From 630dfda88c98ed6e2e3a9cff8329165f047da4c1 Mon Sep 17 00:00:00 2001 From: PINCHON Benjamin Date: Mon, 28 Oct 2024 16:50:11 +0100 Subject: [PATCH] feat(helm): init helm chart Signed-off-by: PINCHON Benjamin --- charts/powerdns-operator/.helmignore | 26 +++ charts/powerdns-operator/Chart.yaml | 36 +++ charts/powerdns-operator/crds/README.md | 5 + .../crds/dns.cav.enablers.ob_rrsets.yaml | 96 ++++++++ .../crds/dns.cav.enablers.ob_zones.yaml | 115 ++++++++++ charts/powerdns-operator/templates/NOTES.txt | 4 + .../powerdns-operator/templates/_helpers.tpl | 114 ++++++++++ .../templates/deployment.yaml | 118 ++++++++++ charts/powerdns-operator/templates/rbac.yaml | 209 ++++++++++++++++++ .../powerdns-operator/templates/secret.yaml | 18 ++ .../powerdns-operator/templates/service.yaml | 28 +++ .../templates/serviceaccount.yaml | 16 ++ .../templates/servicemonitor.yaml | 48 ++++ charts/powerdns-operator/values.yaml | 144 ++++++++++++ 14 files changed, 977 insertions(+) create mode 100644 charts/powerdns-operator/.helmignore create mode 100644 charts/powerdns-operator/Chart.yaml create mode 100644 charts/powerdns-operator/crds/README.md create mode 100644 charts/powerdns-operator/crds/dns.cav.enablers.ob_rrsets.yaml create mode 100644 charts/powerdns-operator/crds/dns.cav.enablers.ob_zones.yaml create mode 100644 charts/powerdns-operator/templates/NOTES.txt create mode 100644 charts/powerdns-operator/templates/_helpers.tpl create mode 100644 charts/powerdns-operator/templates/deployment.yaml create mode 100644 charts/powerdns-operator/templates/rbac.yaml create mode 100644 charts/powerdns-operator/templates/secret.yaml create mode 100644 charts/powerdns-operator/templates/service.yaml create mode 100644 charts/powerdns-operator/templates/serviceaccount.yaml create mode 100644 charts/powerdns-operator/templates/servicemonitor.yaml create mode 100644 charts/powerdns-operator/values.yaml 
diff --git a/charts/powerdns-operator/.helmignore b/charts/powerdns-operator/.helmignore
new file mode 100644
index 0000000..2156f8a
--- /dev/null
+++ b/charts/powerdns-operator/.helmignore
@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+# CRD Readme.md
+templates/crds/README.md
\ No newline at end of file
diff --git a/charts/powerdns-operator/Chart.yaml b/charts/powerdns-operator/Chart.yaml
new file mode 100644
index 0000000..9737b8f
--- /dev/null
+++ b/charts/powerdns-operator/Chart.yaml
@@ -0,0 +1,36 @@
+apiVersion: v2
+name: powerdns-operator
+description: Manage PowerDNS resources with Kubernetes
+type: application
+version: 0.1.0
+appVersion: 0.1.0
+kubeVersion: '>= 1.21.0-0'
+keywords:
+ - powerdns-operator
+ - powerdns
+ - dns
+home: https://orange-opensource.github.io/PowerDNS-Operator
+icon: https://github.com/Orange-OpenSource/PowerDNS-Operator/blob/main/docs/assets/favicon.png?raw=true
+maintainers:
+- name: antrema
+- name: mydoomfr
+sources:
+ - https://github.com/Orange-OpenSource/PowerDNS-Operator
+annotations:
+ artifacthub.io/crds: |
+ - kind: Zone
+ version: v1alpha1
+ name: zone.dns.cav.enablers.ob
+ displayName: Zone
+ description: |
+ A Zone is a collection of records that are managed together. Zones can
+ be used to represent a domain, a subdomain, or a set of records that are
+ managed together.
+ - kind: RRset
+ version: v1alpha1
+ name: rrset.dns.cav.enablers.ob
+ displayName: RRset
+ description: |
+ An RRset is a collection of records that share the same name and type.
+ RRsets can be used to represent a collection of records that are managed
+ together.
\ No newline at end of file
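Review bot: The last pattern, `templates/crds/README.md`, does not match the README this commit adds at `crds/README.md`, so that markdown file is still packaged into the chart's `crds/` directory. Helm treats `crds/` as a directory of CRD manifests; whether a non-YAML file there is skipped or rejected depends on the Helm version, so the pattern should be `crds/README.md`. The comment above it (`# CRD Readme.md`) is fine, only the path is off.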
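Review bot: `maintainers` is a flush sequence (`- name: antrema` at the key's column) while `keywords` and `sources` indent their items; pick one sequence style for the file. In the `artifacthub.io/crds` annotation the `name` entries are singular (`zone.dns.cav.enablers.ob`, `rrset.dns.cav.enablers.ob`) whereas the CRD manifests in this commit are named `zones.dns.cav.enablers.ob` and `rrsets.dns.cav.enablers.ob`; confirm which form the annotation consumer expects and align them so the Artifact Hub listing links to the right objects.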
diff --git a/charts/powerdns-operator/crds/README.md b/charts/powerdns-operator/crds/README.md
new file mode 100644
index 0000000..53c7d81
--- /dev/null
+++ b/charts/powerdns-operator/crds/README.md
@@ -0,0 +1,5 @@
+# CRD Template Directory
+
+CRDs are autogenerated during helm packaging. To install the CRDs set `installCRDS: true` during helm install or upgrade.
+
+The latest CRDs in the repository are located [here](../../../../config/crd/bases).
\ No newline at end of file
diff --git a/charts/powerdns-operator/crds/dns.cav.enablers.ob_rrsets.yaml b/charts/powerdns-operator/crds/dns.cav.enablers.ob_rrsets.yaml
new file mode 100644
index 0000000..9b9ae2d
--- /dev/null
+++ b/charts/powerdns-operator/crds/dns.cav.enablers.ob_rrsets.yaml
@@ -0,0 +1,96 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + name: rrsets.dns.cav.enablers.ob +spec: + group: dns.cav.enablers.ob + names: + kind: RRset + listKind: RRsetList + plural: rrsets + singular: rrset + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.zoneRef.name + name: Zone + type: string + - jsonPath: .spec.type + name: Type + type: string + - jsonPath: .spec.ttl + name: TTL + type: integer + - jsonPath: .spec.records + name: Records + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: RRset is the Schema for the rrsets API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: RRsetSpec defines the desired state of RRset + properties: + comment: + description: Comment on RRSet. + type: string + records: + description: All records in this Resource Record Set. + items: + type: string + type: array + ttl: + description: DNS TTL of the records, in seconds. + format: int32 + type: integer + type: + description: Type of the record (e.g. "A", "PTR", "MX"). + type: string + zoneRef: + description: ZoneRef reference the zone the RRSet depends on. + properties: + name: + description: Name of the zone. 
+ type: string + required: + - name + type: object + required: + - records + - ttl + - type + - zoneRef + type: object + status: + description: RRsetStatus defines the observed state of RRset + properties: + lastUpdateTime: + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/powerdns-operator/crds/dns.cav.enablers.ob_zones.yaml b/charts/powerdns-operator/crds/dns.cav.enablers.ob_zones.yaml new file mode 100644 index 0000000..0aaf158 --- /dev/null +++ b/charts/powerdns-operator/crds/dns.cav.enablers.ob_zones.yaml 
@@ -0,0 +1,115 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + name: zones.dns.cav.enablers.ob +spec: + group: dns.cav.enablers.ob + names: + kind: Zone + listKind: ZoneList + plural: zones + singular: zone + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.serial + name: Serial + type: integer + - jsonPath: .status.id + name: ID + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Zone is the Schema for the zones API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ZoneSpec defines the desired state of Zone + properties: + catalog: + description: The catalog this zone is a member of + type: string + kind: + description: Kind of the zone, one of "Native", "Master", "Slave", + "Producer", "Consumer". + enum: + - Native + - Master + - Slave + - Producer + - Consumer + type: string + nameservers: + description: List of the nameservers of the zone. 
+ items: + pattern: ^([a-zA-Z0-9-]+\.)*[a-zA-Z0-9-]+$ + type: string + minItems: 1 + type: array + required: + - kind + - nameservers + type: object + status: + description: ZoneStatus defines the observed state of Zone + properties: + catalog: + description: The catalog this zone is a member of. + type: string + dnssec: + description: Whether or not this zone is DNSSEC signed. + type: boolean + edited_serial: + description: The SOA serial as seen in query responses. + format: int32 + type: integer + id: + description: ID define the opaque zone id. + type: string + kind: + description: Kind of the zone, one of "Native", "Master", "Slave", + "Producer", "Consumer". + type: string + masters: + description: List of IP addresses configured as a master for this + zone ("Slave" type zones only). + items: + type: string + type: array + name: + description: Name of the zone (e.g. "example.com.") + type: string + notified_serial: + description: The SOA serial notifications have been sent out for + format: int32 + type: integer + serial: + description: The SOA serial number. + format: int32 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/powerdns-operator/templates/NOTES.txt b/charts/powerdns-operator/templates/NOTES.txt new file mode 100644 index 0000000..38ead78 --- /dev/null +++ b/charts/powerdns-operator/templates/NOTES.txt @@ -0,0 +1,4 @@ +The powerdns operator has been deployed successfully in namespace {{ .Release.Namespace }}! + +More information on the different resources and how to configure them +can be found in our Github: {{ .Chart.Home }} \ No newline at end of file diff --git a/charts/powerdns-operator/templates/_helpers.tpl b/charts/powerdns-operator/templates/_helpers.tpl new file mode 100644 index 0000000..eda1384 --- /dev/null +++ b/charts/powerdns-operator/templates/_helpers.tpl 
@@ -0,0 +1,114 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "powerdns-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "powerdns-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "powerdns-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "powerdns-operator.labels" -}}
+helm.sh/chart: {{ include "powerdns-operator.chart" . }}
+{{ include "powerdns-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.commonLabels}}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "powerdns-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "powerdns-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "powerdns-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "powerdns-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Determine the image to use
+*/}}
+{{- define "powerdns-operator.image" -}}
+{{ printf "%s:v%s" .image.repository (.image.tag | default .chartAppVersion) }}
+{{- end }}
+
+{{/*
+Return true if the OpenShift is the detected platform
+Usage:
+{{- include "powerdns-operator.isOpenShift" . -}}
+*/}}
+{{- define "powerdns-operator.isOpenShift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render the securityContext based on the provided securityContext
+ {{- include "powerdns-operator.renderSecurityContext" (dict "securityContext" .Values.securityContext "context" $) -}}
+*/}}
+{{- define "powerdns-operator.renderSecurityContext" -}}
+{{- $adaptedContext := .securityContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "powerdns-operator.isOpenShift" .context)) -}}
+ {{/* Remove OpenShift managed fields */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .securityContext.seLinuxOptions -}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
+
+{{/*
+Create the name for the credentials secret.
+*/}}
+{{- define "powerdns-operator.credentials.name" -}}
+{{- if .Values.credentials.existingSecret -}}
+ {{- .Values.credentials.existingSecret -}}
+{{- else -}}
+ {{ default (include "powerdns-operator.fullname" .) .Values.credentials.name }}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
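Review bot: `powerdns-operator.image` hard-codes the `v` prefix in `printf "%s:v%s"`, so a user who sets `image.tag: "v0.1.0"` (the usual form of a release tag) gets `vv0.1.0`, and an immutable digest reference (`repository@sha256:…`) cannot be expressed at all. Apply the prefix only on the fallback: `{{ printf "%s:%s" .image.repository (.image.tag | default (printf "v%s" .chartAppVersion)) }}`. Separately, `powerdns-operator.serviceAccountName` returns the literal `default` when `serviceAccount.create` is false and `serviceAccount.name` is empty; since the RBAC bindings in this commit use that helper as their subject, a comment on the helper such as `{{/* Falls back to the namespace "default" ServiceAccount; the chart's roles are then bound to it. */}}` would make that consequence explicit.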
diff --git a/charts/powerdns-operator/templates/deployment.yaml b/charts/powerdns-operator/templates/deployment.yaml
new file mode 100644
index 0000000..920807c
--- /dev/null
+++ b/charts/powerdns-operator/templates/deployment.yaml
@@ -0,0 +1,118 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "powerdns-operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 8 }}
+ app.kubernetes.io/component: controller
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.podLabels }}
+ {{- toYaml .Values.podLabels | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.dnsConfig }}
+ dnsConfig: {{ toYaml .Values.dnsConfig | nindent 8 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.dnsPolicy }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector | default .Values.global.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity | default .Values.global.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations | default .Values.global.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ {{- end }}
+ {{- with .Values.podSecurityContext }}
+ {{- if and (.enabled) (gt (keys . | len) 1) }}
+ securityContext:
+ {{- include "powerdns-operator.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ serviceAccountName: {{ include "powerdns-operator.serviceAccountName" . }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ hostNetwork: {{ .Values.hostNetwork }}
+ containers:
+ - name: {{ .Chart.Name }}
+ {{- with .Values.podSecurityContext }}
+ {{- if and (.enabled) (gt (keys . | len) 1) }}
+ securityContext:
+ {{- include "powerdns-operator.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ args:
+ - --leader-elect
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=:{{ .Values.metrics.service.port }}
+ ports:
+ - containerPort: {{ .Values.metrics.service.port }}
+ protocol: TCP
+ name: http-metrics
+ command:
+ - /manager
+ {{- if or (.Values.credentials.existingSecret) (.Values.credentials.name) }}
+ envFrom:
+ {{- if .Values.credentials.existingSecret }}
+ - secretRef:
+ name: {{ .Values.credentials.existingSecret }}
+ {{- end }}
+ {{- if .Values.credentials.name }}
+ - secretRef:
+ name: {{ .Values.credentials.name }}
+ {{- end }}
+ {{- end }}
+ image: {{ include "powerdns-operator.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.image) | trim }}
+ imagePullPolicy: {{ .Values.image.policy }}
+ {{- if .Values.livenessProbe }}
+ livenessProbe: {{ toYaml .Values.livenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.readinessProbe }}
+ readinessProbe: {{ toYaml .Values.readinessProbe | nindent 12 }}
+ {{- end }}
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.securityContext }}
+ {{- if and (.enabled) (gt (keys . | len) 1) }}
+ securityContext:
+ {{- include "powerdns-operator.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+ {{- end }}
+ {{- end }}
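Review bot: The container is given `securityContext` twice: the block directly under `- name: {{ .Chart.Name }}` re-renders `.Values.podSecurityContext` with `nindent 8` (a verbatim copy of the pod-level block above `serviceAccountName`), and the block at the end of the hunk renders `.Values.securityContext` with `nindent 12`. With the values in this commit the first copy happens to be suppressed by the `gt (keys . | len) 1` guard, but as soon as a user adds a second pod-level field (for example `fsGroup`) the container gets a duplicate key plus pod-only fields it cannot accept, at an indent that matches the pod level rather than the container (the original indentation is collapsed here, so the column itself is inferred from the `nindent` values). Drop the six lines between `- name:` and `args:`; the trailing `.Values.securityContext` block already covers the container. Also, when both `credentials.existingSecret` and `credentials.name` are set, `envFrom` references both Secrets even though secret.yaml only creates the second when the first is empty; a one-line comment, `# existingSecret wins; credentials.name is only rendered when existingSecret is empty`, or an `else` would make that explicit.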
diff --git a/charts/powerdns-operator/templates/rbac.yaml b/charts/powerdns-operator/templates/rbac.yaml
new file mode 100644
index 0000000..1da4751
--- /dev/null
+++ b/charts/powerdns-operator/templates/rbac.yaml
@@ -0,0 +1,209 @@
+{{- if .Values.rbac.create -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}-leader-election-role
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}-manager-role
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - rrsets
+ - zones
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - rrsets/finalizers
+ - zones/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - rrsets/status
+ - zones/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}-rrset-editor-role
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - rrsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - rrsets/status
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}-rrset-viewer-role
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - rrsets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - rrsets/status
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}-zone-editor-role
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - zones
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - zones/status
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}-zone-viewer-role
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - zones
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - dns.cav.enablers.ob
+ resources:
+ - zones/status
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}-leader-election-rolebinding
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "powerdns-operator.fullname" . }}-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "powerdns-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}-manager-rolebinding
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "powerdns-operator.fullname" . }}-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "powerdns-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{ end }}
\ No newline at end of file
diff --git a/charts/powerdns-operator/templates/secret.yaml b/charts/powerdns-operator/templates/secret.yaml
new file mode 100644
index 0000000..4be0b19
--- /dev/null
+++ b/charts/powerdns-operator/templates/secret.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.credentials.name (not .Values.credentials.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "powerdns-operator.credentials.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+ {{- with .Values.metrics.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+{{- range $key, $value := .Values.credentials.data }}
+ {{ $key }}: {{ tpl $value $ | b64enc | quote }}
+{{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/powerdns-operator/templates/service.yaml b/charts/powerdns-operator/templates/service.yaml
new file mode 100644
index 0000000..f154ac0
--- /dev/null
+++ b/charts/powerdns-operator/templates/service.yaml
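Review bot: Both the RoleBinding and the ClusterRoleBinding take their subject from `include "powerdns-operator.serviceAccountName"`, which in _helpers.tpl resolves to the literal `default` when `serviceAccount.create` is false and `serviceAccount.name` is empty; in that configuration the manager ClusterRole (full CRUD on zones and rrsets cluster-wide) is granted to every pod in the namespace that runs under the default ServiceAccount. Fail the render instead, e.g. in the helper's else branch `{{- required "serviceAccount.name is required when serviceAccount.create is false" .Values.serviceAccount.name }}`. Also, only `rrset-viewer-role` carries the `rbac.authorization.k8s.io/aggregate-to-*` labels; `zone-viewer-role` and both editor roles are not aggregated into the built-in `view`/`edit`/`admin` roles, which looks unintentional given the parallel structure — confirm and align.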
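Review bot: The Secret's `annotations` block reads `.Values.metrics.service.annotations`, which looks copied from service.yaml; annotations meant for the metrics Service (scrape hints and the like) have no place on the credentials Secret, and there is no `credentials.annotations` value to use instead. Either add `credentials.annotations: {}` to values.yaml and reference that, or drop the block. The `data` loop runs every value through `tpl`, so a value containing `{{` is evaluated as a template at render time; that is worth a line on `credentials.data` in values.yaml, e.g. `# Values are rendered with tpl, so {{ ... }} expressions are evaluated.`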
@@ -0,0 +1,28 @@
+{{- if .Values.metrics.service.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}-metrics
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+ {{- with .Values.metrics.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ {{- if .Values.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.service.ipFamilies }}
+ ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ ports:
+ - name: http-metrics
+ port: {{ .Values.metrics.service.port }}
+ protocol: TCP
+ targetPort: http-metrics
+ selector:
+ {{- include "powerdns-operator.selectorLabels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/powerdns-operator/templates/serviceaccount.yaml b/charts/powerdns-operator/templates/serviceaccount.yaml
new file mode 100644
index 0000000..0cbee7d
--- /dev/null
+++ b/charts/powerdns-operator/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "powerdns-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.extraLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/powerdns-operator/templates/servicemonitor.yaml b/charts/powerdns-operator/templates/servicemonitor.yaml
new file mode 100644
index 0000000..35ec03e
--- /dev/null
+++ b/charts/powerdns-operator/templates/servicemonitor.yaml
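Review bot: This Service is gated on and named after `.Values.metrics.service`, yet its `ipFamilyPolicy` and `ipFamilies` come from a separate top-level `.Values.service` map; the chart has no other Service, so the split only makes the values file harder to read. Move the two keys under `metrics.service` (with the matching edit in values.yaml) or add a comment on `service:` in values.yaml saying it applies to the metrics Service, e.g. `# -- Settings for the metrics Service (the only Service this chart creates).`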
@@ -0,0 +1,48 @@
+{{ if and (and .Values.metrics.service.enabled .Values.metrics.serviceMonitor.enabled) }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "powerdns-operator.fullname" . }}
+ {{- if .Values.metrics.serviceMonitor.namespace }}
+ namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "powerdns-operator.labels" . | nindent 4 }}
+ {{- with .Values.metrics.serviceMonitor.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.metrics.serviceMonitor.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "powerdns-operator.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ endpoints:
+ - port: http-metrics
+ interval: {{ .Values.metrics.serviceMonitor.scrapeInterval }}
+ scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+ {{- if .Values.metrics.serviceMonitor.scheme }}
+ scheme: {{ .Values.metrics.serviceMonitor.scheme }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.relabelings }}
+ relabelings: {{ toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.tlsConfig }}
+ tlsConfig:
+ {{- toYaml .Values.metrics.serviceMonitor.tlsConfig | nindent 6 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/powerdns-operator/values.yaml b/charts/powerdns-operator/values.yaml
new file mode 100644
index 0000000..949212a
--- /dev/null
+++ b/charts/powerdns-operator/values.yaml
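Review bot: The guard on the first line wraps a single-argument `and` around another `and`; the outer call just returns its argument, so it should read `{{- if and .Values.metrics.service.enabled .Values.metrics.serviceMonitor.enabled }}` (the `{{-` also removes the blank line the current `{{ if` leaves at the top of the manifest). More importantly, values.yaml in this commit defaults `metrics.serviceMonitor.enabled` to `true`, so a plain install on a cluster without the Prometheus Operator CRDs fails on this resource with a "no matches for kind ServiceMonitor" error; either default it to `false` or add `(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")` as a third `and` operand. The `selector.matchLabels` here repeats the two labels that `powerdns-operator.selectorLabels` already defines; using `{{- include "powerdns-operator.selectorLabels" . | nindent 6 }}` keeps the ServiceMonitor and the Service in step if the helper ever changes.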
@@ -0,0 +1,144 @@
+global:
+ nodeSelector: {}
+ tolerations: []
+ topologySpreadConstraints: []
+ affinity: {}
+ compatibility:
+ openshift:
+ # -- Manages the securityContext properties to make them compatible with OpenShift.
+ # Possible values:
+ # auto - Apply configurations if it is detected that OpenShift is the target platform.
+ # force - Always apply configurations.
+ # disabled - No modification applied.
+ adaptSecurityContext: auto
+
+replicaCount: 1 # we do not support more than 1 replica
+
+commonLabels: {}
+
+credentials:
+ # -- Specifies whether to use an existing secret.
+ existingSecret: ""
+ # -- Specifies the secret name to create if `existingSecret` is empty.
+ name: ""
+ data:
+ # -- Specifies the PowerDNS API URL
+ # PDNS_API_URL: "https://powerdns.example.local:8081"
+ PDNS_API_URL: "http://powerdns.powerdns.svc:8081"
+ # -- Specifies the PowerDNS API key used to authenticate
+ PDNS_API_KEY: "secret"
+ # -- Specifies the PowerDNS VHOST
+ PDNS_API_VHOST: "localhost"
+
+rbac:
+ create: true
+
+nodeSelector: {}
+tolerations: []
+topologySpreadConstraints: []
+affinity: {}
+
+service:
+ # -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
+ ipFamilyPolicy: ""
+ # -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
+ ipFamilies: []
+
+serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: true
+ # -- The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template.
+ name: ""
+ # -- Extra Labels to add to the service account.
+ extraLabels: {}
+ # -- Annotations to add to the service account.
+ annotations: {}
+
+image:
+ repository: "ghcr.io/orange-opensource/powerdns-operator"
+ policy: "IfNotPresent"
+ tag: ""
+
+podAnnotations: {}
+podLabels: {}
+
+# -- Specifies `dnsOptions` to deployment
+dnsConfig: {}
+
+# -- Specifies `dnsPolicy` to deployment
+dnsPolicy: ClusterFirst
+
+# -- Pod priority class name.
+priorityClassName: ""
+
+podSecurityContext:
+ runAsNonRoot: true
+
+terminationGracePeriodSeconds: 10
+
+# -- Optional array of imagePullSecrets containing private registry credentials
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# - name: secretName
+
+nameOverride: ""
+fullnameOverride: ""
+namespaceOverride: ""
+
+resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+
+# -- Run the controller on the host network
+hostNetwork: false
+
+podSecurityContext:
+ enabled: true
+ # fsGroup: 2000
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ enabled: true
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+
+livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+
+readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+
+metrics:
+ service:
+ enabled: true
+ annotations: {}
+ port: 8080
+ serviceMonitor:
+ enabled: true
+ namespace: ""
+ additionalLabels: {}
+ scrapeInterval: 15s
+ scrapeTimeout: 10s
+ scheme: http
+ metricRelabelings: []
+ relabelings: []
+ tlsConfig: {}
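Review bot: `podSecurityContext` is a duplicate top-level key in this file: it is first set to `runAsNonRoot: true` just after `priorityClassName`, then redefined as `enabled: true` after `hostNetwork`. YAML loaders keep the last mapping, so the pod-level `runAsNonRoot: true` is silently dropped, and because the surviving map has a single key the deployment's `gt (keys . | len) 1` guard renders no pod `securityContext` at all; merge them into one block, `podSecurityContext:` / `  enabled: true` / `  runAsNonRoot: true`, and delete the other. Separately, `credentials.data.PDNS_API_KEY: "secret"` is a live default: a plain `helm install` creates a Secret holding that placeholder key and the operator starts against it, so prefer an empty default guarded by `required` in the Secret template, or document on `credentials` that `existingSecret` is the expected production path. `namespaceOverride` is declared but no template in this commit reads it; drop it or wire it into the `namespace:` fields.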