gitea_admin/application
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vcluster28.0

Browse Source
This commit is contained in:
behrooz
2025-08-18 10:48:40 +03:30
parent bfd802911d
commit 80e9650141
55 changed files with 12450 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
argocd/apps/local/vcluster/values.yaml
View File

@@ -1,12 +1,12 @@
applications: applications:
- name: vcluster-username - name: vcluster-username
namespace: vcluster-username namespace: vcluster-username
path: vcluster-0.21.1 path: vcluster-0.28.0
cluster: in-cluster cluster: in-cluster
repoURL: http://192.168.1.10:3000/admin/applications repoURL: http://192.168.1.10:3000/admin/applications
- name: vcluster-behrooz - name: vcluster-behrooz
namespace: vcluster-behrooz namespace: vcluster-behrooz
path: vcluster-0.21.1 path: vcluster-0.28.0
cluster: in-cluster cluster: in-cluster
repoURL: http://192.168.1.10:3000/admin/applications repoURL: http://192.168.1.10:3000/admin/applications

24
vcluster0.28.0/.helmignore Normal file
View File

@@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

26
vcluster0.28.0/Chart.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: v2
appVersion: 0.28.0-next.12
description: vcluster - Virtual Kubernetes Clusters
home: https://vcluster.com
icon: https://static.loft.sh/branding/logos/vcluster/vertical/vcluster_vertical.svg
keywords:
- developer
- development
- sharing
- share
- multi-tenancy
- tenancy
- cluster
- space
- namespace
- vcluster
- vclusters
maintainers:
- email: info@loft.sh
name: Loft Labs, Inc.
url: https://twitter.com/loft_sh
name: vcluster
sources:
- https://github.com/loft-sh/vcluster
type: application
version: 0.28.0-next.12

64
vcluster0.28.0/README.md Normal file
View File

@@ -0,0 +1,64 @@
# vcluster
## **[GitHub](https://github.com/loft-sh/vcluster)** • **[Website](https://www.vcluster.com)** • **[Quickstart](https://www.vcluster.com/docs/getting-started/setup)** • **[Documentation](https://www.vcluster.com/docs/what-are-virtual-clusters)** • **[Blog](https://loft.sh/blog)** • **[Twitter](https://twitter.com/loft_sh)** • **[Slack](https://slack.loft.sh/)**
Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
## Prerequisites
- Kubernetes 1.18+
- Helm 3.10.0+
## Get Helm Repository Info
```bash
helm repo add loft-sh https://charts.loft.sh
helm repo update
```
See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation.
## Install Helm Chart
```bash
helm upgrade [RELEASE_NAME] loft-sh/vcluster -n [RELEASE_NAMESPACE] --create-namespace --install
```
See [vcluster docs](https://vcluster.com/docs) for configuration options.
See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation.
## Connect to the vcluster
In order to connect to the installed vcluster, please install [vcluster cli](https://www.vcluster.com/docs/getting-started/setup) and run:
```bash
vcluster connect [RELEASE_NAME] -n [RELEASE_NAMESPACE]
```
## Uninstall Helm Chart
```bash
helm uninstall [RELEASE_NAME]
```
This removes all the Kubernetes components associated with the chart and deletes the release.
See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation.
### Why Virtual Kubernetes Clusters?
- **Cluster Scoped Resources**: much more powerful than simple namespaces (virtual clusters allow users to use CRDs, namespaces, cluster roles etc.)
- **Ease of Use**: usable in any Kubernetes cluster and created in seconds either via a single command or [cluster-api](https://github.com/loft-sh/cluster-api-provider-vcluster)
- **Cost Efficient**: much cheaper and efficient than "real" clusters (single pod and shared resources just like for namespaces)
- **Lightweight**: built upon the ultra-fast k3s distribution with minimal overhead per virtual cluster (other distributions work as well)
- **Strict isolation**: complete separate Kubernetes control plane and access point for each vcluster while still being able to share certain services of the underlying host cluster
- **Cluster Wide Permissions**: allow users to install apps which require cluster-wide permissions while being limited to actually just one namespace within the host cluster
- **Great for Testing**: allow you to test different Kubernetes versions inside a single host cluster which may have a different version than the virtual clusters
Learn more on [www.vcluster.com](https://vcluster.com).
![vcluster Intro](https://github.com/loft-sh/vcluster/raw/main/docs/static/media/vcluster-comparison.png)
Learn more in the [documentation](https://vcluster.com/docs/what-are-virtual-clusters).

36
vcluster0.28.0/templates/_backingstore.tpl Normal file
View File

@@ -0,0 +1,36 @@
{{/*
is deploy etcd enabled?
*/}}
{{- define "vcluster.database.embedded.enabled" -}}
{{- $backingStores := 0 -}}
{{- if .Values.controlPlane.backingStore.etcd.embedded.enabled -}}
{{- $backingStores = add1 $backingStores -}}
{{- end -}}
{{- if .Values.controlPlane.backingStore.etcd.deploy.enabled -}}
{{- $backingStores = add1 $backingStores -}}
{{- end -}}
{{- if .Values.controlPlane.backingStore.etcd.external.enabled -}}
{{- $backingStores = add1 $backingStores -}}
{{- end -}}
{{- if .Values.controlPlane.backingStore.database.embedded.enabled -}}
{{- $backingStores = add1 $backingStores -}}
{{- end -}}
{{- if .Values.controlPlane.backingStore.database.external.enabled -}}
{{- $backingStores = add1 $backingStores -}}
{{- end -}}
{{- if gt $backingStores 1 -}}
{{- fail "you can only enable one backingStore at the same time" -}}
{{- else if or (eq $backingStores 0) .Values.controlPlane.backingStore.database.embedded.enabled -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
migrate from deployed etcd?
*/}}
{{- define "vcluster.etcd.embedded.migrate" -}}
{{- if and .Values.controlPlane.backingStore.etcd.embedded.enabled .Values.controlPlane.backingStore.etcd.embedded.migrateFromDeployedEtcd -}}
{{- true -}}
{{- end -}}
{{- end -}}

27
vcluster0.28.0/templates/_distro.tpl Normal file
View File

@@ -0,0 +1,27 @@
{{- define "vcluster.distro.env" -}}
{{- if and (eq (include "vcluster.distro" .) "k3s") .Values.controlPlane.distro.k3s.env -}}
{{ toYaml .Values.controlPlane.distro.k3s.env }}
{{- else if and (eq (include "vcluster.distro" .) "k8s") .Values.controlPlane.distro.k8s.env -}}
{{ toYaml .Values.controlPlane.distro.k8s.env }}
{{- end -}}
{{- end -}}
{{/*
vCluster Distro
*/}}
{{- define "vcluster.distro" -}}
{{- $distros := 0 -}}
{{- if .Values.controlPlane.distro.k3s.enabled -}}
k3s
{{- $distros = add1 $distros -}}
{{- end -}}
{{- if .Values.controlPlane.distro.k8s.enabled -}}
k8s
{{- $distros = add1 $distros -}}
{{- end -}}
{{- if eq $distros 0 -}}
k8s
{{- else if gt $distros 1 -}}
{{- fail "you can only enable one distro at the same time" -}}
{{- end -}}
{{- end -}}

37
vcluster0.28.0/templates/_exportKubeConfig.tpl Normal file
View File

@@ -0,0 +1,37 @@
{{- define "vcluster.exportKubeConfig.validate" }}
{{- /*
Verify that exportKubeConfig.secret and exportKubeConfig.additionalSecrets are
not set at the same time.
*/}}
{{- $secretSet := false }}
{{- if .Values.exportKubeConfig.secret }}
{{- $secretSet = or (.Values.exportKubeConfig.secret.name | trim | ne "") (.Values.exportKubeConfig.secret.namespace | trim | ne "") }}
{{- end }}
{{- $additionalSecretsSet := false }}
{{- if .Values.exportKubeConfig.additionalSecrets }}
{{- $additionalSecretsSet = gt (len .Values.exportKubeConfig.additionalSecrets) 0 }}
{{- end }}
{{- if and $secretSet $additionalSecretsSet }}
{{- fail "exportKubeConfig.secret and exportKubeConfig.additionalSecrets cannot be set at the same time" }}
{{- end }}
{{- /*
Verify that additional secrets have name or namespace set.
*/}}
{{- range $_, $additionalSecret := .Values.exportKubeConfig.additionalSecrets }}
{{- $nameSet := false }}
{{- $namespaceSet := false }}
{{- if $additionalSecret.name }}
{{- if $additionalSecret.name | trim | ne "" }}
{{- $nameSet = true }}
{{- end }}
{{- end }}
{{- if $additionalSecret.namespace }}
{{- if $additionalSecret.namespace | trim | ne "" }}
{{- $namespaceSet = true }}
{{- end }}
{{- end }}
{{- if not (or $nameSet $namespaceSet) }}
{{- fail (cat "additional secret must have name and/or namespace set, found:" (toJson $additionalSecret)) }}
{{- end }}
{{- end }}
{{- end }}

17
vcluster0.28.0/templates/_helper.tpl Normal file
View File

@@ -0,0 +1,17 @@
{{- define "vcluster.controlPlane.image" -}}
{{- $tag := .Chart.Version -}}
{{- if .Values.controlPlane.statefulSet.image.tag -}}
{{- $tag = .Values.controlPlane.statefulSet.image.tag -}}
{{- end -}}
{{- include "vcluster.image" (dict "defaultImageRegistry" .Values.controlPlane.advanced.defaultImageRegistry "tag" $tag "registry" .Values.controlPlane.statefulSet.image.registry "repository" .Values.controlPlane.statefulSet.image.repository) -}}
{{- end -}}
{{- define "vcluster.image" -}}
{{- if .defaultImageRegistry -}}
{{ .defaultImageRegistry }}/{{ .repository }}:{{ .tag }}
{{- else if .registry -}}
{{ .registry }}/{{ .repository }}:{{ .tag }}
{{- else -}}
{{ .repository }}:{{ .tag }}
{{- end -}}
{{- end -}}

181
vcluster0.28.0/templates/_init-containers.tpl Normal file
View File

@@ -0,0 +1,181 @@
{{- define "vcluster.initContainers" -}}
{{- if eq (include "vcluster.distro" .) "k3s" -}}
{{ include "vcluster.k3s.initContainers" . }}
{{- else if eq (include "vcluster.distro" .) "k8s" -}}
{{ include "vcluster.k8s.initContainers" . }}
{{- end -}}
{{- end -}}
{{/* Bump $defaultTag value whenever k8s version is bumped */}}
{{- define "vcluster.k8s.image.tag" -}}
{{- if not (empty .Values.controlPlane.distro.k8s.version) -}}
{{- if .Values.privateNodes.enabled -}}
{{ .Values.controlPlane.distro.k8s.version }}-full
{{- else -}}
{{ .Values.controlPlane.distro.k8s.version }}
{{- end -}}
{{- else -}}
{{- if .Values.privateNodes.enabled -}}
{{ .Values.controlPlane.distro.k8s.image.tag }}-full
{{- else -}}
{{ .Values.controlPlane.distro.k8s.image.tag }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "vcluster.k8s.initContainers" -}}
{{- include "vcluster.oldPlugins.initContainers" . }}
{{- include "vcluster.plugins.initContainers" . }}
- name: kubernetes
image: "{{ include "vcluster.image" (dict "defaultImageRegistry" .Values.controlPlane.advanced.defaultImageRegistry "registry" .Values.controlPlane.distro.k8s.image.registry "repository" .Values.controlPlane.distro.k8s.image.repository "tag" (include "vcluster.k8s.image.tag" .)) }}"
volumeMounts:
- mountPath: /binaries
name: binaries
command:
- cp
args:
- -a
- /kubernetes/.
- /binaries/
{{- if .Values.controlPlane.distro.k8s.imagePullPolicy }}
imagePullPolicy: {{ .Values.controlPlane.distro.k8s.imagePullPolicy }}
{{- end }}
securityContext:
{{ toYaml .Values.controlPlane.distro.k8s.securityContext | indent 4 }}
resources:
{{ toYaml .Values.controlPlane.distro.k8s.resources | indent 4 }}
{{- end -}}
{{- define "vcluster.k3s.initContainers" -}}
{{- include "vcluster.oldPlugins.initContainers" . }}
{{- include "vcluster.plugins.initContainers" . }}
- name: vcluster
image: "{{ include "vcluster.image" (dict "defaultImageRegistry" .Values.controlPlane.advanced.defaultImageRegistry "registry" .Values.controlPlane.distro.k3s.image.registry "repository" .Values.controlPlane.distro.k3s.image.repository "tag" .Values.controlPlane.distro.k3s.image.tag) }}"
command:
- /bin/sh
args:
- -c
- "cp /bin/k3s /binaries/k3s"
{{- if .Values.controlPlane.distro.k3s.imagePullPolicy }}
imagePullPolicy: {{ .Values.controlPlane.distro.k3s.imagePullPolicy }}
{{- end }}
securityContext:
{{ toYaml .Values.controlPlane.distro.k3s.securityContext | indent 4 }}
volumeMounts:
- name: binaries
mountPath: /binaries
resources:
{{ toYaml .Values.controlPlane.distro.k3s.resources | indent 4 }}
{{- end -}}
{{/*
Plugin init container definition
*/}}
{{- define "vcluster.plugins.initContainers" -}}
{{- range $key, $container := .Values.plugins }}
{{- if not $container.image }}
{{- continue }}
{{- end }}
- {{- if $.Values.controlPlane.advanced.defaultImageRegistry }}
image: {{ $.Values.controlPlane.advanced.defaultImageRegistry }}/{{ $container.image }}
{{- else }}
image: {{ $container.image }}
{{- end }}
{{- if $container.name }}
name: {{ $container.name | quote }}
{{- else }}
name: {{ $key | quote }}
{{- end }}
{{- if $container.imagePullPolicy }}
imagePullPolicy: {{ $container.imagePullPolicy }}
{{- end }}
{{- if or $container.command $container.args }}
{{- if $container.command }}
command:
{{- range $commandIndex, $command := $container.command }}
- {{ $command | quote }}
{{- end }}
{{- end }}
{{- if $container.args }}
args:
{{- range $argIndex, $arg := $container.args }}
- {{ $arg | quote }}
{{- end }}
{{- end }}
{{- else }}
command: ["sh"]
args: ["-c", "cp -r /plugin /plugins/{{ $key }}"]
{{- end }}
{{- if $container.securityContext }}
securityContext:
{{ toYaml $container.securityContext | indent 4 }}
{{- end }}
{{- if $container.volumeMounts }}
volumeMounts:
{{ toYaml $container.volumeMounts | indent 4 }}
{{- else }}
volumeMounts:
- mountPath: /plugins
name: plugins
{{- end }}
{{- if $container.resources }}
resources:
{{ toYaml $container.resources | indent 4 }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Old Plugin init container definition
*/}}
{{- define "vcluster.oldPlugins.initContainers" -}}
{{- range $key, $container := .Values.plugin }}
{{- if or (ne $container.version "v2") (not $container.image) -}}
{{- continue -}}
{{- end -}}
- {{- if $.Values.controlPlane.advanced.defaultImageRegistry }}
image: {{ $.Values.controlPlane.advanced.defaultImageRegistry }}/{{ $container.image }}
{{- else }}
image: {{ $container.image }}
{{- end }}
{{- if $container.name }}
name: {{ $container.name | quote }}
{{- else }}
name: {{ $key | quote }}
{{- end }}
{{- if $container.imagePullPolicy }}
imagePullPolicy: {{ $container.imagePullPolicy }}
{{- end }}
{{- if or $container.command $container.args }}
{{- if $container.command }}
command:
{{- range $commandIndex, $command := $container.command }}
- {{ $command | quote }}
{{- end }}
{{- end }}
{{- if $container.args }}
args:
{{- range $argIndex, $arg := $container.args }}
- {{ $arg | quote }}
{{- end }}
{{- end }}
{{- else }}
command: ["sh"]
args: ["-c", "cp -r /plugin /plugins/{{ $key }}"]
{{- end }}
securityContext:
{{ toYaml $container.securityContext | indent 4 }}
{{- if $container.volumeMounts }}
volumeMounts:
{{ toYaml $container.volumeMounts | indent 4 }}
{{- else }}
volumeMounts:
- mountPath: /plugins
name: plugins
{{- end }}
{{- if $container.resources }}
resources:
{{ toYaml $container.resources | indent 4 }}
{{- end }}
{{- end }}
{{- end -}}

41
vcluster0.28.0/templates/_persistence.tpl Normal file
View File

@@ -0,0 +1,41 @@
{{/*
ControlPlane Kind
*/}}
{{- define "vcluster.kind" -}}
{{ if or (include "vcluster.persistence.volumeClaim.enabled" .) .Values.controlPlane.backingStore.etcd.embedded.enabled }}StatefulSet{{ else }}Deployment{{ end }}
{{- end -}}
{{/*
StatefulSet Persistence Options
*/}}
{{- define "vcluster.persistence" -}}
{{- if .Values.controlPlane.statefulSet.persistence.volumeClaimTemplates }}
volumeClaimTemplates:
{{ toYaml .Values.controlPlane.statefulSet.persistence.volumeClaimTemplates | indent 2 }}
{{- else if include "vcluster.persistence.volumeClaim.enabled" . }}
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: {{ .Values.controlPlane.statefulSet.persistence.volumeClaim.accessModes }}
{{- if .Values.controlPlane.statefulSet.persistence.volumeClaim.storageClass }}
storageClassName: {{ .Values.controlPlane.statefulSet.persistence.volumeClaim.storageClass }}
{{- end }}
resources:
requests:
storage: {{ .Values.controlPlane.statefulSet.persistence.volumeClaim.size }}
{{- end }}
{{- end -}}
{{/*
is persistence enabled?
*/}}
{{- define "vcluster.persistence.volumeClaim.enabled" -}}
{{- if .Values.controlPlane.statefulSet.persistence.volumeClaimTemplates -}}
{{- true -}}
{{- else if eq (toString .Values.controlPlane.statefulSet.persistence.volumeClaim.enabled) "true" -}}
{{- true -}}
{{- else if and (eq (toString .Values.controlPlane.statefulSet.persistence.volumeClaim.enabled) "auto") (or (include "vcluster.database.embedded.enabled" .) .Values.controlPlane.backingStore.etcd.embedded.enabled) -}}
{{- true -}}
{{- end -}}
{{- end -}}

126
vcluster0.28.0/templates/_plugin.tpl Normal file
View File

@@ -0,0 +1,126 @@
{{/*
Plugin volume mount definition
*/}}
{{- define "vcluster.plugins.volumeMounts" -}}
{{- $pluginFound := false -}}
{{- range $key, $container := .Values.plugin }}
{{- if or (ne $container.version "v2") (not $container.image) }}
{{- continue }}
{{- end }}
{{ $pluginFound = true }}
- mountPath: /plugins
name: plugins
{{- break }}
{{- end }}
{{- if eq $pluginFound false }}
{{- range $key, $container := .Values.plugins }}
{{- if not $container.image }}
{{- continue }}
{{- end }}
- mountPath: /plugins
name: plugins
{{- break }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Plugin volume definition
*/}}
{{- define "vcluster.plugins.volumes" -}}
{{- $pluginFound := false -}}
{{- range $key, $container := .Values.plugin }}
{{- if or (ne $container.version "v2") (not $container.image) }}
{{- continue }}
{{- end }}
{{ $pluginFound = true }}
- name: plugins
emptyDir: {}
{{- break }}
{{- end }}
{{- if eq $pluginFound false }}
{{- range $key, $container := .Values.plugins }}
{{- if not $container.image }}
{{- continue }}
{{- end }}
- name: plugins
emptyDir: {}
{{- break }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Sidecar container definition for the legacy syncer parts
*/}}
{{- define "vcluster.legacyPlugins.containers" -}}
{{- $counter := -1 -}}
{{- range $key, $container := .Values.plugin }}
{{- if eq $container.version "v2" }}
{{ continue }}
{{- end }}
{{- $counter = add1 $counter }}
- {{- if $.Values.controlPlane.advanced.defaultImageRegistry }}
image: {{ $.Values.controlPlane.advanced.defaultImageRegistry }}/{{ $container.image }}
{{- else }}
image: {{ $container.image }}
{{- end }}
{{- if $container.name }}
name: {{ $container.name | quote }}
{{- else }}
name: {{ $key | quote }}
{{- end }}
{{- if $container.imagePullPolicy }}
imagePullPolicy: {{ $container.imagePullPolicy }}
{{- end }}
{{- if $container.workingDir }}
workingDir: {{ $container.workingDir }}
{{- end }}
{{- if $container.command }}
command:
{{- range $commandIndex, $command := $container.command }}
- {{ $command | quote }}
{{- end }}
{{- end }}
{{- if $container.args }}
args:
{{- range $argIndex, $arg := $container.args }}
- {{ $arg | quote }}
{{- end }}
{{- end }}
{{- if $container.terminationMessagePath }}
terminationMessagePath: {{ $container.terminationMessagePath }}
{{- end }}
{{- if $container.terminationMessagePolicy }}
terminationMessagePolicy: {{ $container.terminationMessagePolicy }}
{{- end }}
env:
- name: VCLUSTER_PLUGIN_ADDRESS
value: "localhost:{{ add 14000 $counter }}"
- name: VCLUSTER_PLUGIN_NAME
value: "{{ $key }}"
{{- if $container.env }}
{{ toYaml $container.env | indent 4 }}
{{- end }}
envFrom:
{{ toYaml $container.envFrom | indent 4 }}
securityContext:
{{ toYaml $container.securityContext | indent 4 }}
lifecycle:
{{ toYaml $container.lifecycle | indent 4 }}
livenessProbe:
{{ toYaml $container.livenessProbe | indent 4 }}
readinessProbe:
{{ toYaml $container.readinessProbe | indent 4 }}
startupProbe:
{{ toYaml $container.startupProbe | indent 4 }}
volumeDevices:
{{ toYaml $container.volumeDevices | indent 4 }}
volumeMounts:
{{ toYaml $container.volumeMounts | indent 4 }}
{{- if $container.resources }}
resources:
{{ toYaml $container.resources | indent 4 }}
{{- end }}
{{- end }}
{{- end }}

268
vcluster0.28.0/templates/_rbac.tpl Normal file
View File

@@ -0,0 +1,268 @@
{{- define "vcluster.clusterRoleName" -}}
{{- printf "vc-%s-v-%s" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "vcluster.clusterRoleNameMultinamespace" -}}
{{- printf "vc-mn-%s-v-%s" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Whether to create a cluster role or not
*/}}
{{- define "vcluster.createClusterRole" -}}
{{- if eq (toString .Values.rbac.clusterRole.enabled) "true" -}}
{{- true -}}
{{- else if eq (toString .Values.rbac.clusterRole.enabled) "auto" -}}
{{- if or
.Values.rbac.clusterRole.overwriteRules
(not (empty (include "vcluster.rbac.clusterRoleExtraRules" . )))
(not (empty (include "vcluster.plugin.clusterRoleExtraRules" . )))
(not (empty (include "vcluster.generic.clusterRoleExtraRules" . )))
.Values.networking.replicateServices.fromHost
.Values.pro
.Values.sync.toHost.storageClasses.enabled
.Values.experimental.isolatedControlPlane.enabled
.Values.sync.toHost.persistentVolumes.enabled
.Values.sync.toHost.priorityClasses.enabled
.Values.sync.fromHost.priorityClasses.enabled
.Values.sync.toHost.volumeSnapshotContents.enabled
.Values.sync.fromHost.volumeSnapshotClasses.enabled
(and (eq (include "vcluster.distro" .) "k8s") .Values.controlPlane.distro.k8s.scheduler.enabled)
.Values.controlPlane.advanced.virtualScheduler.enabled
.Values.sync.toHost.pods.hybridScheduling.enabled
.Values.sync.fromHost.ingressClasses.enabled
.Values.sync.fromHost.runtimeClasses.enabled
(eq (toString .Values.sync.fromHost.storageClasses.enabled) "true")
(eq (toString .Values.sync.fromHost.csiNodes.enabled) "true")
(eq (toString .Values.sync.fromHost.csiDrivers.enabled) "true")
(eq (toString .Values.sync.fromHost.csiStorageCapacities.enabled) "true")
.Values.sync.fromHost.nodes.enabled
.Values.sync.toHost.customResources
.Values.sync.fromHost.customResources
.Values.integrations.kubeVirt.enabled
.Values.integrations.externalSecrets.enabled
(and .Values.integrations.certManager.enabled .Values.integrations.certManager.sync.fromHost.clusterIssuers.enabled)
(and .Values.integrations.metricsServer.enabled .Values.integrations.metricsServer.nodes)
.Values.sync.fromHost.configMaps.enabled
.Values.sync.fromHost.secrets.enabled
.Values.integrations.istio.enabled
.Values.sync.toHost.namespaces.enabled
-}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Role rules defined on global level
*/}}
{{- define "vcluster.rbac.roleExtraRules" -}}
{{- if .Values.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := .Values.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Role rules defined by plugins
*/}}
{{- define "vcluster.plugin.roleExtraRules" -}}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.role }}
{{- if $container.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- range $key, $container := .Values.plugins }}
{{- if $container.rbac }}
{{- if $container.rbac.role }}
{{- if $container.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Cluster role rules defined by plugins
*/}}
{{- define "vcluster.plugin.clusterRoleExtraRules" -}}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.clusterRole }}
{{- if $container.rbac.clusterRole.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.clusterRole.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- range $key, $container := .Values.plugins }}
{{- if $container.rbac }}
{{- if $container.rbac.clusterRole }}
{{- if $container.rbac.clusterRole.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.clusterRole.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Role rules defined in generic syncer
*/}}
{{- define "vcluster.generic.roleExtraRules" -}}
{{- if .Values.experimental.genericSync.role }}
{{- if .Values.experimental.genericSync.role.extraRules }}
{{- range $ruleIndex, $rule := .Values.experimental.genericSync.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Role rules defined in generic syncer
*/}}
{{- define "vcluster.customResources.roleExtraRules" -}}
{{- if .Values.sync.toHost.customResources }}
{{- range $crdName, $rule := .Values.sync.toHost.customResources }}
{{- if $rule.enabled }}
{{- $crdNameWithoutVersion := (split "/" $crdName)._0 -}} # Takes part before "/"
- resources: [ "{{ (splitn "." 2 $crdNameWithoutVersion)._0 }}" ]
apiGroups: [ "{{ (splitn "." 2 $crdNameWithoutVersion)._1 }}" ]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Cluster role rules defined in generic syncer
*/}}
{{- define "vcluster.customResources.clusterRoleExtraRules" -}}
{{- if .Values.sync.fromHost.customResources }}
{{- range $crdName, $rule := .Values.sync.fromHost.customResources }}
{{- if $rule.enabled }}
{{- $crdNameWithoutVersion := (split "/" $crdName)._0 -}} # Takes part before "/"
- resources: [ "{{ (splitn "." 2 $crdNameWithoutVersion)._0 }}" ]
apiGroups: [ "{{ (splitn "." 2 $crdNameWithoutVersion)._1 }}" ]
verbs: ["get", "list", "watch"]
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Cluster role rules defined in generic syncer
*/}}
{{- define "vcluster.generic.clusterRoleExtraRules" -}}
{{- if .Values.experimental.genericSync.clusterRole }}
{{- if .Values.experimental.genericSync.clusterRole.extraRules }}
{{- range $ruleIndex, $rule := .Values.experimental.genericSync.clusterRole.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Cluster Role rules defined on global level
*/}}
{{- define "vcluster.rbac.clusterRoleExtraRules" -}}
{{- if .Values.rbac.clusterRole.extraRules }}
{{- range $ruleIndex, $rule := .Values.rbac.clusterRole.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Whether to create a role and role binding to access the platform API key secret
*/}}
{{- define "vcluster.rbac.createPlatformSecretRole" -}}
{{- $createRBAC := dig "platform" "apiKey" "createRBAC" true .Values.external -}}
{{- if and $createRBAC (ne (include "vcluster.rbac.platformSecretNamespace" .) .Release.Namespace) }}
{{- true -}}
{{- end }}
{{- end -}}
{{/*
Namespace containing the vCluster platform secret
*/}}
{{- define "vcluster.rbac.platformSecretNamespace" -}}
{{- dig "platform" "apiKey" "namespace" .Release.Namespace .Values.external | default .Release.Namespace -}}
{{- end -}}
{{/*
Name specifies the secret name containing the vCluster platform licenses and tokens
*/}}
{{- define "vcluster.rbac.platformSecretName" -}}
{{- dig "platform" "apiKey" "secretName" "vcluster-platform-api-key" .Values.external | quote -}}
{{- end -}}
{{- define "vcluster.rbac.platformRoleName" -}}
{{- printf "vc-%s-v-%s-platform-role" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "vcluster.rbac.platformRoleBindingName" -}}
{{- printf "vc-%s-v-%s-platform-role-binding" .Release.Name .Release.Namespace | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Cluster role rules needed for fromHost sync (containing namespaces + configmaps/secret/other core resources)
*/}}
{{- define "vcluster.rbac.rulesForFromHostSyncerForGivenCoreResource" -}}
{{- $root := index . 0 -}}
{{- $mappings := index . 1 -}}
{{- $kind := index . 2 -}}
{{- $enabled := index . 3 -}}
{{- if and $enabled $mappings -}}
{{- $namespaces := list -}}
{{- $objNames := list -}}
{{- $addResourceNames := true -}}
{{- range $key, $val := $mappings -}}
{{- $sourceNs := splitList "/" $key | first -}}
{{- $sourceObjName := splitList "/" $key | last }}
{{- if eq $sourceNs "" -}}
{{- $namespaces = append $namespaces (quote $root.Release.Namespace) -}}
{{- else -}}
{{- $namespaces = append $namespaces (quote $sourceNs) -}}
{{- end -}}
{{- if eq $sourceObjName "*" -}}
{{- $addResourceNames = false -}}
{{- else -}}
{{- $objNames = append $objNames (quote $sourceObjName) -}}
{{- end -}}
{{- end -}}
{{- $objList := $objNames | uniq | sortAlpha -}}
{{- $nsList := $namespaces | uniq | sortAlpha -}}
- apiGroups: [""]
resources: [ "namespaces" ]
resourceNames: [ {{ join "," $nsList }} ]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: [ {{ $kind | quote }} ]
verbs: ["list", "watch"]
- apiGroups: [""]
resources: [ {{ $kind | quote }} ]
verbs: ["get"]
{{- if $addResourceNames }}
resourceNames: [ {{ join "," $objList }} ]
{{- end }}
{{- end }}
{{- end }}

4
vcluster0.28.0/templates/_vclusterconfighash.tpl Normal file
View File

@@ -0,0 +1,4 @@
{{- define "vcluster.vClusterConfigHash" -}}
{{- $vals := deepCopy .Values -}}
{{- (unset $vals.privateNodes "nodePools") | toYaml | b64enc | sha256sum | quote -}}
{{- end -}}

148
vcluster0.28.0/templates/clusterrole.yaml Normal file
View File

@@ -0,0 +1,148 @@
{{- if (include "vcluster.createClusterRole" . ) -}}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "vcluster.clusterRoleName" . }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.advanced.globalMetadata.annotations }}
annotations:
{{ toYaml .Values.controlPlane.advanced.globalMetadata.annotations | indent 4 }}
{{- end }}
rules:
{{- if .Values.rbac.clusterRole.overwriteRules }}
{{ toYaml .Values.rbac.clusterRole.overwriteRules | indent 2 }}
{{- else }}
{{- if .Values.pro }}
- apiGroups: ["cluster.loft.sh", "storage.loft.sh"]
resources: ["features", "virtualclusters"]
verbs: ["get", "list", "watch"]
- apiGroups: ["management.loft.sh"]
resources: ["virtualclusterinstances"]
verbs: ["get"]
{{- end }}
{{- if or .Values.pro .Values.sync.fromHost.nodes.enabled }}
- apiGroups: [""]
resources: ["pods", "nodes", "nodes/status", "nodes/metrics", "nodes/stats", "nodes/proxy"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if .Values.experimental.isolatedControlPlane.enabled }}
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if and .Values.sync.fromHost.nodes.enabled .Values.sync.fromHost.nodes.syncBackChanges }}
- apiGroups: [""]
resources: ["nodes", "nodes/status"]
verbs: ["update", "patch"]
{{- end }}
{{- if or
(and (eq (include "vcluster.distro" .) "k8s") .Values.controlPlane.distro.k8s.scheduler.enabled)
.Values.controlPlane.advanced.virtualScheduler.enabled
.Values.sync.toHost.pods.hybridScheduling.enabled
}}
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses", "csinodes", "csidrivers", "csistoragecapacities"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if eq (toString .Values.sync.fromHost.storageClasses.enabled) "true" }}
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if eq (toString .Values.sync.fromHost.csiNodes.enabled) "true" }}
- apiGroups: ["storage.k8s.io"]
resources: ["csinodes"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if eq (toString .Values.sync.fromHost.csiDrivers.enabled) "true" }}
- apiGroups: ["storage.k8s.io"]
resources: ["csidrivers"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if eq (toString .Values.sync.fromHost.csiStorageCapacities.enabled) "true" }}
- apiGroups: ["storage.k8s.io"]
resources: ["csistoragecapacities"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if .Values.sync.toHost.persistentVolumes.enabled }}
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
{{- end }}
{{- if .Values.sync.fromHost.ingressClasses.enabled }}
- apiGroups: ["networking.k8s.io"]
resources: ["ingressclasses"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if .Values.sync.fromHost.runtimeClasses.enabled }}
- apiGroups: ["node.k8s.io"]
resources: ["runtimeclasses"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if .Values.sync.toHost.storageClasses.enabled }}
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
{{- end }}
{{- if or .Values.sync.toHost.priorityClasses.enabled .Values.sync.fromHost.priorityClasses.enabled }}
- apiGroups: ["scheduling.k8s.io"]
resources: ["priorityclasses"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.sync.fromHost.volumeSnapshotClasses.enabled }}
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
{{- end }}
{{- if .Values.sync.toHost.volumeSnapshotContents.enabled }}
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.networking.replicateServices.fromHost }}
- apiGroups: [""]
resources: ["services", "endpoints"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if .Values.sync.toHost.namespaces.enabled }}
- apiGroups: [""]
resources: ["namespaces", "serviceaccounts"]
verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
{{- end }}
{{- if (and .Values.integrations.metricsServer.enabled .Values.integrations.metricsServer.nodes) }}
- apiGroups: ["metrics.k8s.io"]
resources: ["nodes"]
verbs: ["get", "list"]
{{- end }}
{{- if or (and .Values.integrations.kubeVirt.enabled .Values.integrations.kubeVirt.webhook.enabled) (and .Values.integrations.externalSecrets.enabled .Values.integrations.externalSecrets.webhook.enabled ) }}
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch"]
{{- end }}
{{- if or .Values.integrations.kubeVirt.enabled .Values.integrations.externalSecrets.enabled .Values.integrations.certManager.enabled .Values.sync.toHost.customResources .Values.sync.fromHost.customResources .Values.integrations.istio.enabled }}
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
{{- end }}
{{- if and .Values.integrations.externalSecrets.enabled (or .Values.integrations.externalSecrets.sync.clusterStores.enabled .Values.integrations.externalSecrets.sync.fromHost.clusterStores.enabled) }}
- apiGroups: ["external-secrets.io"]
resources: ["clustersecretstores"]
verbs: ["get", "list", "watch"]
{{- end }}
{{- if and .Values.integrations.certManager.enabled .Values.integrations.certManager.sync.fromHost.clusterIssuers.enabled }}
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
{{- end }}
{{- include "vcluster.rbac.rulesForFromHostSyncerForGivenCoreResource" (list $ .Values.sync.fromHost.configMaps.mappings.byName "configmaps" .Values.sync.fromHost.configMaps.enabled ) | nindent 2 }}
{{- include "vcluster.rbac.rulesForFromHostSyncerForGivenCoreResource" (list $ .Values.sync.fromHost.secrets.mappings.byName "secrets" .Values.sync.fromHost.secrets.enabled ) | nindent 2 }}
{{- include "vcluster.customResources.clusterRoleExtraRules" . | indent 2 }}
{{- include "vcluster.plugin.clusterRoleExtraRules" . | indent 2 }}
{{- include "vcluster.generic.clusterRoleExtraRules" . | indent 2 }}
{{- include "vcluster.rbac.clusterRoleExtraRules" . | indent 2 }}
{{- end }}
{{- end }}

27
vcluster0.28.0/templates/clusterrolebinding.yaml Normal file
View File

@@ -0,0 +1,27 @@
{{- if (include "vcluster.createClusterRole" . ) -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "vcluster.clusterRoleName" . }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.advanced.globalMetadata.annotations }}
annotations:
{{ toYaml .Values.controlPlane.advanced.globalMetadata.annotations | indent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
{{- if .Values.controlPlane.advanced.serviceAccount.name }}
name: {{ .Values.controlPlane.advanced.serviceAccount.name }}
{{- else }}
name: vc-{{ .Release.Name }}
{{- end }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ template "vcluster.clusterRoleName" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}

17
vcluster0.28.0/templates/config-secret.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v1
kind: Secret
metadata:
name: "vc-config-{{ .Release.Name }}"
namespace: {{ .Release.Namespace }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.advanced.globalMetadata.annotations }}
annotations:
{{ toYaml .Values.controlPlane.advanced.globalMetadata.annotations | indent 4 }}
{{- end }}
type: Opaque
data:
config.yaml: {{ .Values | toYaml | b64enc | quote }}

34
vcluster0.28.0/templates/etcd-headless-service.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{- if not .Values.experimental.isolatedControlPlane.headless }}
{{- if or .Values.controlPlane.backingStore.etcd.deploy.enabled (include "vcluster.etcd.embedded.migrate" .) }}
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-etcd-headless
namespace: {{ .Release.Namespace }}
labels:
app: vcluster-etcd
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.controlPlane.backingStore.etcd.deploy.headlessService.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
publishNotReadyAddresses: true
ports:
- name: etcd
port: 2379
targetPort: 2379
protocol: TCP
- name: peer
port: 2380
targetPort: 2380
protocol: TCP
clusterIP: None
selector:
app: vcluster-etcd
release: "{{ .Release.Name }}"
{{- end }}
{{- end }}

35
vcluster0.28.0/templates/etcd-service.yaml Normal file
View File

@@ -0,0 +1,35 @@
{{- if not .Values.experimental.isolatedControlPlane.headless }}
{{- if or .Values.controlPlane.backingStore.etcd.deploy.enabled (include "vcluster.etcd.embedded.migrate" .) }}
{{- if .Values.controlPlane.backingStore.etcd.deploy.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-etcd
namespace: {{ .Release.Namespace }}
labels:
app: vcluster-etcd
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.controlPlane.backingStore.etcd.deploy.service.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
type: ClusterIP
ports:
- name: etcd
port: 2379
targetPort: 2379
protocol: TCP
- name: peer
port: 2380
targetPort: 2380
protocol: TCP
selector:
app: vcluster-etcd
release: {{ .Release.Name }}
{{- end }}
{{- end }}
{{- end }}

213
vcluster0.28.0/templates/etcd-statefulset.yaml Normal file
View File

@@ -0,0 +1,213 @@
{{- if not .Values.experimental.isolatedControlPlane.headless }}
{{- if or .Values.controlPlane.backingStore.etcd.deploy.enabled (include "vcluster.etcd.embedded.migrate" .) }}
{{- if .Values.controlPlane.backingStore.etcd.deploy.statefulSet.enabled }}
{{- $externalEtcd := .Values.controlPlane.backingStore.etcd.deploy.statefulSet }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ .Release.Name }}-etcd
namespace: {{ .Release.Namespace }}
labels:
app: vcluster-etcd
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if $externalEtcd.labels }}
{{ toYaml $externalEtcd.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations $externalEtcd.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
replicas: {{ $externalEtcd.highAvailability.replicas }}
podManagementPolicy: {{ $externalEtcd.scheduling.podManagementPolicy }}
serviceName: {{ .Release.Name }}-etcd-headless
{{- if eq $externalEtcd.persistence.volumeClaim.retentionPolicy "Delete" }}
{{- if ge (int .Capabilities.KubeVersion.Minor) 27 }}
persistentVolumeClaimRetentionPolicy:
whenDeleted: {{ $externalEtcd.persistence.volumeClaim.retentionPolicy }}
{{- end }}
{{- end }}
selector:
matchLabels:
app: vcluster-etcd
release: {{ .Release.Name }}
{{- if $externalEtcd.persistence.volumeClaimTemplates }}
volumeClaimTemplates:
{{ toYaml $externalEtcd.persistence.volumeClaimTemplates | indent 4 }}
{{- else if $externalEtcd.persistence.volumeClaim.enabled }}
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: {{ $externalEtcd.persistence.volumeClaim.accessModes }}
{{- if $externalEtcd.persistence.volumeClaim.storageClass }}
storageClassName: {{ $externalEtcd.persistence.volumeClaim.storageClass }}
{{- end }}
resources:
requests:
storage: {{ $externalEtcd.persistence.volumeClaim.size }}
{{- end }}
template:
metadata:
{{- if $externalEtcd.pods.annotations }}
annotations:
{{ toYaml $externalEtcd.pods.annotations | indent 8 }}
{{- end }}
labels:
app: vcluster-etcd
release: {{ .Release.Name }}
{{- range $k, $v := $externalEtcd.pods.labels }}
{{ $k }}: {{ $v | quote }}
{{- end }}
spec:
terminationGracePeriodSeconds: 10
{{- if $externalEtcd.scheduling.affinity }}
affinity:
{{ toYaml $externalEtcd.scheduling.affinity | indent 8 }}
{{- else }}
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
# if possible avoid scheduling more than one pod on one node
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- vcluster-etcd
- key: release
operator: In
values:
- {{ .Release.Name }}
topologyKey: "kubernetes.io/hostname"
# if possible avoid scheduling pod onto node that is in the same zone as one or more vcluster pods are running
- weight: 50
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- vcluster-etcd
- key: release
operator: In
values:
- {{ .Release.Name }}
topologyKey: topology.kubernetes.io/zone
{{- end }}
{{- if $externalEtcd.scheduling.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml $externalEtcd.scheduling.topologySpreadConstraints | indent 8 }}
{{- end }}
nodeSelector:
{{ toYaml $externalEtcd.scheduling.nodeSelector | indent 8 }}
tolerations:
{{ toYaml $externalEtcd.scheduling.tolerations | indent 8 }}
automountServiceAccountToken: false
{{- if .Values.controlPlane.advanced.serviceAccount.name }}
serviceAccountName: {{ .Values.controlPlane.advanced.serviceAccount.name }}
{{- else }}
serviceAccountName: vc-{{ .Release.Name }}
{{- end }}
volumes:
- name: certs
secret:
secretName: {{ .Release.Name }}-certs
{{- if $externalEtcd.persistence.addVolumes }}
{{ toYaml $externalEtcd.persistence.addVolumes | indent 8 }}
{{- end }}
{{- if not $externalEtcd.persistence.volumeClaim.enabled }}
- name: data
emptyDir: {}
{{- end }}
{{- if $externalEtcd.scheduling.priorityClassName }}
priorityClassName: {{ $externalEtcd.scheduling.priorityClassName }}
{{- end }}
{{- if $externalEtcd.security.podSecurityContext }}
securityContext:
{{ toYaml $externalEtcd.security.podSecurityContext | indent 8 }}
{{- end }}
enableServiceLinks: {{ .Values.controlPlane.backingStore.etcd.deploy.statefulSet.enableServiceLinks }}
containers:
- name: etcd
image: '{{ include "vcluster.image" (dict "defaultImageRegistry" .Values.controlPlane.advanced.defaultImageRegistry "registry" $externalEtcd.image.registry "repository" $externalEtcd.image.repository "tag" $externalEtcd.image.tag) }}'
command:
- etcd
- '--cert-file=/run/config/pki/etcd-server.crt'
- '--client-cert-auth=true'
- '--data-dir=/var/lib/etcd'
- '--advertise-client-urls=https://$(NAME).{{ .Release.Name }}-etcd-headless.{{ .Release.Namespace }}:2379'
- '--initial-advertise-peer-urls=https://$(NAME).{{ .Release.Name }}-etcd-headless.{{ .Release.Namespace }}:2380'
{{- $releaseName := .Release.Name -}}
{{- $releaseNamespace := .Release.Namespace }}
- '--initial-cluster={{ range $index := untilStep 0 (int $externalEtcd.highAvailability.replicas) 1 }}{{ if (ne (int $index) 0) }},{{ end }}{{ $releaseName }}-etcd-{{ $index }}=https://{{ $releaseName }}-etcd-{{ $index }}.{{ $releaseName }}-etcd-headless.{{ $releaseNamespace }}:2380{{ end }}'
- '--initial-cluster-token={{ .Release.Name }}'
- '--initial-cluster-state=new'
- '--listen-client-urls=https://0.0.0.0:2379'
- '--listen-metrics-urls=http://0.0.0.0:2381'
- '--listen-peer-urls=https://0.0.0.0:2380'
- '--key-file=/run/config/pki/etcd-server.key'
- '--name=$(NAME)'
- '--peer-cert-file=/run/config/pki/etcd-peer.crt'
- '--peer-client-cert-auth=true'
- '--peer-key-file=/run/config/pki/etcd-peer.key'
- '--peer-trusted-ca-file=/run/config/pki/etcd-ca.crt'
- '--snapshot-count=10000'
- '--trusted-ca-file=/run/config/pki/etcd-ca.crt'
{{- range $f := $externalEtcd.extraArgs }}
- {{ $f | quote }}
{{- end }}
{{- if $externalEtcd.security.containerSecurityContext }}
securityContext:
{{ toYaml $externalEtcd.security.containerSecurityContext | indent 10 }}
{{- end }}
env:
- name: NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- if $externalEtcd.env }}
{{ toYaml $externalEtcd.env | indent 10 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /var/lib/etcd
- mountPath: /run/config/pki
name: certs
readOnly: true
{{- if $externalEtcd.persistence.addVolumeMounts }}
{{ toYaml $externalEtcd.persistence.addVolumeMounts | indent 10 }}
{{- end }}
resources:
{{ toYaml $externalEtcd.resources | indent 10 }}
livenessProbe:
httpGet:
path: /health
port: 2381
scheme: HTTP
initialDelaySeconds: 10
timeoutSeconds: 15
periodSeconds: 10
successThreshold: 1
failureThreshold: 8
startupProbe:
httpGet:
path: /health
port: 2381
scheme: HTTP
initialDelaySeconds: 10
timeoutSeconds: 15
periodSeconds: 10
successThreshold: 1
failureThreshold: 24
{{- if $externalEtcd.imagePullPolicy }}
imagePullPolicy: {{ $externalEtcd.imagePullPolicy }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

43
vcluster0.28.0/templates/headless-service.yaml Normal file
View File

@@ -0,0 +1,43 @@
{{- if not .Values.experimental.isolatedControlPlane.headless }}
{{- if eq (include "vcluster.kind" .) "StatefulSet" }}
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-headless
namespace: {{ .Release.Namespace }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.advanced.headlessService.labels }}
{{ toYaml .Values.controlPlane.advanced.headlessService.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.headlessService.annotations .Values.controlPlane.advanced.globalMetadata.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
publishNotReadyAddresses: true
ports:
- name: https
port: 443
targetPort: 8443
protocol: TCP
{{- if .Values.controlPlane.backingStore.etcd.embedded.enabled }}
- name: etcd
port: 2379
targetPort: 2379
protocol: TCP
- name: peer
port: 2380
targetPort: 2380
protocol: TCP
{{- end }}
clusterIP: None
selector:
app: vcluster
release: "{{ .Release.Name }}"
{{- end }}
{{- end }}

37
vcluster0.28.0/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{- if .Values.controlPlane.ingress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
{{- $annotations := merge dict .Values.controlPlane.ingress.annotations .Values.controlPlane.advanced.globalMetadata.annotations }}
{{- if $annotations }}
annotations:
{{- toYaml $annotations | nindent 4 }}
{{- end }}
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.ingress.labels }}
{{ toYaml .Values.controlPlane.ingress.labels | indent 4 }}
{{- end }}
spec:
{{- with .Values.controlPlane.ingress.spec }}
{{- tpl (toYaml .) $ | nindent 2 }}
{{- end }}
{{- if not .Values.controlPlane.ingress.spec.rules }}
rules:
- host: {{ .Values.controlPlane.ingress.host | quote }}
http:
paths:
- backend:
service:
name: {{ .Release.Name }}
port:
name: https
path: /
pathType: {{ .Values.controlPlane.ingress.pathType }}
{{- end }}
{{- end }}

