diff --git a/charts/kestra/templates/operator.yaml b/charts/kestra/templates/operator.yaml new file mode 100644 index 0000000..cf600bf --- /dev/null +++ b/charts/kestra/templates/operator.yaml @@ -0,0 +1,251 @@ +{{ $merged := (merge (dict "Component" "operator") $) -}} +{{ $service := (merge (dict "Component" "service") $) -}} +{{- if .Values.operator.enabled -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: +{{ include "kestra.labels" $merged | indent 4 }} + name: {{ include "kestra.fullname" $merged }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kestra.fullname" $merged }}-namespace-file-cluster-role +rules: + - apiGroups: + - model.kestra.io + resources: + - kestranamespacefiles + - kestranamespacefiles/status + - kestranamespacefiles/finalizers + verbs: + - get + - list + - watch + - patch + - update + - create + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kestra.fullname" $merged }}-flow-cluster-role +rules: + - apiGroups: + - model.kestra.io + resources: + - kestraflows + - kestraflows/status + - kestraflows/finalizers + verbs: + - get + - list + - watch + - patch + - update + - create + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kestra.fullname" $merged }}-key-value-cluster-role +rules: + - apiGroups: + - model.kestra.io + resources: + - kestrakeyvalues + - kestrakeyvalues/status + - kestrakeyvalues/finalizers + verbs: + - get + - list + - watch + - patch + - update + - create + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kestra.fullname" $merged }}-josdk-crd-validating-cluster-role +rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kestra.fullname" $merged }}-namespace-file-crd-validating-role-binding +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: {{ include "kestra.fullname" $merged }}-josdk-crd-validating-cluster-role +subjects: + - kind: ServiceAccount + name: {{ include "kestra.fullname" $merged }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kestra.fullname" $merged }}-namespace-file-cluster-role-binding +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: {{ include "kestra.fullname" $merged }}-namespace-file-cluster-role +subjects: + - kind: ServiceAccount + name: {{ include "kestra.fullname" $merged }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kestra.fullname" $merged }}-flow-crd-validating-role-binding +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: {{ include "kestra.fullname" $merged }}-josdk-crd-validating-cluster-role +subjects: + - kind: ServiceAccount + name: {{ include "kestra.fullname" $merged }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kestra.fullname" $merged }}-flow-cluster-role-binding +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: {{ include "kestra.fullname" $merged }}-flow-cluster-role +subjects: + - kind: ServiceAccount + name: {{ include "kestra.fullname" $merged }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kestra.fullname" $merged }}-key-value-crd-validating-role-binding +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: {{ include "kestra.fullname" $merged }}-josdk-crd-validating-cluster-role +subjects: + - kind: ServiceAccount + name: {{ include "kestra.fullname" $merged }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kestra.fullname" $merged }}-key-value-cluster-role-binding +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: {{ include "kestra.fullname" $merged }}-key-value-cluster-role +subjects: + - kind: ServiceAccount + name: {{ include "kestra.fullname" $merged }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kestra.fullname" $merged }}-view +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: view +subjects: + - kind: ServiceAccount + name: {{ include "kestra.fullname" $merged }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kestra.fullname" $merged }} + labels: + app: {{ include "kestra.fullname" $merged }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ include "kestra.fullname" $merged }} + template: + metadata: + labels: + app: {{ include "kestra.fullname" $merged }} + spec: + serviceAccountName: kestra-operator + {{- with $.Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: kestra-operator + image: {{ .Values.operator.image }} + resources: + requests: + cpu: 250m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi + startupProbe: + httpGet: + path: /q/health/started + port: 8080 + scheme: HTTP + periodSeconds: {{ $.Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ $.Values.startupProbe.timeoutSeconds }} + successThreshold: {{ $.Values.startupProbe.successThreshold }} + failureThreshold: {{ $.Values.startupProbe.failureThreshold }} + livenessProbe: + httpGet: + path: /q/health/live + port: 8080 + scheme: HTTP + initialDelaySeconds: {{ $.Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ $.Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ $.Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ $.Values.livenessProbe.successThreshold }} + failureThreshold: {{ $.Values.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /q/health/ready + port: 8080 + scheme: HTTP + initialDelaySeconds: {{ $.Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ $.Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ $.Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ $.Values.readinessProbe.successThreshold }} + failureThreshold: {{ $.Values.readinessProbe.failureThreshold }} + env: + - name: QUARKUS_OPERATOR_SDK_CRD_APPLY + value: "true" + - name: QUARKUS_OPERATOR_SDK_CRD_VALIDATE + value: "false" + - name: KESTRA_API_URL + value: http://{{ include "kestra.fullname" $service }}:8080 + {{- if .Values.operator.apiKey }} + - name: KESTRA_API_API_KEY + value: {{ .Values.operator.apiKey }} + {{- end }} + {{- if .Values.operator.basicAuth }} + - name: KESTRA_API_BASIC_AUTH + value: {{ .Values.operator.basicAuth }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kestra/values.yaml b/charts/kestra/values.yaml index ed1396e..2b0bb4c 100644 --- a/charts/kestra/values.yaml +++ b/charts/kestra/values.yaml @@ -133,6 +133,13 @@ workerGroup: # By default, we start a number of threads of two times the number of available processors, use 'workerThreads' to configure a different value. #workerThreads: 128 +# EE only - the Kestra Kubernetes Operator +operator: + enabled: false + image: registry.kestra.io/docker/kestra-operator + apiKey: "" + basicAuth: "" + # for io.kestra.core.tasks.scripts.Bash task or io.kestra.plugin.scripts.*, attach a docker dind container in order to isolate in a container # every command launch dind: