``` + +3. Create a tag for the new release: + ```sh + export VERSION=v1.1.0 + git tag --annotate --message="Release ${VERSION}" "${VERSION}" + git push origin "${VERSION}" + ``` + +4. Wait until the GitHub Actions finishes. + +5. Navigate to the GitHub Releases page and select the draft release to edit. + 1. Click on “Generate release notes” to automatically compile the changelog. + 2. Review and refine the generated notes to ensure they’re clear and useful + for end users. + 3. Remove any irrelevant entries, such as “update deps,” “update CI,” “update + docs,” or similar internal changes that do not impact user functionality. + +6. Publish the release. + +7. Inform the `#venctl` channel that a new version of Venafi Kubernetes Agent has been + released. Make sure to share any breaking change that may affect `venctl connect` + or `venctl generate`. + +8. Inform Michael McLoughlin of the new release so he can update the + documentation at . 
+ +[tests-workflow]: https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml?query=branch%3Amaster + +## Release Artifact Information + +For context, the new tag will create the following images: + +| Image | Automation | +| --------------------------------------------------------- | -------------------------------------------------------------------------------------------- | +| `quay.io/jetstack/venafi-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | +| `registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule | +| `private-registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule | +| `private-registry.venafi.eu/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule | + +and the following OCI Helm charts: + +| Helm Chart | Automation | +| -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | +| `oci://quay.io/jetstack/charts/venafi-kubernetes-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | +| `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule | +| `oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule | +| `oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule | + +Here is replication flow for OCI Helm charts: + +```text +v1.1.0 (Git tag in the jetstack-secure repo) + └── oci://quay.io/jetstack/charts/venafi-kubernetes-agent --version 1.1.0 (GitHub Actions in the jetstack-secure repo) + ├── oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions) + └── 
oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions) + ├── oci://registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) + └── oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) + └── oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) +``` + +And the replication flow for Docker images: + +```text +v1.1.0 (Git tag in the jetstack-secure repo) + └── quay.io/jetstack/venafi-agent:v1.1.0 (GitHub Actions in the jetstack-secure repo) + ├── us.gcr.io/jetstack-secure-enterprise/venafi-agent:v1.1.0 (Enterprise Builds's GitHub Actions) + └── eu.gcr.io/jetstack-secure-enterprise/venafi-agent:v1.1.0 (Enterprise Builds's GitHub Actions) + ├── registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) + ├── private-registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) + └── private-registry.venafi.eu/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) +``` + +[public-img-and-chart-replication.tf]: https://gitlab.com/venafi/vaas/delivery/harbor/-/blob/3d114f54092eb44a1deb0edc7c4e8a2d4f855aa2/public-registry/module/subsystems/tlspk/replication.tf +[private-img-and-chart-replication.tf]: https://gitlab.com/venafi/vaas/delivery/harbor/-/blob/3d114f54092eb44a1deb0edc7c4e8a2d4f855aa2/private-registry/module/subsystems/tlspk/replication.tf +[release_enterprise_builds.yaml]: https://github.com/jetstack/enterprise-builds/actions/workflows/release_enterprise_builds.yaml + +### Step 2: Test the Helm chart "venafi-kubernetes-agent" with venctl connect + +NOTE(mael): TBD diff --git a/deploy/charts/jetstack-agent/.helmignore b/deploy/charts/jetstack-agent/.helmignore deleted file mode 100644 index 2b29f276..00000000 --- a/deploy/charts/jetstack-agent/.helmignore +++ /dev/null @@ -1 +0,0 @@ -tests 
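Review bot: in the new RELEASE.md, step 8 reads `documentation at .` with no URL, so the link target was lost when the text moved out of README.md; restore it before merging. The three reference definitions at the bottom (`[public-img-and-chart-replication.tf]`, `[private-img-and-chart-replication.tf]`, `[release_enterprise_builds.yaml]`) are no longer used anywhere in the file, because the `Automation` cells now say only `Automatically mirrored by Harbor Replication rule`; either put the links back into the cells (the removed README rows also stated the 30-minute and 10-minute replication intervals and the `X.X.X` tag filter, which is useful operational detail) or drop the definitions. The two tables also omit the `us.gcr.io` and `eu.gcr.io` `jetstack-secure-enterprise` intermediates that the replication diagrams directly below still show, and the image table now links `.github/workflows/release.yml` where the removed README linked `.github/workflows/release-master.yml`; confirm the workflow was actually renamed. Finally, the heading levels are inconsistent (`# Release Process` jumps straight to `### Step 1`, and `### Step 2` now sits under `## Release Artifact Information` rather than under the process), and step 2 is committed as `NOTE(mael): TBD`; fill it in or leave it out until it exists.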
diff --git a/deploy/charts/jetstack-agent/Chart.yaml b/deploy/charts/jetstack-agent/Chart.yaml deleted file mode 100644 index 31eb3780..00000000 --- a/deploy/charts/jetstack-agent/Chart.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v2 -name: jetstack-agent -description: TLS Protect for Kubernetes Agent -type: application -version: 0.4.0 -appVersion: "v0.1.43" -home: https://github.com/jetstack/jetstack-secure -maintainers: -- name: JSCP and CRE Team - email: tls-protect-for-kubernetes@jetstack.io - url: https://platform.jetstack.io/documentation -sources: -- https://github.com/jetstack/jetstack-secure diff --git a/deploy/charts/jetstack-agent/README.md b/deploy/charts/jetstack-agent/README.md deleted file mode 100644 index e5f2f6a8..00000000 --- a/deploy/charts/jetstack-agent/README.md +++ /dev/null 
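Review bot: deleting `deploy/charts/jetstack-agent/Chart.yaml` (chart `0.4.0`, appVersion `v0.1.43`) removes the source of the `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` and `us.gcr.io` charts that the removed README `Step 3` described as published by the manually triggered `release_js-agent_chart.yaml` workflow in `jetstack/enterprise-builds`; that workflow will have nothing to build from this path, and Jetstack Secure Tier 2 users lose the install route the chart README documented. Confirm the enterprise-builds workflow is retired in the same change, and call the removal out as a breaking change in the release notes and the `#venctl` announcement, since RELEASE.md step 7 only asks for breaking changes that affect `venctl connect` or `venctl generate`.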
@@ -1,180 +0,0 @@ -# jetstack-agent - -TLS Protect for Kubernetes Agent - -![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.43](https://img.shields.io/badge/AppVersion-v0.1.43-informational?style=flat-square) - -## Additional Information - -The Jetstack Secure agent helm chart installs the Kubernetes agent that connects to the TLS Protect For Kubernetes (TLSPK) platform. -It will require a valid TLS Protect for Kubernetes organisation with a license to add the new cluster. -You can sign up for a free account with up to two clusters [here](https://platform.jetstack.io/). -You should also choose a unique name for your cluster that it will appear under in the TLSPK platform. - -## Installation: - -Using chart installation, there are two credentials required. - -- A credential to allow helm to pull the chart from our private OCI registry. -- An agent credential used by the agent to authenticate to TLSPK. - -### 1) Obtain OCI registry credentials - -The helm chart is an OCI chart artifact hosted on both EU and US registries: - -- `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` -- `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` - -More detailed instructions on how to access our registry are available in [this guide](https://platform.jetstack.io/documentation/installation/enterprise-registry). 
- -For chart installation, run the following to set a registry configuration -file, so `helm` can authenticate to our private OCI registry: - -```shell -export TLSPK_DOCKER_CONFIG_PATH="$(pwd)" -export TLSPK_DOCKER_CONFIG_FILE="${TLSPK_DOCKER_CONFIG_PATH}/config.json" -jsctl registry auth output --format=dockerconfig > "${TLSPK_DOCKER_CONFIG_FILE}" -``` - -To validate you registry credentials are working with `helm`, we can use it to -show us the full list of values available to configure the chart: - -```shell -export TLSPK_REGISTRY="eu.gcr.io/jetstack-secure-enterprise" -helm show values oci://${TLSPK_REGISTRY}/charts/jetstack-agent --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" -``` - -**Note**: Feel free to alter the registry to the US equivalent if that is closer -to you, for example: `export TLSPK_REGISTRY="us.gcr.io/jetstack-secure-enterprise"` - -### 2) Obtaining TLSPK agent credentials: - -Set the following environments variables for ease of installation: - -```shell -export TLSPK_ORG="" -export TLSPK_CLUSTER_NAME="" -``` - -Obtain your service account credential, this can be done through the UI or [jsctl](https://github.com/jetstack/jsctl/releases) - -For example with `jsctl`: - -```shell -jsctl auth login -jsctl set organization ${TLSPK_ORG} -jsctl auth clusters create-service-account ${TLSPK_CLUSTER_NAME} | tee credentials.json -``` - -Store this carefully as we will need it to create a Kubernetes secret in the -installation cluster. 
- -### 3) Deploying the chart: - -Once credentials are obtained, there are two ways to install the chart: - -#### Option 1 (Recommended): Create secret manually - -Use the credential obtained in the previous step to create the secret in cluster: - -```shell -kubectl create secret generic agent-credentials --namespace jetstack-secure --from-file=credentials.json -``` - -Install the chart with the basic configuration: - -```shell -helm upgrade --install --create-namespace -n jetstack-secure jetstack-agent \ - oci://${TLSPK_REGISTRY}/charts/jetstack-agent \ - --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" \ - --set config.organisation="${TLSPK_ORG}" \ - --set config.cluster="${TLSPK_CLUSTER_NAME}" -``` - -#### Option 2 (Not Recommended): Create secret with helm chart install - -Set this environment variable to contain the encoded agent credential: - -```shell -export HELM_SECRET="$(cat credentials.json | base64 -w0)" -``` - -Installing the chart with additional configuration options for the agents -credential, read from the environment variable just set: - -```shell -helm upgrade --install --create-namespace -n jetstack-secure jetstack-agent \ - oci://${TLSPK_REGISTRY}/charts/jetstack-agent \ - --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" \ - --set config.organisation="${TLSPK_ORG}" \ - --set config.cluster="${TLSPK_CLUSTER_NAME}" \ - --set authentication.createSecret=true \ - --set authentication.secretValue="${HELM_SECRET}" -``` - -### 4) Deployment Verification - -Check the agent logs to ensure you see a similar entry to the following: - -```console -2023/04/19 14:11:41 Running Agent... -2023/04/19 14:11:41 Posting data to: https://platform.jetstack.io -2023/04/19 14:11:42 Data sent successfully. 
-``` - -You can do this with the following command: - -```shell -kubectl logs -n jetstack-secure $(kubectl get pod -n jetstack-secure -l app.kubernetes.io/instance=agent -o jsonpath='{.items[0].metadata.name}') -``` - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | | -| authentication | object | `{"createSecret":false,"secretKey":"credentials.json","secretName":"agent-credentials","secretValue":"","type":"file"}` | Authentication section for the agent | -| authentication.createSecret | bool | `false` | Reccomend that you do not use this and instead creat the credential secret outside of helm | -| authentication.secretKey | string | `"credentials.json"` | Key name in secret | -| authentication.secretName | string | `"agent-credentials"` | Name of the secret containing agent credentials.json | -| authentication.secretValue | string | `""` | Base64 encoded value from Jetstack Secure Dashboard - only required when createSecret is true | -| authentication.type | string | `"file"` | Type can be "file"/"token" determining how the agent should authenticate the to the backend | -| command | list | `[]` | Override the jetstack-agent entrypoint with specified command. 
| -| config | object | `{"cluster":"","dataGatherers":{"custom":[],"default":true},"organisation":"","override":{"config":null,"configmap":{"key":null,"name":null},"enabled":false},"period":"0h1m0s","server":"https://platform.jetstack.io"}` | Configuration section for the Jetstack Agent itself | -| config.cluster | string | `""` | REQUIRED - Your Jetstack Secure Cluster Name | -| config.dataGatherers | object | `{"custom":[],"default":true}` | Configure data that is gathered from your cluster, for full details see https://platform.jetstack.io/documentation/configuration/jetstack-agent/configuration | -| config.dataGatherers.custom | list | `[]` | A list of data gatherers to limit agent scope | -| config.dataGatherers.default | bool | `true` | Use the standard full set of data gatherers | -| config.organisation | string | `""` | REQUIRED - Your Jetstack Secure Organisation Name | -| config.override | object | `{"config":null,"configmap":{"key":null,"name":null},"enabled":false}` | Provide an Override to allow completely custom agent configuration | -| config.override.config | string | `nil` | Embed the agent configuration here in the chart values | -| config.override.configmap | object | `{"key":null,"name":null}` | Sepcify ConfigMap details to load config from existing ConfigMap | -| config.override.enabled | bool | `false` | Override disabled by default | -| config.period | string | `"0h1m0s"` | Send data back to the platform every minute unless changed | -| config.server | string | `"https://platform.jetstack.io"` | Overrides the server if using a proxy between agent and Jetstack Secure | -| extraArgs | list | `[]` | Add additional arguments to the default `agent` command. 
| -| fullnameOverride | string | `""` | Helm default setting, use this to shorten install name | -| image.pullPolicy | string | `"IfNotPresent"` | Defaults to only pull if not already present | -| image.repository | string | `"quay.io/jetstack/preflight"` | Default to Open Source image repository | -| image.tag | string | `"v0.1.43"` | Overrides the image tag whose default is the chart appVersion | -| imagePullSecrets | list | `[]` | Specify image pull credentials if using a prviate registry | -| nameOverride | string | `""` | Helm default setting to override release name, leave blank | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | default replicas, do not scale up | -| resources.limits.cpu | string | `"500m"` | | -| resources.limits.memory | string | `"500Mi"` | | -| resources.requests.cpu | string | `"200m"` | | -| resources.requests.memory | string | `"200Mi"` | | -| securityContext.capabilities.drop[0] | string | `"ALL"` | | -| securityContext.readOnlyRootFilesystem | bool | `true` | | -| securityContext.runAsNonRoot | bool | `true` | | -| securityContext.runAsUser | int | `1000` | | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created @default true | -| serviceAccount.name | string | `""` | | -| tolerations | list | `[]` | | -| volumeMounts | list | `[]` | Additional volume mounts to add to the jetstack-agent container. | -| volumes | list | `[]` | Additional volumes to add to the jetstack-agent pod. | - diff --git a/deploy/charts/jetstack-agent/README.md.gotmpl b/deploy/charts/jetstack-agent/README.md.gotmpl deleted file mode 100644 index c3366e52..00000000 --- a/deploy/charts/jetstack-agent/README.md.gotmpl +++ /dev/null 
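Review bot: the deleted `deploy/charts/jetstack-agent/README.md` is the only place in the repository that told users to create the `agent-credentials` secret outside Helm (`Option 1 (Recommended)`) rather than pass the base64 credential through `--set authentication.secretValue=...` (`Option 2 (Not Recommended)`, echoed by the values-table warning on `authentication.createSecret`); if the venafi-kubernetes-agent chart exposes an equivalent option, make sure the docs.venafi.cloud pages the new README links to carry the same recommendation, otherwise that guidance is simply lost. The values table also recorded the pod hardening defaults (`securityContext.runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `capabilities.drop[0]: ALL`, `runAsUser: 1000`) and `replicaCount: 1` with "do not scale up"; check that the replacement chart ships the same settings before this reference disappears.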
@@ -1,134 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.description" . }} - -{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} - -## Additional Information - -The Jetstack Secure agent helm chart installs the Kubernetes agent that connects to the TLS Protect For Kubernetes (TLSPK) platform. -It will require a valid TLS Protect for Kubernetes organisation with a license to add the new cluster. -You can sign up for a free account with up to two clusters [here](https://platform.jetstack.io/). -You should also choose a unique name for your cluster that it will appear under in the TLSPK platform. - -## Installation: - -Using chart installation, there are two credentials required. - -- A credential to allow helm to pull the chart from our private OCI registry. -- An agent credential used by the agent to authenticate to TLSPK. - -### 1) Obtain OCI registry credentials - -The helm chart is an OCI chart artifact hosted on both EU and US registries: - -- `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` -- `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` - -More detailed instructions on how to access our registry are available in [this guide](https://platform.jetstack.io/documentation/installation/enterprise-registry). 
- -For chart installation, run the following to set a registry configuration -file, so `helm` can authenticate to our private OCI registry: - -```shell -export TLSPK_DOCKER_CONFIG_PATH="$(pwd)" -export TLSPK_DOCKER_CONFIG_FILE="${TLSPK_DOCKER_CONFIG_PATH}/config.json" -jsctl registry auth output --format=dockerconfig > "${TLSPK_DOCKER_CONFIG_FILE}" -``` - -To validate you registry credentials are working with `helm`, we can use it to -show us the full list of values available to configure the chart: - -```shell -export TLSPK_REGISTRY="eu.gcr.io/jetstack-secure-enterprise" -helm show values oci://${TLSPK_REGISTRY}/charts/jetstack-agent --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" -``` - -**Note**: Feel free to alter the registry to the US equivalent if that is closer -to you, for example: `export TLSPK_REGISTRY="us.gcr.io/jetstack-secure-enterprise"` - -### 2) Obtaining TLSPK agent credentials: - -Set the following environments variables for ease of installation: - -```shell -export TLSPK_ORG="" -export TLSPK_CLUSTER_NAME="" -``` - -Obtain your service account credential, this can be done through the UI or [jsctl](https://github.com/jetstack/jsctl/releases) - -For example with `jsctl`: - -```shell -jsctl auth login -jsctl set organization ${TLSPK_ORG} -jsctl auth clusters create-service-account ${TLSPK_CLUSTER_NAME} | tee credentials.json -``` - -Store this carefully as we will need it to create a Kubernetes secret in the -installation cluster. 
- -### 3) Deploying the chart: - -Once credentials are obtained, there are two ways to install the chart: - -#### Option 1 (Recommended): Create secret manually - -Use the credential obtained in the previous step to create the secret in cluster: - -```shell -kubectl create secret generic agent-credentials --namespace jetstack-secure --from-file=credentials.json -``` - -Install the chart with the basic configuration: - -```shell -helm upgrade --install --create-namespace -n jetstack-secure jetstack-agent \ - oci://${TLSPK_REGISTRY}/charts/jetstack-agent \ - --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" \ - --set config.organisation="${TLSPK_ORG}" \ - --set config.cluster="${TLSPK_CLUSTER_NAME}" -``` - -#### Option 2 (Not Recommended): Create secret with helm chart install - -Set this environment variable to contain the encoded agent credential: - -```shell -export HELM_SECRET="$(cat credentials.json | base64 -w0)" -``` - -Installing the chart with additional configuration options for the agents -credential, read from the environment variable just set: - -```shell -helm upgrade --install --create-namespace -n jetstack-secure jetstack-agent \ - oci://${TLSPK_REGISTRY}/charts/jetstack-agent \ - --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" \ - --set config.organisation="${TLSPK_ORG}" \ - --set config.cluster="${TLSPK_CLUSTER_NAME}" \ - --set authentication.createSecret=true \ - --set authentication.secretValue="${HELM_SECRET}" -``` - -### 4) Deployment Verification - -Check the agent logs to ensure you see a similar entry to the following: - -```console -2023/04/19 14:11:41 Running Agent... -2023/04/19 14:11:41 Posting data to: https://platform.jetstack.io -2023/04/19 14:11:42 Data sent successfully. -``` - -You can do this with the following command: - -```shell -kubectl logs -n jetstack-secure $(kubectl get pod -n jetstack-secure -l app.kubernetes.io/instance=agent -o jsonpath='{.items[0].metadata.name}') -``` - -{{ template "chart.requirementsSection" . 
}} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/deploy/charts/jetstack-agent/templates/NOTES.txt b/deploy/charts/jetstack-agent/templates/NOTES.txt deleted file mode 100644 index 6d5d5ee6..00000000 --- a/deploy/charts/jetstack-agent/templates/NOTES.txt +++ /dev/null @@ -1,8 +0,0 @@ -1. Please make sure you have the credentials secret: "{{ .Values.authentication.secretName }}" available -> kubectl get secret -n {{ .Release.Namespace }} {{ .Values.authentication.secretName }} - -2. Check the application is running with the following: -> kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} - -3. Check the application logs for successful connection to the platform: -> kubectl logs -n {{ .Release.Namespace }} $(kubectl get pod -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} -o jsonpath='{.items[0].metadata.name}') diff --git a/deploy/charts/jetstack-agent/templates/_helpers.tpl b/deploy/charts/jetstack-agent/templates/_helpers.tpl deleted file mode 100644 index 6a68a905..00000000 --- a/deploy/charts/jetstack-agent/templates/_helpers.tpl +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "jetstack-agent.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "jetstack-agent.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "jetstack-agent.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "jetstack-agent.labels" -}} -helm.sh/chart: {{ include "jetstack-agent.chart" . }} -{{ include "jetstack-agent.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "jetstack-agent.selectorLabels" -}} -app.kubernetes.io/name: {{ include "jetstack-agent.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "jetstack-agent.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "jetstack-agent.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} 
diff --git a/deploy/charts/jetstack-agent/templates/configmap.yaml b/deploy/charts/jetstack-agent/templates/configmap.yaml deleted file mode 100644 index 78fa3cc2..00000000 --- a/deploy/charts/jetstack-agent/templates/configmap.yaml +++ /dev/null 
@@ -1,215 +0,0 @@ -{{ if not (and .Values.config.override.enabled .Values.config.override.configmap.name) }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: agent-config - namespace: {{ .Release.Namespace }} - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -data: -{{- if .Values.config.override.config }} - config.yaml: |- - {{- toYaml .Values.config.override.config | nindent 4 }} -{{- else }} - config.yaml: |- - server: {{ .Values.config.server | quote }} - organization_id: {{ required "Organisation is a required input value" .Values.config.organisation }} - cluster_id: {{ required "Cluster is a required input value" .Values.config.cluster }} - data-gatherers: - # gather k8s apiserver version information - - kind: "k8s-discovery" - name: "k8s-discovery" - # pods data is used in the pods and application_versions packages - - kind: "k8s-dynamic" - name: "k8s/pods" - config: - resource-type: - resource: pods - version: v1 - # gather services for pod readiness probe rules - - kind: "k8s-dynamic" - name: "k8s/services" - config: - resource-type: - resource: services - version: v1 - # gather higher level resources to ensure data to determine ownership is present - - kind: "k8s-dynamic" - name: "k8s/deployments" - config: - resource-type: - version: v1 - resource: deployments - group: apps - - kind: "k8s-dynamic" - name: "k8s/replicasets" - config: - resource-type: - version: v1 - resource: replicasets - group: apps - - kind: "k8s-dynamic" - name: "k8s/statefulsets" - config: - resource-type: - version: v1 - resource: statefulsets - group: apps - - kind: "k8s-dynamic" - name: "k8s/daemonsets" - config: - resource-type: - version: v1 - resource: daemonsets - group: apps - - kind: "k8s-dynamic" - name: "k8s/jobs" - config: - resource-type: - version: v1 - resource: jobs - group: batch - - kind: "k8s-dynamic" - name: "k8s/cronjobs" - config: - resource-type: - version: v1 - resource: cronjobs - group: batch - - kind: "k8s-dynamic" - name: 
"k8s/ingresses" - config: - resource-type: - group: networking.k8s.io - version: v1 - resource: ingresses -{{- if or .Values.config.dataGatherers.default (has "secret" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/secrets" - config: - resource-type: - version: v1 - resource: secrets -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "cert-manager" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/certificates" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: certificates - - kind: "k8s-dynamic" - name: "k8s/certificaterequests" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: certificaterequests - - kind: "k8s-dynamic" - name: "k8s/issuers" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: issuers - - kind: "k8s-dynamic" - name: "k8s/clusterissuers" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: clusterissuers -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "googlecas" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/googlecasissuers" - config: - resource-type: - group: cas-issuer.jetstack.io - version: v1beta1 - resource: googlecasissuers - - kind: "k8s-dynamic" - name: "k8s/googlecasclusterissuers" - config: - resource-type: - group: cas-issuer.jetstack.io - version: v1beta1 - resource: googlecasclusterissuers -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "awspca" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/awspcaissuer" - config: - resource-type: - group: awspca.cert-manager.io - version: v1beta1 - resource: awspcaissuers - - kind: "k8s-dynamic" - name: "k8s/awspcaclusterissuers" - config: - resource-type: - group: awspca.cert-manager.io - version: v1beta1 - resource: awspcaclusterissuers -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "webhook" 
.Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/mutatingwebhookconfigurations" - config: - resource-type: - group: admissionregistration.k8s.io - version: v1 - resource: mutatingwebhookconfigurations - - kind: "k8s-dynamic" - name: "k8s/validatingwebhookconfigurations" - config: - resource-type: - group: admissionregistration.k8s.io - version: v1 - resource: validatingwebhookconfigurations -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "istio" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/gateways" - config: - resource-type: - group: networking.istio.io - version: v1alpha3 - resource: gateways - - kind: "k8s-dynamic" - name: "k8s/virtualservices" - config: - resource-type: - group: networking.istio.io - version: v1alpha3 - resource: virtualservices -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "openshift" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/routes" - config: - resource-type: - version: v1 - group: route.openshift.io - resource: routes -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "venafienhancedissuer" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/venaficlusterissuers" - config: - resource-type: - group: jetstack.io - version: v1alpha1 - resource: venaficlusterissuers - - kind: "k8s-dynamic" - name: "k8s/venafiissuers" - config: - resource-type: - group: jetstack.io - version: v1alpha1 - resource: venafiissuers -{{- end }} -{{- end }} -{{- end }} diff --git a/deploy/charts/jetstack-agent/templates/deployment.yaml b/deploy/charts/jetstack-agent/templates/deployment.yaml deleted file mode 100644 index 64b0be22..00000000 --- a/deploy/charts/jetstack-agent/templates/deployment.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "jetstack-agent.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - {{- include "jetstack-agent.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "jetstack-agent.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "jetstack-agent.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if eq .Values.authentication.type "token" }} - env: - - name: API_TOKEN - valueFrom: - secretKeyRef: - name: {{ default "agent-credentials" .Values.authentication.secretName }} - key: {{ default "apitoken" .Values.authentication.secretKey }} - {{- end }} - {{- if not (empty .Values.command) }} - command: - {{- range .Values.command }} - - {{ . | quote }} - {{- end }} - {{- end }} - args: - - "agent" - - "-c" - {{- if .Values.config.override.enabled }} - - "/etc/jetstack-secure/agent/config/{{ default "config.yaml" .Values.config.override.configmap.key }}" - {{- else }} - - "/etc/jetstack-secure/agent/config/config.yaml" - {{- end }} - {{- if eq .Values.authentication.type "file" }} - - "-k" - - "/etc/jetstack-secure/agent/credentials/{{ default "credentials.json" .Values.authentication.secretKey}}" - {{- end }} - - "-p" - - "0h1m0s" - {{- range .Values.extraArgs }} - - {{ . 
| quote }} - {{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - name: config - mountPath: "/etc/jetstack-secure/agent/config" - readOnly: true - {{- if eq .Values.authentication.type "file" }} - - name: credentials - mountPath: "/etc/jetstack-secure/agent/credentials" - readOnly: true - {{- end }} - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - {{- if .Values.config.override.enabled }} - - name: config - configMap: - name: {{ default "agent-config" .Values.config.override.configmap.name }} - optional: false - {{- else }} - - name: config - configMap: - name: agent-config - optional: false - {{- end }} - - name: credentials - secret: - secretName: {{ default "agent-credentials" .Values.authentication.secretName }} - optional: false - {{- with .Values.volumes }} - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/deploy/charts/jetstack-agent/templates/rbac.yaml b/deploy/charts/jetstack-agent/templates/rbac.yaml deleted file mode 100644 index 3cb3c2f9..00000000 --- a/deploy/charts/jetstack-agent/templates/rbac.yaml +++ /dev/null 
@@ -1,278 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-cluster-viewer - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: view -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if or .Values.config.dataGatherers.default (has "node" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-node-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-node-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-node-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "secret" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-secret-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-secret-reader - labels: - {{- include "jetstack-agent.labels" . 
| nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-secret-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "cert-manager" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-cert-manager-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["cert-manager.io"] - resources: - - certificates - - certificaterequests - - issuers - - clusterissuers - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-cert-manager-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-cert-manager-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "googlecas" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-googlecas-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["cas-issuer.jetstack.io"] - resources: - - googlecasissuers - - googlecasclusterissuers - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-googlecas-reader - labels: - {{- include "jetstack-agent.labels" . 
| nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-googlecas-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "awspca" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-awspca-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["awspca.cert-manager.io"] - resources: - - awspcaissuers - - awspcaclusterissuers - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-awspca-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-awspca-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "webhook" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-webhook-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: - - validatingwebhookconfigurations - - mutatingwebhookconfigurations - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-webhook-reader - labels: - {{- include "jetstack-agent.labels" . 
| nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-webhook-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "openshift" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-openshift-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["*.openshift.io"] - resources: - - routes - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-openshift-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-openshift-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "istio" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-istio-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["networking.istio.io"] - resources: - - virtualservices - - gateways - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-istio-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . 
}}-istio-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "venafienhancedissuer" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-venafi-enhanced-reader -rules: - - apiGroups: ["jetstack.io"] - resources: - - venafiissuers - - venaficlusterissuers - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-venafi-enhanced-reader -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-venafi-enhanced-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/deploy/charts/jetstack-agent/templates/secret.yaml b/deploy/charts/jetstack-agent/templates/secret.yaml deleted file mode 100644 index 0ac6e286..00000000 --- a/deploy/charts/jetstack-agent/templates/secret.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.authentication.createSecret -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.authentication.secretName}} - namespace: {{ .Release.Namespace }} - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -type: Opaque -data: - {{ default "credentials.json" .Values.authentication.secretKey}}: {{ .Values.authentication.secretValue }} -{{- end -}} diff --git a/deploy/charts/jetstack-agent/templates/serviceaccount.yaml b/deploy/charts/jetstack-agent/templates/serviceaccount.yaml deleted file mode 100644 index 9f9e5d67..00000000 --- a/deploy/charts/jetstack-agent/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/deploy/charts/jetstack-agent/tests/__snapshot__/configuration_test.yaml.snap b/deploy/charts/jetstack-agent/tests/__snapshot__/configuration_test.yaml.snap deleted file mode 100644 index b6f0d01f..00000000 --- a/deploy/charts/jetstack-agent/tests/__snapshot__/configuration_test.yaml.snap +++ /dev/null 
@@ -1,197 +0,0 @@ -render correctly when only required config is given: - 1: | - apiVersion: v1 - data: - config.yaml: |- - server: "https://platform.jetstack.io" - organization_id: test_org - cluster_id: test_cluster - data-gatherers: - # gather k8s apiserver version information - - kind: "k8s-discovery" - name: "k8s-discovery" - # pods data is used in the pods and application_versions packages - - kind: "k8s-dynamic" - name: "k8s/pods" - config: - resource-type: - resource: pods - version: v1 - # gather services for pod readiness probe rules - - kind: "k8s-dynamic" - name: "k8s/services" - config: - resource-type: - resource: services - version: v1 - # gather higher level resources to ensure data to determine ownership is present - - kind: "k8s-dynamic" - name: "k8s/deployments" - config: - resource-type: - version: v1 - resource: deployments - group: apps - - kind: "k8s-dynamic" - name: "k8s/replicasets" - config: - resource-type: - version: v1 - resource: replicasets - group: apps - - kind: "k8s-dynamic" - name: "k8s/statefulsets" - config: - resource-type: - version: v1 - resource: statefulsets - group: apps - - kind: "k8s-dynamic" - name: "k8s/daemonsets" - config: - resource-type: - version: v1 - resource: daemonsets - group: apps - - kind: "k8s-dynamic" - name: "k8s/jobs" - config: - resource-type: - version: v1 - resource: jobs - group: batch - - kind: "k8s-dynamic" - name: "k8s/cronjobs" - config: - resource-type: - version: v1 - resource: cronjobs - group: batch - - kind: "k8s-dynamic" - name: "k8s/ingresses" - config: - resource-type: - group: networking.k8s.io - version: v1 - resource: ingresses - - kind: "k8s-dynamic" - name: "k8s/secrets" - config: - resource-type: - version: v1 - resource: secrets - - kind: "k8s-dynamic" - name: "k8s/certificates" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: certificates - - kind: "k8s-dynamic" - name: "k8s/certificaterequests" - config: - resource-type: - group: cert-manager.io - 
version: v1 - resource: certificaterequests - - kind: "k8s-dynamic" - name: "k8s/issuers" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: issuers - - kind: "k8s-dynamic" - name: "k8s/clusterissuers" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: clusterissuers - - kind: "k8s-dynamic" - name: "k8s/googlecasissuers" - config: - resource-type: - group: cas-issuer.jetstack.io - version: v1beta1 - resource: googlecasissuers - - kind: "k8s-dynamic" - name: "k8s/googlecasclusterissuers" - config: - resource-type: - group: cas-issuer.jetstack.io - version: v1beta1 - resource: googlecasclusterissuers - - kind: "k8s-dynamic" - name: "k8s/awspcaissuer" - config: - resource-type: - group: awspca.cert-manager.io - version: v1beta1 - resource: awspcaissuers - - kind: "k8s-dynamic" - name: "k8s/awspcaclusterissuers" - config: - resource-type: - group: awspca.cert-manager.io - version: v1beta1 - resource: awspcaclusterissuers - - kind: "k8s-dynamic" - name: "k8s/mutatingwebhookconfigurations" - config: - resource-type: - group: admissionregistration.k8s.io - version: v1 - resource: mutatingwebhookconfigurations - - kind: "k8s-dynamic" - name: "k8s/validatingwebhookconfigurations" - config: - resource-type: - group: admissionregistration.k8s.io - version: v1 - resource: validatingwebhookconfigurations - - kind: "k8s-dynamic" - name: "k8s/gateways" - config: - resource-type: - group: networking.istio.io - version: v1alpha3 - resource: gateways - - kind: "k8s-dynamic" - name: "k8s/virtualservices" - config: - resource-type: - group: networking.istio.io - version: v1alpha3 - resource: virtualservices - - kind: "k8s-dynamic" - name: "k8s/routes" - config: - resource-type: - version: v1 - group: route.openshift.io - resource: routes - - kind: "k8s-dynamic" - name: "k8s/venaficlusterissuers" - config: - resource-type: - group: jetstack.io - version: v1alpha1 - resource: venaficlusterissuers - - kind: "k8s-dynamic" - name: 
"k8s/venafiissuers" - config: - resource-type: - group: jetstack.io - version: v1alpha1 - resource: venafiissuers - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: jetstack-agent - app.kubernetes.io/version: v0.1.43 - helm.sh/chart: jetstack-agent-0.4.0 - name: agent-config - namespace: NAMESPACE diff --git a/deploy/charts/jetstack-agent/tests/configuration_test.yaml b/deploy/charts/jetstack-agent/tests/configuration_test.yaml deleted file mode 100644 index a1e4a0f9..00000000 --- a/deploy/charts/jetstack-agent/tests/configuration_test.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -suite: test configuration overrides -templates: - - templates/configmap.yaml - -tests: - - it: should not generate a configmap when name and override given - set: - config.override.enabled: true - config.override.configmap.name: custom-agent-config - template: configmap.yaml - asserts: - # No congifmap is produced - - hasDocuments: - count: 0 - - - it: embedded config is only config in configmap - set: - config.override.enabled: true - values: - - values/custom-config.yaml - template: configmap.yaml - asserts: - # ConfigMap is generated - - containsDocument: - kind: ConfigMap - apiVersion: v1 - name: agent-config - documentIndex: 0 - # Assert ths content matches the input - # This was tricky due to the |- and the alphabetical ordering - - equal: - path: data - value: - config.yaml: |- - cluster_id: test_cluster - data-gatherers: - - kind: k8s-discovery - name: k8s-discovery - organization_id: test_org - server: https://platform.jetstack.io - - # This checks the configmap is rendered properly when required config is given - - it: render correctly when only required config is given - set: - config.organisation: test_org - config.cluster: test_cluster - template: configmap.yaml - asserts: - - hasDocuments: - count: 1 - - isKind: - of: ConfigMap - - isAPIVersion: - of: v1 - - matchSnapshot: {} - - \ No newline at end of file diff --git a/deploy/charts/jetstack-agent/tests/deployment_test.yaml b/deploy/charts/jetstack-agent/tests/deployment_test.yaml deleted file mode 100644 index 72ed79ea..00000000 --- a/deploy/charts/jetstack-agent/tests/deployment_test.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -suite: test deployment -templates: - - deployment.yaml - -tests: - # Basic checks on deployment - - it: templates as expected - set: - image.tag: latest - config.organisation: test_org - config.cluster: test_cluster - template: deployment.yaml - asserts: - - isKind: - of: Deployment - # Validate name matches - - matchRegex: - path: metadata.name - pattern: ^jetstack-agent-* - # Check is latest is set as tag that it uses that tag - - equal: - path: spec.template.spec.containers[0].image - value: quay.io/jetstack/preflight:latest - - # Check naming works with nameOverride - - it: Deployment name is set when nameOverride is used - set: - config.organisation: test_org - config.cluster: test_cluster - nameOverride: example - template: deployment.yaml - asserts: - - isKind: - of: Deployment - - matchRegex: - path: metadata.name - pattern: ^example-RELEASE-NAME$ - # see example output as why this has to be like this. It's more subtle than - # the fullnameOverride: - # Actual: - # agent-RELEASE-NAME - # Diff: - # --- Expected - # +++ Actual - # 
@@ -1,2 +1,2 @@ - # -agent-* - # +agent-RELEASE-NAME - - # Check similar with fullnameOverride - - it: Deployment name is set when fullnameOverride is used - set: - config.organisation: test_org - config.cluster: test_cluster - fullnameOverride: example - template: deployment.yaml - asserts: - - isKind: - of: Deployment - - equal: - path: metadata.name - value: example - - # Checking extraArgs are passed - - it: Extra Args passed in a valid format when supplied - set: - config.organisation: test_org - config.cluster: test_cluster - extraArgs: ["--strict", "--one-shot"] - template: deployment.yaml - asserts: - - isKind: - of: Deployment - - contains: - path: spec.template.spec.containers[0].args - content: --strict - - contains: - path: spec.template.spec.containers[0].args - content: --one-shot - - # Check command is present when configured - - it: Command passes to deployment manifest - set: - config.organisation: test_org - config.cluster: test_cluster - command: ["notpreflight"] - template: deployment.yaml - asserts: - - isKind: - of: Deployment - - contains: - path: spec.template.spec.containers[0].command - content: notpreflight - - # Check the volumes and volumeMounts works correctly - - it: Volumes and VolumeMounts added correctly - set: - config.organisation: test_org - config.cluster: test_cluster - values: - - ./values/custom-volumes.yaml - asserts: - - isKind: - of: Deployment - - equal: - # In template this comes after credentials and agent config volumeMounts - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "cabundle")] - value: - mountPath: /etc/ssl/certs/ - name: cabundle - readOnly: true - - equal: - path: spec.template.spec.volumes[?(@.name == "cabundle")].configmap - value: - defaultMode: 420 - name: cabundle - optional: true diff --git a/deploy/charts/jetstack-agent/tests/values/custom-config.yaml b/deploy/charts/jetstack-agent/tests/values/custom-config.yaml deleted file mode 100644 index ee3489b2..00000000 
--- a/deploy/charts/jetstack-agent/tests/values/custom-config.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# -- Configuration section for the Jetstack Agent itself -config: - # -- Provide an Override to allow completely custom agent configuration - override: - # -- Override disabled by default - enabled: true - # -- Embed the agent configuration here in the chart values - config: - server: "https://platform.jetstack.io" - organization_id: test_org - cluster_id: test_cluster - data-gatherers: - # gather k8s apiserver version information - - kind: "k8s-discovery" - name: "k8s-discovery" diff --git a/deploy/charts/jetstack-agent/tests/values/custom-volumes.yaml b/deploy/charts/jetstack-agent/tests/values/custom-volumes.yaml deleted file mode 100644 index 394222c7..00000000 --- a/deploy/charts/jetstack-agent/tests/values/custom-volumes.yaml +++ /dev/null @@ -1,11 +0,0 @@ -volumes: - - name: cabundle - configmap: - name: cabundle - optional: true - defaultMode: 0644 - -volumeMounts: - - name: cabundle - readOnly: true - mountPath: /etc/ssl/certs/ diff --git a/deploy/charts/jetstack-agent/values.yaml b/deploy/charts/jetstack-agent/values.yaml deleted file mode 100644 index 351b55a7..00000000 --- a/deploy/charts/jetstack-agent/values.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -# Default values for jetstack-agent. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- default replicas, do not scale up -replicaCount: 1 - -image: - # -- Default to Open Source image repository - repository: quay.io/jetstack/preflight - # -- Defaults to only pull if not already present - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "v0.1.43" - -# -- Specify image pull credentials if using a prviate registry -imagePullSecrets: [] - -# -- Helm default setting to override release name, leave blank -nameOverride: "" -# -- Helm default setting, use this to shorten install name -fullnameOverride: "" - -serviceAccount: - # -- Specifies whether a service account should be created - # @default true - create: true - # -- Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - -resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - requests: - memory: 200Mi - cpu: 200m - limits: - memory: 500Mi - cpu: 500m - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# -- Additional volumes to add to the jetstack-agent pod. -volumes: [] - -# -- Additional volume mounts to add to the jetstack-agent container. -volumeMounts: [] - -# -- Override the jetstack-agent entrypoint with specified command. 
-command: [] - -# -- Add additional arguments to the default `agent` command. -extraArgs: [] - -# -- Authentication section for the agent -authentication: - # -- Reccomend that you do not use this and instead creat the credential secret outside of helm - createSecret: false - # -- Type can be "file"/"token" determining how the agent should authenticate the to the backend - type: file - # -- Name of the secret containing agent credentials.json - secretName: agent-credentials - # -- Key name in secret - secretKey: "credentials.json" - # -- Base64 encoded value from Jetstack Secure Dashboard - only required when createSecret is true - secretValue: "" - -# -- Configuration section for the Jetstack Agent itself -config: - # -- Overrides the server if using a proxy between agent and Jetstack Secure - server: "https://platform.jetstack.io" - # -- REQUIRED - Your Jetstack Secure Organisation Name - organisation: "" - # -- REQUIRED - Your Jetstack Secure Cluster Name - cluster: "" - # -- Send data back to the platform every minute unless changed - period: "0h1m0s" - - # -- Configure data that is gathered from your cluster, for full details see https://platform.jetstack.io/documentation/configuration/jetstack-agent/configuration - dataGatherers: - # -- Use the standard full set of data gatherers - default: true - # -- A list of data gatherers to limit agent scope - custom: [] - # Full list that makes up the default role - # - node - # - secret - # - cert-manager - # - googlecas - # - awspca - # - webhook - # - openshift - # - istio - # - venafienhancedissuer - - # -- Provide an Override to allow completely custom agent configuration - override: - # -- Override disabled by default - enabled: false - # -- Embed the agent configuration here in the chart values - config: - # -- Sepcify ConfigMap details to load config from existing ConfigMap - configmap: - name: - key:
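Review bot: Deleting deploy/charts/jetstack-agent/tests/configuration_test.yaml drops the only check that no ConfigMap is rendered when `config.override.enabled: true` and `config.override.configmap.name` are set together (the `hasDocuments: count: 0` assertion), and the check that an embedded override renders exactly the supplied `config.yaml` and nothing else. If those cases are still supported by whatever replaces this chart, the PR description should point at the equivalent tests there; otherwise a template change that starts rendering a second, unintended config source would go unnoticed. The `matchSnapshot: {}` in the last test is what consumed the `agent-config` snapshot removed earlier in this patch, so those two deletions are consistent with each other.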
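Review bot: In the deleted deployment_test.yaml, the first test's `pattern: ^jetstack-agent-*` only anchors the `jetstack-agent` prefix (`-*` matches zero or more hyphens, not "hyphen then anything"), so it would also accept a name like `jetstack-agentfoo`; if this test is being moved rather than dropped, tighten it to something like `^jetstack-agent-.+$` or use `equal` on the full name as the fullnameOverride test does. Two details in the cabundle test are worth carrying over as well: the assertion expects `defaultMode: 420`, which is only the decimal form of the fixture's unquoted `0644` while YAML keeps parsing it as octal, and mounting a ConfigMap at `/etc/ssl/certs/` shadows the image's CA directory, so with `optional: true` an absent ConfigMap can leave the agent with an empty trust store instead of the system bundle. That is the behaviour a replacement test should pin down.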
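Review bot: The deleted tests/values/custom-volumes.yaml spells the volume source as `configmap:`, and the deployment test's JSONPath `.volumes[?(@.name == "cabundle")].configmap` is written to match it, but the Kubernetes field is `configMap`. If the chart copied `volumes` into the pod spec verbatim, a user who based their values on this fixture would get a Volume with no recognised source while the unit test still passed. If the fixture survives anywhere else, rename the key to `configMap` in both the fixture and the assertion path.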
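Review bot: Removing deploy/charts/jetstack-agent/values.yaml takes the chart's hardened defaults with it: `securityContext` dropping `ALL` capabilities, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, `runAsUser: 1000`, and `authentication.createSecret: false` together with the comment recommending that the credential secret be created outside Helm (a `secretValue` pasted into values is stored in the Helm release secret and tends to end up in version control). Whatever chart replaces this one should be checked to keep at least those defaults. Minor: the `prviate`, `Reccomend`, `creat` and `Sepcify` typos are moot with the deletion but should not be copied into a successor values file.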