49
vcluster0.28.0/templates/limitrange.yaml Normal file
View File

@@ -0,0 +1,49 @@
{{- if or (eq (toString .Values.policies.limitRange.enabled) "true") (eq (toString .Values.policies.resourceQuota.enabled) "true") }}
{{- if not (eq (toString .Values.policies.limitRange.enabled) "false") }}
apiVersion: v1
kind: LimitRange
metadata:
name: vc-{{ .Release.Name }}
{{- if .Values.experimental.syncSettings.targetNamespace }}
namespace: {{ .Values.experimental.syncSettings.targetNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.policies.limitRange.labels }}
{{ toYaml .Values.policies.limitRange.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.policies.limitRange.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
limits:
- default:
{{- range $key, $val := .Values.policies.limitRange.default }}
{{ $key }}: {{ $val | quote }}
{{- end }}
defaultRequest:
{{- range $key, $val := .Values.policies.limitRange.defaultRequest }}
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- if .Values.policies.limitRange.min }}
min:
{{- range $key, $val := .Values.policies.limitRange.min }}
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- end }}
{{- if .Values.policies.limitRange.max }}
max:
{{- range $key, $val := .Values.policies.limitRange.max }}
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- end }}
type: Container
{{- end }}
{{- end }}

7
vcluster0.28.0/templates/manifests.yaml Normal file
View File

@@ -0,0 +1,7 @@
{{- if .Values.experimental.deploy.host.manifests }}
{{ .Values.experimental.deploy.host.manifests }}
{{- end }}
{{- if .Values.experimental.deploy.host.manifestsTemplate }}
---
{{ tpl .Values.experimental.deploy.host.manifestsTemplate . }}
{{- end }}

112
vcluster0.28.0/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,112 @@
{{- if .Values.policies.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: vc-work-{{ .Release.Name }}
{{- if .Values.experimental.syncSettings.targetNamespace }}
namespace: {{ .Values.experimental.syncSettings.targetNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.policies.networkPolicy.labels }}
{{ toYaml .Values.policies.networkPolicy.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.policies.networkPolicy.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
vcluster.loft.sh/managed-by: {{ .Release.Name }}
egress:
# Allows outgoing connections to the vcluster control plane
- ports:
- port: 443
- port: 8443
to:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
# Allows outgoing connections to DNS server
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allows outgoing connections to the internet or
# other vcluster workloads
- to:
- podSelector:
matchLabels:
vcluster.loft.sh/managed-by: {{ .Release.Name }}
- ipBlock:
cidr: {{ .Values.policies.networkPolicy.outgoingConnections.ipBlock.cidr }}
except:
{{- range .Values.policies.networkPolicy.outgoingConnections.ipBlock.except }}
- {{ . }}
{{- end }}
{{- if .Values.policies.networkPolicy.extraWorkloadRules }}
{{ toYaml .Values.policies.networkPolicy.extraWorkloadRules | indent 4 }}
{{- end }}
policyTypes:
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: vc-cp-{{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.policies.networkPolicy.labels }}
{{ toYaml .Values.policies.networkPolicy.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.policies.networkPolicy.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
egress:
# Allows outgoing connections to all pods with
# port 443, 8443 or 6443. This is needed for host Kubernetes
# access
- ports:
- port: 443
- port: 8443
- port: 6443
# Allows outgoing connections to all vcluster workloads
# or kube system dns server
- to:
- podSelector: {}
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: 'kube-system'
podSelector:
matchLabels:
k8s-app: kube-dns
{{- if .Values.policies.networkPolicy.outgoingConnections.platform }}
- podSelector:
matchLabels:
app: loft
namespaceSelector: {}
{{- end }}
{{- if .Values.policies.networkPolicy.extraControlPlaneRules }}
{{ toYaml .Values.policies.networkPolicy.extraControlPlaneRules | indent 4 }}
{{- end }}
policyTypes:
- Egress
{{- end }}

31
vcluster0.28.0/templates/platform-rbac.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{- if include "vcluster.rbac.createPlatformSecretRole" . }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "vcluster.rbac.platformRoleName" . }}
namespace: {{ include "vcluster.rbac.platformSecretNamespace" .}}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames:
- {{ include "vcluster.rbac.platformSecretName" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "vcluster.rbac.platformRoleBindingName" . }}
namespace: {{ include "vcluster.rbac.platformSecretNamespace" .}}
subjects:
- kind: ServiceAccount
{{- if .Values.controlPlane.advanced.serviceAccount.name }}
name: {{ .Values.controlPlane.advanced.serviceAccount.name }}
{{- else }}
name: vc-{{ .Release.Name }}
{{- end }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ include "vcluster.rbac.platformRoleName" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}

44
vcluster0.28.0/templates/resourcequota.yaml Normal file
View File

@@ -0,0 +1,44 @@
{{- if or (eq (toString .Values.policies.resourceQuota.enabled) "true") (eq (toString .Values.policies.limitRange.enabled) "true") }}
{{- if not (eq (toString .Values.policies.resourceQuota.enabled) "false") }}
apiVersion: v1
kind: ResourceQuota
metadata:
name: vc-{{ .Release.Name }}
{{- if .Values.experimental.syncSettings.targetNamespace }}
namespace: {{ .Values.experimental.syncSettings.targetNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.policies.resourceQuota.labels }}
{{ toYaml .Values.policies.resourceQuota.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.policies.resourceQuota.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
{{- if .Values.policies.resourceQuota.quota }}
hard:
{{- range $key, $val := .Values.policies.resourceQuota.quota }}
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- end }}
{{- if .Values.policies.resourceQuota.scopeSelector.matchExpressions }}
scopeSelector:
matchExpressions:
{{- toYaml .Values.policies.resourceQuota.scopeSelector.matchExpressions | nindent 6 }}
{{- end }}
{{- if .Values.policies.resourceQuota.scopes }}
scopes:
{{- toYaml .Values.policies.resourceQuota.scopes | nindent 4 }}
{{- end}}
{{- end }}
{{- end }}

141
vcluster0.28.0/templates/role.yaml Normal file
View File

@@ -0,0 +1,141 @@
{{- if .Values.rbac.role.enabled }}
{{- if .Values.sync.toHost.namespaces.enabled }}
kind: ClusterRole
{{- else -}}
kind: Role
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
{{- if .Values.sync.toHost.namespaces.enabled }}
name: {{ template "vcluster.clusterRoleNameMultinamespace" . }}
{{- else }}
name: vc-{{ .Release.Name }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.advanced.globalMetadata.annotations }}
annotations:
{{ toYaml .Values.controlPlane.advanced.globalMetadata.annotations | indent 4 }}
{{- end }}
rules:
{{- if .Values.rbac.role.overwriteRules }}
{{ toYaml .Values.rbac.role.overwriteRules | indent 2 }}
{{- else }}
{{- if .Values.privateNodes.enabled}}
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
- apiGroups: [""]
resources: ["services", "pods", "persistentvolumeclaims"]
verbs: ["get", "list", "watch"]
{{- else }}
- apiGroups: [""]
resources: ["configmaps", "secrets", "services", "pods", "pods/attach", "pods/portforward", "pods/exec", "persistentvolumeclaims"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/status", "pods/ephemeralcontainers"]
verbs: ["patch", "update"]
{{- end }}
- apiGroups: ["apps"]
resources: ["statefulsets", "replicasets", "deployments"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "events", "pods/log"]
verbs: ["get", "list", "watch"]
{{- if or .Values.sync.toHost.endpoints.enabled .Values.experimental.isolatedControlPlane.headless }}
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["create", "delete", "patch", "update"]
{{- end }}
{{- if or .Values.privateNodes.enabled (gt (int .Values.controlPlane.statefulSet.highAvailability.replicas) 1) }}
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if (and .Values.integrations.metricsServer.enabled .Values.integrations.metricsServer.pods) }}
- apiGroups: ["metrics.k8s.io"]
resources: ["pods"]
verbs: ["get", "list"]
{{- end }}
{{- if .Values.sync.toHost.ingresses.enabled}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.sync.toHost.networkPolicies.enabled }}
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.sync.toHost.volumeSnapshots.enabled }}
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.sync.toHost.serviceAccounts.enabled }}
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.sync.toHost.podDisruptionBudgets.enabled }}
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.integrations.kubeVirt.enabled }}
- apiGroups: ["subresources.kubevirt.io"]
resources: ["*"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
- apiGroups: ["pool.kubevirt.io"]
resources: ["virtualmachinepools", "virtualmachinepools/status"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
- apiGroups: ["clone.kubevirt.io"]
resources: ["virtualmachineclones", "virtualmachineclones/status"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
- apiGroups: ["cdi.kubevirt.io"]
resources: ["datavolumes", "datavolumes/status"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
- apiGroups: ["kubevirt.io"]
resources: ["virtualmachines", "virtualmachines/status", "virtualmachineinstances", "virtualmachineinstances/status", "virtualmachineinstancemigrations", "virtualmachineinstancemigrations/status"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.integrations.externalSecrets.enabled }}
- apiGroups: ["external-secrets.io"]
resources: ["externalsecrets"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- if or .Values.integrations.externalSecrets.sync.stores.enabled .Values.integrations.externalSecrets.sync.toHost.stores.enabled }}
- apiGroups: ["external-secrets.io"]
resources: ["secretstores"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- end }}
{{- if .Values.integrations.certManager.enabled }}
{{- if .Values.integrations.certManager.sync.toHost.certificates.enabled }}
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.integrations.certManager.sync.toHost.issuers.enabled }}
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- end }}
{{- if .Values.integrations.istio.enabled }}
- apiGroups: [ "networking.istio.io" ]
resources: [ "destinationrules", "gateways", "serviceentries", "virtualservices" ]
verbs: [ "create", "delete", "patch", "update", "get", "list", "watch" ]
- apiGroups: [ "gateway.networking.k8s.io" ]
resources: [ "referencegrants" ]
verbs: [ "create", "delete", "patch", "update", "get", "list", "watch" ]
{{- end }}
{{- include "vcluster.customResources.roleExtraRules" . | indent 2 }}
{{- include "vcluster.plugin.roleExtraRules" . | indent 2 }}
{{- include "vcluster.generic.roleExtraRules" . | indent 2 }}
{{- include "vcluster.rbac.roleExtraRules" . | indent 2 }}
{{- end }}
{{- end }}

41
vcluster0.28.0/templates/rolebinding.yaml Normal file
View File

@@ -0,0 +1,41 @@
{{- if .Values.rbac.role.enabled }}
{{- if .Values.sync.toHost.namespaces.enabled}}
kind: ClusterRoleBinding
{{- else -}}
kind: RoleBinding
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
{{- if .Values.sync.toHost.namespaces.enabled }}
name: {{ template "vcluster.clusterRoleNameMultinamespace" . }}
{{- else }}
name: vc-{{ .Release.Name }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.advanced.globalMetadata.annotations }}
annotations:
{{ toYaml .Values.controlPlane.advanced.globalMetadata.annotations | indent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
{{- if .Values.controlPlane.advanced.serviceAccount.name }}
name: {{ .Values.controlPlane.advanced.serviceAccount.name }}
{{- else }}
name: vc-{{ .Release.Name }}
{{- end }}
namespace: {{ .Release.Namespace }}
roleRef:
{{- if .Values.sync.toHost.namespaces.enabled }}
kind: ClusterRole
name: {{ template "vcluster.clusterRoleNameMultinamespace" . }}
{{- else }}
kind: Role
name: vc-{{ .Release.Name }}
{{- end }}
apiGroup: rbac.authorization.k8s.io
{{- end }}

95
vcluster0.28.0/templates/service-monitor.yaml Normal file
View File

@@ -0,0 +1,95 @@
{{- if .Values.controlPlane.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: vc-{{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
{{- if or (not .Values.controlPlane.serviceMonitor.labels) (not (hasKey .Values.controlPlane.serviceMonitor.labels "release")) }}
release: "{{ .Release.Name }}"
{{- end}}
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.serviceMonitor.labels }}
{{ toYaml .Values.controlPlane.serviceMonitor.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.serviceMonitor.annotations .Values.controlPlane.advanced.globalMetadata.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app: vcluster
release: "{{ .Release.Name }}"
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
heritage: "{{ .Release.Service }}"
vcluster.loft.sh/service: "true"
endpoints:
- interval: 30s
port: https
path: /metrics
scheme: https
relabelings:
- targetLabel: endpoint
replacement: "apiserver"
tlsConfig:
ca:
secret:
name: vc-{{ .Release.Name }}
key: certificate-authority
cert:
secret:
name: vc-{{ .Release.Name }}
key: client-certificate
keySecret:
name: vc-{{ .Release.Name }}
key: client-key
{{- if eq (include "vcluster.distro" .) "k8s" }}
- interval: 30s
port: https
path: /controller-manager/metrics
scheme: https
relabelings:
- targetLabel: endpoint
replacement: "controller-manager"
tlsConfig:
ca:
secret:
name: vc-{{ .Release.Name }}
key: certificate-authority
cert:
secret:
name: vc-{{ .Release.Name }}
key: client-certificate
keySecret:
name: vc-{{ .Release.Name }}
key: client-key
{{- if or
(and (eq (include "vcluster.distro" .) "k8s") .Values.controlPlane.distro.k8s.scheduler.enabled)
.Values.controlPlane.advanced.virtualScheduler.enabled
}}
- interval: 30s
port: https
path: /scheduler/metrics
scheme: https
relabelings:
- targetLabel: endpoint
replacement: "scheduler"
tlsConfig:
ca:
secret:
name: vc-{{ .Release.Name }}
key: certificate-authority
cert:
secret:
name: vc-{{ .Release.Name }}
key: client-certificate
keySecret:
name: vc-{{ .Release.Name }}
key: client-key
{{- end }}
{{- end }}
{{- end }}

63
vcluster0.28.0/templates/service.yaml Normal file
View File

@@ -0,0 +1,63 @@
{{- $platform_svc_exists := lookup "v1" "Service" .Release.Namespace "loft" }}
{{- if $platform_svc_exists }}
{{- fail (printf "a vCluster platform installation exists in the namespace '%s'. Aborting install" .Release.Namespace) }}
{{- else if .Values.controlPlane.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
vcluster.loft.sh/service: "true"
{{- if .Values.controlPlane.service.labels }}
{{ toYaml .Values.controlPlane.service.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.globalMetadata.annotations .Values.controlPlane.service.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
{{ toYaml .Values.controlPlane.service.spec | indent 2 }}
{{- if not .Values.controlPlane.service.spec.ports }}
ports:
- name: https
port: 443
{{- if not .Values.experimental.isolatedControlPlane.headless }}
targetPort: 8443
{{- end }}
nodePort: {{ .Values.controlPlane.service.httpsNodePort }}
protocol: TCP
{{- if .Values.privateNodes.enabled }}
{{- if .Values.controlPlane.advanced.konnectivity.server.enabled }}
- name: konnectivity
port: 8132
protocol: TCP
{{- end }}
{{- end }}
{{- if .Values.integrations.istio.enabled }}
- name: wake-http
port: 9090
nodePort: {{ .Values.controlPlane.service.httpsNodePort }}
protocol: TCP
{{- end }}
{{- if and .Values.networking.advanced.proxyKubelets.byHostname (not (eq .Values.controlPlane.service.spec.type "LoadBalancer")) }}
- name: kubelet
port: 10250
{{- if not .Values.experimental.isolatedControlPlane.headless }}
targetPort: 8443
{{- end }}
nodePort: {{ .Values.controlPlane.service.kubeletNodePort }}
protocol: TCP
{{- end }}
{{- end }}
{{- if and (not .Values.controlPlane.service.spec.selector) (not .Values.experimental.isolatedControlPlane.headless) }}
selector:
app: vcluster
release: {{ .Release.Name }}
{{- end }}
{{- end }}

28
vcluster0.28.0/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- if .Values.controlPlane.advanced.serviceAccount.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
{{- if .Values.controlPlane.advanced.serviceAccount.name }}
name: {{ .Values.controlPlane.advanced.serviceAccount.name | quote }}
{{- else }}
name: vc-{{ .Release.Name }}
{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.advanced.serviceAccount.labels }}
{{ toYaml .Values.controlPlane.advanced.serviceAccount.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.serviceAccount.annotations .Values.controlPlane.advanced.globalMetadata.annotations }}
{{- if $annotations }}
annotations:
{{- toYaml $annotations | nindent 4 }}
{{- end }}
{{- if .Values.controlPlane.advanced.serviceAccount.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.controlPlane.advanced.serviceAccount.imagePullSecrets | indent 2 }}
{{- end }}
{{- end }}

230
vcluster0.28.0/templates/statefulset.yaml Normal file
View File

@@ -0,0 +1,230 @@
{{- include "vcluster.exportKubeConfig.validate" . }}
{{- if not .Values.experimental.isolatedControlPlane.headless }}
apiVersion: apps/v1
kind: {{ include "vcluster.kind" . }}
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: {{ .Release.Name }}
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.statefulSet.labels }}
{{ toYaml .Values.controlPlane.statefulSet.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.statefulSet.annotations .Values.controlPlane.advanced.globalMetadata.annotations }}
{{- if $annotations }}
annotations:
{{ toYaml $annotations | indent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app: vcluster
release: {{ .Release.Name | quote }}
{{- if eq (include "vcluster.kind" .) "StatefulSet" }}
{{- if ge (int .Capabilities.KubeVersion.Minor) 27 }}
persistentVolumeClaimRetentionPolicy:
whenDeleted: {{ .Values.controlPlane.statefulSet.persistence.volumeClaim.retentionPolicy }}
{{- end }}
serviceName: {{ .Release.Name }}-headless
podManagementPolicy: {{ .Values.controlPlane.statefulSet.scheduling.podManagementPolicy }}
{{ include "vcluster.persistence" . | indent 2 }}
{{- else }}
strategy:
rollingUpdate:
maxSurge: 1
{{- if (eq (int .Values.controlPlane.statefulSet.highAvailability.replicas) 1) }}
maxUnavailable: 0
{{- else }}
maxUnavailable: 1
{{- end }}
type: RollingUpdate
{{- end }}
replicas: {{ .Values.controlPlane.statefulSet.highAvailability.replicas }}
template:
metadata:
annotations:
vClusterConfigHash: {{ include "vcluster.vClusterConfigHash" . }}
{{- if .Values.controlPlane.statefulSet.pods.annotations }}
{{ toYaml .Values.controlPlane.statefulSet.pods.annotations | indent 8 }}
{{- end }}
labels:
app: vcluster
release: {{ .Release.Name }}
{{- if .Values.controlPlane.statefulSet.pods.labels }}
{{ toYaml .Values.controlPlane.statefulSet.pods.labels | indent 8 }}
{{- end }}
spec:
terminationGracePeriodSeconds: 10
{{- if .Values.controlPlane.statefulSet.scheduling.priorityClassName }}
priorityClassName: {{ .Values.controlPlane.statefulSet.scheduling.priorityClassName }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.security.podSecurityContext }}
securityContext:
{{ toYaml .Values.controlPlane.statefulSet.security.podSecurityContext | indent 8 }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.scheduling.nodeSelector }}
nodeSelector:
{{ toYaml .Values.controlPlane.statefulSet.scheduling.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.scheduling.affinity }}
affinity:
{{ toYaml .Values.controlPlane.statefulSet.scheduling.affinity | indent 8 }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.scheduling.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.controlPlane.statefulSet.scheduling.topologySpreadConstraints | indent 8 }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.scheduling.tolerations }}
tolerations:
{{ toYaml .Values.controlPlane.statefulSet.scheduling.tolerations | indent 8 }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.scheduling.priorityClassName }}
priorityClassName: {{ .Values.controlPlane.statefulSet.scheduling.priorityClassName }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.dnsPolicy }}
dnsPolicy: {{ .Values.controlPlane.statefulSet.dnsPolicy }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.dnsConfig }}
dnsConfig:
{{ toYaml .Values.controlPlane.statefulSet.dnsConfig | indent 8 }}
{{- end }}
{{- if .Values.controlPlane.advanced.serviceAccount.name }}
serviceAccountName: {{ .Values.controlPlane.advanced.serviceAccount.name }}
{{- else }}
serviceAccountName: vc-{{ .Release.Name }}
{{- end }}
volumes:
{{- include "vcluster.plugins.volumes" . | indent 8 }}
- name: helm-cache
emptyDir: {}
{{ toYaml .Values.controlPlane.statefulSet.persistence.binariesVolume | indent 8 }}
- name: tmp
emptyDir: {}
- name: certs
emptyDir: {}
{{- if eq (include "vcluster.distro" .) "k3s" }}
- name: k3s-config
emptyDir: {}
{{- end }}
- name: vcluster-config
secret:
secretName: vc-config-{{ .Release.Name }}
{{- if .Values.controlPlane.statefulSet.persistence.dataVolume }}
{{ toYaml .Values.controlPlane.statefulSet.persistence.dataVolume | indent 8 }}
{{- else if not (include "vcluster.persistence.volumeClaim.enabled" .) }}
- name: data
emptyDir: {}
{{- end }}
{{- if .Values.controlPlane.statefulSet.persistence.addVolumes }}
{{ tpl (toYaml .Values.controlPlane.statefulSet.persistence.addVolumes) $ | indent 8 }}
{{- end }}
{{- if (not .Values.experimental.syncSettings.disableSync) }}
initContainers:
{{ include "vcluster.initContainers" . | indent 8 }}
{{- end }}
enableServiceLinks: {{ .Values.controlPlane.statefulSet.enableServiceLinks }}
containers:
- name: syncer
image: {{ include "vcluster.controlPlane.image" . | quote }}
imagePullPolicy: {{ .Values.controlPlane.statefulSet.imagePullPolicy }}
{{- if .Values.controlPlane.statefulSet.workingDir }}
workingDir: {{ .Values.controlPlane.statefulSet.workingDir }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.command }}
command:
{{ toYaml .Values.controlPlane.statefulSet.command | indent 12 }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.args }}
args:
{{ toYaml .Values.controlPlane.statefulSet.args | indent 12 }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.probes.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: {{ .Values.controlPlane.statefulSet.probes.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controlPlane.statefulSet.probes.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controlPlane.statefulSet.probes.livenessProbe.timeoutSeconds }}
failureThreshold: {{ .Values.controlPlane.statefulSet.probes.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.probes.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /readyz
port: 8443
scheme: HTTPS
periodSeconds: {{ .Values.controlPlane.statefulSet.probes.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controlPlane.statefulSet.probes.readinessProbe.timeoutSeconds }}
failureThreshold: {{ .Values.controlPlane.statefulSet.probes.readinessProbe.failureThreshold }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.probes.startupProbe.enabled }}
startupProbe:
httpGet:
path: /readyz
port: 8443
scheme: HTTPS
periodSeconds: {{ .Values.controlPlane.statefulSet.probes.startupProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controlPlane.statefulSet.probes.startupProbe.timeoutSeconds }}
failureThreshold: {{ .Values.controlPlane.statefulSet.probes.startupProbe.failureThreshold }}
{{- end }}
{{- if .Values.controlPlane.statefulSet.security.containerSecurityContext }}
securityContext:
{{ toYaml .Values.controlPlane.statefulSet.security.containerSecurityContext | indent 12 }}
{{- end }}
resources:
{{ toYaml .Values.controlPlane.statefulSet.resources | indent 12 }}
env:
- name: VCLUSTER_NAME
value: "{{ .Release.Name }}"
{{- if .Values.logging }}
- name: LOFT_LOG_ENCODING
value: {{ default "console" .Values.logging.encoding }}
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if .Values.controlPlane.statefulSet.env }}
{{ toYaml .Values.controlPlane.statefulSet.env | indent 12 }}
{{- end }}
{{ include "vcluster.distro.env" . | indent 12 }}
volumeMounts:
{{- include "vcluster.plugins.volumeMounts" . | indent 12 }}
- name: data
mountPath: /data
- name: binaries
mountPath: /binaries
- name: certs
mountPath: /pki
- name: helm-cache
mountPath: /.cache/helm
{{- if eq (include "vcluster.distro" .) "k3s" }}
- name: k3s-config
mountPath: /etc/rancher
{{- end }}
- name: vcluster-config
mountPath: /var/lib/vcluster
- name: tmp
mountPath: /tmp
{{- if .Values.controlPlane.statefulSet.persistence.addVolumeMounts }}
{{ toYaml .Values.controlPlane.statefulSet.persistence.addVolumeMounts | indent 12 }}
{{- end }}
{{- include "vcluster.legacyPlugins.containers" . | indent 8 }}
{{- end }}

29
vcluster0.28.0/templates/workload-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- if .Values.controlPlane.advanced.workloadServiceAccount.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
{{- if .Values.controlPlane.advanced.workloadServiceAccount.name }}
name: {{ .Values.controlPlane.advanced.workloadServiceAccount.name | quote }}
{{- else }}
name: vc-workload-{{ .Release.Name }}
{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: vcluster
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.advanced.workloadServiceAccount.labels }}
{{ toYaml .Values.controlPlane.advanced.workloadServiceAccount.labels | indent 4 }}
{{- end }}
{{- $annotations := merge dict .Values.controlPlane.advanced.workloadServiceAccount.annotations .Values.controlPlane.advanced.globalMetadata.annotations }}
{{- if $annotations }}
annotations:
{{- toYaml $annotations | nindent 4 }}
{{- end }}
{{- $pullSecrets := concat .Values.controlPlane.advanced.serviceAccount.imagePullSecrets .Values.controlPlane.advanced.workloadServiceAccount.imagePullSecrets }}
{{- if $pullSecrets }}
imagePullSecrets:
{{ toYaml $pullSecrets | indent 2 }}
{{- end }}
{{- end }}

14
vcluster0.28.0/tests/README.md Normal file
View File

@@ -0,0 +1,14 @@
Add [unittest plugin](https://github.com/helm-unittest/helm-unittest) via:
```
helm plugin install https://github.com/helm-unittest/helm-unittest.git
```
Run tests via:
```
helm unittest chart
```
To update the `values.schema.json` run:
```
go run hack/schema/main.go
```

780
vcluster0.28.0/tests/clusterrole_test.yaml Normal file
View File

@@ -0,0 +1,780 @@
suite: ClusterRoleBinding
templates:
- clusterrole.yaml
tests:
- it: disable by default
asserts:
- hasDocuments:
count: 0
- it: force enable
set:
rbac:
clusterRole:
enabled: true
asserts:
- hasDocuments:
count: 1
- it: force disable
set:
rbac:
clusterRole:
enabled: false
extraRules:
- apiGroups: [""]
resources: ["test123"]
verbs: ["test123"]
overwriteRules:
- apiGroups: [""]
resources: ["test"]
verbs: ["test"]
asserts:
- hasDocuments:
count: 0
- it: enable isolated control plane
set:
experimental:
isolatedControlPlane:
enabled: true
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "nodes" ]
verbs: [ "get", "watch", "list" ]
- it: enable scheduler (k8s distro explicitly enabled)
set:
controlPlane:
distro:
k8s:
enabled: true
scheduler:
enabled: true
asserts:
- hasDocuments:
count: 1
- contains:
path: rules
content:
apiGroups: [ "storage.k8s.io" ]
resources: [ "storageclasses", "csinodes", "csidrivers", "csistoragecapacities" ]
verbs: [ "get", "watch", "list" ]
- it: enable scheduler (k8s distro implicitly enabled)
set:
controlPlane:
distro:
k8s:
scheduler:
enabled: true
asserts:
- hasDocuments:
count: 1
- contains:
path: rules
content:
apiGroups: [ "storage.k8s.io" ]
resources: [ "storageclasses", "csinodes", "csidrivers", "csistoragecapacities" ]
verbs: [ "get", "watch", "list" ]
- it: enable scheduler (deprecated)
set:
controlPlane:
advanced:
virtualScheduler:
enabled: true
asserts:
- hasDocuments:
count: 1
- contains:
path: rules
content:
apiGroups: [ "storage.k8s.io" ]
resources: [ "storageclasses", "csinodes", "csidrivers", "csistoragecapacities" ]
verbs: [ "get", "watch", "list" ]
- it: scheduler not enabled for k3s
set:
controlPlane:
distro:
k3s:
enabled: true
k8s:
scheduler:
enabled: true
asserts:
- hasDocuments:
count: 0
- it: enable hybrid scheduling
set:
sync:
toHost:
pods:
hybridScheduling:
enabled: true
asserts:
- hasDocuments:
count: 1
- contains:
path: rules
content:
apiGroups: [ "storage.k8s.io" ]
resources: [ "storageclasses", "csinodes", "csidrivers", "csistoragecapacities" ]
verbs: [ "get", "watch", "list" ]
- it: enable csinodes
set:
sync:
fromHost:
csiNodes:
enabled: true
asserts:
- hasDocuments:
count: 1
- contains:
path: rules
content:
apiGroups: [ "storage.k8s.io" ]
resources: [ "csinodes" ]
verbs: [ "get", "watch", "list" ]
- it: enable by multi namespace mode
set:
rbac:
clusterRole:
enabled: auto
sync:
toHost:
namespaces:
enabled: true
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "namespaces", "serviceaccounts"]
verbs: [ "create", "delete", "patch", "update", "get", "watch", "list" ]
- it: override rules
set:
rbac:
clusterRole:
extraRules:
- apiGroups: [""]
resources: ["test123"]
verbs: ["test123"]
overwriteRules:
- apiGroups: [""]
resources: ["test"]
verbs: ["test"]
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "test" ]
verbs: [ "test" ]
- it: extra rules
set:
sync:
toHost:
priorityClasses:
enabled: true
rbac:
clusterRole:
extraRules:
- apiGroups: [ "" ]
resources: [ "test123" ]
verbs: [ "test123" ]
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 2
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "test123" ]
verbs: [ "test123" ]
- it: plugin rules
set:
plugin:
myTest:
rbac:
clusterRole:
extraRules:
- apiGroups: [ "" ]
resources: [ "test123" ]
verbs: [ "test123" ]
plugins:
myTest2:
rbac:
clusterRole:
extraRules:
- apiGroups: [ "" ]
resources: [ "test1234" ]
verbs: [ "test1234" ]
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 2
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "test123" ]
verbs: [ "test123" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "test1234" ]
verbs: [ "test1234" ]
- it: replicate services
set:
networking:
replicateServices:
fromHost:
- from: test
to: other-test
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "services", "endpoints" ]
verbs: [ "get", "watch", "list" ]
- it: real nodes
set:
sync:
fromHost:
nodes:
enabled: true
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "pods", "nodes", "nodes/status", "nodes/metrics", "nodes/stats", "nodes/proxy" ]
verbs: [ "get", "watch", "list" ]
- it: virtual scheduler
set:
controlPlane:
advanced:
virtualScheduler:
enabled: true
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
content:
apiGroups: ["storage.k8s.io"]
resources: ["storageclasses", "csinodes", "csidrivers", "csistoragecapacities"]
verbs: ["get", "watch", "list"]
- it: legacy pro
set:
pro: true
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 3
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "pods", "nodes", "nodes/status", "nodes/metrics", "nodes/stats", "nodes/proxy" ]
verbs: [ "get", "watch", "list" ]
- contains:
path: rules
content:
apiGroups: [ "cluster.loft.sh", "storage.loft.sh" ]
resources: [ "features", "virtualclusters" ]
verbs: [ "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: ["management.loft.sh"]
resources: ["virtualclusterinstances"]
verbs: ["get"]
- it: metrics proxy
set:
integrations:
metricsServer:
enabled: true
nodes: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- contains:
path: rules
content:
apiGroups: [ "metrics.k8s.io" ]
resources: [ "nodes" ]
verbs: [ "get", "list" ]
- it: externalSecrets
set:
integrations:
externalSecrets:
enabled: true
webhook:
enabled: false
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
content:
apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- it: kubeVirt
set:
integrations:
kubeVirt:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 2
- contains:
path: rules
content:
apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch"]
- it: certManger enabled
set:
integrations:
certManager:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 2
- contains:
path: rules
content:
apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
- it: crd sync to host
set:
sync:
toHost:
customResources:
test.test-group:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
content:
apiGroups: [ "apiextensions.k8s.io" ]
resources: [ "customresourcedefinitions" ]
verbs: [ "get", "list", "watch" ]
- it: crd sync from host
set:
sync:
fromHost:
customResources:
test.test-group:
enabled: true
scope: Cluster
test.test-versioned-group/v1alpha1:
enabled: true
scope: Cluster
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 3
- contains:
path: rules
content:
apiGroups: [ "test-group" ]
resources: [ "test" ]
verbs: [ "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "test-versioned-group" ]
resources: [ "test" ]
verbs: [ "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "apiextensions.k8s.io" ]
resources: [ "customresourcedefinitions" ]
verbs: [ "get", "list", "watch" ]
- it: eso clusterstore sync
set:
integrations:
externalSecrets:
enabled: true
webhook:
enabled: true
sync:
clusterStores:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- contains:
path: rules
content:
apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: [ "external-secrets.io" ]
resources: [ "clustersecretstores" ]
verbs: ["get", "list", "watch"]
- it: fromHost sync configmaps disabled
set:
sync:
fromHost:
configMaps:
enabled: false
asserts:
- hasDocuments:
count: 0
- it: fromHost sync configmaps enabled with wildcard namespace
set:
sync:
fromHost:
configMaps:
enabled: true
mappings:
byName:
"": "my-ns/*"
my-ns/*: "my-ns-2/*"
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 3
- contains:
path: rules
content:
apiGroups: [ "" ]
resourceNames: ["NAMESPACE", "my-ns"]
resources: [ "namespaces" ]
verbs: [ "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: [ "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: [ "get" ]
- it: fromHost sync configmaps enabled with wildcard name
set:
sync:
fromHost:
configMaps:
enabled: true
mappings:
byName:
"my-ns/*": "my-ns-4/*"
my-ns-2/*: "my-ns-3/*"
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 3
- contains:
path: rules
content:
apiGroups: [ "" ]
resourceNames: ["my-ns", "my-ns-2"]
resources: [ "namespaces" ]
verbs: [ "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: [ "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: [ "get" ]
- it: fromHost sync configmaps enabled without wildcards
set:
sync:
fromHost:
configMaps:
enabled: true
mappings:
byName:
"my-ns/my-cm": "my-ns-2/my-cm-2"
my-ns-3/my-cm-2: "my-ns-4/my-cm4"
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 3
- contains:
path: rules
content:
apiGroups: [ "" ]
resourceNames: [ "my-ns", "my-ns-3" ]
resources: [ "namespaces" ]
verbs: [ "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "configmaps" ]
verbs: [ "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resourceNames: [ "my-cm", "my-cm-2" ]
resources: [ "configmaps" ]
verbs: [ "get"]
- it: fromHost sync secrets disabled
set:
sync:
fromHost:
secrets:
enabled: false
asserts:
- hasDocuments:
count: 0
- it: fromHost sync secrets enabled with wildcard namespace
set:
sync:
fromHost:
secrets:
enabled: true
mappings:
byName:
"": "my-ns/*"
my-ns/*: "my-ns-2/*"
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 3
- contains:
path: rules
content:
apiGroups: [ "" ]
resourceNames: ["NAMESPACE", "my-ns"]
resources: [ "namespaces" ]
verbs: [ "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "get"]
- it: fromHost sync secrets enabled with wildcard name
set:
sync:
fromHost:
secrets:
enabled: true
mappings:
byName:
"my-ns/*": "my-ns-4/*"
my-ns-2/*: "my-ns-3/*"
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 3
- contains:
path: rules
content:
apiGroups: [ "" ]
resourceNames: ["my-ns", "my-ns-2"]
resources: [ "namespaces" ]
verbs: [ "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "get" ]
- it: fromHost sync secrets enabled without wildcards
set:
sync:
fromHost:
secrets:
enabled: true
mappings:
byName:
"my-ns/my-secret": "my-ns-2/my-secret-2"
my-ns-3/my-secret-2: "my-ns-4/my-secret-4"
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 3
- contains:
path: rules
content:
apiGroups: [ "" ]
resourceNames: [ "my-ns", "my-ns-3" ]
resources: [ "namespaces" ]
verbs: [ "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "" ]
resourceNames: [ "my-secret", "my-secret-2" ]
resources: [ "secrets" ]
verbs: [ "get" ]
- it: istio enabled
set:
integrations:
istio:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
content:
apiGroups: [ "apiextensions.k8s.io" ]
resources: [ "customresourcedefinitions" ]
verbs: [ "get", "list", "watch" ]

142
vcluster0.28.0/tests/clusterrolebinding_test.yaml Normal file
View File

@@ -0,0 +1,142 @@
suite: ClusterRoleBinding
templates:
- clusterrolebinding.yaml
tests:
- it: disable by default
asserts:
- hasDocuments:
count: 0
- it: enable by multi namespace mode
set:
sync:
toHost:
namespaces:
enabled: true
asserts:
- hasDocuments:
count: 1
- it: enable by from syncer
set:
sync:
fromHost:
ingressClasses:
enabled: true
asserts:
- hasDocuments:
count: 1
- it: enable by generic sync
set:
experimental:
genericSync:
clusterRole:
extraRules:
- apiGroups: [""]
resources: ["test"]
verbs: ["test"]
asserts:
- hasDocuments:
count: 1
- it: enable by plugins
set:
plugins:
test:
rbac:
clusterRole:
extraRules:
- apiGroups: [""]
resources: ["test"]
verbs: ["test"]
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- it: enable by plugin
set:
plugin:
test:
rbac:
clusterRole:
extraRules:
- apiGroups: [""]
resources: ["test"]
verbs: ["test"]
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- it: enable by legacy api key
set:
pro: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: ClusterRoleBinding
- equal:
path: metadata.name
value: vc-my-release-v-my-namespace
- notExists:
path: metadata.namespace
- it: enable by extra rules
set:
rbac:
clusterRole:
extraRules:
- apiGroups: [""]
resources: ["test"]
verbs: ["test"]
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: ClusterRoleBinding
- equal:
path: metadata.name
value: vc-my-release-v-my-namespace
- notExists:
path: metadata.namespace
- it: enable by overwrite rules
set:
rbac:
clusterRole:
overwriteRules:
- apiGroups: [""]
resources: ["test"]
verbs: ["test"]
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: ClusterRoleBinding
- equal:
path: metadata.name
value: vc-my-release-v-my-namespace
- notExists:
path: metadata.namespace

96
vcluster0.28.0/tests/etcd-headless-service_test.yaml Normal file
View File

@@ -0,0 +1,96 @@
suite: External etcd headless Service
templates:
- etcd-headless-service.yaml
tests:
- it: check disabled
asserts:
- hasDocuments:
count: 0
- it: enable for k3s & defaults
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
headlessService:
annotations:
test: test
distro:
k3s:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: my-release-etcd-headless
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: metadata.annotations.test
value: test
- it: enable for k8s & defaults
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
headlessService:
annotations:
test: test
distro:
k8s:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: my-release-etcd-headless
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: metadata.annotations.test
value: test
- it: enable for k8s & defaults
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
headlessService:
annotations:
test: test
distro:
k8s:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: my-release-etcd-headless
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: metadata.annotations.test
value: test

38
vcluster0.28.0/tests/etcd-service_test.yaml Normal file
View File

@@ -0,0 +1,38 @@
suite: External etcd Service
templates:
- etcd-service.yaml
tests:
- it: check disabled
asserts:
- hasDocuments:
count: 0
- it: enable for k8s & defaults
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
service:
annotations:
test: test
distro:
k8s:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: my-release-etcd
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: metadata.annotations.test
value: test

207
vcluster0.28.0/tests/etcd-statefulset_test.yaml Normal file
View File

@@ -0,0 +1,207 @@
suite: External etcd StatefulSet
templates:
- etcd-statefulset.yaml
tests:
- it: check disabled
asserts:
- hasDocuments:
count: 0
- it: check disabled for external etcd
set:
controlPlane:
backingStore:
etcd:
external:
enabled: true
asserts:
- hasDocuments:
count: 0
- it: check disabled headless
set:
controlPlane:
distro:
k8s:
enabled: true
experimental:
isolatedControlPlane:
headless: true
asserts:
- hasDocuments:
count: 0
- it: check default image registry
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
statefulSet:
image:
tag: "123"
advanced:
defaultImageRegistry: fabi.com
asserts:
- hasDocuments:
count: 1
- equal:
path: spec.template.spec.containers[0].image
value: fabi.com/etcd:123
- it: disables serviceLinks for backingStore etcd pod
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
statefulSet:
enabled: true
enableServiceLinks: false
asserts:
- hasDocuments:
count: 1
- equal:
path: spec.template.spec.enableServiceLinks
value: false
- it: change image registry
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
statefulSet:
image:
registry: fabi.com
tag: "123"
asserts:
- hasDocuments:
count: 1
- equal:
path: spec.template.spec.containers[0].image
value: fabi.com/etcd:123
- it: check specified storage class is used
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
statefulSet:
persistence:
volumeClaim:
storageClass: test-sc
asserts:
- hasDocuments:
count: 1
- equal:
path: spec.volumeClaimTemplates[0].spec.storageClassName
value: test-sc
- it: enabled for k3s & non persistent
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
statefulSet:
extraArgs:
- "extra-arg"
env:
- name: my-new-env
persistence:
volumeClaim:
enabled: false
addVolumes:
- name: my-new-volume
addVolumeMounts:
- name: my-new-volume
asserts:
- hasDocuments:
count: 1
- contains:
path: spec.template.spec.volumes
content:
name: "data"
emptyDir: {}
count: 1
- notExists:
path: spec.volumeClaimTemplates
- contains:
path: spec.template.spec.volumes
content:
name: "my-new-volume"
count: 1
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: "my-new-volume"
count: 1
- contains:
path: spec.template.spec.containers[0].env
content:
name: "my-new-env"
count: 1
- contains:
path: spec.template.spec.containers[0].command
content: "extra-arg"
count: 1
- it: enable for k8s & defaults
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
statefulSet:
highAvailability:
replicas: 3
annotations:
test: test
distro:
k8s:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: my-release-etcd
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: metadata.annotations.test
value: test
- equal:
path: spec.replicas
value: 3
- lengthEqual:
path: spec.volumeClaimTemplates
count: 1
- lengthEqual:
path: spec.template.spec.volumes
count: 1
- lengthEqual:
path: spec.template.spec.containers[0].volumeMounts
count: 2
- lengthEqual:
path: spec.template.spec.containers[0].env
count: 1
- notExists:
path: spec.template.spec.containers[0].args
- contains:
path: spec.template.spec.containers[0].command
content: "--initial-cluster=my-release-etcd-0=https://my-release-etcd-0.my-release-etcd-headless.my-namespace:2380,my-release-etcd-1=https://my-release-etcd-1.my-release-etcd-headless.my-namespace:2380,my-release-etcd-2=https://my-release-etcd-2.my-release-etcd-headless.my-namespace:2380"
count: 1

97
vcluster0.28.0/tests/headless-service_test.yaml Normal file
View File

@@ -0,0 +1,97 @@
suite: ControlPlane StatefulSet
templates:
- headless-service.yaml
tests:
- it: should not create control-plane
set:
experimental:
isolatedControlPlane:
headless: true
asserts:
- hasDocuments:
count: 0
- it: should create if k8s
set:
controlPlane:
distro:
k8s:
enabled: true
asserts:
- hasDocuments:
count: 1
- it: should not create if stateless
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
asserts:
- hasDocuments:
count: 0
- it: should not create if stateless 2
set:
controlPlane:
backingStore:
database:
external:
enabled: true
asserts:
- hasDocuments:
count: 0
- it: name
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.ports
count: 1
- equal:
path: metadata.name
value: my-release-headless
- equal:
path: metadata.namespace
value: my-namespace
- it: embedded-etcd
set:
controlPlane:
backingStore:
etcd:
embedded:
enabled: true
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.ports
count: 3
- equal:
path: spec.ports[1].name
value: etcd
- equal:
path: spec.ports[2].name
value: peer
- it: embedded-database
set:
controlPlane:
backingStore:
database:
embedded:
enabled: true
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.ports
count: 1

84
vcluster0.28.0/tests/ingress_test.yaml Normal file
View File

@@ -0,0 +1,84 @@
suite: ControlPlane Ingress
templates:
- ingress.yaml
tests:
- it: should not create ingress by default
asserts:
- hasDocuments:
count: 0
- it: ingress defaults
set:
controlPlane:
ingress:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: my-release
- equal:
path: metadata.namespace
value: my-namespace
- it: overwrite ingress tls
set:
controlPlane:
ingress:
enabled: true
host: my-host
spec:
tls:
- hosts:
- ingress-demo.example.com
secretName: ingress-demo-tls
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.tls
count: 1
- equal:
path: spec.rules[0].host
value: my-host
- contains:
path: spec.tls
count: 1
content:
hosts:
- ingress-demo.example.com
secretName: ingress-demo-tls
- it: template ingress spec
set:
controlPlane:
ingress:
enabled: true
host: my-host
spec:
tls:
- hosts:
- ingress-demo.example.com
secretName: '{{ .Release.Name }}-ingress-demo-tls'
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.tls
count: 1
- equal:
path: spec.rules[0].host
value: my-host
- contains:
path: spec.tls
count: 1
content:
hosts:
- ingress-demo.example.com
secretName: RELEASE-NAME-ingress-demo-tls

94
vcluster0.28.0/tests/limitrange_test.yaml Normal file
View File

@@ -0,0 +1,94 @@
suite: LimitRange
templates:
- limitrange.yaml
tests:
- it: should not create limit range by default
asserts:
- hasDocuments:
count: 0
- it: check defaults
release:
name: my-release
namespace: my-namespace
set:
policies:
limitRange:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: vc-my-release
- equal:
path: metadata.namespace
value: my-namespace
- lengthEqual:
path: spec.limits
count: 1
- it: check enabled
release:
name: my-release
namespace: my-namespace
set:
policies:
resourceQuota:
enabled: true
asserts:
- hasDocuments:
count: 1
- it: check disabled
release:
name: my-release
namespace: my-namespace
set:
policies:
resourceQuota:
enabled: true
limitRange:
enabled: false
asserts:
- hasDocuments:
count: 0
- it: check disabled both false
release:
name: my-release
namespace: my-namespace
set:
policies:
resourceQuota:
enabled: false
limitRange:
enabled: false
asserts:
- hasDocuments:
count: 0
- it: check disabled both false
release:
name: my-release
namespace: my-namespace
set:
policies:
limitRange:
enabled: true
min:
cpu: 1
max:
memory: 256Mi
asserts:
- hasDocuments:
count: 1
- equal:
path: spec.limits[0].min.cpu
value: "1"
- equal:
path: spec.limits[0].max.memory
value: "256Mi"

94
vcluster0.28.0/tests/manifests_test.yaml Normal file
View File

@@ -0,0 +1,94 @@
suite: Manifests
templates:
- manifests.yaml
tests:
- it: should not create manifests by default
asserts:
- hasDocuments:
count: 0
- it: check defaults
release:
name: my-release
namespace: my-namespace
set:
experimental:
deploy:
vcluster:
manifests: |-
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
app: nginx
spec:
containers:
- image: nginx
name: nginx
asserts:
- hasDocuments:
count: 0
- it: check defaults
release:
name: my-release
namespace: my-namespace
set:
experimental:
deploy:
host:
manifests: |-
apiVersion: v1
kind: Pod
metadata:
name: nginx
labels:
app: nginx
spec:
containers:
- image: nginx
name: nginx
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Pod
- equal:
path: spec.containers[0].name
value: nginx
- it: check defaults
release:
name: my-release
namespace: my-namespace
set:
experimental:
deploy:
host:
manifestsTemplate: |-
apiVersion: v1
kind: Pod
metadata:
name: nginx
namespace: {{ .Release.Namespace }}
labels:
app: nginx
spec:
containers:
- image: nginx
name: nginx
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Pod
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: spec.containers[0].name
value: nginx

123
vcluster0.28.0/tests/networkpolicy_test.yaml Normal file
View File

@@ -0,0 +1,123 @@
suite: NetworkPolicy
templates:
- networkpolicy.yaml
tests:
- it: should not create network policy by default
asserts:
- hasDocuments:
count: 0
- it: check defaults
release:
name: my-release
namespace: my-namespace
set:
policies:
networkPolicy:
enabled: true
asserts:
- hasDocuments:
count: 2
- documentIndex: 0
equal:
path: metadata.name
value: vc-work-my-release
- documentIndex: 0
equal:
path: spec.egress[2].to[1].ipBlock.cidr
value: 0.0.0.0/0
- documentIndex: 1
equal:
path: metadata.name
value: vc-cp-my-release
- documentIndex: 0
equal:
path: metadata.namespace
value: my-namespace
- documentIndex: 1
equal:
path: metadata.namespace
value: my-namespace
- documentIndex: 0
lengthEqual:
path: spec.egress
count: 3
- documentIndex: 1
lengthEqual:
path: spec.egress
count: 2
- it: check extra control plane rules
release:
name: my-release
namespace: my-namespace
set:
policies:
networkPolicy:
enabled: true
extraControlPlaneRules:
- ports:
- port: 443
- port: 8443
- port: 6443
asserts:
- hasDocuments:
count: 2
- documentIndex: 0
lengthEqual:
path: spec.egress
count: 3
- documentIndex: 1
lengthEqual:
path: spec.egress
count: 3
- documentIndex: 1
equal:
path: spec.egress[2].ports[0].port
value: 443
- documentIndex: 1
equal:
path: spec.egress[2].ports[1].port
value: 8443
- documentIndex: 1
equal:
path: spec.egress[2].ports[2].port
value: 6443
- it: check extra workload rules
release:
name: my-release
namespace: my-namespace
set:
policies:
networkPolicy:
enabled: true
extraWorkloadRules:
- ports:
- port: 443
- port: 8443
- port: 6443
asserts:
- hasDocuments:
count: 2
- documentIndex: 0
lengthEqual:
path: spec.egress
count: 4
- documentIndex: 1
lengthEqual:
path: spec.egress
count: 2
- documentIndex: 0
equal:
path: spec.egress[3].ports[0].port
value: 443
- documentIndex: 0
equal:
path: spec.egress[3].ports[1].port
value: 8443
- documentIndex: 0
equal:
path: spec.egress[3].ports[2].port
value: 6443

118
vcluster0.28.0/tests/platform-secret-role_test.yaml Normal file
View File

@@ -0,0 +1,118 @@
suite: Platform Secret Role
templates:
- platform-rbac.yaml
tests:
- it: check explicitly disabled
set:
external:
platform:
apiKey:
namespace: "some-other-namespace"
createRBAC: false
asserts:
- hasDocuments:
count: 0
- it: check disabled on empty namespace
set:
external:
platform:
apiKey:
namespace: ""
asserts:
- hasDocuments:
count: 0
- it: check disabled on implicit same namespace
set:
external:
platform:
apiKey:
secretName: "some-other-secret"
asserts:
- hasDocuments:
count: 0
- it: automatically create role for specific secret for reading & patching
release:
namespace: test
set:
external:
platform:
apiKey:
secretName: "my-secret-name"
namespace: "some-other-namespace"
asserts:
- hasDocuments:
count: 2
- documentIndex: 0
lengthEqual:
path: rules
count: 1
- documentIndex: 0
equal:
path: metadata.name
value: "vc-RELEASE-NAME-v-test-platform-role"
- documentIndex: 1
equal:
path: metadata.name
value: "vc-RELEASE-NAME-v-test-platform-role-binding"
- documentIndex: 0
contains:
path: rules
count: 1
content:
apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames: ["my-secret-name"]
- documentIndex: 1
contains:
path: subjects
count: 1
content:
kind: ServiceAccount
name: vc-RELEASE-NAME
namespace: test
- it: automatically create role for default secret for reading & patching
release:
namespace: test
set:
external:
platform:
apiKey:
namespace: "some-other-namespace"
asserts:
- hasDocuments:
count: 2
- documentIndex: 0
lengthEqual:
path: rules
count: 1
- documentIndex: 0
equal:
path: metadata.name
value: "vc-RELEASE-NAME-v-test-platform-role"
- documentIndex: 1
equal:
path: metadata.name
value: "vc-RELEASE-NAME-v-test-platform-role-binding"
- documentIndex: 0
contains:
path: rules
count: 1
content:
apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames: ["vcluster-platform-api-key"]
- documentIndex: 1
contains:
path: subjects
count: 1
content:
kind: ServiceAccount
name: vc-RELEASE-NAME
namespace: test

70
vcluster0.28.0/tests/resourcequota_test.yaml Normal file
View File

@@ -0,0 +1,70 @@
suite: ResourceQuota
templates:
- resourcequota.yaml
tests:
- it: should not create resource quota by default
asserts:
- hasDocuments:
count: 0
- it: check defaults
release:
name: my-release
namespace: my-namespace
set:
policies:
resourceQuota:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: vc-my-release
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: spec.hard["requests.cpu"]
value: "10"
- it: check enabled
release:
name: my-release
namespace: my-namespace
set:
policies:
limitRange:
enabled: true
asserts:
- hasDocuments:
count: 1
- it: check disabled
release:
name: my-release
namespace: my-namespace
set:
policies:
resourceQuota:
enabled: false
limitRange:
enabled: true
asserts:
- hasDocuments:
count: 0
- it: check disabled both false
release:
name: my-release
namespace: my-namespace
set:
policies:
resourceQuota:
enabled: false
limitRange:
enabled: false
asserts:
- hasDocuments:
count: 0

457
vcluster0.28.0/tests/role_test.yaml Normal file
View File

@@ -0,0 +1,457 @@
suite: Role
templates:
- role.yaml
tests:
- it: check disabled
set:
rbac:
role:
enabled: false
asserts:
- hasDocuments:
count: 0
- it: check overwrite rules
set:
rbac:
role:
overwriteRules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 1
- contains:
path: rules
count: 1
content:
apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
- it: check plugin extra rules
set:
plugin:
test123:
rbac:
role:
extraRules:
- apiGroups: [""]
resources: ["test123"]
verbs: ["test123"]
plugins:
test:
rbac:
role:
extraRules:
- apiGroups: [""]
resources: ["test"]
verbs: ["test"]
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 7
- contains:
path: rules
count: 1
content:
apiGroups: [""]
resources: ["test123"]
verbs: ["test123"]
- contains:
path: rules
count: 1
content:
apiGroups: [""]
resources: ["test"]
verbs: ["test"]
- it: check generic sync
set:
experimental:
genericSync:
role:
extraRules:
- apiGroups: [""]
resources: ["test"]
verbs: ["test"]
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 6
- contains:
path: rules
count: 1
content:
apiGroups: [""]
resources: ["test"]
verbs: ["test"]
- it: check extra rules
set:
rbac:
role:
extraRules:
- apiGroups: [""]
resources: ["test"]
verbs: ["test"]
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: rules
count: 6
- contains:
path: rules
count: 1
content:
apiGroups: [""]
resources: ["test"]
verbs: ["test"]
- it: check defaults
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Role
- equal:
path: metadata.name
value: vc-my-release
- equal:
path: metadata.namespace
value: my-namespace
- it: multi-namespace mode
set:
sync:
toHost:
namespaces:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: ClusterRole
- equal:
path: metadata.name
value: vc-mn-my-release-v-my-namespace
- it: metrics proxy
set:
integrations:
metricsServer:
enabled: true
pods: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Role
- contains:
path: rules
content:
apiGroups: ["metrics.k8s.io"]
resources: ["pods"]
verbs: ["get", "list"]
- it: external secret test
set:
integrations:
externalSecrets:
enabled: true
sync:
externalSecrets:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Role
- contains:
path: rules
content:
apiGroups: ["external-secrets.io"]
resources: ["externalsecrets"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- it: certManager enabled
set:
integrations:
certManager:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Role
- contains:
path: rules
content:
apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- it: external secret test store sync
set:
integrations:
externalSecrets:
enabled: true
sync:
externalSecrets:
enabled: true
stores:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Role
- contains:
path: rules
content:
apiGroups: ["external-secrets.io"]
resources: ["secretstores"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- it: kubeVirt test
set:
integrations:
kubeVirt:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Role
- contains:
path: rules
content:
apiGroups: ["kubevirt.io"]
resources:
[
"virtualmachines",
"virtualmachines/status",
"virtualmachineinstances",
"virtualmachineinstances/status",
"virtualmachineinstancemigrations",
"virtualmachineinstancemigrations/status",
]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: ["cdi.kubevirt.io"]
resources: ["datavolumes", "datavolumes/status"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: ["clone.kubevirt.io"]
resources: ["virtualmachineclones", "virtualmachineclones/status"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: ["pool.kubevirt.io"]
resources: ["virtualmachinepools", "virtualmachinepools/status"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- it: crd sync
set:
sync:
toHost:
customResources:
test.my-group:
enabled: false
test.my-group-2:
enabled: true
tests.my-group-3.com:
enabled: true
tests.my-versioned-group-1/v1alpha1:
enabled: true
tests.my-versioned-group-2.com/v1beta1:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Role
- lengthEqual:
path: rules
count: 9
- contains:
path: rules
content:
apiGroups: ["my-group-2"]
resources: ["test"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: ["my-group-3.com"]
resources: ["tests"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: [ "my-versioned-group-1" ]
resources: [ "tests" ]
verbs:
[ "create", "delete", "patch", "update", "get", "list", "watch" ]
- contains:
path: rules
content:
apiGroups: [ "my-versioned-group-2.com" ]
resources: [ "tests" ]
verbs:
[ "create", "delete", "patch", "update", "get", "list", "watch" ]
- it: patches
set:
sync:
toHost:
customResources:
test.my-group-2:
enabled: true
patches:
- path: "test"
expression: "test"
release:
name: my-release
namespace: my-namespace
asserts:
- notFailedTemplate: {}
- it: patches 2
set:
sync:
toHost:
customResources:
test.my-group-2:
enabled: true
patches:
- path: "test"
reference:
apiVersion: "v1"
kind: "Secret"
release:
name: my-release
namespace: my-namespace
asserts:
- notFailedTemplate: {}
- it: istio integration
set:
integrations:
istio:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Role
- contains:
path: rules
content:
apiGroups: ["networking.istio.io"]
resources: ["destinationrules", "gateways", "serviceentries", "virtualservices"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: ["gateway.networking.k8s.io"]
resources: ["referencegrants"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- it: private nodes
set:
privateNodes:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: Role
- contains:
path: rules
content:
apiGroups: [""]
resources: ["services", "pods", "persistentvolumeclaims"]
verbs:
["get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]
- contains:
path: rules
content:
apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs:
["create", "delete", "patch", "update", "get", "list", "watch"]

60
vcluster0.28.0/tests/rolebinding_test.yaml Normal file
View File

@@ -0,0 +1,60 @@
suite: RoleBinding
templates:
- rolebinding.yaml
tests:
- it: check defaults
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: RoleBinding
- equal:
path: metadata.name
value: vc-my-release
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: subjects[0].name
value: vc-my-release
- equal:
path: roleRef.kind
value: Role
- equal:
path: roleRef.name
value: vc-my-release
- it: multi-namespace mode
set:
sync:
toHost:
namespaces:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: ClusterRoleBinding
- equal:
path: metadata.name
value: vc-mn-my-release-v-my-namespace
- notExists:
path: metadata.namespace
- equal:
path: subjects[0].name
value: vc-my-release
- equal:
path: roleRef.kind
value: ClusterRole
- equal:
path: roleRef.name
value: vc-mn-my-release-v-my-namespace

115
vcluster0.28.0/tests/service-monitor_test.yaml Normal file
View File

@@ -0,0 +1,115 @@
suite: ServiceMonitor
templates:
- service-monitor.yaml
tests:
- it: should not create service monitor by default
asserts:
- hasDocuments:
count: 0
- it: check defaults
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
serviceMonitor:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: vc-my-release
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: spec.selector.matchLabels.app
value: vcluster
- lengthEqual:
path: spec.endpoints
count: 2
- it: check defaults k3s
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
distro:
k3s:
enabled: true
serviceMonitor:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: vc-my-release
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: spec.selector.matchLabels.app
value: vcluster
- lengthEqual:
path: spec.endpoints
count: 1
- it: override release label
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
serviceMonitor:
enabled: true
labels:
release: kube-prometheus-stack
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.labels.release
value: kube-prometheus-stack
- it: check virtual scheduler
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
distro:
k8s:
enabled: true
scheduler:
enabled: true
serviceMonitor:
enabled: true
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.endpoints
count: 3
- it: check virtual scheduler (deprecated)
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
advanced:
virtualScheduler:
enabled: true
serviceMonitor:
enabled: true
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.endpoints
count: 3

138
vcluster0.28.0/tests/service_test.yaml Normal file
View File

@@ -0,0 +1,138 @@
suite: ControlPlane Service
templates:
- service.yaml
tests:
- it: should not create service
set:
controlPlane:
service:
enabled: false
asserts:
- hasDocuments:
count: 0
- it: should not create kubelet port
set:
networking:
advanced:
proxyKubelets:
byHostname: false
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.ports
count: 1
- contains:
path: spec.ports
content:
name: https
nodePort: 0
targetPort: 8443
protocol: TCP
port: 443
- it: should not create kubelet port 2
set:
controlPlane:
service:
spec:
type: LoadBalancer
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.ports
count: 1
- contains:
path: spec.ports
content:
name: https
nodePort: 0
targetPort: 8443
protocol: TCP
port: 443
- it: should create kubelet port
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.ports
count: 2
- contains:
path: spec.ports
content:
name: kubelet
nodePort: 0
targetPort: 8443
protocol: TCP
port: 10250
- it: service defaults
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: my-release
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: spec.type
value: ClusterIP
- equal:
path: spec.selector.app
value: vcluster
- lengthEqual:
path: spec.ports
count: 2
- it: isolated control plane
release:
name: my-release
namespace: my-namespace
set:
experimental:
isolatedControlPlane:
headless: true
asserts:
- hasDocuments:
count: 1
- equal:
path: spec.type
value: ClusterIP
- lengthEqual:
path: spec.ports
count: 2
- notExists:
path: spec.ports[0].targetPort
- notExists:
path: spec.ports[1].targetPort
- notExists:
path: spec.selector
- it: konnectivity
release:
name: my-release
namespace: my-namespace
set:
privateNodes:
enabled: true
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: spec.ports
count: 3
- contains:
path: spec.ports
content:
name: konnectivity
protocol: TCP
port: 8132

61
vcluster0.28.0/tests/serviceaccount_test.yaml Normal file
View File

@@ -0,0 +1,61 @@
suite: ControlPlane ServiceAccount
templates:
- serviceaccount.yaml
tests:
- it: should not create service account
set:
controlPlane:
advanced:
serviceAccount:
enabled: false
asserts:
- hasDocuments:
count: 0
- it: should create service account
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: vc-my-release
- equal:
path: metadata.namespace
value: my-namespace
- it: should create service account with name
set:
controlPlane:
advanced:
serviceAccount:
name: test
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: test
- it: should create image pull secrets
set:
controlPlane:
advanced:
serviceAccount:
imagePullSecrets:
- name: test1
workloadServiceAccount:
imagePullSecrets:
- name: test2
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: imagePullSecrets
count: 1
- equal:
path: imagePullSecrets[0].name
value: test1

962
vcluster0.28.0/tests/statefulset_test.yaml Normal file
View File

@@ -0,0 +1,962 @@
suite: ControlPlane StatefulSet
templates:
- statefulset.yaml
tests:
- it: should not create control-plane
set:
experimental:
isolatedControlPlane:
headless: true
asserts:
- hasDocuments:
count: 0
- it: image name
set:
controlPlane:
statefulSet:
image:
registry: "custom-registry.com"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: custom-registry.com/loft-sh/vcluster-pro:0.0.1
- it: defaultImageRegistry
set:
controlPlane:
advanced:
defaultImageRegistry: docker.io
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: docker.io/loft-sh/vcluster-pro:0.0.1
- it: custom tag
set:
controlPlane:
statefulSet:
image:
repository: my-repo
tag: "custom-tag"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: ghcr.io/my-repo:custom-tag
- it: custom init container
set:
controlPlane:
distro:
k3s:
enabled: true
image:
registry: "ghcr.io"
repository: "test"
tag: "123"
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/test:123
- it: disables serviceLinks for sts etcd pod
set:
controlPlane:
statefulSet:
enableServiceLinks: false
asserts:
- equal:
path: spec.template.spec.enableServiceLinks
value: false
- it: custom init container
set:
controlPlane:
distro:
k8s:
enabled: true
image:
registry: ""
repository: "k8s-api"
tag: "456"
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: k8s-api:456
- it: custom init container
set:
controlPlane:
distro:
k8s:
enabled: true
image:
repository: "k8s-controller"
tag: "123"
advanced:
defaultImageRegistry: "bbb.com"
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: bbb.com/k8s-controller:123
- it: name & defaults
release:
name: my-release
namespace: my-namespace
capabilities:
majorVersion: 1
minorVersion: 29
asserts:
- hasDocuments:
count: 1
- equal:
path: kind
value: StatefulSet
- lengthEqual:
path: spec.template.spec.containers
count: 1
- equal:
path: spec.template.spec.containers[0].image
value: ghcr.io/loft-sh/vcluster-pro:0.0.1
- contains:
path: spec.template.spec.containers[0].env
content:
name: VCLUSTER_NAME
value: my-release
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: data
mountPath: /data
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: binaries
mountPath: /binaries
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: certs
mountPath: /pki
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: helm-cache
mountPath: /.cache/helm
- equal:
path: metadata.name
value: my-release
- equal:
path: metadata.namespace
value: my-namespace
- equal:
path: spec.podManagementPolicy
value: Parallel
- equal:
path: spec.persistentVolumeClaimRetentionPolicy.whenDeleted
value: Retain
- equal:
path: spec.replicas
value: 1
- equal:
path: spec.template.metadata.labels.app
value: vcluster
- equal:
path: spec.template.spec.terminationGracePeriodSeconds
value: 10
- equal:
path: spec.volumeClaimTemplates[0].spec.accessModes[0]
value: ReadWriteOnce
- equal:
path: spec.volumeClaimTemplates[0].spec.resources.requests.storage
value: 5Gi
- it: fail when both backing stores are enabled
set:
controlPlane:
backingStore:
etcd:
embedded:
enabled: true
deploy:
enabled: true
asserts:
- failedTemplate:
errorMessage: "you can only enable one backingStore at the same time"
- it: not persistent when external etcd is enabled
set:
controlPlane:
backingStore:
etcd:
deploy:
enabled: true
asserts:
- equal:
path: kind
value: Deployment
- notExists:
path: spec.volumeClaimTemplates
- it: not persistent when k8s and external database
set:
controlPlane:
distro:
k8s:
enabled: true
backingStore:
database:
external:
enabled: true
asserts:
- equal:
path: kind
value: Deployment
- notExists:
path: spec.volumeClaimTemplates
- it: persistent when embedded database
set:
controlPlane:
distro:
k8s:
enabled: true
backingStore:
database:
embedded:
enabled: true
asserts:
- equal:
path: kind
value: StatefulSet
- lengthEqual:
path: spec.volumeClaimTemplates
count: 1
- it: persistent when k8s and embedded etcd
set:
controlPlane:
backingStore:
etcd:
embedded:
enabled: true
distro:
k8s:
enabled: true
asserts:
- equal:
path: kind
value: StatefulSet
- lengthEqual:
path: spec.volumeClaimTemplates
count: 1
- it: persistent when embedded database
asserts:
- equal:
path: kind
value: StatefulSet
- lengthEqual:
path: spec.volumeClaimTemplates
count: 1
- it: plugin 1
set:
plugins:
test:
image: test
plugin:
test123:
version: v2
image: test
asserts:
- lengthEqual:
path: spec.template.spec.volumes
count: 6
- lengthEqual:
path: spec.template.spec.initContainers
count: 3
- it: plugin volumes 2
set:
controlPlane:
distro:
k8s:
enabled: true
plugin:
test:
version: v2
image: test
asserts:
- equal:
path: kind
value: StatefulSet
- lengthEqual:
path: spec.template.spec.volumes
count: 6
- lengthEqual:
path: spec.template.spec.initContainers
count: 2
- it: plugin volumes 3
set:
plugin:
test:
image: test
asserts:
- lengthEqual:
path: spec.template.spec.volumes
count: 5
- lengthEqual:
path: spec.template.spec.initContainers
count: 1
- it: add volumes
set:
controlPlane:
distro:
k3s:
enabled: true
statefulSet:
persistence:
addVolumes:
- name: myVolume
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: myVolume
- lengthEqual:
path: spec.template.spec.volumes
count: 7
- it: add templated volumes
set:
controlPlane:
distro:
k3s:
enabled: true
statefulSet:
persistence:
addVolumes:
- name: '{{ .Release.Name }}-myVolume'
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: RELEASE-NAME-myVolume
- lengthEqual:
path: spec.template.spec.volumes
count: 7
- it: enable k8s
set:
controlPlane:
distro:
k8s:
enabled: true
asserts:
- equal:
path: kind
value: StatefulSet
- lengthEqual:
path: spec.volumeClaimTemplates
count: 1
- it: enable k8s with deploy etcd
set:
controlPlane:
distro:
k8s:
enabled: true
backingStore:
etcd:
deploy:
enabled: true
asserts:
- equal:
path: kind
value: Deployment
- notExists:
path: spec.volumeClaimTemplates
- contains:
path: spec.template.spec.volumes
content:
name: data
emptyDir: {}
- it: enable k8s
release:
name: my-release
namespace: my-namespace
set:
controlPlane:
distro:
k8s:
enabled: true
statefulSet:
persistence:
volumeClaim:
enabled: false
volumeClaimTemplates:
- metadata:
name: data
spec:
resources:
requests:
storage: 5Gi
asserts:
- equal:
path: kind
value: StatefulSet
- equal:
path: spec.serviceName
value: my-release-headless
- contains:
path: spec.volumeClaimTemplates
content:
metadata:
name: data
spec:
resources:
requests:
storage: 5Gi
- it: enable k8s
set:
controlPlane:
distro:
k8s:
enabled: true
release:
name: my-release
namespace: my-namespace
asserts:
- equal:
path: kind
value: StatefulSet
- equal:
path: spec.serviceName
value: my-release-headless
- lengthEqual:
path: spec.volumeClaimTemplates
count: 1
- it: enable k8s with deploy etcd
set:
controlPlane:
distro:
k8s:
enabled: true
backingStore:
etcd:
deploy:
enabled: true
asserts:
- equal:
path: kind
value: Deployment
- notExists:
path: spec.volumeClaimTemplates
- contains:
path: spec.template.spec.volumes
content:
name: data
emptyDir: {}
- it: append distro env
set:
controlPlane:
distro:
k3s:
enabled: true
env:
- name: KEY
value: VALUE
asserts:
- equal:
path: kind
value: StatefulSet
- contains:
path: spec.template.spec.containers[0].env
content:
name: KEY
value: VALUE
- it: should correctly set labels on the statefulset
set:
controlPlane:
statefulSet:
labels:
my-label: my-value
asserts:
- equal:
path: kind
value: StatefulSet
- equal:
path: metadata.labels["my-label"]
value: "my-value"
- it: binariesVolume - should set to emptyDir by default
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: binaries
emptyDir: {}
- it: binariesVolume - should set the specified volume type correctly
set:
controlPlane:
statefulSet:
persistence:
binariesVolume:
- name: binaries
persistentVolumeClaim:
claimName: my-pvc
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: binaries
persistentVolumeClaim:
claimName: my-pvc
- it: dataVolume - should set the specified data volume type correctly
set:
controlPlane:
statefulSet:
persistence:
dataVolume:
- name: data
persistentVolumeClaim:
claimName: my-custom-pvc
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: data
persistentVolumeClaim:
claimName: my-custom-pvc
- it: k8s version not set, default tag images used for apiServer and controllerManager
set:
controlPlane:
distro:
k8s:
enabled: true
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.33.1
- it: k8s override image tag
set:
controlPlane:
distro:
k8s:
enabled: true
image:
tag: v99912
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v99912
- it: k8s version sets image tag for apiServer and controllerManager
set:
controlPlane:
distro:
k8s:
enabled: true
version: v1.35.999
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.35.999
- it: k8s version set and not overridden by image tag
set:
controlPlane:
distro:
k8s:
enabled: true
version: v1.30.999
image:
tag: v99912
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.30.999
- it: k8s not version set but image tags for apiServer and controllerManager set
set:
controlPlane:
distro:
k8s:
enabled: true
image:
tag: v99914
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v99914
- it: k8s version not set, default tag images used for apiServer and controllerManager (virtual scheduler enabled)
chart:
version: "test-"
set:
controlPlane:
distro:
k8s:
enabled: true
scheduler:
enabled: true
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.33.1
- it: k8s version not set, default tag images used for apiServer and controllerManager (virtual scheduler enabled, deprecated)
chart:
version: "test-"
set:
controlPlane:
distro:
k8s:
enabled: true
advanced:
virtualScheduler:
enabled: true
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.33.1
- it: k8s version sets image tag for apiServer and controllerManager (virtual scheduler enabled)
set:
controlPlane:
distro:
k8s:
enabled: true
version: v1.35.999
scheduler:
enabled: true
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.35.999
- it: k8s version sets image tag for apiServer and controllerManager (virtual scheduler enabled, deprecated)
set:
controlPlane:
distro:
k8s:
enabled: true
version: v1.35.999
advanced:
virtualScheduler:
enabled: true
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.35.999
- it: k8s version set but not overridden by image tag for apiServer and controllerManager (virtual scheduler enabled)
set:
controlPlane:
distro:
k8s:
enabled: true
version: v1.30.999
image:
tag: v99912
scheduler:
enabled: true
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.30.999
- it: k8s version set but not overridden by image tag for apiServer and controllerManager (virtual scheduler enabled, deprecated)
set:
controlPlane:
distro:
k8s:
enabled: true
version: v1.30.999
image:
tag: v99912
advanced:
virtualScheduler:
enabled: true
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.30.999
- it: custom dnsPolicy
set:
controlPlane:
statefulSet:
dnsPolicy: "ClusterFirst"
asserts:
- equal:
path: spec.template.spec.dnsPolicy
value: "ClusterFirst"
- it: custom dnsConfig
set:
controlPlane:
statefulSet:
dnsConfig:
nameservers:
- 192.0.2.1
searches:
- ns1.svc.cluster-domain.example
options:
- name: ndots
value: "2"
asserts:
- equal:
path: spec.template.spec.dnsConfig.nameservers[0]
value: "192.0.2.1"
- equal:
path: spec.template.spec.dnsConfig.searches[0]
value: "ns1.svc.cluster-domain.example"
- equal:
path: spec.template.spec.dnsConfig.options[0].name
value: "ndots"
- equal:
path: spec.template.spec.dnsConfig.options[0].value
value: "2"
- it: must use StatefulSet for embedded etcd
set:
controlPlane:
backingStore:
etcd:
embedded:
enabled: true
asserts:
- equal:
path: kind
value: StatefulSet
- it: must use StatefulSet for embedded etcd without persistence
set:
controlPlane:
backingStore:
etcd:
embedded:
enabled: true
statefulSet:
persistence:
volumeClaim:
enabled: false
binariesVolume:
- name: binaries
emptyDir:
medium: Memory
asserts:
- equal:
path: kind
value: StatefulSet
- it: sync custom resources
set:
sync:
toHost:
customResources:
test.cert-manager.io:
enabled: true
patches:
- path: spec.dnsNames[*]
expression: "value.startsWith('www.') ? value.slice(4) : value"
reverseExpression: '"www."+value'
asserts:
- equal:
path: kind
value: StatefulSet
- it: fails when you set both exportKubeConfig.secret and exportKubeConfig.additionalSecrets
set:
exportKubeConfig:
secret:
name: my-secret
additionalSecrets:
- name: another-secret
asserts:
- failedTemplate:
errorMessage: "exportKubeConfig.secret and exportKubeConfig.additionalSecrets cannot be set at the same time"
- it: fails when additional secret does not have at least name or namespace
set:
exportKubeConfig:
additionalSecrets:
- name: my-secret
context: my-context
- server: my-server
asserts:
- failedTemplate:
errorMessage: "additional secret must have name and/or namespace set, found: {\"server\":\"my-server\"}"
- it: must use Deployment for external etcd
set:
controlPlane:
backingStore:
etcd:
external:
enabled: true
asserts:
- equal:
path: kind
value: Deployment
- it: private nodes k8s full image
set:
controlPlane:
distro:
k8s:
image:
tag: v1.35.999
privateNodes:
enabled: true
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.35.999-full
- it: private nodes k8s full image version
set:
controlPlane:
distro:
k8s:
version: v1.35.999
privateNodes:
enabled: true
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: ghcr.io/loft-sh/kubernetes:v1.35.999-full
- it: sets custom probe configuration
set:
controlPlane:
statefulSet:
probes:
livenessProbe:
enabled: true
failureThreshold: 70
initialDelaySeconds: 70
timeoutSeconds: 10
periodSeconds: 9
readinessProbe:
enabled: true
failureThreshold: 70
timeoutSeconds: 6
periodSeconds: 8
startupProbe:
enabled: true
failureThreshold: 350
timeoutSeconds: 7
periodSeconds: 8
asserts:
- equal:
path: spec.template.spec.containers[0].livenessProbe.failureThreshold
value: 70
- equal:
path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
value: 70
- equal:
path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
value: 10
- equal:
path: spec.template.spec.containers[0].livenessProbe.periodSeconds
value: 9
- equal:
path: spec.template.spec.containers[0].readinessProbe.failureThreshold
value: 70
- equal:
path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
value: 6
- equal:
path: spec.template.spec.containers[0].readinessProbe.periodSeconds
value: 8
- equal:
path: spec.template.spec.containers[0].startupProbe.failureThreshold
value: 350
- equal:
path: spec.template.spec.containers[0].startupProbe.timeoutSeconds
value: 7
- equal:
path: spec.template.spec.containers[0].startupProbe.periodSeconds
value: 8
- it: uses default probe values when none are overridden
set:
controlPlane:
statefulSet:
probes:
livenessProbe:
enabled: true
readinessProbe:
enabled: true
startupProbe:
enabled: true
asserts:
- equal:
path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
value: 60
- equal:
path: spec.template.spec.containers[0].livenessProbe.periodSeconds
value: 2
- equal:
path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
value: 3
- equal:
path: spec.template.spec.containers[0].livenessProbe.failureThreshold
value: 60
- equal:
path: spec.template.spec.containers[0].readinessProbe.periodSeconds
value: 2
- equal:
path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
value: 3
- equal:
path: spec.template.spec.containers[0].readinessProbe.failureThreshold
value: 60
- equal:
path: spec.template.spec.containers[0].startupProbe.periodSeconds
value: 6
- equal:
path: spec.template.spec.containers[0].startupProbe.timeoutSeconds
value: 3
- equal:
path: spec.template.spec.containers[0].startupProbe.failureThreshold
value: 300
- it: should set logging format to json
set:
logging:
encoding: json
asserts:
- equal:
path: spec.template.spec.containers[0].env[?(@.name=="LOFT_LOG_ENCODING")].value
value: json
- it: should set default logging format to console
asserts:
- equal:
path: spec.template.spec.containers[0].env[?(@.name=="LOFT_LOG_ENCODING")].value
value: console

64
vcluster0.28.0/tests/workload-serviceaccount_test.yaml Normal file
View File

@@ -0,0 +1,64 @@
suite: Workload ServiceAccount
templates:
- workload-serviceaccount.yaml
tests:
- it: should not create service account
set:
controlPlane:
advanced:
workloadServiceAccount:
enabled: false
asserts:
- hasDocuments:
count: 0
- it: should create service account
release:
name: my-release
namespace: my-namespace
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: vc-workload-my-release
- equal:
path: metadata.namespace
value: my-namespace
- it: should create service account with name
set:
controlPlane:
advanced:
workloadServiceAccount:
name: test
asserts:
- hasDocuments:
count: 1
- equal:
path: metadata.name
value: test
- it: should create image pull secrets
set:
controlPlane:
advanced:
serviceAccount:
imagePullSecrets:
- name: test1
workloadServiceAccount:
imagePullSecrets:
- name: test2
asserts:
- hasDocuments:
count: 1
- lengthEqual:
path: imagePullSecrets
count: 2
- equal:
path: imagePullSecrets[0].name
value: test1
- equal:
path: imagePullSecrets[1].name
value: test2

5112
vcluster0.28.0/values.schema.json Normal file
View File

File diff suppressed because it is too large Load Diff

1247
vcluster0.28.0/values.yaml Normal file
View File

File diff suppressed because it is too large Load Diff