From 3b891e4d12ae37416e39f0bf37e6ca62fbd74776 Mon Sep 17 00:00:00 2001 From: Pablo Date: Mon, 23 May 2022 10:57:18 -0600 Subject: [PATCH 1/9] feat: reuse settings and secrets with a template injection --- .gitignore | 3 + Chart.lock | 9 ++- Chart.yaml | 10 ++- templates/default/configmap.yaml | 27 +------ templates/default/secrets.yaml | 21 +----- templates/diffgram_settings.tpl | 35 +++++++++ templates/diffgrams_secrets.tpl | 23 ++++++ templates/eventhandlers/configmap.yaml | 6 ++ templates/eventhandlers/deployment.yaml | 77 ++++++++++++++++++++ templates/eventhandlers/secrets.yaml | 7 ++ templates/eventhandlers/service.yaml | 15 ++++ templates/hooks/configmap_db_migrations.yaml | 27 +------ templates/hooks/secrets_db_migrations.yaml | 21 +----- templates/walrus/configmap.yaml | 31 +------- templates/walrus/secrets.yaml | 21 +----- values.yaml | 29 +++++++- 16 files changed, 214 insertions(+), 148 deletions(-) create mode 100644 templates/diffgram_settings.tpl create mode 100644 templates/diffgrams_secrets.tpl create mode 100644 templates/eventhandlers/configmap.yaml create mode 100644 templates/eventhandlers/deployment.yaml create mode 100644 templates/eventhandlers/secrets.yaml create mode 100644 templates/eventhandlers/service.yaml diff --git a/.gitignore b/.gitignore index 0255e5e..77cdcf2 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,6 @@ example.com\+5.pem example.com\+6-key.pem example.com\+6.pem + +# Chart dependencies +**/charts/*.tgz \ No newline at end of file diff --git a/Chart.lock b/Chart.lock index 4bb6015..dc87b50 100644 --- a/Chart.lock +++ b/Chart.lock 
@@ -1,6 +1,9 @@ dependencies: +- name: rabbitmq + repository: https://charts.bitnami.com/bitnami + version: 9.1.4 - name: cert-manager - repository: https://charts.jetstack.io/ + repository: https://charts.jetstack.io version: v1.1.0 -digest: sha256:50d9686126f61b7d7b8a50112464b41ac426a483ae053b4820c9e5f953cf7b76 -generated: "2021-01-29T14:30:59.744116786-06:00" +digest: sha256:16a0d329ffcd4f4ec533d51af30ac1c014066795596729f5572bf93a379a5416 +generated: "2022-05-23T09:23:56.111110299-06:00" diff --git a/Chart.yaml b/Chart.yaml index e1f8568..94e0247 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -15,10 +15,16 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.2.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.0.1" \ No newline at end of file +appVersion: "0.0.1" + +dependencies: + - name: rabbitmq + version: 9.1.4 + repository: https://charts.bitnami.com/bitnami + condition: useRabbitMq \ No newline at end of file diff --git a/templates/default/configmap.yaml b/templates/default/configmap.yaml index 7c75807..f3da080 100644 --- a/templates/default/configmap.yaml +++ b/templates/default/configmap.yaml 
@@ -3,29 +3,4 @@ kind: ConfigMap
 metadata:
 name: diffgram-default-configmap
 data:
- USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }}
- DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }}
- DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }}
- DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }}
- ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }}
- GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml
- CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }}
- ML__CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }}
- URL_BASE: {{ .Values.diffgramDomain }}
- WALRUS_SERVICE_URL_BASE: {{ .Values.diffgramSettings.WALRUS_SERVICE_URL_BASE }}
- SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }}
- DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }}
- ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }}
- DIFFGRAM_INSTALL_FINGERPRINT: {{ .Values.diffgramSettings.DIFFGRAM_INSTALL_FINGERPRINT }}
- DIFFGRAM_VERSION_TAG: {{ .Values.diffgramVersion }}
- DIFFGRAM_HOST_OS: {{ .Values.diffgramSettings.DIFFGRAM_HOST_OS }}
- DATABASE_CONNECTION_POOL_SIZE: {{ .Values.diffgramSettings.DATABASE_CONNECTION_POOL_SIZE }}
- PYTHONPATH: "/app:/app/shared:/"
- PROCESS_MEDIA_NUM_VIDEO_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_VIDEO_THREADS }}
- PROCESS_MEDIA_NUM_FRAME_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_FRAME_THREADS }}
- NEW_RELIC_LICENSE_KEY: {{ .Values.diffgramSettings.NEW_RELIC_LICENSE_KEY }}
- EMAIL_DOMAIN_NAME: {{ .Values.diffgramSettings.EMAIL_DOMAIN_NAME }}
- ALLOW_EVENTHUB: {{ .Values.diffgramSettings.ALLOW_EVENTHUB }}
- EMAIL_VALIDATION: {{ .Values.diffgramSettings.EMAIL_VALIDATION }}
- ALLOW_STRIPE_BILLING: {{ .Values.diffgramSettings.ALLOW_STRIPE_BILLING }}
- IS_OPEN_SOURCE: {{ .Values.diffgramSettings.IS_OPEN_SOURCE }}
\ No newline at end of file
+{{- template "diffgram.settings" . }}
\ No newline at end of file
diff --git a/templates/default/secrets.yaml b/templates/default/secrets.yaml
index 271775a..f1322a8 100644
--- a/templates/default/secrets.yaml
+++ b/templates/default/secrets.yaml
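Review bot: The new `{{- template "diffgram.settings" . }}` call under `data:` appears to depend on indentation baked into the `define` body, because `template` is an action whose output cannot be piped. `include` with `nindent` keeps the indentation decision at the call site, e.g. `{{- include "diffgram.settings" . | nindent 2 }}`, with the entries inside the partial written at column 0. The same applies to the `diffgram.secrets` call in templates/default/secrets.yaml and to the eventhandlers, hooks and walrus ConfigMaps and Secrets changed in this patch. The two partial files would also conventionally carry a leading underscore (`_diffgram_settings.tpl`), which is how Helm marks a file as holding no manifest.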
@@ -4,23 +4,4 @@ metadata:
 name: diffgram-default-secrets
 type: Opaque
 stringData:
- STRIPE_API_KEY: {{ .Values.diffgramSecrets.STRIPE_API_KEY }}
- DIFFGRAM_AWS_ACCESS_KEY_SECRET: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET }}
- DIFFGRAM_AWS_ACCESS_KEY_ID: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID }}
- _ANALYTICS_WRITE_KEY: {{ .Values.diffgramSecrets._ANALYTICS_WRITE_KEY }}
- MAILGUN_KEY: {{ .Values.diffgramSecrets.MAILGUN_KEY }}
- HUB_SPOT_KEY: {{ .Values.diffgramSecrets.HUB_SPOT_KEY }}
- SECRET_KEY: {{ .Values.diffgramSecrets.SECRET_KEY }}
- INTER_SERVICE_SECRET: {{ .Values.diffgramSecrets.INTER_SERVICE_SECRET }}
- FERNET_KEY: {{ .Values.diffgramSecrets.FERNET_KEY }}
- {{ if eq .Values.dbSettings.dbProvider "local"}}
- DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@diffgram-postgres/{{ .Values.dbSettings.dbName }}"
- {{ end }}
- {{ if eq .Values.dbSettings.dbProvider "rds"}}
- DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-rds-service/{{ .Values.dbSettings.dbName }}"
- {{ end }}
- {{ if eq .Values.dbSettings.dbProvider "azure"}}
- DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-azure-service/{{ .Values.dbSettings.dbName }}"
- {{ end }}
- USER_PASSWORDS_SECRET: {{ .Values.diffgramSecrets.USER_PASSWORDS_SECRET }}
- DIFFGRAM_AZURE_CONNECTION_STRING: {{ .Values.diffgramSecrets.DIFFGRAM_AZURE_CONNECTION_STRING }}
\ No newline at end of file
+{{- template "diffgram.secrets" . }}
\ No newline at end of file
diff --git a/templates/diffgram_settings.tpl b/templates/diffgram_settings.tpl
new file mode 100644
index 0000000..63e2763
--- /dev/null
+++ b/templates/diffgram_settings.tpl
@@ -0,0 +1,35 @@
+{{- define "diffgram.settings" }}
+ USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }}
+ DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }}
+ DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }}
+ DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }}
+ ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }}
+ GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml
+ CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }}
+ ML__CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }}
+ URL_BASE: {{ .Values.diffgramDomain }}
+ WALRUS_SERVICE_URL_BASE: {{ .Values.diffgramSettings.WALRUS_SERVICE_URL_BASE }}
+ SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }}
+ DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }}
+ ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }}
+ DIFFGRAM_INSTALL_FINGERPRINT: {{ .Values.diffgramSettings.DIFFGRAM_INSTALL_FINGERPRINT }}
+ DIFFGRAM_VERSION_TAG: {{ .Values.diffgramVersion }}
+ DIFFGRAM_HOST_OS: {{ .Values.diffgramSettings.DIFFGRAM_HOST_OS }}
+ DATABASE_CONNECTION_POOL_SIZE: {{ .Values.diffgramSettings.DATABASE_CONNECTION_POOL_SIZE }}
+ PYTHONPATH: "/app:/app/shared:/"
+ PROCESS_MEDIA_NUM_VIDEO_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_VIDEO_THREADS }}
+ PROCESS_MEDIA_NUM_FRAME_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_FRAME_THREADS }}
+ NEW_RELIC_LICENSE_KEY: {{ .Values.diffgramSettings.NEW_RELIC_LICENSE_KEY }}
+ EMAIL_DOMAIN_NAME: {{ .Values.diffgramSettings.EMAIL_DOMAIN_NAME }}
+ ALLOW_EVENTHUB: {{ .Values.diffgramSettings.ALLOW_EVENTHUB }}
+ EMAIL_VALIDATION: {{ .Values.diffgramSettings.EMAIL_VALIDATION }}
+ ALLOW_STRIPE_BILLING: {{ .Values.diffgramSettings.ALLOW_STRIPE_BILLING }}
+ IS_OPEN_SOURCE: {{ .Values.diffgramSettings.IS_OPEN_SOURCE }}
+ DIFFGRAM_MINIO_ENDPOINT_URL: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ENDPOINT_URL}}
+ DIFFGRAM_MINIO_ACCESS_KEY_ID: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ACCESS_KEY_ID}}
+ DIFFGRAM_MINIO_ACCESS_KEY_SECRET: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ACCESS_KEY_SECRET}}
+ DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: {{.Values.diffgramSettings.DIFFGRAM_MINIO_DISABLED_SSL_VERIFY}}
+ RABBITMQ_HOST: {{.Values.diffgramSettings.RABBITMQ_HOST}}
+ RABBITMQ_PORT: {{.Values.diffgramSettings.RABBITMQ_PORT}}
+ RABBITMQ_DEFAULT_USER: {{.Values.rabbitmq.auth.rabbitmq}}
+{{- end }}
\ No newline at end of file
diff --git a/templates/diffgrams_secrets.tpl b/templates/diffgrams_secrets.tpl
new file mode 100644
index 0000000..16780b7
--- /dev/null
+++ b/templates/diffgrams_secrets.tpl
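Review bot: `DIFFGRAM_MINIO_ACCESS_KEY_ID` and `DIFFGRAM_MINIO_ACCESS_KEY_SECRET` are credentials, yet this shared partial renders them into every ConfigMap that uses it (default, eventhandlers, walrus and the db-migrations hook), where before this patch they appeared only in the walrus ConfigMap; `NEW_RELIC_LICENSE_KEY` has the same problem. ConfigMaps are usually readable under broader RBAC than Secrets, so these entries belong in the `diffgram.secrets` partial instead. Separately, the values are emitted unquoted, so `RABBITMQ_PORT` (set to `5672` in values.yaml) renders as a YAML integer, which a ConfigMap's string-only `data` map does not accept. `RABBITMQ_PORT: {{ .Values.diffgramSettings.RABBITMQ_PORT | quote }}` avoids that, and the same pipe is worth applying to the other entries.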
@@ -0,0 +1,23 @@
+{{- define "diffgram.secrets" }}
+ STRIPE_API_KEY: {{ .Values.diffgramSecrets.STRIPE_API_KEY }}
+ DIFFGRAM_AWS_ACCESS_KEY_SECRET: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET }}
+ DIFFGRAM_AWS_ACCESS_KEY_ID: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID }}
+ _ANALYTICS_WRITE_KEY: {{ .Values.diffgramSecrets._ANALYTICS_WRITE_KEY }}
+ MAILGUN_KEY: {{ .Values.diffgramSecrets.MAILGUN_KEY }}
+ HUB_SPOT_KEY: {{ .Values.diffgramSecrets.HUB_SPOT_KEY }}
+ SECRET_KEY: {{ .Values.diffgramSecrets.SECRET_KEY }}
+ INTER_SERVICE_SECRET: {{ .Values.diffgramSecrets.INTER_SERVICE_SECRET }}
+ FERNET_KEY: {{ .Values.diffgramSecrets.FERNET_KEY }}
+ {{ if eq .Values.dbSettings.dbProvider "local"}}
+ DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@diffgram-postgres/{{ .Values.dbSettings.dbName }}"
+ {{ end }}
+ {{ if eq .Values.dbSettings.dbProvider "rds"}}
+ DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-rds-service/{{ .Values.dbSettings.dbName }}"
+ {{ end }}
+ {{ if eq .Values.dbSettings.dbProvider "azure"}}
+ DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-azure-service/{{ .Values.dbSettings.dbName }}"
+ {{ end }}
+ USER_PASSWORDS_SECRET: {{ .Values.diffgramSecrets.USER_PASSWORDS_SECRET }}
+ DIFFGRAM_AZURE_CONNECTION_STRING: {{ .Values.diffgramSecrets.DIFFGRAM_AZURE_CONNECTION_STRING }}
+ RABBITMQ_DEFAULT_PASS: {{ .Values.rabbitmq.auth.password }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/eventhandlers/configmap.yaml b/templates/eventhandlers/configmap.yaml
new file mode 100644
index 0000000..3b8721f
--- /dev/null
+++ b/templates/eventhandlers/configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: diffgram-eventhandlers-configmap
+data:
+{{- template "diffgram.settings" . }}
\ No newline at end of file
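Review bot: Every value in the `diffgram.secrets` partial is interpolated unquoted into `stringData`, including the new `RABBITMQ_DEFAULT_PASS: {{ .Values.rabbitmq.auth.password }}`, so a secret that is all digits, looks like a boolean, or contains `: ` or ` #` is retyped or cut short by the YAML parser, or fails to render. Piping each one through `quote` fixes that, e.g. `RABBITMQ_DEFAULT_PASS: {{ .Values.rabbitmq.auth.password | quote }}`. The three `DATABASE_URL` lines have a related problem: `dbPassword` is placed into the URL as-is, so a password containing `@`, `/` or `:` produces a connection string that parses to the wrong host or credentials. Percent-encoding it at render time (for example with `urlquery`) would close that gap, subject to checking how the application decodes the URL.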
diff --git a/templates/eventhandlers/deployment.yaml b/templates/eventhandlers/deployment.yaml
new file mode 100644
index 0000000..c6bfd28
--- /dev/null
+++ b/templates/eventhandlers/deployment.yaml
@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: diffgram-eventhandlers
+ name: diffgram-eventhandlers
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: {{ .Values.defaultService.numReplicas }}
+ selector:
+ matchLabels:
+ app: diffgram-eventhandlers
+ template:
+ metadata:
+ labels:
+ app: diffgram-eventhandlers
+ spec:
+ {{ if .Values.nodeGroupLabel }}
+ nodeSelector:
+ poolName: {{ .Values.nodeGroupLabel }}
+ {{ end }}
+ {{ if eq .Values.diffgramEdition "enterprise"}}
+ imagePullSecrets:
+ - name: diffgramsecret
+ {{ end }}
+ volumes:
+ {{ if eq .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER "gcp"}}
+ - name: service-account-credentials-volume
+ secret:
+ secretName: gcp-service-account-credentials
+ items:
+ - key: sa_json
+ path: sa_credentials.json
+ {{ end }}
+ initContainers:
+ - name: check-db-ready
+ image: postgres:11
+ {{ if eq .Values.dbSettings.dbProvider "local"}}
+ command: ['sh', '-c',
+ 'until pg_isready -h diffgram-postgres -p 5432;
+ do echo waiting for database; sleep 2; done;']
+ {{ end }}
+ {{ if eq .Values.dbSettings.dbProvider "rds"}}
+ command: ['sh', '-c', 'until pg_isready -h postgres-rds-service -p 5432; do echo waiting for database; sleep 2; done;']
+ {{ end }}
+ {{ if eq .Values.dbSettings.dbProvider "azure"}}
+ command: ['sh', '-c', 'until pg_isready -h postgres-azure-service -p 5432; do echo waiting for database; sleep 2; done;']
+ {{ end }}
+ containers:
+ {{ if eq .Values.diffgramEdition "enterprise"}}
+ - image: gcr.io/diffgram-enterprise/eventhandlers:{{ .Values.diffgramVersion }}
+ {{ end }}
+ {{ if eq .Values.diffgramEdition "opencore"}}
+ - image: gcr.io/diffgram-open-core/eventhandlers:{{ .Values.diffgramVersion }}
+ {{ end }}
+ imagePullPolicy: Always
+ name: diffgram-default
+ ports:
+ - containerPort: 8080
+ {{ if eq .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER "gcp"}}
+ volumeMounts:
+ - name: service-account-credentials-volume
+ mountPath: /etc/gcp
+ readOnly: true
+ {{ end }}
+ envFrom:
+ - configMapRef:
+ name: diffgram-eventhandlers-configmap
+ - secretRef:
+ name: diffgram-eventhandlers-secrets
+ resources:
+ requests:
+ cpu: {{ .Values.eventHandlersService.requests.cpu }}
+ memory: {{ .Values.eventHandlersService.requests.memory }}
+ limits:
+ cpu: {{ .Values.eventHandlersService.limits.cpu }}
+ memory: {{ .Values.eventHandlersService.limits.memory }}
\ No newline at end of file
diff --git a/templates/eventhandlers/secrets.yaml b/templates/eventhandlers/secrets.yaml
new file mode 100644
index 0000000..62060c0
--- /dev/null
+++ b/templates/eventhandlers/secrets.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: diffgram-eventhandlers-secrets
+type: Opaque
+stringData:
+{{- template "diffgram.secrets" . }}
\ No newline at end of file
diff --git a/templates/eventhandlers/service.yaml b/templates/eventhandlers/service.yaml
new file mode 100644
index 0000000..f441802
--- /dev/null
+++ b/templates/eventhandlers/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: diffgram-eventhandlers
+ name: diffgram-eventhandlers
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: diffgram-eventhandlers
+ type: ClusterIP
\ No newline at end of file
diff --git a/templates/hooks/configmap_db_migrations.yaml b/templates/hooks/configmap_db_migrations.yaml
index 43279c6..aa9159d 100644
--- a/templates/hooks/configmap_db_migrations.yaml
+++ b/templates/hooks/configmap_db_migrations.yaml
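Review bot: `replicas: {{ .Values.defaultService.numReplicas }}` in templates/eventhandlers/deployment.yaml scales the event handlers with the API service's setting, although this patch adds `eventHandlersService.numReplicas` to values.yaml and the resource requests further down already read from `eventHandlersService`; it should be `replicas: {{ .Values.eventHandlersService.numReplicas }}`. The container is also named `diffgram-default`, which looks copied from the default deployment. On hardening, neither the init container nor the main container sets a `securityContext`, and the init image is the floating tag `postgres:11`. Consider `runAsNonRoot: true` and `allowPrivilegeEscalation: false` where the images allow it, and a pinned tag or digest for the init image.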
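Review bot: `diffgram-eventhandlers-secrets` in templates/eventhandlers/secrets.yaml is rendered from the full `diffgram.secrets` partial, so the event-handler pods receive every credential in the chart through `envFrom` (Stripe, Mailgun, AWS and Azure storage keys, `FERNET_KEY`, `USER_PASSWORDS_SECRET`) whether or not that service uses them. If the event handlers need only the database URL and the RabbitMQ password, a narrower partial would limit what a compromise of that one workload exposes. What the service actually reads is not visible in this patch, so this needs confirming against the application.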
@@ -7,29 +7,4 @@ metadata:
 "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
 name: db-migrations-configmap
 data:
- USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }}
- DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }}
- DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }}
- DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }}
- ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }}
- GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml
- CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }}
- ML__CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }}
- URL_BASE: {{ .Values.diffgramDomain }}
- WALRUS_SERVICE_URL_BASE: {{ .Values.diffgramSettings.WALRUS_SERVICE_URL_BASE }}
- SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }}
- DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }}
- ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }}
- DIFFGRAM_INSTALL_FINGERPRINT: {{ .Values.diffgramSettings.DIFFGRAM_INSTALL_FINGERPRINT }}
- DIFFGRAM_VERSION_TAG: {{ .Values.diffgramVersion }}
- DIFFGRAM_HOST_OS: {{ .Values.diffgramSettings.DIFFGRAM_HOST_OS }}
- DATABASE_CONNECTION_POOL_SIZE: {{ .Values.diffgramSettings.DATABASE_CONNECTION_POOL_SIZE }}
- PYTHONPATH: /app
- PROCESS_MEDIA_NUM_VIDEO_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_VIDEO_THREADS }}
- PROCESS_MEDIA_NUM_FRAME_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_FRAME_THREADS }}
- NEW_RELIC_LICENSE_KEY: {{ .Values.diffgramSettings.NEW_RELIC_LICENSE_KEY }}
- EMAIL_DOMAIN_NAME: {{ .Values.diffgramSettings.EMAIL_DOMAIN_NAME }}
- ALLOW_EVENTHUB: {{ .Values.diffgramSettings.ALLOW_EVENTHUB }}
- EMAIL_VALIDATION: {{ .Values.diffgramSettings.EMAIL_VALIDATION }}
- ALLOW_STRIPE_BILLING: {{ .Values.diffgramSettings.ALLOW_STRIPE_BILLING }}
- IS_OPEN_SOURCE: {{ .Values.diffgramSettings.IS_OPEN_SOURCE }}
\ No newline at end of file
+{{- template "diffgram.settings" . }}
\ No newline at end of file
diff --git a/templates/hooks/secrets_db_migrations.yaml b/templates/hooks/secrets_db_migrations.yaml
index d1f8c1b..ba08793 100644
--- a/templates/hooks/secrets_db_migrations.yaml
+++ b/templates/hooks/secrets_db_migrations.yaml
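Review bot: Switching the db-migrations ConfigMap to the shared partial silently changes `PYTHONPATH` from `/app` to `"/app:/app/shared:/"`; the walrus ConfigMap in this patch changes the same way. The trailing `/` puts the filesystem root on the module search path, which widens what the migration job and walrus can import by name. If the per-service values were intentional, the partial needs a way for the caller to override this entry. If one value is meant to serve all services, a comment such as `# shared by default, walrus, eventhandlers and db-migrations` in the partial would record that.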
@@ -9,23 +9,4 @@ metadata:
 name: db-migrations-secret
 type: Opaque
 stringData:
- STRIPE_API_KEY: {{ .Values.diffgramSecrets.STRIPE_API_KEY }}
- DIFFGRAM_AWS_ACCESS_KEY_ID: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID }}
- DIFFGRAM_AWS_ACCESS_KEY_SECRET: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET }}
- _ANALYTICS_WRITE_KEY: {{ .Values.diffgramSecrets._ANALYTICS_WRITE_KEY }}
- MAILGUN_KEY: {{ .Values.diffgramSecrets.MAILGUN_KEY }}
- HUB_SPOT_KEY: {{ .Values.diffgramSecrets.HUB_SPOT_KEY }}
- SECRET_KEY: {{ .Values.diffgramSecrets.SECRET_KEY }}
- FERNET_KEY: {{ .Values.diffgramSecrets.FERNET_KEY }}
- INTER_SERVICE_SECRET: {{ .Values.diffgramSecrets.INTER_SERVICE_SECRET }}
- {{ if eq .Values.dbSettings.dbProvider "local"}}
- DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@diffgram-postgres-hook/{{ .Values.dbSettings.dbName }}"
- {{ end }}
- {{ if eq .Values.dbSettings.dbProvider "rds"}}
- DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@{{ .Values.dbSettings.rdsEndpoint }}/{{ .Values.dbSettings.dbName }}"
- {{ end }}
- {{ if eq .Values.dbSettings.dbProvider "azure"}}
- DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@{{ .Values.dbSettings.azureSqlEndpoint }}/{{ .Values.dbSettings.dbName }}"
- {{ end }}
- USER_PASSWORDS_SECRET: {{ .Values.diffgramSecrets.USER_PASSWORDS_SECRET }}
- DIFFGRAM_AZURE_CONNECTION_STRING: {{ .Values.diffgramSecrets.DIFFGRAM_AZURE_CONNECTION_STRING }}
+{{- template "diffgram.secrets" . }}
\ No newline at end of file
diff --git a/templates/walrus/configmap.yaml b/templates/walrus/configmap.yaml
index 792b7e7..3d24155 100644
--- a/templates/walrus/configmap.yaml
+++ b/templates/walrus/configmap.yaml
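Review bot: The migration job's `DATABASE_URL` now points at different hosts than before. The removed lines used `diffgram-postgres-hook`, `.Values.dbSettings.rdsEndpoint` and `.Values.dbSettings.azureSqlEndpoint`, while the shared `diffgram.secrets` partial hard-codes `diffgram-postgres`, `postgres-rds-service` and `postgres-azure-service`. This Secret feeds a pre-install/pre-upgrade hook, and the release's own Services may not exist yet when the hook runs, which is presumably why the hook had separate hostnames. The partial should take the database host from its caller (for instance through a `dict` passed to `include`) so the hook can keep its hook-time endpoints.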
@@ -3,33 +3,4 @@ kind: ConfigMap
 metadata:
 name: diffgram-walrus-configmap
 data:
- USERDOMAIN: {{ .Values.diffgramSettings.USERDOMAIN }}
- DIFFGRAM_SYSTEM_MODE: {{ .Values.diffgramSettings.DIFFGRAM_SYSTEM_MODE }}
- DIFFGRAM_STATIC_STORAGE_PROVIDER: {{ .Values.diffgramSettings.DIFFGRAM_STATIC_STORAGE_PROVIDER }}
- DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.DIFFGRAM_S3_BUCKET_NAME }}
- ML__DIFFGRAM_S3_BUCKET_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME }}
- GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml
- CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }}
- ML__CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }}
- PYTHONPATH: /app
- URL_BASE: {{ .Values.diffgramDomain }}
- WALRUS_SERVICE_URL_BASE: {{ .Values.diffgramSettings.WALRUS_SERVICE_URL_BASE }}
- SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }}
- DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }}
- ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }}
- DIFFGRAM_INSTALL_FINGERPRINT: {{ .Values.diffgramSettings.DIFFGRAM_INSTALL_FINGERPRINT }}
- DIFFGRAM_VERSION_TAG: {{ .Values.diffgramVersion }}
- DIFFGRAM_HOST_OS: {{ .Values.diffgramSettings.DIFFGRAM_HOST_OS }}
- DATABASE_CONNECTION_POOL_SIZE: {{ .Values.diffgramSettings.DATABASE_CONNECTION_POOL_SIZE }}
- PROCESS_MEDIA_NUM_VIDEO_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_VIDEO_THREADS }}
- PROCESS_MEDIA_NUM_FRAME_THREADS: {{ .Values.diffgramSettings.PROCESS_MEDIA_NUM_FRAME_THREADS }}
- NEW_RELIC_LICENSE_KEY: {{ .Values.diffgramSettings.NEW_RELIC_LICENSE_KEY }}
- EMAIL_DOMAIN_NAME: {{ .Values.diffgramSettings.EMAIL_DOMAIN_NAME }}
- ALLOW_EVENTHUB: {{ .Values.diffgramSettings.ALLOW_EVENTHUB }}
- EMAIL_VALIDATION: {{ .Values.diffgramSettings.EMAIL_VALIDATION }}
- ALLOW_STRIPE_BILLING: {{ .Values.diffgramSettings.ALLOW_STRIPE_BILLING }}
- IS_OPEN_SOURCE: {{ .Values.diffgramSettings.IS_OPEN_SOURCE }}
- DIFFGRAM_MINIO_ENDPOINT_URL: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ENDPOINT_URL}}
- DIFFGRAM_MINIO_ACCESS_KEY_ID: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ACCESS_KEY_ID}}
- DIFFGRAM_MINIO_ACCESS_KEY_SECRET: {{.Values.diffgramSettings.DIFFGRAM_MINIO_ACCESS_KEY_SECRET}}
- DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: {{.Values.diffgramSettings.DIFFGRAM_MINIO_DISABLED_SSL_VERIFY}}
\ No newline at end of file
+{{- template "diffgram.settings" . }}
\ No newline at end of file
diff --git a/templates/walrus/secrets.yaml b/templates/walrus/secrets.yaml
index 7094e60..f2595cc 100644
--- a/templates/walrus/secrets.yaml
+++ b/templates/walrus/secrets.yaml
@@ -4,23 +4,4 @@ metadata:
 name: diffgram-walrus-secrets
 type: Opaque
 stringData:
- STRIPE_API_KEY: {{ .Values.diffgramSecrets.STRIPE_API_KEY }}
- DIFFGRAM_AWS_ACCESS_KEY_SECRET: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET }}
- DIFFGRAM_AWS_ACCESS_KEY_ID: {{ .Values.diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID }}
- _ANALYTICS_WRITE_KEY: {{ .Values.diffgramSecrets._ANALYTICS_WRITE_KEY }}
- MAILGUN_KEY: {{ .Values.diffgramSecrets.MAILGUN_KEY }}
- HUB_SPOT_KEY: {{ .Values.diffgramSecrets.HUB_SPOT_KEY }}
- FERNET_KEY: {{ .Values.diffgramSecrets.FERNET_KEY }}
- SECRET_KEY: {{ .Values.diffgramSecrets.SECRET_KEY }}
- INTER_SERVICE_SECRET: {{ .Values.diffgramSecrets.INTER_SERVICE_SECRET }}
- {{ if eq .Values.dbSettings.dbProvider "local"}}
- DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@diffgram-postgres/{{ .Values.dbSettings.dbName }}"
- {{ end }}
- {{ if eq .Values.dbSettings.dbProvider "rds"}}
- DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-rds-service/{{ .Values.dbSettings.dbName }}"
- {{ end }}
- {{ if eq .Values.dbSettings.dbProvider "azure"}}
- DATABASE_URL: "postgresql+psycopg2://{{ .Values.dbSettings.dbUser }}:{{ .Values.dbSettings.dbPassword }}@postgres-azure-service/{{ .Values.dbSettings.dbName }}"
- {{ end }}
- USER_PASSWORDS_SECRET: {{ .Values.diffgramSecrets.USER_PASSWORDS_SECRET }}
- DIFFGRAM_AZURE_CONNECTION_STRING: {{ .Values.diffgramSecrets.DIFFGRAM_AZURE_CONNECTION_STRING }}
\ No newline at end of file
+{{- template "diffgram.secrets" . }}
\ No newline at end of file
diff --git a/values.yaml b/values.yaml
index 6d4d971..0c0edcc 100644
--- a/values.yaml
+++ b/values.yaml
@@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. # The Diffgram Version. Whenever a new update arrives, this will be changed. -diffgramVersion: 0.14.1 +diffgramVersion: 0.16.0 # Either 'opencore' or 'enterprise'. Please note that selecting 'enterprise' # requires that you also set imagePullCredentials.gcrCredentials. @@ -89,11 +89,27 @@ diffgramSettings: DIFFGRAM_MINIO_ACCESS_KEY_ID: none DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none + RABBITMQ_PORT: 5672 + RABBITMQ_HOST: diffgram-rabbitmq imagePullCredentials: # The service account with permissions to pull from the GCR Repository. [Should be Provided by Diffgram Team.] gcrCredentials: provided_by_diffgram_team + +####### Dependencies +# Read: https://github.com/bitnami/charts/tree/master/bitnami/rabbitmq for further configs +useRabbitMq: true +rabbitmq: + auth: + rabbitmq: "diffgram" + password: "diffgram" + tls: + enabled: true + autoGenerated: true + +####### End Dependencies + nodeGroupLabel: null # The service for API calls. @@ -106,6 +122,17 @@ defaultService: limits: cpu: "2.0" memory: "2G" + +# The service for Event Handlers. +# This are minimal defaults. Please feel free to change them as you start having more usage +eventHandlersService: + numReplicas: 1 + requests: + cpu: "1.0" + memory: "1G" + limits: + cpu: "2.0" + memory: "2G" # The service for the UI frontend. # This are minimal defaults. Please feel free to change them as you start having more usage frontendService: From 7f8b1b25ffd2500715bbb00b405b767eb33fd3de Mon Sep 17 00:00:00 2001 From: Pablo Date: Mon, 23 May 2022 11:24:59 -0600 Subject: [PATCH 2/9] fix: default values --- result.txt | 2187 ++++++++++++++++++ templates/diffgram_settings.tpl | 2 +- templates/hooks/configmap_db_migrations.yaml | 2 +- values.yaml | 6 +- 4 files changed, 2192 insertions(+), 5 deletions(-) create mode 100644 result.txt diff --git a/result.txt b/result.txt new file mode 100644 index 0000000..7c4e0c0 
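Review bot: In the values.yaml hunk that adds the `rabbitmq:` block, `useRabbitMq: true` together with `password: "diffgram"` gives every default install a broker with a publicly known credential. Leave the password empty here and fail the render when it is missing, e.g. `RABBITMQ_DEFAULT_PASS: {{ required "rabbitmq.auth.password must be set" .Values.rabbitmq.auth.password | quote }}` in the secrets partial, or point the subchart at a pre-created Secret. The user key is also written as `auth.rabbitmq`, whereas the Bitnami rabbitmq chart reads `auth.username`. The subchart would therefore keep its own default user while the application is handed `diffgram`, so this should be `username: "diffgram"` with the settings partial reading `.Values.rabbitmq.auth.username`.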
--- /dev/null +++ b/result.txt 
@@ -0,0 +1,2187 @@ +NAME: diffgram +LAST DEPLOYED: Mon May 23 11:09:09 2022 +NAMESPACE: default +STATUS: pending-install +REVISION: 1 +TEST SUITE: None +HOOKS: +--- +# Source: diffgram/templates/hooks/secrets_db_migrations.yaml +apiVersion: v1 +kind: Secret + +metadata: + annotations: + "helm.sh/hook": pre-install, pre-upgrade, pre-rollback + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded + name: db-migrations-secret +type: Opaque +stringData: + STRIPE_API_KEY: none + DIFFGRAM_AWS_ACCESS_KEY_SECRET: write_your_aws_access_key_secret + DIFFGRAM_AWS_ACCESS_KEY_ID: write_your_aws_access_key + _ANALYTICS_WRITE_KEY: provided_by_diffgram_team + MAILGUN_KEY: provided_by_diffgram_team + HUB_SPOT_KEY: provided_by_diffgram_team + SECRET_KEY: provided_by_diffgram_team + INTER_SERVICE_SECRET: provided_by_diffgram_team + FERNET_KEY: NeL_RED6zZ1XF3XT7Yd1hzFPYyebrg6UdkECTOLHEdI= + + DATABASE_URL: "postgresql+psycopg2://postgres:postgres@diffgram-postgres/postgres" + + + + USER_PASSWORDS_SECRET: provided_by_diffgram_team + DIFFGRAM_AZURE_CONNECTION_STRING: put_your_azure_connection_string_here + RABBITMQ_DEFAULT_PASS: diffgram +--- +# Source: diffgram/templates/hooks/configmap_db_migrations.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade, pre-rollback + "helm.sh/hook-weight": "-3" # we use a smaller weight so it's created before the job + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded + name: db-migrations-configmap +data: + USERDOMAIN: kubernetes + DIFFGRAM_SYSTEM_MODE: production + DIFFGRAM_STATIC_STORAGE_PROVIDER: aws + DIFFGRAM_S3_BUCKET_NAME: none + ML__DIFFGRAM_S3_BUCKET_NAME: diffgram-testing + GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml + CLOUD_STORAGE_BUCKET: diffgram-testing + ML__CLOUD_STORAGE_BUCKET: diffgram-testing + URL_BASE: example.com + 
WALRUS_SERVICE_URL_BASE: example.com + SERVICE_ACCOUNT_FULL_PATH: /etc/gcp/sa_credentials.json + DIFFGRAM_AZURE_CONTAINER_NAME: none + ML__DIFFGRAM_AZURE_CONTAINER_NAME: none + DIFFGRAM_INSTALL_FINGERPRINT: helm_fingerprint_default + DIFFGRAM_VERSION_TAG: 0.16.0 + DIFFGRAM_HOST_OS: helm_os_default + DATABASE_CONNECTION_POOL_SIZE: "10" + PYTHONPATH: "/app:/app/shared:/" + PROCESS_MEDIA_NUM_VIDEO_THREADS: "1" + PROCESS_MEDIA_NUM_FRAME_THREADS: "4" + NEW_RELIC_LICENSE_KEY: none + EMAIL_DOMAIN_NAME: example.com + ALLOW_EVENTHUB: "False" + EMAIL_VALIDATION: "False" + ALLOW_STRIPE_BILLING: "False" + IS_OPEN_SOURCE: "True" + DIFFGRAM_MINIO_ENDPOINT_URL: none + DIFFGRAM_MINIO_ACCESS_KEY_ID: none + DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none + DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none + RABBITMQ_HOST: diffgram-rabbitmq + RABBITMQ_PORT: 5672 + RABBITMQ_DEFAULT_USER: user +--- +# Source: diffgram/templates/postgres/volumeclaim.yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: postgres-pv-claim + annotations: + "helm.sh/resource-policy": keep + "helm.sh/hook": "pre-install" + "helm.sh/hook-weight": "-5" +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi +--- +# Source: diffgram/templates/hooks/db_service_migrations.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install, pre-upgrade, pre-rollback + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded + name: diffgram-postgres-hook +spec: + ports: + - port: 5432 + selector: + app: postgres +--- +# Source: diffgram/templates/postgres/deployment.yaml +apiVersion: "apps/v1" +kind: "Deployment" +metadata: + name: "postgres" + namespace: default + labels: + app: "postgres" + annotations: + # This is what defines this resource as a hook. 
Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + replicas: 1 + selector: + matchLabels: + app: "postgres" + template: + metadata: + labels: + app: "postgres" + spec: + containers: + - name: "postgres" + image: "postgres:11" + env: + - name: "POSTGRES_DB" + value: postgres + - name: "POSTGRES_USER" + value: postgres + - name: "POSTGRES_PASSWORD" + value: postgres + ports: + - containerPort: 5432 + name: postgres + volumeMounts: + - name: postgres-storage + mountPath: /var/lib/postgresql/db-data + volumes: + - name: postgres-storage + persistentVolumeClaim: + claimName: postgres-pv-claim +--- +# Source: diffgram/templates/hooks/database_pre_install.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: "diffgram-pre-install" + labels: + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "diffgram" + app.kubernetes.io/version: 0.0.1 + helm.sh/chart: "diffgram-0.2.0" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. 
+ "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + metadata: + name: "diffgram" + labels: + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "diffgram" + helm.sh/chart: "diffgram-0.2.0" + spec: + + restartPolicy: Never + + volumes: + + + - name: postgres-storage + persistentVolumeClaim: + claimName: postgres-pv-claim + + containers: + + + - image: gcr.io/diffgram-open-core/default:0.16.0 + + imagePullPolicy: Always + name: pre-upgrade-alembic-hook + + envFrom: + - configMapRef: + name: db-migrations-configmap + - secretRef: + name: db-migrations-secret + # The actual migrations command + command: ["sh","-c", "cd shared; export PYTHONPATH=/app; pip install sqlalchemy-utils==0.36.6;python /app/play_and_scripts/scripts/create_database.py; alembic upgrade head"] +--- +# Source: diffgram/templates/hooks/database_pre_upgrade.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: "diffgram-pre-upgrade" + labels: + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "diffgram" + app.kubernetes.io/version: 0.0.1 + helm.sh/chart: "diffgram-0.2.0" + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. 
+ "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "2" +spec: + template: + metadata: + name: "diffgram" + labels: + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "diffgram" + helm.sh/chart: "diffgram-0.2.0" + spec: + restartPolicy: Never + + + containers: + + + - image: gcr.io/diffgram-open-core/default:0.16.0 + + imagePullPolicy: Always + name: pre-upgrade-alembic-hook + + envFrom: + - configMapRef: + name: db-migrations-configmap + - secretRef: + name: db-migrations-secret + # The actual migrations command + command: ["sh","-c", "cd shared; export PYTHONPATH=/app; pip install sqlalchemy-utils==0.36.6;python /app/play_and_scripts/scripts/create_database.py; alembic upgrade head"] +MANIFEST: +--- +# Source: diffgram/charts/cert-manager/templates/cainjector-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: diffgram-cert-manager-cainjector + namespace: "default" + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v1.1.0 +--- +# Source: diffgram/charts/cert-manager/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: diffgram-cert-manager + namespace: "default" + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +--- +# Source: diffgram/charts/cert-manager/templates/webhook-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: diffgram-cert-manager-webhook + namespace: "default" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v1.1.0 +--- +# Source: 
diffgram/charts/rabbitmq/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: diffgram-rabbitmq + namespace: "default" + labels: + app.kubernetes.io/name: rabbitmq + helm.sh/chart: rabbitmq-9.1.4 + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: true +secrets: + - name: diffgram-rabbitmq +--- +# Source: diffgram/charts/rabbitmq/templates/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: diffgram-rabbitmq + namespace: "default" + labels: + app.kubernetes.io/name: rabbitmq + helm.sh/chart: rabbitmq-9.1.4 + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm +type: Opaque +data: + rabbitmq-password: "ZGlmZmdyYW0=" + + rabbitmq-erlang-cookie: "S3htRjhHaXpYSXRNOUhEU2xLQTdKZFYyZXVvUHVpdmE=" +--- +# Source: diffgram/charts/rabbitmq/templates/tls-secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: diffgram-rabbitmq-certs + namespace: "default" + labels: + app.kubernetes.io/name: rabbitmq + helm.sh/chart: rabbitmq-9.1.4 + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm +type: kubernetes.io/tls +data: + ca.crt: "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" + tls.crt: "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" + tls.key: "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" +--- +# Source: diffgram/templates/default/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: diffgram-default-secrets +type: Opaque +stringData: + STRIPE_API_KEY: none + DIFFGRAM_AWS_ACCESS_KEY_SECRET: write_your_aws_access_key_secret + DIFFGRAM_AWS_ACCESS_KEY_ID: write_your_aws_access_key + _ANALYTICS_WRITE_KEY: provided_by_diffgram_team + MAILGUN_KEY: provided_by_diffgram_team + HUB_SPOT_KEY: provided_by_diffgram_team + SECRET_KEY: provided_by_diffgram_team + INTER_SERVICE_SECRET: provided_by_diffgram_team + FERNET_KEY: NeL_RED6zZ1XF3XT7Yd1hzFPYyebrg6UdkECTOLHEdI= + + DATABASE_URL: 
"postgresql+psycopg2://postgres:postgres@diffgram-postgres/postgres" + + + + USER_PASSWORDS_SECRET: provided_by_diffgram_team + DIFFGRAM_AZURE_CONNECTION_STRING: put_your_azure_connection_string_here + RABBITMQ_DEFAULT_PASS: diffgram +--- +# Source: diffgram/templates/eventhandlers/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: diffgram-eventhandlers-secrets +type: Opaque +stringData: + STRIPE_API_KEY: none + DIFFGRAM_AWS_ACCESS_KEY_SECRET: write_your_aws_access_key_secret + DIFFGRAM_AWS_ACCESS_KEY_ID: write_your_aws_access_key + _ANALYTICS_WRITE_KEY: provided_by_diffgram_team + MAILGUN_KEY: provided_by_diffgram_team + HUB_SPOT_KEY: provided_by_diffgram_team + SECRET_KEY: provided_by_diffgram_team + INTER_SERVICE_SECRET: provided_by_diffgram_team + FERNET_KEY: NeL_RED6zZ1XF3XT7Yd1hzFPYyebrg6UdkECTOLHEdI= + + DATABASE_URL: "postgresql+psycopg2://postgres:postgres@diffgram-postgres/postgres" + + + + USER_PASSWORDS_SECRET: provided_by_diffgram_team + DIFFGRAM_AZURE_CONNECTION_STRING: put_your_azure_connection_string_here + RABBITMQ_DEFAULT_PASS: diffgram +--- +# Source: diffgram/templates/walrus/secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: diffgram-walrus-secrets +type: Opaque +stringData: + STRIPE_API_KEY: none + DIFFGRAM_AWS_ACCESS_KEY_SECRET: write_your_aws_access_key_secret + DIFFGRAM_AWS_ACCESS_KEY_ID: write_your_aws_access_key + _ANALYTICS_WRITE_KEY: provided_by_diffgram_team + MAILGUN_KEY: provided_by_diffgram_team + HUB_SPOT_KEY: provided_by_diffgram_team + SECRET_KEY: provided_by_diffgram_team + INTER_SERVICE_SECRET: provided_by_diffgram_team + FERNET_KEY: NeL_RED6zZ1XF3XT7Yd1hzFPYyebrg6UdkECTOLHEdI= + + DATABASE_URL: "postgresql+psycopg2://postgres:postgres@diffgram-postgres/postgres" + + + + USER_PASSWORDS_SECRET: provided_by_diffgram_team + DIFFGRAM_AZURE_CONNECTION_STRING: put_your_azure_connection_string_here + RABBITMQ_DEFAULT_PASS: diffgram +--- +# Source: diffgram/charts/rabbitmq/templates/configuration.yaml 
+apiVersion: v1 +kind: ConfigMap +metadata: + name: diffgram-rabbitmq-config + namespace: "default" + labels: + app.kubernetes.io/name: rabbitmq + helm.sh/chart: rabbitmq-9.1.4 + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm +data: + rabbitmq.conf: |- + ## Username and password + ## + default_user = user + default_pass = CHANGEME + ## Clustering + ## + cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s + cluster_formation.k8s.host = kubernetes.default + cluster_formation.node_cleanup.interval = 10 + cluster_formation.node_cleanup.only_log_warning = true + cluster_partition_handling = autoheal + # queue master locator + queue_master_locator = min-masters + # enable guest user + loopback_users.guest = false + #default_vhost = default-vhost + #disk_free_limit.absolute = 50MB + ssl_options.verify = verify_peer + listeners.ssl.default = 5671 + ssl_options.fail_if_no_peer_cert = true + ssl_options.cacertfile = /opt/bitnami/rabbitmq/certs/ca_certificate.pem + ssl_options.certfile = /opt/bitnami/rabbitmq/certs/server_certificate.pem + ssl_options.keyfile = /opt/bitnami/rabbitmq/certs/server_key.pem +--- +# Source: diffgram/templates/default/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: diffgram-default-configmap +data: + USERDOMAIN: kubernetes + DIFFGRAM_SYSTEM_MODE: production + DIFFGRAM_STATIC_STORAGE_PROVIDER: aws + DIFFGRAM_S3_BUCKET_NAME: none + ML__DIFFGRAM_S3_BUCKET_NAME: diffgram-testing + GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml + CLOUD_STORAGE_BUCKET: diffgram-testing + ML__CLOUD_STORAGE_BUCKET: diffgram-testing + URL_BASE: example.com + WALRUS_SERVICE_URL_BASE: example.com + SERVICE_ACCOUNT_FULL_PATH: /etc/gcp/sa_credentials.json + DIFFGRAM_AZURE_CONTAINER_NAME: none + ML__DIFFGRAM_AZURE_CONTAINER_NAME: none + DIFFGRAM_INSTALL_FINGERPRINT: helm_fingerprint_default + DIFFGRAM_VERSION_TAG: 0.16.0 + 
DIFFGRAM_HOST_OS: helm_os_default + DATABASE_CONNECTION_POOL_SIZE: "10" + PYTHONPATH: "/app:/app/shared:/" + PROCESS_MEDIA_NUM_VIDEO_THREADS: "1" + PROCESS_MEDIA_NUM_FRAME_THREADS: "4" + NEW_RELIC_LICENSE_KEY: none + EMAIL_DOMAIN_NAME: example.com + ALLOW_EVENTHUB: "False" + EMAIL_VALIDATION: "False" + ALLOW_STRIPE_BILLING: "False" + IS_OPEN_SOURCE: "True" + DIFFGRAM_MINIO_ENDPOINT_URL: none + DIFFGRAM_MINIO_ACCESS_KEY_ID: none + DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none + DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none + RABBITMQ_HOST: diffgram-rabbitmq + RABBITMQ_PORT: 5672 + RABBITMQ_DEFAULT_USER: user +--- +# Source: diffgram/templates/eventhandlers/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: diffgram-eventhandlers-configmap +data: + USERDOMAIN: kubernetes + DIFFGRAM_SYSTEM_MODE: production + DIFFGRAM_STATIC_STORAGE_PROVIDER: aws + DIFFGRAM_S3_BUCKET_NAME: none + ML__DIFFGRAM_S3_BUCKET_NAME: diffgram-testing + GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml + CLOUD_STORAGE_BUCKET: diffgram-testing + ML__CLOUD_STORAGE_BUCKET: diffgram-testing + URL_BASE: example.com + WALRUS_SERVICE_URL_BASE: example.com + SERVICE_ACCOUNT_FULL_PATH: /etc/gcp/sa_credentials.json + DIFFGRAM_AZURE_CONTAINER_NAME: none + ML__DIFFGRAM_AZURE_CONTAINER_NAME: none + DIFFGRAM_INSTALL_FINGERPRINT: helm_fingerprint_default + DIFFGRAM_VERSION_TAG: 0.16.0 + DIFFGRAM_HOST_OS: helm_os_default + DATABASE_CONNECTION_POOL_SIZE: "10" + PYTHONPATH: "/app:/app/shared:/" + PROCESS_MEDIA_NUM_VIDEO_THREADS: "1" + PROCESS_MEDIA_NUM_FRAME_THREADS: "4" + NEW_RELIC_LICENSE_KEY: none + EMAIL_DOMAIN_NAME: example.com + ALLOW_EVENTHUB: "False" + EMAIL_VALIDATION: "False" + ALLOW_STRIPE_BILLING: "False" + IS_OPEN_SOURCE: "True" + DIFFGRAM_MINIO_ENDPOINT_URL: none + DIFFGRAM_MINIO_ACCESS_KEY_ID: none + DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none + DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none + RABBITMQ_HOST: diffgram-rabbitmq 
+ RABBITMQ_PORT: 5672 + RABBITMQ_DEFAULT_USER: user +--- +# Source: diffgram/templates/ingress_configmap.yaml +apiVersion: v1 +kind: ConfigMap +data: + + enable-underscores-in-headers: "true" + ignore-invalid-headers: "false" + use-gzip: "true" # ENABLE GZIP COMPRESSION + gzip-types: "*" # SPECIFY MIME TYPES TO COMPRESS ("*" FOR ALL) +metadata: + name: ingress-nginx-controller + namespace: default +--- +# Source: diffgram/templates/walrus/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: diffgram-walrus-configmap +data: + USERDOMAIN: kubernetes + DIFFGRAM_SYSTEM_MODE: production + DIFFGRAM_STATIC_STORAGE_PROVIDER: aws + DIFFGRAM_S3_BUCKET_NAME: none + ML__DIFFGRAM_S3_BUCKET_NAME: diffgram-testing + GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml + CLOUD_STORAGE_BUCKET: diffgram-testing + ML__CLOUD_STORAGE_BUCKET: diffgram-testing + URL_BASE: example.com + WALRUS_SERVICE_URL_BASE: example.com + SERVICE_ACCOUNT_FULL_PATH: /etc/gcp/sa_credentials.json + DIFFGRAM_AZURE_CONTAINER_NAME: none + ML__DIFFGRAM_AZURE_CONTAINER_NAME: none + DIFFGRAM_INSTALL_FINGERPRINT: helm_fingerprint_default + DIFFGRAM_VERSION_TAG: 0.16.0 + DIFFGRAM_HOST_OS: helm_os_default + DATABASE_CONNECTION_POOL_SIZE: "10" + PYTHONPATH: "/app:/app/shared:/" + PROCESS_MEDIA_NUM_VIDEO_THREADS: "1" + PROCESS_MEDIA_NUM_FRAME_THREADS: "4" + NEW_RELIC_LICENSE_KEY: none + EMAIL_DOMAIN_NAME: example.com + ALLOW_EVENTHUB: "False" + EMAIL_VALIDATION: "False" + ALLOW_STRIPE_BILLING: "False" + IS_OPEN_SOURCE: "True" + DIFFGRAM_MINIO_ENDPOINT_URL: none + DIFFGRAM_MINIO_ACCESS_KEY_ID: none + DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none + DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none + RABBITMQ_HOST: diffgram-rabbitmq + RABBITMQ_PORT: 5672 + RABBITMQ_DEFAULT_USER: user +--- +# Source: diffgram/charts/cert-manager/templates/cainjector-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 
diffgram-cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v1.1.0 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["auditregistration.k8s.io"] + resources: ["auditsinks"] + verbs: ["get", "list", "watch", "update"] +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: diffgram-cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +# ClusterIssuer controller role +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: diffgram-cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: diffgram-cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers", "certificaterequests/finalizers"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders"] + verbs: ["create", "delete", "get", "list", 
"watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +# Orders controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: diffgram-cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +rules: + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +# Challenges controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: diffgram-cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 
+rules: + # Use to update challenge resource status + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update"] + # Used to watch challenge resources + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["get", "list", "watch"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME account private key to complete challenges + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require the ability to specify a custom hostname when we are creating + # new ingress resources. 
+ # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 + - apiGroups: ["route.openshift.io"] + resources: ["routes/custom-host"] + verbs: ["create"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +# ingress-shim controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: diffgram-cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["extensions"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml 
+apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: diffgram-cert-manager-view + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["get", "list", "watch"] +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: diffgram-cert-manager-edit + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["get", "list", "watch"] +--- +# Source: diffgram/charts/cert-manager/templates/cainjector-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: diffgram-cert-manager-cainjector + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v1.1.0 +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: diffgram-cert-manager-cainjector +subjects: + - name: diffgram-cert-manager-cainjector + namespace: "default" + kind: ServiceAccount +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: diffgram-cert-manager-controller-issuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: diffgram-cert-manager-controller-issuers +subjects: + - name: diffgram-cert-manager + namespace: "default" + kind: ServiceAccount +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: diffgram-cert-manager-controller-clusterissuers + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: diffgram-cert-manager-controller-clusterissuers +subjects: + - name: diffgram-cert-manager + namespace: "default" + kind: ServiceAccount +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: diffgram-cert-manager-controller-certificates + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: diffgram-cert-manager-controller-certificates 
+subjects: + - name: diffgram-cert-manager + namespace: "default" + kind: ServiceAccount +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: diffgram-cert-manager-controller-orders + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: diffgram-cert-manager-controller-orders +subjects: + - name: diffgram-cert-manager + namespace: "default" + kind: ServiceAccount +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: diffgram-cert-manager-controller-challenges + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: diffgram-cert-manager-controller-challenges +subjects: + - name: diffgram-cert-manager + namespace: "default" + kind: ServiceAccount +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: diffgram-cert-manager-controller-ingress-shim + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: diffgram-cert-manager-controller-ingress-shim +subjects: + - name: diffgram-cert-manager + namespace: "default" + kind: ServiceAccount +--- +# Source: 
diffgram/charts/cert-manager/templates/cainjector-rbac.yaml +# leader election rules +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: diffgram-cert-manager-cainjector:leaderelection + namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v1.1.0 +rules: + # Used for leader election by the controller + # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller + # see cmd/cainjector/start.go#L113 + # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller + # see cmd/cainjector/start.go#L137 + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] + verbs: ["get", "update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: diffgram-cert-manager:leaderelection + namespace: kube-system + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +rules: + # Used for leader election by the controller + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["cert-manager-controller"] + verbs: ["get", "update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] +--- +# Source: diffgram/charts/cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: diffgram-cert-manager-webhook:dynamic-serving + namespace: "default" + labels: + app: webhook + app.kubernetes.io/name: webhook + 
app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v1.1.0 +rules: +- apiGroups: [""] + resources: ["secrets"] + resourceNames: + - 'diffgram-cert-manager-webhook-ca' + verbs: ["get", "list", "watch", "update"] +# It's not possible to grant CREATE permission on a single resourceName. +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +--- +# Source: diffgram/charts/rabbitmq/templates/role.yaml +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: diffgram-rabbitmq-endpoint-reader + namespace: "default" + labels: + app.kubernetes.io/name: rabbitmq + helm.sh/chart: rabbitmq-9.1.4 + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create"] +--- +# Source: diffgram/charts/cert-manager/templates/cainjector-rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: diffgram-cert-manager-cainjector:leaderelection + namespace: kube-system + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: diffgram-cert-manager-cainjector:leaderelection +subjects: + - kind: ServiceAccount + name: diffgram-cert-manager-cainjector + namespace: default +--- +# Source: diffgram/charts/cert-manager/templates/rbac.yaml +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: diffgram-cert-manager:leaderelection + namespace: 
kube-system + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: diffgram-cert-manager:leaderelection +subjects: + - apiGroup: "" + kind: ServiceAccount + name: diffgram-cert-manager + namespace: default +--- +# Source: diffgram/charts/cert-manager/templates/webhook-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: diffgram-cert-manager-webhook:dynamic-serving + namespace: "default" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: diffgram-cert-manager-webhook:dynamic-serving +subjects: +- apiGroup: "" + kind: ServiceAccount + name: diffgram-cert-manager-webhook + namespace: default +--- +# Source: diffgram/charts/rabbitmq/templates/rolebinding.yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: diffgram-rabbitmq-endpoint-reader + namespace: "default" + labels: + app.kubernetes.io/name: rabbitmq + helm.sh/chart: rabbitmq-9.1.4 + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm +subjects: + - kind: ServiceAccount + name: diffgram-rabbitmq +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: diffgram-rabbitmq-endpoint-reader +--- +# Source: diffgram/charts/cert-manager/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: diffgram-cert-manager + namespace: "default" + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: 
cert-manager-v1.1.0 +spec: + type: ClusterIP + ports: + - protocol: TCP + port: 9402 + targetPort: 9402 + selector: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/component: "controller" +--- +# Source: diffgram/charts/cert-manager/templates/webhook-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: diffgram-cert-manager-webhook + namespace: "default" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v1.1.0 +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: 10250 + selector: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: diffgram + app.kubernetes.io/component: "webhook" +--- +# Source: diffgram/charts/rabbitmq/templates/svc-headless.yaml +apiVersion: v1 +kind: Service +metadata: + name: diffgram-rabbitmq-headless + namespace: "default" + labels: + app.kubernetes.io/name: rabbitmq + helm.sh/chart: rabbitmq-9.1.4 + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm +spec: + clusterIP: None + ports: + - name: epmd + port: 4369 + targetPort: epmd + - name: amqp + port: 5672 + targetPort: amqp + - name: amqp-ssl + port: 5671 + targetPort: amqp-tls + - name: dist + port: 25672 + targetPort: dist + - name: http-stats + port: 15672 + targetPort: stats + selector: + app.kubernetes.io/name: rabbitmq + app.kubernetes.io/instance: diffgram + publishNotReadyAddresses: true +--- +# Source: diffgram/charts/rabbitmq/templates/svc.yaml +apiVersion: v1 +kind: Service +metadata: + name: diffgram-rabbitmq + namespace: "default" + labels: + app.kubernetes.io/name: rabbitmq + helm.sh/chart: rabbitmq-9.1.4 + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + sessionAffinity: None + ports: + - name: amqp + port: 5672 + targetPort: amqp + nodePort: null + - 
name: amqp-ssl + port: 5671 + targetPort: amqp-ssl + nodePort: null + - name: epmd + port: 4369 + targetPort: epmd + nodePort: null + - name: dist + port: 25672 + targetPort: dist + nodePort: null + - name: http-stats + port: 15672 + targetPort: stats + nodePort: null + selector: + app.kubernetes.io/name: rabbitmq + app.kubernetes.io/instance: diffgram +--- +# Source: diffgram/templates/default/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + app: diffgram-default + name: diffgram-default + namespace: default +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: diffgram-default + type: ClusterIP +--- +# Source: diffgram/templates/eventhandlers/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + app: diffgram-eventhandlers + name: diffgram-eventhandlers + namespace: default +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: diffgram-eventhandlers + type: ClusterIP +--- +# Source: diffgram/templates/frontend/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + app: frontend + name: frontend + namespace: default +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 80 + selector: + app: frontend + type: ClusterIP +--- +# Source: diffgram/templates/postgres/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: diffgram-postgres + namespace: default +spec: + ports: + - port: 5432 + selector: + app: postgres +--- +# Source: diffgram/templates/walrus/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + app: diffgram-walrus + name: diffgram-walrus + namespace: default +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: diffgram-walrus + type: ClusterIP +--- +# Source: diffgram/charts/cert-manager/templates/cainjector-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: diffgram-cert-manager-cainjector + namespace: "default" + labels: + app: cainjector + app.kubernetes.io/name: 
cainjector + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v1.1.0 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: diffgram + app.kubernetes.io/component: "cainjector" + template: + metadata: + labels: + app: cainjector + app.kubernetes.io/name: cainjector + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "cainjector" + helm.sh/chart: cert-manager-v1.1.0 + spec: + serviceAccountName: diffgram-cert-manager-cainjector + containers: + - name: cert-manager + image: "quay.io/jetstack/cert-manager-cainjector:v1.1.0" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --leader-election-namespace=kube-system + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} +--- +# Source: diffgram/charts/cert-manager/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: diffgram-cert-manager + namespace: "default" + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "controller" + helm.sh/chart: cert-manager-v1.1.0 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/component: "controller" + template: + metadata: + labels: + app: cert-manager + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: diffgram + app.kubernetes.io/component: "controller" + app.kubernetes.io/managed-by: Helm + helm.sh/chart: cert-manager-v1.1.0 + annotations: + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' + spec: + serviceAccountName: diffgram-cert-manager + containers: + - name: cert-manager + image: 
"quay.io/jetstack/cert-manager-controller:v1.1.0" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=kube-system + ports: + - containerPort: 9402 + protocol: TCP + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} +--- +# Source: diffgram/charts/cert-manager/templates/webhook-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: diffgram-cert-manager-webhook + namespace: "default" + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v1.1.0 +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: diffgram + app.kubernetes.io/component: "webhook" + template: + metadata: + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v1.1.0 + spec: + serviceAccountName: diffgram-cert-manager-webhook + containers: + - name: cert-manager + image: "quay.io/jetstack/cert-manager-webhook:v1.1.0" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --secure-port=10250 + - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) + - --dynamic-serving-ca-secret-name=diffgram-cert-manager-webhook-ca + - --dynamic-serving-dns-names=diffgram-cert-manager-webhook,diffgram-cert-manager-webhook.default,diffgram-cert-manager-webhook.default.svc + ports: + - name: https + containerPort: 10250 + livenessProbe: + httpGet: + path: /livez + port: 6080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: 6080 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + 
timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} +--- +# Source: diffgram/templates/default/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: diffgram-default + name: diffgram-default + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: diffgram-default + template: + metadata: + labels: + app: diffgram-default + spec: + + + volumes: + + initContainers: + - name: check-db-ready + image: postgres:11 + + command: ['sh', '-c', + 'until pg_isready -h diffgram-postgres -p 5432; + do echo waiting for database; sleep 2; done;'] + + + + containers: + + + - image: gcr.io/diffgram-open-core/default:0.16.0 + + imagePullPolicy: Always + name: diffgram-default + ports: + - containerPort: 8080 + + envFrom: + - configMapRef: + name: diffgram-default-configmap + - secretRef: + name: diffgram-default-secrets + resources: + requests: + cpu: 1.0 + memory: 1G + limits: + cpu: 2.0 + memory: 2G +--- +# Source: diffgram/templates/eventhandlers/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: diffgram-eventhandlers + name: diffgram-eventhandlers + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: diffgram-eventhandlers + template: + metadata: + labels: + app: diffgram-eventhandlers + spec: + + + volumes: + + initContainers: + - name: check-db-ready + image: postgres:11 + + command: ['sh', '-c', + 'until pg_isready -h diffgram-postgres -p 5432; + do echo waiting for database; sleep 2; done;'] + + + + containers: + + + - image: gcr.io/diffgram-open-core/eventhandlers:0.16.0 + + imagePullPolicy: Always + name: diffgram-default + ports: + - containerPort: 8080 + + envFrom: + - configMapRef: + name: diffgram-eventhandlers-configmap + - secretRef: + name: diffgram-eventhandlers-secrets + resources: + requests: + cpu: 1.0 + memory: 1G + limits: + cpu: 2.0 + memory: 2G 
+--- +# Source: diffgram/templates/frontend/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: frontend + name: frontend + namespace: default +spec: + replicas: 1 + + selector: + matchLabels: + app: frontend + template: + metadata: + labels: + app: frontend + spec: + + + containers: + + + - image: gcr.io/diffgram-open-core/frontend:0.16.0 + + imagePullPolicy: Always + name: frontend + resources: + requests: + cpu: 1.0 + memory: 1G + limits: + cpu: 1.0 + memory: 1G +--- +# Source: diffgram/templates/walrus/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: diffgram-walrus + name: diffgram-walrus + namespace: +spec: + replicas: 1 + selector: + matchLabels: + app: diffgram-walrus + template: + metadata: + labels: + app: diffgram-walrus + spec: + + + volumes: + + - name: empty-dir + emptyDir: {} + initContainers: + - name: check-db-ready + image: postgres:11 + + command: ['sh', '-c', + 'until pg_isready -h diffgram-postgres -p 5432; + do echo waiting for database; sleep 2; done;'] + + + + containers: + + + - image: gcr.io/diffgram-open-core/walrus:0.16.0 + + imagePullPolicy: Always + name: diffgram-walrus + ports: + - containerPort: 8080 + + envFrom: + - configMapRef: + name: diffgram-walrus-configmap + - secretRef: + name: diffgram-walrus-secrets + resources: + requests: + cpu: 1.0 + memory: 1G + limits: + cpu: 2.0 + memory: 2G +--- +# Source: diffgram/charts/rabbitmq/templates/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: diffgram-rabbitmq + namespace: "default" + labels: + app.kubernetes.io/name: rabbitmq + helm.sh/chart: rabbitmq-9.1.4 + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm +spec: + serviceName: diffgram-rabbitmq-headless + podManagementPolicy: OrderedReady + replicas: 1 + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: rabbitmq + app.kubernetes.io/instance: diffgram + template: + metadata: + 
labels: + app.kubernetes.io/name: rabbitmq + helm.sh/chart: rabbitmq-9.1.4 + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + annotations: + checksum/config: 90f3ba80cbd09b1aa0513943a5b142fbdfb582755cd247065d6a31476c4b6d4e + checksum/secret: 51814d12d9a6e92712de061b1c43f6e74964885f7a78d51a542dc767dcc8d2ec + spec: + + serviceAccountName: diffgram-rabbitmq + affinity: + podAffinity: + + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: rabbitmq + app.kubernetes.io/instance: diffgram + namespaces: + - "default" + topologyKey: kubernetes.io/hostname + weight: 1 + nodeAffinity: + + securityContext: + fsGroup: 1001 + terminationGracePeriodSeconds: 120 + initContainers: + containers: + - name: rabbitmq + image: docker.io/bitnami/rabbitmq:3.9.18-debian-10-r0 + imagePullPolicy: "IfNotPresent" + securityContext: + runAsNonRoot: true + runAsUser: 1001 + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -ec + - | + if [[ -f /opt/bitnami/scripts/rabbitmq/nodeshutdown.sh ]]; then + /opt/bitnami/scripts/rabbitmq/nodeshutdown.sh -t "120" -d "false" + else + rabbitmqctl stop_app + fi + env: + - name: BITNAMI_DEBUG + value: "false" + - name: MY_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: K8S_SERVICE_NAME + value: diffgram-rabbitmq-headless + - name: K8S_ADDRESS_TYPE + value: hostname + - name: RABBITMQ_FORCE_BOOT + value: "no" + - name: RABBITMQ_NODE_NAME + value: "rabbit@$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.cluster.local" + - name: K8S_HOSTNAME_SUFFIX + value: ".$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.cluster.local" + - name: RABBITMQ_MNESIA_DIR + value: "/bitnami/rabbitmq/mnesia/$(RABBITMQ_NODE_NAME)" + - name: RABBITMQ_LDAP_ENABLE + value: "no" 
+ - name: RABBITMQ_LOGS + value: "-" + - name: RABBITMQ_ULIMIT_NOFILES + value: "65536" + - name: RABBITMQ_USE_LONGNAME + value: "true" + - name: RABBITMQ_ERL_COOKIE + valueFrom: + secretKeyRef: + name: diffgram-rabbitmq + key: rabbitmq-erlang-cookie + - name: RABBITMQ_LOAD_DEFINITIONS + value: "no" + - name: RABBITMQ_DEFINITIONS_FILE + value: "/app/load_definition.json" + - name: RABBITMQ_SECURE_PASSWORD + value: "yes" + - name: RABBITMQ_USERNAME + value: "user" + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: diffgram-rabbitmq + key: rabbitmq-password + - name: RABBITMQ_PLUGINS + value: "rabbitmq_management, rabbitmq_peer_discovery_k8s, rabbitmq_auth_backend_ldap" + envFrom: + ports: + - name: amqp + containerPort: 5672 + - name: dist + containerPort: 25672 + - name: stats + containerPort: 15672 + - name: epmd + containerPort: 4369 + - name: amqp-ssl + containerPort: 5671 + livenessProbe: + failureThreshold: 6 + initialDelaySeconds: 120 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 20 + exec: + command: + - /bin/bash + - -ec + - rabbitmq-diagnostics -q ping + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 20 + exec: + command: + - /bin/bash + - -ec + - rabbitmq-diagnostics -q check_running && rabbitmq-diagnostics -q check_local_alarms + resources: + limits: {} + requests: {} + volumeMounts: + - name: configuration + mountPath: /bitnami/rabbitmq/conf + - name: data + mountPath: /bitnami/rabbitmq/mnesia + - name: certs + mountPath: /opt/bitnami/rabbitmq/certs + volumes: + - name: certs + secret: + secretName: diffgram-rabbitmq-certs + items: + - key: ca.crt + path: ca_certificate.pem + - key: tls.crt + path: server_certificate.pem + - key: tls.key + path: server_key.pem + - name: configuration + configMap: + name: diffgram-rabbitmq-config + items: + - key: rabbitmq.conf + path: rabbitmq.conf + volumeClaimTemplates: + - metadata: + name: data + labels: + 
app.kubernetes.io/name: rabbitmq + app.kubernetes.io/instance: diffgram + spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "8Gi" +--- +# Source: diffgram/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: diffgram-ingress + namespace: default + annotations: + kubernetes.io/ingress.class: "nginx" + ingressclass.kubernetes.io/is-default-class: "true" + nginx.ingress.kubernetes.io/use-regex: "true" + + + nginx.ingress.kubernetes.io/enable-cors: "true" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_pass_header directory_id; + + + nginx.org/proxy-pass-headers: directory_id + + cert-manager.io/issuer: "letsencrypt-prod" + + watch-namespace: default +# nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # Limit uploads to 8TB + nginx.ingress.kubernetes.io/proxy-body-size: 800000m + +spec: + + tls: + - secretName: diffgram-cert-tls-example.com + hosts: + - example.com + - www.example.com + + rules: + - host: example.com + http: + paths: + - path: /api/walrus(/|$)(.*) + pathType: ImplementationSpecific + backend: + service: + name: diffgram-walrus + port: + number: 8080 + - path: /api(/|$)(.*) + pathType: ImplementationSpecific + backend: + service: + name: diffgram-default + port: + number: 8080 + - path: /(.*) + pathType: ImplementationSpecific + backend: + service: + name: frontend + port: + number: 8080 +--- +# Source: diffgram/templates/tls/issuer_prod.yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: letsencrypt-prod +spec: + acme: + # The ACME server URL + server: https://acme-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: pablo.estrada@diffgram.com + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-prod + # Enable the HTTP-01 challenge provider + solvers: + - http01: + ingress: + class: nginx +--- +# Source: diffgram/templates/tls/issuer_staging.yaml +apiVersion: 
cert-manager.io/v1 +kind: Issuer +metadata: + name: letsencrypt-staging +spec: + acme: + # The ACME server URL + server: https://acme-staging-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: pablo.estrada@diffgram.com + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-staging + # Enable the HTTP-01 challenge provider + solvers: + - http01: + ingress: + class: nginx +--- +# Source: diffgram/charts/cert-manager/templates/webhook-mutating-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: diffgram-cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v1.1.0 + annotations: + cert-manager.io/inject-ca-from-secret: "default/diffgram-cert-manager-webhook-ca" +webhooks: + - name: webhook.cert-manager.io + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + admissionReviewVersions: ["v1", "v1beta1"] + timeoutSeconds: 10 + failurePolicy: Fail + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None + clientConfig: + service: + name: diffgram-cert-manager-webhook + namespace: "default" + path: /mutate +--- +# Source: diffgram/charts/cert-manager/templates/webhook-validating-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: diffgram-cert-manager-webhook + labels: + app: webhook + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: diffgram + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: "webhook" + helm.sh/chart: cert-manager-v1.1.0 + annotations: + cert-manager.io/inject-ca-from-secret: "default/diffgram-cert-manager-webhook-ca" 
+webhooks: + - name: webhook.cert-manager.io + namespaceSelector: + matchExpressions: + - key: "cert-manager.io/disable-validation" + operator: "NotIn" + values: + - "true" + - key: "name" + operator: "NotIn" + values: + - default + rules: + - apiGroups: + - "cert-manager.io" + - "acme.cert-manager.io" + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + resources: + - "*/*" + admissionReviewVersions: ["v1", "v1beta1"] + timeoutSeconds: 10 + failurePolicy: Fail + # Only include 'sideEffects' field in Kubernetes 1.12+ + sideEffects: None + clientConfig: + service: + name: diffgram-cert-manager-webhook + namespace: "default" + path: /validate + diff --git a/templates/diffgram_settings.tpl b/templates/diffgram_settings.tpl index 63e2763..16b3b04 100644 --- a/templates/diffgram_settings.tpl +++ b/templates/diffgram_settings.tpl @@ -31,5 +31,5 @@ DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: {{.Values.diffgramSettings.DIFFGRAM_MINIO_DISABLED_SSL_VERIFY}} RABBITMQ_HOST: {{.Values.diffgramSettings.RABBITMQ_HOST}} RABBITMQ_PORT: {{.Values.diffgramSettings.RABBITMQ_PORT}} - RABBITMQ_DEFAULT_USER: {{.Values.rabbitmq.auth.rabbitmq}} + RABBITMQ_DEFAULT_USER: {{.Values.rabbitmq.auth.username}} {{- end }} \ No newline at end of file diff --git a/templates/hooks/configmap_db_migrations.yaml b/templates/hooks/configmap_db_migrations.yaml index aa9159d..acdeb72 100644 --- a/templates/hooks/configmap_db_migrations.yaml +++ b/templates/hooks/configmap_db_migrations.yaml @@ -7,4 +7,4 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded name: db-migrations-configmap data: -{{- template "diffgram.settings" . }} \ No newline at end of file + {{- template "diffgram.settings" . }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 0c0edcc..de2b4f3 100644 --- a/values.yaml +++ b/values.yaml 
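Review bot: The new `RABBITMQ_DEFAULT_USER` line in templates/diffgram_settings.tpl still renders its value unquoted, so a username that is empty or looks like a number or boolean reaches the ConfigMap `data` map as a non-string, which the API server rejects. Writing it as `RABBITMQ_DEFAULT_USER: {{ .Values.rabbitmq.auth.username | quote }}` avoids that. The `RABBITMQ_PORT` and `DIFFGRAM_MINIO_DISABLED_SSL_VERIFY` context lines have the same problem, which is why the values.yaml hunk in this patch has to write `"'5672'"` and the one in PATCH 3/9 `'"False"'`. With `| quote` in the template those defaults can go back to plain `5672` and `"False"`. The `define` block starts outside the hunk, so other keys may need the same treatment.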
@@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. # The Diffgram Version. Whenever a new update arrives, this will be changed. -diffgramVersion: 0.16.0 +diffgramVersion: testwfbuilder # Either 'opencore' or 'enterprise'. Please note that selecting 'enterprise' # requires that you also set imagePullCredentials.gcrCredentials. @@ -89,8 +89,8 @@ diffgramSettings: DIFFGRAM_MINIO_ACCESS_KEY_ID: none DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none - RABBITMQ_PORT: 5672 - RABBITMQ_HOST: diffgram-rabbitmq + RABBITMQ_PORT: "'5672'" + RABBITMQ_HOST: "diffgram-rabbitmq" imagePullCredentials: # The service account with permissions to pull from the GCR Repository. [Should be Provided by Diffgram Team.] From ea1fc1ad75dcb97faeba61e473e4fdc725c6b0ff Mon Sep 17 00:00:00 2001 From: Pablo Date: Tue, 24 May 2022 14:52:06 -0600 Subject: [PATCH 3/9] fix: hooks order --- templates/postgres/azure_postgres_service.yaml | 5 +++++ templates/postgres/rds_postgres_service.yaml | 5 +++++ templates/postgres/service.yaml | 5 +++++ values.yaml | 2 +- 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/templates/postgres/azure_postgres_service.yaml b/templates/postgres/azure_postgres_service.yaml index 396bb53..aacabee 100644 --- a/templates/postgres/azure_postgres_service.yaml +++ b/templates/postgres/azure_postgres_service.yaml @@ -5,6 +5,11 @@ metadata: labels: app: postgres-azure-service name: postgres-azure-service + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-2" spec: externalName: {{ .Values.dbSettings.azureSqlEndpoint }} selector: diff --git a/templates/postgres/rds_postgres_service.yaml b/templates/postgres/rds_postgres_service.yaml index 88fd4e4..323e925 100644 --- a/templates/postgres/rds_postgres_service.yaml +++ b/templates/postgres/rds_postgres_service.yaml 
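Review bot: `diffgramVersion: testwfbuilder` in the first values.yaml hunk replaces the pinned release `0.16.0` with what looks like a development tag as the chart-wide default. The value appears to be used as the image tag, and the rendered deployments in this series set `imagePullPolicy: Always`, so every install would run whatever image is currently published under that name. Keep `diffgramVersion: 0.16.0` in the committed defaults and pass the test tag at install time with `--set diffgramVersion=testwfbuilder`. If the default really has to change, a comment above the key should say which build it refers to.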
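Review bot: Marking the Service in templates/postgres/azure_postgres_service.yaml as a `pre-install` hook takes it out of the release: Helm creates it only on first install, so a later change to `dbSettings.azureSqlEndpoint` is not applied by `helm upgrade`, and `helm uninstall` leaves the Service behind. The rds_postgres_service.yaml and postgres/service.yaml hunks in this patch add the same annotations. If the ordering is needed, `"helm.sh/hook": pre-install,pre-upgrade` would keep `externalName` current on upgrades, though by default the hook resource is then deleted and recreated each time. The copied comment also says "job" where the resource is a Service; something like `# Installed as a hook so the Service exists before later hooks run.` would fit better, if that is the intent.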
@@ -5,6 +5,11 @@ metadata: labels: app: postgres-rds-service name: postgres-rds-service + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-2" spec: externalName: {{ .Values.dbSettings.rdsEndpoint }} selector: diff --git a/templates/postgres/service.yaml b/templates/postgres/service.yaml index 49c6cc8..87af75d 100644 --- a/templates/postgres/service.yaml +++ b/templates/postgres/service.yaml @@ -4,6 +4,11 @@ kind: Service metadata: name: diffgram-postgres namespace: {{ .Release.Namespace }} + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-2" spec: ports: - port: 5432 diff --git a/values.yaml b/values.yaml index de2b4f3..239791c 100644 --- a/values.yaml +++ b/values.yaml @@ -88,7 +88,7 @@ diffgramSettings: DIFFGRAM_MINIO_ENDPOINT_URL: none DIFFGRAM_MINIO_ACCESS_KEY_ID: none DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none - DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none + DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: '"False"' RABBITMQ_PORT: "'5672'" RABBITMQ_HOST: "diffgram-rabbitmq" From ee0832750bf1e871ff6446c7b171009eade588c2 Mon Sep 17 00:00:00 2001 From: Pablo Date: Tue, 24 May 2022 22:31:47 -0600 Subject: [PATCH 4/9] fix: ingress --- README.md | 4 +- result.txt | 2187 ---------------------------------------- templates/ingress.yaml | 4 +- values.yaml | 3 +- 4 files changed, 6 insertions(+), 2192 deletions(-) delete mode 100644 result.txt diff --git a/README.md b/README.md index 7eaab4a..076362e 100644 --- a/README.md +++ b/README.md 
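Review bot: `DIFFGRAM_MINIO_DISABLED_SSL_VERIFY` in the values.yaml hunk controls TLS certificate checking towards MinIO, and nothing in the file says which value is the safe one or why the default moved from `none` to `'"False"'`. A comment above the key, e.g. `# "False" keeps certificate verification on; set "True" only for endpoints with self-signed certificates`, would keep it from being flipped by accident. That wording assumes the application reads the flag that way, which this hunk does not show. The `diffgramSettings` block starts outside the hunk.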
@@ -69,7 +69,7 @@ Default domain on diffgram is: `example.com` so make sure you add that to your l 3. Reinstall the helm chart -`helm upgrade diffgram -f diffgram/new_updated_values_from_above_step.yaml` +`helm upgrade -n diffgram-ns diffgram -f diffgram/new_updated_values_from_above_step.yaml` 4. After a few minutes you should be able to see the issuer and the certificate generated. You can confirm this by running: `kubectl describe issuer letsencrypt-prod` @@ -77,7 +77,7 @@ Default domain on diffgram is: `example.com` so make sure you add that to your l ## B. Installation `git clone https://github.com/diffgram/diffgram-helm/` -`helm install diffgram ./diffgram-helm --create-namespace` +`helm install -n diffgram-ns diffgram ./diffgram-helm --create-namespace` If you don't change anything on `values.yaml`. You will have the namespace `default` created on your cluster diff --git a/result.txt b/result.txt deleted file mode 100644 index 7c4e0c0..0000000 --- a/result.txt +++ /dev/null 
@@ -1,2187 +0,0 @@ -NAME: diffgram -LAST DEPLOYED: Mon May 23 11:09:09 2022 -NAMESPACE: default -STATUS: pending-install -REVISION: 1 -TEST SUITE: None -HOOKS: ---- -# Source: diffgram/templates/hooks/secrets_db_migrations.yaml -apiVersion: v1 -kind: Secret - -metadata: - annotations: - "helm.sh/hook": pre-install, pre-upgrade, pre-rollback - "helm.sh/hook-weight": "-3" - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded - name: db-migrations-secret -type: Opaque -stringData: - STRIPE_API_KEY: none - DIFFGRAM_AWS_ACCESS_KEY_SECRET: write_your_aws_access_key_secret - DIFFGRAM_AWS_ACCESS_KEY_ID: write_your_aws_access_key - _ANALYTICS_WRITE_KEY: provided_by_diffgram_team - MAILGUN_KEY: provided_by_diffgram_team - HUB_SPOT_KEY: provided_by_diffgram_team - SECRET_KEY: provided_by_diffgram_team - INTER_SERVICE_SECRET: provided_by_diffgram_team - FERNET_KEY: NeL_RED6zZ1XF3XT7Yd1hzFPYyebrg6UdkECTOLHEdI= - - DATABASE_URL: "postgresql+psycopg2://postgres:postgres@diffgram-postgres/postgres" - - - - USER_PASSWORDS_SECRET: provided_by_diffgram_team - DIFFGRAM_AZURE_CONNECTION_STRING: put_your_azure_connection_string_here - RABBITMQ_DEFAULT_PASS: diffgram ---- -# Source: diffgram/templates/hooks/configmap_db_migrations.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - annotations: - "helm.sh/hook": pre-install,pre-upgrade, pre-rollback - "helm.sh/hook-weight": "-3" # we use a smaller weight so it's created before the job - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded - name: db-migrations-configmap -data: - USERDOMAIN: kubernetes - DIFFGRAM_SYSTEM_MODE: production - DIFFGRAM_STATIC_STORAGE_PROVIDER: aws - DIFFGRAM_S3_BUCKET_NAME: none - ML__DIFFGRAM_S3_BUCKET_NAME: diffgram-testing - GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml - CLOUD_STORAGE_BUCKET: diffgram-testing - ML__CLOUD_STORAGE_BUCKET: diffgram-testing - URL_BASE: example.com - 
WALRUS_SERVICE_URL_BASE: example.com - SERVICE_ACCOUNT_FULL_PATH: /etc/gcp/sa_credentials.json - DIFFGRAM_AZURE_CONTAINER_NAME: none - ML__DIFFGRAM_AZURE_CONTAINER_NAME: none - DIFFGRAM_INSTALL_FINGERPRINT: helm_fingerprint_default - DIFFGRAM_VERSION_TAG: 0.16.0 - DIFFGRAM_HOST_OS: helm_os_default - DATABASE_CONNECTION_POOL_SIZE: "10" - PYTHONPATH: "/app:/app/shared:/" - PROCESS_MEDIA_NUM_VIDEO_THREADS: "1" - PROCESS_MEDIA_NUM_FRAME_THREADS: "4" - NEW_RELIC_LICENSE_KEY: none - EMAIL_DOMAIN_NAME: example.com - ALLOW_EVENTHUB: "False" - EMAIL_VALIDATION: "False" - ALLOW_STRIPE_BILLING: "False" - IS_OPEN_SOURCE: "True" - DIFFGRAM_MINIO_ENDPOINT_URL: none - DIFFGRAM_MINIO_ACCESS_KEY_ID: none - DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none - DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none - RABBITMQ_HOST: diffgram-rabbitmq - RABBITMQ_PORT: 5672 - RABBITMQ_DEFAULT_USER: user ---- -# Source: diffgram/templates/postgres/volumeclaim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: postgres-pv-claim - annotations: - "helm.sh/resource-policy": keep - "helm.sh/hook": "pre-install" - "helm.sh/hook-weight": "-5" -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi ---- -# Source: diffgram/templates/hooks/db_service_migrations.yaml -apiVersion: v1 -kind: Service -metadata: - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": pre-install, pre-upgrade, pre-rollback - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded - name: diffgram-postgres-hook -spec: - ports: - - port: 5432 - selector: - app: postgres ---- -# Source: diffgram/templates/postgres/deployment.yaml -apiVersion: "apps/v1" -kind: "Deployment" -metadata: - name: "postgres" - namespace: default - labels: - app: "postgres" - annotations: - # This is what defines this resource as a hook. 
Without this line, the - # job is considered part of the release. - "helm.sh/hook": pre-install - "helm.sh/hook-weight": "-3" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - replicas: 1 - selector: - matchLabels: - app: "postgres" - template: - metadata: - labels: - app: "postgres" - spec: - containers: - - name: "postgres" - image: "postgres:11" - env: - - name: "POSTGRES_DB" - value: postgres - - name: "POSTGRES_USER" - value: postgres - - name: "POSTGRES_PASSWORD" - value: postgres - ports: - - containerPort: 5432 - name: postgres - volumeMounts: - - name: postgres-storage - mountPath: /var/lib/postgresql/db-data - volumes: - - name: postgres-storage - persistentVolumeClaim: - claimName: postgres-pv-claim ---- -# Source: diffgram/templates/hooks/database_pre_install.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: "diffgram-pre-install" - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "diffgram" - app.kubernetes.io/version: 0.0.1 - helm.sh/chart: "diffgram-0.2.0" - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. 
- "helm.sh/hook": pre-install - "helm.sh/hook-weight": "2" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - template: - metadata: - name: "diffgram" - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "diffgram" - helm.sh/chart: "diffgram-0.2.0" - spec: - - restartPolicy: Never - - volumes: - - - - name: postgres-storage - persistentVolumeClaim: - claimName: postgres-pv-claim - - containers: - - - - image: gcr.io/diffgram-open-core/default:0.16.0 - - imagePullPolicy: Always - name: pre-upgrade-alembic-hook - - envFrom: - - configMapRef: - name: db-migrations-configmap - - secretRef: - name: db-migrations-secret - # The actual migrations command - command: ["sh","-c", "cd shared; export PYTHONPATH=/app; pip install sqlalchemy-utils==0.36.6;python /app/play_and_scripts/scripts/create_database.py; alembic upgrade head"] ---- -# Source: diffgram/templates/hooks/database_pre_upgrade.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: "diffgram-pre-upgrade" - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "diffgram" - app.kubernetes.io/version: 0.0.1 - helm.sh/chart: "diffgram-0.2.0" - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. 
- "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "2" -spec: - template: - metadata: - name: "diffgram" - labels: - app.kubernetes.io/managed-by: "Helm" - app.kubernetes.io/instance: "diffgram" - helm.sh/chart: "diffgram-0.2.0" - spec: - restartPolicy: Never - - - containers: - - - - image: gcr.io/diffgram-open-core/default:0.16.0 - - imagePullPolicy: Always - name: pre-upgrade-alembic-hook - - envFrom: - - configMapRef: - name: db-migrations-configmap - - secretRef: - name: db-migrations-secret - # The actual migrations command - command: ["sh","-c", "cd shared; export PYTHONPATH=/app; pip install sqlalchemy-utils==0.36.6;python /app/play_and_scripts/scripts/create_database.py; alembic upgrade head"] -MANIFEST: ---- -# Source: diffgram/charts/cert-manager/templates/cainjector-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: diffgram-cert-manager-cainjector - namespace: "default" - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "cainjector" - helm.sh/chart: cert-manager-v1.1.0 ---- -# Source: diffgram/charts/cert-manager/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: diffgram-cert-manager - namespace: "default" - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 ---- -# Source: diffgram/charts/cert-manager/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: diffgram-cert-manager-webhook - namespace: "default" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "webhook" - helm.sh/chart: cert-manager-v1.1.0 ---- -# Source: 
diffgram/charts/rabbitmq/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: diffgram-rabbitmq - namespace: "default" - labels: - app.kubernetes.io/name: rabbitmq - helm.sh/chart: rabbitmq-9.1.4 - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm -automountServiceAccountToken: true -secrets: - - name: diffgram-rabbitmq ---- -# Source: diffgram/charts/rabbitmq/templates/secrets.yaml -apiVersion: v1 -kind: Secret -metadata: - name: diffgram-rabbitmq - namespace: "default" - labels: - app.kubernetes.io/name: rabbitmq - helm.sh/chart: rabbitmq-9.1.4 - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm -type: Opaque -data: - rabbitmq-password: "ZGlmZmdyYW0=" - - rabbitmq-erlang-cookie: "S3htRjhHaXpYSXRNOUhEU2xLQTdKZFYyZXVvUHVpdmE=" ---- -# Source: diffgram/charts/rabbitmq/templates/tls-secrets.yaml -apiVersion: v1 -kind: Secret -metadata: - name: diffgram-rabbitmq-certs - namespace: "default" - labels: - app.kubernetes.io/name: rabbitmq - helm.sh/chart: rabbitmq-9.1.4 - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm -type: kubernetes.io/tls -data: - ca.crt: "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" - tls.crt: "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" - tls.key: "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" ---- -# Source: diffgram/templates/default/secrets.yaml -apiVersion: v1 -kind: Secret -metadata: - name: diffgram-default-secrets -type: Opaque -stringData: - STRIPE_API_KEY: none - DIFFGRAM_AWS_ACCESS_KEY_SECRET: write_your_aws_access_key_secret - DIFFGRAM_AWS_ACCESS_KEY_ID: write_your_aws_access_key - _ANALYTICS_WRITE_KEY: provided_by_diffgram_team - MAILGUN_KEY: provided_by_diffgram_team - HUB_SPOT_KEY: provided_by_diffgram_team - SECRET_KEY: provided_by_diffgram_team - INTER_SERVICE_SECRET: provided_by_diffgram_team - FERNET_KEY: NeL_RED6zZ1XF3XT7Yd1hzFPYyebrg6UdkECTOLHEdI= - - DATABASE_URL: 
"postgresql+psycopg2://postgres:postgres@diffgram-postgres/postgres" - - - - USER_PASSWORDS_SECRET: provided_by_diffgram_team - DIFFGRAM_AZURE_CONNECTION_STRING: put_your_azure_connection_string_here - RABBITMQ_DEFAULT_PASS: diffgram ---- -# Source: diffgram/templates/eventhandlers/secrets.yaml -apiVersion: v1 -kind: Secret -metadata: - name: diffgram-eventhandlers-secrets -type: Opaque -stringData: - STRIPE_API_KEY: none - DIFFGRAM_AWS_ACCESS_KEY_SECRET: write_your_aws_access_key_secret - DIFFGRAM_AWS_ACCESS_KEY_ID: write_your_aws_access_key - _ANALYTICS_WRITE_KEY: provided_by_diffgram_team - MAILGUN_KEY: provided_by_diffgram_team - HUB_SPOT_KEY: provided_by_diffgram_team - SECRET_KEY: provided_by_diffgram_team - INTER_SERVICE_SECRET: provided_by_diffgram_team - FERNET_KEY: NeL_RED6zZ1XF3XT7Yd1hzFPYyebrg6UdkECTOLHEdI= - - DATABASE_URL: "postgresql+psycopg2://postgres:postgres@diffgram-postgres/postgres" - - - - USER_PASSWORDS_SECRET: provided_by_diffgram_team - DIFFGRAM_AZURE_CONNECTION_STRING: put_your_azure_connection_string_here - RABBITMQ_DEFAULT_PASS: diffgram ---- -# Source: diffgram/templates/walrus/secrets.yaml -apiVersion: v1 -kind: Secret -metadata: - name: diffgram-walrus-secrets -type: Opaque -stringData: - STRIPE_API_KEY: none - DIFFGRAM_AWS_ACCESS_KEY_SECRET: write_your_aws_access_key_secret - DIFFGRAM_AWS_ACCESS_KEY_ID: write_your_aws_access_key - _ANALYTICS_WRITE_KEY: provided_by_diffgram_team - MAILGUN_KEY: provided_by_diffgram_team - HUB_SPOT_KEY: provided_by_diffgram_team - SECRET_KEY: provided_by_diffgram_team - INTER_SERVICE_SECRET: provided_by_diffgram_team - FERNET_KEY: NeL_RED6zZ1XF3XT7Yd1hzFPYyebrg6UdkECTOLHEdI= - - DATABASE_URL: "postgresql+psycopg2://postgres:postgres@diffgram-postgres/postgres" - - - - USER_PASSWORDS_SECRET: provided_by_diffgram_team - DIFFGRAM_AZURE_CONNECTION_STRING: put_your_azure_connection_string_here - RABBITMQ_DEFAULT_PASS: diffgram ---- -# Source: diffgram/charts/rabbitmq/templates/configuration.yaml 
-apiVersion: v1 -kind: ConfigMap -metadata: - name: diffgram-rabbitmq-config - namespace: "default" - labels: - app.kubernetes.io/name: rabbitmq - helm.sh/chart: rabbitmq-9.1.4 - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm -data: - rabbitmq.conf: |- - ## Username and password - ## - default_user = user - default_pass = CHANGEME - ## Clustering - ## - cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s - cluster_formation.k8s.host = kubernetes.default - cluster_formation.node_cleanup.interval = 10 - cluster_formation.node_cleanup.only_log_warning = true - cluster_partition_handling = autoheal - # queue master locator - queue_master_locator = min-masters - # enable guest user - loopback_users.guest = false - #default_vhost = default-vhost - #disk_free_limit.absolute = 50MB - ssl_options.verify = verify_peer - listeners.ssl.default = 5671 - ssl_options.fail_if_no_peer_cert = true - ssl_options.cacertfile = /opt/bitnami/rabbitmq/certs/ca_certificate.pem - ssl_options.certfile = /opt/bitnami/rabbitmq/certs/server_certificate.pem - ssl_options.keyfile = /opt/bitnami/rabbitmq/certs/server_key.pem ---- -# Source: diffgram/templates/default/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: diffgram-default-configmap -data: - USERDOMAIN: kubernetes - DIFFGRAM_SYSTEM_MODE: production - DIFFGRAM_STATIC_STORAGE_PROVIDER: aws - DIFFGRAM_S3_BUCKET_NAME: none - ML__DIFFGRAM_S3_BUCKET_NAME: diffgram-testing - GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml - CLOUD_STORAGE_BUCKET: diffgram-testing - ML__CLOUD_STORAGE_BUCKET: diffgram-testing - URL_BASE: example.com - WALRUS_SERVICE_URL_BASE: example.com - SERVICE_ACCOUNT_FULL_PATH: /etc/gcp/sa_credentials.json - DIFFGRAM_AZURE_CONTAINER_NAME: none - ML__DIFFGRAM_AZURE_CONTAINER_NAME: none - DIFFGRAM_INSTALL_FINGERPRINT: helm_fingerprint_default - DIFFGRAM_VERSION_TAG: 0.16.0 - 
DIFFGRAM_HOST_OS: helm_os_default - DATABASE_CONNECTION_POOL_SIZE: "10" - PYTHONPATH: "/app:/app/shared:/" - PROCESS_MEDIA_NUM_VIDEO_THREADS: "1" - PROCESS_MEDIA_NUM_FRAME_THREADS: "4" - NEW_RELIC_LICENSE_KEY: none - EMAIL_DOMAIN_NAME: example.com - ALLOW_EVENTHUB: "False" - EMAIL_VALIDATION: "False" - ALLOW_STRIPE_BILLING: "False" - IS_OPEN_SOURCE: "True" - DIFFGRAM_MINIO_ENDPOINT_URL: none - DIFFGRAM_MINIO_ACCESS_KEY_ID: none - DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none - DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none - RABBITMQ_HOST: diffgram-rabbitmq - RABBITMQ_PORT: 5672 - RABBITMQ_DEFAULT_USER: user ---- -# Source: diffgram/templates/eventhandlers/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: diffgram-eventhandlers-configmap -data: - USERDOMAIN: kubernetes - DIFFGRAM_SYSTEM_MODE: production - DIFFGRAM_STATIC_STORAGE_PROVIDER: aws - DIFFGRAM_S3_BUCKET_NAME: none - ML__DIFFGRAM_S3_BUCKET_NAME: diffgram-testing - GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml - CLOUD_STORAGE_BUCKET: diffgram-testing - ML__CLOUD_STORAGE_BUCKET: diffgram-testing - URL_BASE: example.com - WALRUS_SERVICE_URL_BASE: example.com - SERVICE_ACCOUNT_FULL_PATH: /etc/gcp/sa_credentials.json - DIFFGRAM_AZURE_CONTAINER_NAME: none - ML__DIFFGRAM_AZURE_CONTAINER_NAME: none - DIFFGRAM_INSTALL_FINGERPRINT: helm_fingerprint_default - DIFFGRAM_VERSION_TAG: 0.16.0 - DIFFGRAM_HOST_OS: helm_os_default - DATABASE_CONNECTION_POOL_SIZE: "10" - PYTHONPATH: "/app:/app/shared:/" - PROCESS_MEDIA_NUM_VIDEO_THREADS: "1" - PROCESS_MEDIA_NUM_FRAME_THREADS: "4" - NEW_RELIC_LICENSE_KEY: none - EMAIL_DOMAIN_NAME: example.com - ALLOW_EVENTHUB: "False" - EMAIL_VALIDATION: "False" - ALLOW_STRIPE_BILLING: "False" - IS_OPEN_SOURCE: "True" - DIFFGRAM_MINIO_ENDPOINT_URL: none - DIFFGRAM_MINIO_ACCESS_KEY_ID: none - DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none - DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none - RABBITMQ_HOST: diffgram-rabbitmq 
- RABBITMQ_PORT: 5672 - RABBITMQ_DEFAULT_USER: user ---- -# Source: diffgram/templates/ingress_configmap.yaml -apiVersion: v1 -kind: ConfigMap -data: - - enable-underscores-in-headers: "true" - ignore-invalid-headers: "false" - use-gzip: "true" # ENABLE GZIP COMPRESSION - gzip-types: "*" # SPECIFY MIME TYPES TO COMPRESS ("*" FOR ALL) -metadata: - name: ingress-nginx-controller - namespace: default ---- -# Source: diffgram/templates/walrus/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: diffgram-walrus-configmap -data: - USERDOMAIN: kubernetes - DIFFGRAM_SYSTEM_MODE: production - DIFFGRAM_STATIC_STORAGE_PROVIDER: aws - DIFFGRAM_S3_BUCKET_NAME: none - ML__DIFFGRAM_S3_BUCKET_NAME: diffgram-testing - GOOGLE_APPLICATION_CREDENTIALS: /etc/gcp/sa_credentials.json # Check the volume in deployment.yaml and service_account_secret.yaml - CLOUD_STORAGE_BUCKET: diffgram-testing - ML__CLOUD_STORAGE_BUCKET: diffgram-testing - URL_BASE: example.com - WALRUS_SERVICE_URL_BASE: example.com - SERVICE_ACCOUNT_FULL_PATH: /etc/gcp/sa_credentials.json - DIFFGRAM_AZURE_CONTAINER_NAME: none - ML__DIFFGRAM_AZURE_CONTAINER_NAME: none - DIFFGRAM_INSTALL_FINGERPRINT: helm_fingerprint_default - DIFFGRAM_VERSION_TAG: 0.16.0 - DIFFGRAM_HOST_OS: helm_os_default - DATABASE_CONNECTION_POOL_SIZE: "10" - PYTHONPATH: "/app:/app/shared:/" - PROCESS_MEDIA_NUM_VIDEO_THREADS: "1" - PROCESS_MEDIA_NUM_FRAME_THREADS: "4" - NEW_RELIC_LICENSE_KEY: none - EMAIL_DOMAIN_NAME: example.com - ALLOW_EVENTHUB: "False" - EMAIL_VALIDATION: "False" - ALLOW_STRIPE_BILLING: "False" - IS_OPEN_SOURCE: "True" - DIFFGRAM_MINIO_ENDPOINT_URL: none - DIFFGRAM_MINIO_ACCESS_KEY_ID: none - DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none - DIFFGRAM_MINIO_DISABLED_SSL_VERIFY: none - RABBITMQ_HOST: diffgram-rabbitmq - RABBITMQ_PORT: 5672 - RABBITMQ_DEFAULT_USER: user ---- -# Source: diffgram/charts/cert-manager/templates/cainjector-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: 
diffgram-cert-manager-cainjector - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "cainjector" - helm.sh/chart: cert-manager-v1.1.0 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "create", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["auditregistration.k8s.io"] - resources: ["auditsinks"] - verbs: ["get", "list", "watch", "update"] ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -# Issuer controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: diffgram-cert-manager-controller-issuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["issuers", "issuers/status"] - verbs: ["update"] - - apiGroups: ["cert-manager.io"] - resources: ["issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -# ClusterIssuer controller role -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: diffgram-cert-manager-controller-clusterissuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers", "clusterissuers/status"] - verbs: ["update"] - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -# Certificates controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: diffgram-cert-manager-controller-certificates - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] - verbs: ["update"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] - verbs: ["get", "list", "watch"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["cert-manager.io"] - resources: ["certificates/finalizers", "certificaterequests/finalizers"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders"] - verbs: ["create", "delete", "get", "list", 
"watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -# Orders controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: diffgram-cert-manager-controller-orders - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -rules: - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders", "orders/status"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders", "challenges"] - verbs: ["get", "list", "watch"] - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers", "issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges"] - verbs: ["create", "delete"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -# Challenges controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: diffgram-cert-manager-controller-challenges - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 
-rules: - # Use to update challenge resource status - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "challenges/status"] - verbs: ["update"] - # Used to watch challenge resources - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges"] - verbs: ["get", "list", "watch"] - # Used to watch challenges, issuer and clusterissuer resources - - apiGroups: ["cert-manager.io"] - resources: ["issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - # Need to be able to retrieve ACME account private key to complete challenges - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - # Used to create events - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # HTTP01 rules - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: ["get", "list", "watch", "create", "delete", "update"] - # We require the ability to specify a custom hostname when we are creating - # new ingress resources. 
- # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 - - apiGroups: ["route.openshift.io"] - resources: ["routes/custom-host"] - verbs: ["create"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges/finalizers"] - verbs: ["update"] - # DNS01 rules (duplicated above) - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -# ingress-shim controller role -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: diffgram-cert-manager-controller-ingress-shim - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests"] - verbs: ["create", "update", "delete"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - # We require these rules to support users with the OwnerReferencesPermissionEnforcement - # admission controller enabled: - # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - - apiGroups: ["extensions"] - resources: ["ingresses/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: diffgram-cert-manager-view - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "orders"] - verbs: ["get", "list", "watch"] ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: diffgram-cert-manager-edit - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "orders"] - verbs: ["get", "list", "watch"] ---- -# Source: diffgram/charts/cert-manager/templates/cainjector-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: diffgram-cert-manager-cainjector - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "cainjector" - helm.sh/chart: cert-manager-v1.1.0 -roleRef: - apiGroup: 
rbac.authorization.k8s.io - kind: ClusterRole - name: diffgram-cert-manager-cainjector -subjects: - - name: diffgram-cert-manager-cainjector - namespace: "default" - kind: ServiceAccount ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: diffgram-cert-manager-controller-issuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: diffgram-cert-manager-controller-issuers -subjects: - - name: diffgram-cert-manager - namespace: "default" - kind: ServiceAccount ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: diffgram-cert-manager-controller-clusterissuers - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: diffgram-cert-manager-controller-clusterissuers -subjects: - - name: diffgram-cert-manager - namespace: "default" - kind: ServiceAccount ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: diffgram-cert-manager-controller-certificates - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: diffgram-cert-manager-controller-certificates 
-subjects: - - name: diffgram-cert-manager - namespace: "default" - kind: ServiceAccount ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: diffgram-cert-manager-controller-orders - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: diffgram-cert-manager-controller-orders -subjects: - - name: diffgram-cert-manager - namespace: "default" - kind: ServiceAccount ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: diffgram-cert-manager-controller-challenges - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: diffgram-cert-manager-controller-challenges -subjects: - - name: diffgram-cert-manager - namespace: "default" - kind: ServiceAccount ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: diffgram-cert-manager-controller-ingress-shim - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: diffgram-cert-manager-controller-ingress-shim -subjects: - - name: diffgram-cert-manager - namespace: "default" - kind: ServiceAccount ---- -# Source: 
diffgram/charts/cert-manager/templates/cainjector-rbac.yaml -# leader election rules -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: diffgram-cert-manager-cainjector:leaderelection - namespace: kube-system - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "cainjector" - helm.sh/chart: cert-manager-v1.1.0 -rules: - # Used for leader election by the controller - # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller - # see cmd/cainjector/start.go#L113 - # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller - # see cmd/cainjector/start.go#L137 - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] - verbs: ["get", "update", "patch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: diffgram-cert-manager:leaderelection - namespace: kube-system - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -rules: - # Used for leader election by the controller - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["cert-manager-controller"] - verbs: ["get", "update", "patch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] ---- -# Source: diffgram/charts/cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: diffgram-cert-manager-webhook:dynamic-serving - namespace: "default" - labels: - app: webhook - app.kubernetes.io/name: webhook - 
app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "webhook" - helm.sh/chart: cert-manager-v1.1.0 -rules: -- apiGroups: [""] - resources: ["secrets"] - resourceNames: - - 'diffgram-cert-manager-webhook-ca' - verbs: ["get", "list", "watch", "update"] -# It's not possible to grant CREATE permission on a single resourceName. -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] ---- -# Source: diffgram/charts/rabbitmq/templates/role.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: diffgram-rabbitmq-endpoint-reader - namespace: "default" - labels: - app.kubernetes.io/name: rabbitmq - helm.sh/chart: rabbitmq-9.1.4 - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["get"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create"] ---- -# Source: diffgram/charts/cert-manager/templates/cainjector-rbac.yaml -# grant cert-manager permission to manage the leaderelection configmap in the -# leader election namespace -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: diffgram-cert-manager-cainjector:leaderelection - namespace: kube-system - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "cainjector" - helm.sh/chart: cert-manager-v1.1.0 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: diffgram-cert-manager-cainjector:leaderelection -subjects: - - kind: ServiceAccount - name: diffgram-cert-manager-cainjector - namespace: default ---- -# Source: diffgram/charts/cert-manager/templates/rbac.yaml -# grant cert-manager permission to manage the leaderelection configmap in the -# leader election namespace -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: diffgram-cert-manager:leaderelection - namespace: 
kube-system - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: diffgram-cert-manager:leaderelection -subjects: - - apiGroup: "" - kind: ServiceAccount - name: diffgram-cert-manager - namespace: default ---- -# Source: diffgram/charts/cert-manager/templates/webhook-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: diffgram-cert-manager-webhook:dynamic-serving - namespace: "default" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "webhook" - helm.sh/chart: cert-manager-v1.1.0 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: diffgram-cert-manager-webhook:dynamic-serving -subjects: -- apiGroup: "" - kind: ServiceAccount - name: diffgram-cert-manager-webhook - namespace: default ---- -# Source: diffgram/charts/rabbitmq/templates/rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: diffgram-rabbitmq-endpoint-reader - namespace: "default" - labels: - app.kubernetes.io/name: rabbitmq - helm.sh/chart: rabbitmq-9.1.4 - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm -subjects: - - kind: ServiceAccount - name: diffgram-rabbitmq -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: diffgram-rabbitmq-endpoint-reader ---- -# Source: diffgram/charts/cert-manager/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: diffgram-cert-manager - namespace: "default" - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: 
cert-manager-v1.1.0 -spec: - type: ClusterIP - ports: - - protocol: TCP - port: 9402 - targetPort: 9402 - selector: - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/component: "controller" ---- -# Source: diffgram/charts/cert-manager/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: diffgram-cert-manager-webhook - namespace: "default" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "webhook" - helm.sh/chart: cert-manager-v1.1.0 -spec: - type: ClusterIP - ports: - - name: https - port: 443 - targetPort: 10250 - selector: - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: diffgram - app.kubernetes.io/component: "webhook" ---- -# Source: diffgram/charts/rabbitmq/templates/svc-headless.yaml -apiVersion: v1 -kind: Service -metadata: - name: diffgram-rabbitmq-headless - namespace: "default" - labels: - app.kubernetes.io/name: rabbitmq - helm.sh/chart: rabbitmq-9.1.4 - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm -spec: - clusterIP: None - ports: - - name: epmd - port: 4369 - targetPort: epmd - - name: amqp - port: 5672 - targetPort: amqp - - name: amqp-ssl - port: 5671 - targetPort: amqp-tls - - name: dist - port: 25672 - targetPort: dist - - name: http-stats - port: 15672 - targetPort: stats - selector: - app.kubernetes.io/name: rabbitmq - app.kubernetes.io/instance: diffgram - publishNotReadyAddresses: true ---- -# Source: diffgram/charts/rabbitmq/templates/svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: diffgram-rabbitmq - namespace: "default" - labels: - app.kubernetes.io/name: rabbitmq - helm.sh/chart: rabbitmq-9.1.4 - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - sessionAffinity: None - ports: - - name: amqp - port: 5672 - targetPort: amqp - nodePort: null - - 
name: amqp-ssl - port: 5671 - targetPort: amqp-ssl - nodePort: null - - name: epmd - port: 4369 - targetPort: epmd - nodePort: null - - name: dist - port: 25672 - targetPort: dist - nodePort: null - - name: http-stats - port: 15672 - targetPort: stats - nodePort: null - selector: - app.kubernetes.io/name: rabbitmq - app.kubernetes.io/instance: diffgram ---- -# Source: diffgram/templates/default/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: diffgram-default - name: diffgram-default - namespace: default -spec: - ports: - - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: diffgram-default - type: ClusterIP ---- -# Source: diffgram/templates/eventhandlers/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: diffgram-eventhandlers - name: diffgram-eventhandlers - namespace: default -spec: - ports: - - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: diffgram-eventhandlers - type: ClusterIP ---- -# Source: diffgram/templates/frontend/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: frontend - name: frontend - namespace: default -spec: - ports: - - port: 8080 - protocol: TCP - targetPort: 80 - selector: - app: frontend - type: ClusterIP ---- -# Source: diffgram/templates/postgres/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: diffgram-postgres - namespace: default -spec: - ports: - - port: 5432 - selector: - app: postgres ---- -# Source: diffgram/templates/walrus/service.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - app: diffgram-walrus - name: diffgram-walrus - namespace: default -spec: - ports: - - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: diffgram-walrus - type: ClusterIP ---- -# Source: diffgram/charts/cert-manager/templates/cainjector-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: diffgram-cert-manager-cainjector - namespace: "default" - labels: - app: cainjector - app.kubernetes.io/name: 
cainjector - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "cainjector" - helm.sh/chart: cert-manager-v1.1.0 -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: diffgram - app.kubernetes.io/component: "cainjector" - template: - metadata: - labels: - app: cainjector - app.kubernetes.io/name: cainjector - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "cainjector" - helm.sh/chart: cert-manager-v1.1.0 - spec: - serviceAccountName: diffgram-cert-manager-cainjector - containers: - - name: cert-manager - image: "quay.io/jetstack/cert-manager-cainjector:v1.1.0" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --leader-election-namespace=kube-system - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - {} ---- -# Source: diffgram/charts/cert-manager/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: diffgram-cert-manager - namespace: "default" - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "controller" - helm.sh/chart: cert-manager-v1.1.0 -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/component: "controller" - template: - metadata: - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: diffgram - app.kubernetes.io/component: "controller" - app.kubernetes.io/managed-by: Helm - helm.sh/chart: cert-manager-v1.1.0 - annotations: - prometheus.io/path: "/metrics" - prometheus.io/scrape: 'true' - prometheus.io/port: '9402' - spec: - serviceAccountName: diffgram-cert-manager - containers: - - name: cert-manager - image: 
"quay.io/jetstack/cert-manager-controller:v1.1.0" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=kube-system - ports: - - containerPort: 9402 - protocol: TCP - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - {} ---- -# Source: diffgram/charts/cert-manager/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: diffgram-cert-manager-webhook - namespace: "default" - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "webhook" - helm.sh/chart: cert-manager-v1.1.0 -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: diffgram - app.kubernetes.io/component: "webhook" - template: - metadata: - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "webhook" - helm.sh/chart: cert-manager-v1.1.0 - spec: - serviceAccountName: diffgram-cert-manager-webhook - containers: - - name: cert-manager - image: "quay.io/jetstack/cert-manager-webhook:v1.1.0" - imagePullPolicy: IfNotPresent - args: - - --v=2 - - --secure-port=10250 - - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) - - --dynamic-serving-ca-secret-name=diffgram-cert-manager-webhook-ca - - --dynamic-serving-dns-names=diffgram-cert-manager-webhook,diffgram-cert-manager-webhook.default,diffgram-cert-manager-webhook.default.svc - ports: - - name: https - containerPort: 10250 - livenessProbe: - httpGet: - path: /livez - port: 6080 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 6080 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - 
timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - {} ---- -# Source: diffgram/templates/default/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: diffgram-default - name: diffgram-default - namespace: default -spec: - replicas: 1 - selector: - matchLabels: - app: diffgram-default - template: - metadata: - labels: - app: diffgram-default - spec: - - - volumes: - - initContainers: - - name: check-db-ready - image: postgres:11 - - command: ['sh', '-c', - 'until pg_isready -h diffgram-postgres -p 5432; - do echo waiting for database; sleep 2; done;'] - - - - containers: - - - - image: gcr.io/diffgram-open-core/default:0.16.0 - - imagePullPolicy: Always - name: diffgram-default - ports: - - containerPort: 8080 - - envFrom: - - configMapRef: - name: diffgram-default-configmap - - secretRef: - name: diffgram-default-secrets - resources: - requests: - cpu: 1.0 - memory: 1G - limits: - cpu: 2.0 - memory: 2G ---- -# Source: diffgram/templates/eventhandlers/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: diffgram-eventhandlers - name: diffgram-eventhandlers - namespace: default -spec: - replicas: 1 - selector: - matchLabels: - app: diffgram-eventhandlers - template: - metadata: - labels: - app: diffgram-eventhandlers - spec: - - - volumes: - - initContainers: - - name: check-db-ready - image: postgres:11 - - command: ['sh', '-c', - 'until pg_isready -h diffgram-postgres -p 5432; - do echo waiting for database; sleep 2; done;'] - - - - containers: - - - - image: gcr.io/diffgram-open-core/eventhandlers:0.16.0 - - imagePullPolicy: Always - name: diffgram-default - ports: - - containerPort: 8080 - - envFrom: - - configMapRef: - name: diffgram-eventhandlers-configmap - - secretRef: - name: diffgram-eventhandlers-secrets - resources: - requests: - cpu: 1.0 - memory: 1G - limits: - cpu: 2.0 - memory: 2G 
---- -# Source: diffgram/templates/frontend/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: frontend - name: frontend - namespace: default -spec: - replicas: 1 - - selector: - matchLabels: - app: frontend - template: - metadata: - labels: - app: frontend - spec: - - - containers: - - - - image: gcr.io/diffgram-open-core/frontend:0.16.0 - - imagePullPolicy: Always - name: frontend - resources: - requests: - cpu: 1.0 - memory: 1G - limits: - cpu: 1.0 - memory: 1G ---- -# Source: diffgram/templates/walrus/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: diffgram-walrus - name: diffgram-walrus - namespace: -spec: - replicas: 1 - selector: - matchLabels: - app: diffgram-walrus - template: - metadata: - labels: - app: diffgram-walrus - spec: - - - volumes: - - - name: empty-dir - emptyDir: {} - initContainers: - - name: check-db-ready - image: postgres:11 - - command: ['sh', '-c', - 'until pg_isready -h diffgram-postgres -p 5432; - do echo waiting for database; sleep 2; done;'] - - - - containers: - - - - image: gcr.io/diffgram-open-core/walrus:0.16.0 - - imagePullPolicy: Always - name: diffgram-walrus - ports: - - containerPort: 8080 - - envFrom: - - configMapRef: - name: diffgram-walrus-configmap - - secretRef: - name: diffgram-walrus-secrets - resources: - requests: - cpu: 1.0 - memory: 1G - limits: - cpu: 2.0 - memory: 2G ---- -# Source: diffgram/charts/rabbitmq/templates/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: diffgram-rabbitmq - namespace: "default" - labels: - app.kubernetes.io/name: rabbitmq - helm.sh/chart: rabbitmq-9.1.4 - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm -spec: - serviceName: diffgram-rabbitmq-headless - podManagementPolicy: OrderedReady - replicas: 1 - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/name: rabbitmq - app.kubernetes.io/instance: diffgram - template: - metadata: - 
labels: - app.kubernetes.io/name: rabbitmq - helm.sh/chart: rabbitmq-9.1.4 - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - annotations: - checksum/config: 90f3ba80cbd09b1aa0513943a5b142fbdfb582755cd247065d6a31476c4b6d4e - checksum/secret: 51814d12d9a6e92712de061b1c43f6e74964885f7a78d51a542dc767dcc8d2ec - spec: - - serviceAccountName: diffgram-rabbitmq - affinity: - podAffinity: - - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: rabbitmq - app.kubernetes.io/instance: diffgram - namespaces: - - "default" - topologyKey: kubernetes.io/hostname - weight: 1 - nodeAffinity: - - securityContext: - fsGroup: 1001 - terminationGracePeriodSeconds: 120 - initContainers: - containers: - - name: rabbitmq - image: docker.io/bitnami/rabbitmq:3.9.18-debian-10-r0 - imagePullPolicy: "IfNotPresent" - securityContext: - runAsNonRoot: true - runAsUser: 1001 - lifecycle: - preStop: - exec: - command: - - /bin/bash - - -ec - - | - if [[ -f /opt/bitnami/scripts/rabbitmq/nodeshutdown.sh ]]; then - /opt/bitnami/scripts/rabbitmq/nodeshutdown.sh -t "120" -d "false" - else - rabbitmqctl stop_app - fi - env: - - name: BITNAMI_DEBUG - value: "false" - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: K8S_SERVICE_NAME - value: diffgram-rabbitmq-headless - - name: K8S_ADDRESS_TYPE - value: hostname - - name: RABBITMQ_FORCE_BOOT - value: "no" - - name: RABBITMQ_NODE_NAME - value: "rabbit@$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.cluster.local" - - name: K8S_HOSTNAME_SUFFIX - value: ".$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.cluster.local" - - name: RABBITMQ_MNESIA_DIR - value: "/bitnami/rabbitmq/mnesia/$(RABBITMQ_NODE_NAME)" - - name: RABBITMQ_LDAP_ENABLE - value: "no" 
- - name: RABBITMQ_LOGS - value: "-" - - name: RABBITMQ_ULIMIT_NOFILES - value: "65536" - - name: RABBITMQ_USE_LONGNAME - value: "true" - - name: RABBITMQ_ERL_COOKIE - valueFrom: - secretKeyRef: - name: diffgram-rabbitmq - key: rabbitmq-erlang-cookie - - name: RABBITMQ_LOAD_DEFINITIONS - value: "no" - - name: RABBITMQ_DEFINITIONS_FILE - value: "/app/load_definition.json" - - name: RABBITMQ_SECURE_PASSWORD - value: "yes" - - name: RABBITMQ_USERNAME - value: "user" - - name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - name: diffgram-rabbitmq - key: rabbitmq-password - - name: RABBITMQ_PLUGINS - value: "rabbitmq_management, rabbitmq_peer_discovery_k8s, rabbitmq_auth_backend_ldap" - envFrom: - ports: - - name: amqp - containerPort: 5672 - - name: dist - containerPort: 25672 - - name: stats - containerPort: 15672 - - name: epmd - containerPort: 4369 - - name: amqp-ssl - containerPort: 5671 - livenessProbe: - failureThreshold: 6 - initialDelaySeconds: 120 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 20 - exec: - command: - - /bin/bash - - -ec - - rabbitmq-diagnostics -q ping - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 10 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 20 - exec: - command: - - /bin/bash - - -ec - - rabbitmq-diagnostics -q check_running && rabbitmq-diagnostics -q check_local_alarms - resources: - limits: {} - requests: {} - volumeMounts: - - name: configuration - mountPath: /bitnami/rabbitmq/conf - - name: data - mountPath: /bitnami/rabbitmq/mnesia - - name: certs - mountPath: /opt/bitnami/rabbitmq/certs - volumes: - - name: certs - secret: - secretName: diffgram-rabbitmq-certs - items: - - key: ca.crt - path: ca_certificate.pem - - key: tls.crt - path: server_certificate.pem - - key: tls.key - path: server_key.pem - - name: configuration - configMap: - name: diffgram-rabbitmq-config - items: - - key: rabbitmq.conf - path: rabbitmq.conf - volumeClaimTemplates: - - metadata: - name: data - labels: - 
app.kubernetes.io/name: rabbitmq - app.kubernetes.io/instance: diffgram - spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "8Gi" ---- -# Source: diffgram/templates/ingress.yaml -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: diffgram-ingress - namespace: default - annotations: - kubernetes.io/ingress.class: "nginx" - ingressclass.kubernetes.io/is-default-class: "true" - nginx.ingress.kubernetes.io/use-regex: "true" - - - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - proxy_pass_header directory_id; - - - nginx.org/proxy-pass-headers: directory_id - - cert-manager.io/issuer: "letsencrypt-prod" - - watch-namespace: default -# nginx.ingress.kubernetes.io/force-ssl-redirect: "false" - # Limit uploads to 8TB - nginx.ingress.kubernetes.io/proxy-body-size: 800000m - -spec: - - tls: - - secretName: diffgram-cert-tls-example.com - hosts: - - example.com - - www.example.com - - rules: - - host: example.com - http: - paths: - - path: /api/walrus(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: diffgram-walrus - port: - number: 8080 - - path: /api(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: diffgram-default - port: - number: 8080 - - path: /(.*) - pathType: ImplementationSpecific - backend: - service: - name: frontend - port: - number: 8080 ---- -# Source: diffgram/templates/tls/issuer_prod.yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: letsencrypt-prod -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: pablo.estrada@diffgram.com - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-prod - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: nginx ---- -# Source: diffgram/templates/tls/issuer_staging.yaml -apiVersion: 
cert-manager.io/v1 -kind: Issuer -metadata: - name: letsencrypt-staging -spec: - acme: - # The ACME server URL - server: https://acme-staging-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: pablo.estrada@diffgram.com - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-staging - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: nginx ---- -# Source: diffgram/charts/cert-manager/templates/webhook-mutating-webhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: diffgram-cert-manager-webhook - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "webhook" - helm.sh/chart: cert-manager-v1.1.0 - annotations: - cert-manager.io/inject-ca-from-secret: "default/diffgram-cert-manager-webhook-ca" -webhooks: - - name: webhook.cert-manager.io - rules: - - apiGroups: - - "cert-manager.io" - - "acme.cert-manager.io" - apiVersions: - - "*" - operations: - - CREATE - - UPDATE - resources: - - "*/*" - admissionReviewVersions: ["v1", "v1beta1"] - timeoutSeconds: 10 - failurePolicy: Fail - # Only include 'sideEffects' field in Kubernetes 1.12+ - sideEffects: None - clientConfig: - service: - name: diffgram-cert-manager-webhook - namespace: "default" - path: /mutate ---- -# Source: diffgram/charts/cert-manager/templates/webhook-validating-webhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: diffgram-cert-manager-webhook - labels: - app: webhook - app.kubernetes.io/name: webhook - app.kubernetes.io/instance: diffgram - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: "webhook" - helm.sh/chart: cert-manager-v1.1.0 - annotations: - cert-manager.io/inject-ca-from-secret: "default/diffgram-cert-manager-webhook-ca" 
-webhooks: - - name: webhook.cert-manager.io - namespaceSelector: - matchExpressions: - - key: "cert-manager.io/disable-validation" - operator: "NotIn" - values: - - "true" - - key: "name" - operator: "NotIn" - values: - - default - rules: - - apiGroups: - - "cert-manager.io" - - "acme.cert-manager.io" - apiVersions: - - "*" - operations: - - CREATE - - UPDATE - resources: - - "*/*" - admissionReviewVersions: ["v1", "v1beta1"] - timeoutSeconds: 10 - failurePolicy: Fail - # Only include 'sideEffects' field in Kubernetes 1.12+ - sideEffects: None - clientConfig: - service: - name: diffgram-cert-manager-webhook - namespace: "default" - path: /validate - diff --git a/templates/ingress.yaml b/templates/ingress.yaml index 8ad2d24..67ab741 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml @@ -41,10 +41,10 @@ metadata: spec: {{ if eq .Values.useTls true}} tls: - - secretName: diffgram-cert-tls-{{ .Values.diffgramDomain }} - hosts: + - hosts: - {{ .Values.diffgramDomain }} - www.{{ .Values.diffgramDomain }} + secretName: diffgram-cert-tls-{{ .Values.diffgramDomain }} {{ end }} rules: - host: {{ .Values.diffgramDomain }} diff --git a/values.yaml b/values.yaml index 239791c..66cfb4e 100644 --- a/values.yaml +++ b/values.yaml @@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. # The Diffgram Version. Whenever a new update arrives, this will be changed. -diffgramVersion: testwfbuilder +diffgramVersion: DAD-244-actions-builder-v-2 # Either 'opencore' or 'enterprise'. Please note that selecting 'enterprise' # requires that you also set imagePullCredentials.gcrCredentials. @@ -85,6 +85,7 @@ diffgramSettings: EMAIL_VALIDATION: '"False"' ALLOW_STRIPE_BILLING: '"False"' IS_OPEN_SOURCE: '"True"' + Iwe can add S_OPEN_SOURCE: '"True"' DIFFGRAM_MINIO_ENDPOINT_URL: none DIFFGRAM_MINIO_ACCESS_KEY_ID: none DIFFGRAM_MINIO_ACCESS_KEY_SECRET: none From fcf515975ae6542e182b92266111f697707348ed Mon Sep 17 00:00:00 2001 
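Review bot: The added line `Iwe can add S_OPEN_SOURCE: '"True"'` in the `diffgramSettings` hunk of values.yaml looks like stray typing that landed inside a copy of the `IS_OPEN_SOURCE` key rather than an intended setting. YAML accepts it as a key containing spaces, so the chart still loads and the mistake stays silent; the line should be dropped, leaving `IS_OPEN_SOURCE: '"True"'` as the only entry. In the first hunk of the same file, `diffgramVersion: DAD-244-actions-builder-v-2` reads like a feature-branch name; if that value selects the image tag, the shipped default would be better pinned to a released version.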
From: Pablo Date: Wed, 25 May 2022 18:30:00 -0600 Subject: [PATCH 5/9] wip: improve TLS management for helm Still need to fix some redirects issues. But main goal is to add better resources for testing diffgram in local minikube env. This will help both first time users and helm chart developers to iterate faster over the helm chart changes and test faster any changes to the k8s resources generated by helm. --- .gitignore | 7 +++- Chart.lock | 7 ++-- README.md | 32 ++++++++++++++++-- templates/ingress.yaml | 53 +++++++++++++++--------------- templates/postgres/deployment.yaml | 1 - templates/tls/issuer_local.yaml | 9 +++++ templates/tls/issuer_prod.yaml | 2 +- templates/tls/issuer_staging.yaml | 2 +- values.yaml | 6 +++- 9 files changed, 79 insertions(+), 40 deletions(-) create mode 100644 templates/tls/issuer_local.yaml diff --git a/.gitignore b/.gitignore index 77cdcf2..c910d3f 100644 --- a/.gitignore +++ b/.gitignore @@ -18,4 +18,9 @@ example.com\+6-key.pem example.com\+6.pem # Chart dependencies -**/charts/*.tgz \ No newline at end of file +**/charts/*.tgz +ca.crt + +ca.key + +local-ca.crt diff --git a/Chart.lock b/Chart.lock index dc87b50..80079b9 100644 --- a/Chart.lock +++ b/Chart.lock @@ -2,8 +2,5 @@ dependencies: - name: rabbitmq repository: https://charts.bitnami.com/bitnami version: 9.1.4 -- name: cert-manager - repository: https://charts.jetstack.io - version: v1.1.0 -digest: sha256:16a0d329ffcd4f4ec533d51af30ac1c014066795596729f5572bf93a379a5416 -generated: "2022-05-23T09:23:56.111110299-06:00" +digest: sha256:a92c6d671ae303d36df25c5c05705ee5193e1e22a6987e1476f4f815aa9887d7 +generated: "2022-05-24T22:45:09.592488539-06:00" diff --git a/README.md b/README.md index 076362e..602e477 100644 --- a/README.md +++ b/README.md 
@@ -46,15 +46,41 @@ imagePullCredentials: ### TLS Ceritificates #### Using minikube (For local testing) Install Cert Manager -`helm repo add jetstack https://charts.jetstack.io` +``` +helm repo add jetstack https://charts.jetstack.io +helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true +``` -`helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true` Default domain on diffgram is: `example.com` so make sure you add that to your local hosts file: `echo "$(minikube ip) example.com" | sudo tee -a /etc/hosts` -#### Using cert-manager +In order for TLS to work on your local machine, you will need to provide local certificate authorities. +Otherwise your web browser will detect the certificates as invalid. + +To do that you can generate a key and certificate like this: +``` +# Generate key +openssl genrsa -out ca.key 2048 +# Create CA certificate signing it with the previous key. +openssl req -x509 -new -nodes -key ca.key -sha256 -subj "/CN=sampleissuer.local" -days 1024 -out ca.crt -extensions v3_ca +``` +Now create the certificates as secrets on your minkube cluster: +```angular2html +kubectl create secret tls my-local-ca-key-pair --key=ca.key --cert=ca.crt +``` +Finally Modify your `values.yaml` so that helm chart can grab the secret using cert-manager +issuers. Set `tlsIssuer` to `issuer-local` and `localCaSecretName` to the name you have to the secret created above: + +```angular2html +tlsIssuer: issuer-local # One of: "issuer-local", "letsencrypt-staging", or "letsencrypt-prod" +localCaSecretName: my-local-ca-key-pair + +``` + + +#### Using cert-manager & Public Domains 1. If you want to have TLS connections, please make sure you have a domain available and access to the name servers so you can modify the records to point to the IP addresses of the ingress. diff --git a/templates/ingress.yaml b/templates/ingress.yaml index 67ab741..cf968c2 100644 --- a/templates/ingress.yaml 
+++ b/templates/ingress.yaml @@ -11,7 +11,7 @@ metadata: nginx.ingress.kubernetes.io/enable-cors: "true" nginx.ingress.kubernetes.io/hsts: "false" hsts: "false" - nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/configuration-snippet: | add_header Access-Control-Allow-Methods "POST, GET, PUT, PATCH, DELETE, OPTIONS"; add_header Access-Control-Allow-Credentials true; @@ -31,10 +31,9 @@ metadata: nginx.org/proxy-pass-headers: directory_id {{ if eq .Values.useTls true}} - cert-manager.io/issuer: "letsencrypt-prod" + cert-manager.io/issuer: {{ .Values.tlsIssuer }} {{ end }} watch-namespace: {{ .Release.Namespace }} -# nginx.ingress.kubernetes.io/force-ssl-redirect: "false" # Limit uploads to 8TB nginx.ingress.kubernetes.io/proxy-body-size: 800000m @@ -47,27 +46,27 @@ spec: secretName: diffgram-cert-tls-{{ .Values.diffgramDomain }} {{ end }} rules: - - host: {{ .Values.diffgramDomain }} - http: - paths: - - path: /api/walrus(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: diffgram-walrus - port: - number: 8080 - - path: /api(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: diffgram-default - port: - number: 8080 - - path: /(.*) - pathType: ImplementationSpecific - backend: - service: - name: frontend - port: - number: 8080 \ No newline at end of file + - host: {{ .Values.diffgramDomain }} + http: + paths: + - path: /api/walrus(/|$)(.*) + pathType: ImplementationSpecific + backend: + service: + name: diffgram-walrus + port: + number: 8080 + - path: /api(/|$)(.*) + pathType: ImplementationSpecific + backend: + service: + name: diffgram-default + port: + number: 8080 + - path: /(.*) + pathType: ImplementationSpecific + backend: + service: + name: frontend + port: + number: 8080 \ No newline at end of file diff --git a/templates/postgres/deployment.yaml b/templates/postgres/deployment.yaml index 7f13be6..10a64f6 100644 --- a/templates/postgres/deployment.yaml 
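Review bot: `cert-manager.io/issuer: {{ .Values.tlsIssuer }}` in the second ingress.yaml hunk emits the value unquoted and unchecked, so an empty or misspelled `tlsIssuer` renders an annotation that is empty or names an Issuer the chart does not define, and nothing fails at install time. I would write it as `cert-manager.io/issuer: {{ required "tlsIssuer must be set when useTls is true" .Values.tlsIssuer | quote }}`. The annotation is gated on `useTls` only; whether `useCertManager: false` should also suppress it cannot be decided from here, since the `metadata` block starts above the hunk.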
+++ b/templates/postgres/deployment.yaml @@ -13,7 +13,6 @@ metadata: # job is considered part of the release. "helm.sh/hook": pre-install "helm.sh/hook-weight": "-3" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: replicas: 1 selector: diff --git a/templates/tls/issuer_local.yaml b/templates/tls/issuer_local.yaml new file mode 100644 index 0000000..0db7dbf --- /dev/null +++ b/templates/tls/issuer_local.yaml @@ -0,0 +1,9 @@ +{{ if eq .Values.tlsIssuer "issuer-local" }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: issuer-local +spec: + ca: + secretName: {{ .Values.localCaSecretName }} +{{ end }} \ No newline at end of file diff --git a/templates/tls/issuer_prod.yaml b/templates/tls/issuer_prod.yaml index 7a77510..b9cdd85 100644 --- a/templates/tls/issuer_prod.yaml +++ b/templates/tls/issuer_prod.yaml @@ -8,7 +8,7 @@ spec: # The ACME server URL server: https://acme-v02.api.letsencrypt.org/directory # Email address used for ACME registration - email: pablo.estrada@diffgram.com + email: {{ .Values.issuerEmail }} # Name of a secret used to store the ACME account private key privateKeySecretRef: name: letsencrypt-prod diff --git a/templates/tls/issuer_staging.yaml b/templates/tls/issuer_staging.yaml index 86b34f6..510d825 100644 --- a/templates/tls/issuer_staging.yaml +++ b/templates/tls/issuer_staging.yaml @@ -8,7 +8,7 @@ spec: # The ACME server URL server: https://acme-staging-v02.api.letsencrypt.org/directory # Email address used for ACME registration - email: pablo.estrada@diffgram.com + email: {{ .Values.issuerEmail }} # Name of a secret used to store the ACME account private key privateKeySecretRef: name: letsencrypt-staging diff --git a/values.yaml b/values.yaml index 66cfb4e..cfb7f54 100644 --- a/values.yaml +++ b/values.yaml 
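Review bot: `secretName: {{ .Values.localCaSecretName }}` in the new templates/tls/issuer_local.yaml is rendered unquoted and without a presence check, although it names the secret holding the CA key pair that signs every certificate this issuer hands out. I would make it `secretName: {{ required "localCaSecretName is required when tlsIssuer is issuer-local" .Values.localCaSecretName | quote }}` so a missing value stops the render instead of producing an Issuer that never becomes ready. The file is gated on `tlsIssuer` alone, so the Issuer is also created when `useTls` or `useCertManager` is false; adding those flags to the `if` would keep it out of installs that do not ask for TLS. The `email: {{ .Values.issuerEmail }}` lines in the issuer_prod.yaml and issuer_staging.yaml hunks would benefit from the same `| quote`.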
@@ -12,12 +12,16 @@ diffgramEdition: opencore # Set this to your public domain where you want diffgram to be. # This must be a domain name and not a public IP address. # The chart will generate TLS certificates for the provided domain if useCertManager is 'true' -diffgramDomain: example.com +diffgramDomain: mydiffgram1.com # Set this to true if you want to use cert manager for TLS certificates generation. useCertManager: true + # Use it to activate TLS on the nginx ingress useTls: true +tlsIssuer: issuer-local # One of: "issuer-local", "letsencrypt-staging", or "letsencrypt-prod" +localCaSecretName: my-local-ca-key-pair +issuerEmail: pablo.estrada@diffgram.com dbSettings: # Specify How the DB Service should be created From 08b7e5d4ed8d07a7e3f4e5afd5b777f7ef031457 Mon Sep 17 00:00:00 2001 From: Pablo Date: Thu, 26 May 2022 16:33:31 -0600 Subject: [PATCH 6/9] feat: add rabbitmq to ingress and improve values.yaml --- templates/diffgram_settings.tpl | 2 +- templates/ingress.yaml | 19 ++++++++++++------- templates/ingress_configmap.yaml | 14 -------------- values.yaml | 27 ++++++++++++++++----------- 4 files changed, 29 insertions(+), 33 deletions(-) delete mode 100644 templates/ingress_configmap.yaml diff --git a/templates/diffgram_settings.tpl b/templates/diffgram_settings.tpl index 16b3b04..a8287fc 100644 --- a/templates/diffgram_settings.tpl +++ b/templates/diffgram_settings.tpl 
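Review bot: The new default `issuerEmail: pablo.estrada@diffgram.com` in values.yaml means any install that keeps the defaults and selects a Let's Encrypt issuer registers its ACME account under a maintainer's address. Expiry and account notices for that deployment would then go to someone who does not operate it. Ship a neutral default such as `issuerEmail: ""  # required for letsencrypt-staging / letsencrypt-prod` and have the issuer templates reject an empty value with `required`. The same hunk sets `diffgramDomain: mydiffgram1.com`, which looks like a local test value; patch 6/9 restores `example.com`, but the email default is not reverted in the patches shown.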
@@ -8,7 +8,7 @@ CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.CLOUD_STORAGE_BUCKET }} ML__CLOUD_STORAGE_BUCKET: {{ .Values.diffgramSettings.ML__CLOUD_STORAGE_BUCKET }} URL_BASE: {{ .Values.diffgramDomain }} - WALRUS_SERVICE_URL_BASE: {{ .Values.diffgramSettings.WALRUS_SERVICE_URL_BASE }} + WALRUS_SERVICE_URL_BASE: https://{{ .Values.diffgramDomain }} SERVICE_ACCOUNT_FULL_PATH: {{ .Values.diffgramSettings.SERVICE_ACCOUNT_FULL_PATH }} DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.DIFFGRAM_AZURE_CONTAINER_NAME }} ML__DIFFGRAM_AZURE_CONTAINER_NAME: {{ .Values.diffgramSettings.ML__DIFFGRAM_AZURE_CONTAINER_NAME }} diff --git a/templates/ingress.yaml b/templates/ingress.yaml index cf968c2..08c9aac 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml @@ -7,11 +7,10 @@ metadata: kubernetes.io/ingress.class: "nginx" ingressclass.kubernetes.io/is-default-class: "true" nginx.ingress.kubernetes.io/use-regex: "true" - {{ if eq .Values.useTls false}} nginx.ingress.kubernetes.io/enable-cors: "true" + {{ if eq .Values.useTls false}} nginx.ingress.kubernetes.io/hsts: "false" hsts: "false" - nginx.ingress.kubernetes.io/configuration-snippet: | add_header Access-Control-Allow-Methods "POST, GET, PUT, PATCH, DELETE, OPTIONS"; add_header Access-Control-Allow-Credentials true; @@ -24,15 +23,11 @@ metadata: } {{ end }} {{ if eq .Values.useTls true}} - nginx.ingress.kubernetes.io/enable-cors: "true" + cert-manager.io/issuer: {{ .Values.tlsIssuer }} nginx.ingress.kubernetes.io/configuration-snippet: | proxy_pass_header directory_id; {{ end }} - nginx.org/proxy-pass-headers: directory_id - {{ if eq .Values.useTls true}} - cert-manager.io/issuer: {{ .Values.tlsIssuer }} - {{ end }} watch-namespace: {{ .Release.Namespace }} # Limit uploads to 8TB nginx.ingress.kubernetes.io/proxy-body-size: 800000m 
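Review bot: `WALRUS_SERVICE_URL_BASE: https://{{ .Values.diffgramDomain }}` in templates/diffgram_settings.tpl hard-codes the scheme, while the ingress template still supports `useTls: false` and `URL_BASE` on the line above carries no scheme at all. With TLS disabled the value would presumably point at an endpoint that is not served, though how the services consume it is not visible in this hunk. Derive the scheme from the same switch, e.g. `WALRUS_SERVICE_URL_BASE: {{ ternary "https" "http" .Values.useTls }}://{{ .Values.diffgramDomain }}`, and add a comment stating which of these settings are expected to include a scheme.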
@@ -46,6 +41,16 @@ spec: secretName: diffgram-cert-tls-{{ .Values.diffgramDomain }} {{ end }} rules: + - host: rabbitmq.{{ .Values.diffgramDomain}} + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: diffgram-rabbitmq + port: + number: 15672 - host: {{ .Values.diffgramDomain }} http: paths: diff --git a/templates/ingress_configmap.yaml b/templates/ingress_configmap.yaml deleted file mode 100644 index 3c00a06..0000000 --- a/templates/ingress_configmap.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -data: - {{ if eq .Values.useTls false}} - hsts: "false" - ssl-redirect: "false" - {{ end }} - enable-underscores-in-headers: "true" - ignore-invalid-headers: "false" - use-gzip: "true" # ENABLE GZIP COMPRESSION - gzip-types: "*" # SPECIFY MIME TYPES TO COMPRESS ("*" FOR ALL) -metadata: - name: ingress-nginx-controller - namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index cfb7f54..b7602d2 100644 --- a/values.yaml +++ b/values.yaml @@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. # The Diffgram Version. Whenever a new update arrives, this will be changed. -diffgramVersion: DAD-244-actions-builder-v-2 +diffgramVersion: 0.16.0 # Either 'opencore' or 'enterprise'. Please note that selecting 'enterprise' # requires that you also set imagePullCredentials.gcrCredentials. @@ -12,7 +12,7 @@ diffgramEdition: opencore # Set this to your public domain where you want diffgram to be. # This must be a domain name and not a public IP address. # The chart will generate TLS certificates for the provided domain if useCertManager is 'true' -diffgramDomain: mydiffgram1.com +diffgramDomain: example.com # Set this to true if you want to use cert manager for TLS certificates generation. useCertManager: true 
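Review bot: The added `rabbitmq.{{ .Values.diffgramDomain}}` rule publishes the RabbitMQ management port 15672 through the ingress unconditionally, and values.yaml in this same patch ships `username: "diffgram"` / `password: "diffgram"` for the broker. An install that keeps the defaults would expose the broker's administration interface, protected only by a password published in the chart, to anything that can reach the ingress. Render the rule only on an explicit opt-in that also requires the dependency and TLS, e.g. wrap it in `{{- if and .Values.useRabbitMq .Values.useTls .Values.exposeRabbitMqManagement }}` … `{{- end }}`, where `exposeRabbitMqManagement` is a suggested new value defaulting to `false`. The `tls.hosts` list lies outside the hunk, so confirm the new host is covered by the certificate as well.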
@@ -42,14 +42,14 @@ dbSettings: # All the Secrets Used in Diffgram. diffgramSecrets: STRIPE_API_KEY: none - DIFFGRAM_AWS_ACCESS_KEY_ID: write_your_aws_access_key - DIFFGRAM_AWS_ACCESS_KEY_SECRET: write_your_aws_access_key_secret + DIFFGRAM_AWS_ACCESS_KEY_ID: none + DIFFGRAM_AWS_ACCESS_KEY_SECRET: none _ANALYTICS_WRITE_KEY: provided_by_diffgram_team MAILGUN_KEY: provided_by_diffgram_team HUB_SPOT_KEY: provided_by_diffgram_team SECRET_KEY: provided_by_diffgram_team FERNET_KEY: NeL_RED6zZ1XF3XT7Yd1hzFPYyebrg6UdkECTOLHEdI= # Please change this for production usage - INTER_SERVICE_SECRET: provided_by_diffgram_team + INTER_SERVICE_SECRET: interservicesecret_please_replace_with_secure_value # Use diffgram-postgres, postgres-rds-service depending on which DB service you set on dbSettings USER_PASSWORDS_SECRET: provided_by_diffgram_team # The service account JSON for GCP Static Storage Encoded in Base64. @@ -60,12 +60,11 @@ diffgramSecrets: diffgramSettings: USERDOMAIN: kubernetes - WALRUS_SERVICE_URL_BASE: example.com DIFFGRAM_SYSTEM_MODE: production DIFFGRAM_STATIC_STORAGE_PROVIDER: aws - DIFFGRAM_S3_BUCKET_NAME: none - DIFFGRAM_AZURE_CONTAINER_NAME: none - ML__DIFFGRAM_AZURE_CONTAINER_NAME: none + DIFFGRAM_S3_BUCKET_NAME: diffgram-testing + DIFFGRAM_AZURE_CONTAINER_NAME: diffgram-testing + ML__DIFFGRAM_AZURE_CONTAINER_NAME: diffgram-testing ML__DIFFGRAM_S3_BUCKET_NAME: diffgram-testing CLOUD_STORAGE_BUCKET: diffgram-testing ML__CLOUD_STORAGE_BUCKET: diffgram-testing @@ -107,12 +106,18 @@ imagePullCredentials: useRabbitMq: true rabbitmq: auth: - rabbitmq: "diffgram" + username: "diffgram" password: "diffgram" tls: enabled: true autoGenerated: true - + resources: + requests: + cpu: "1.0" + memory: "1G" + limits: + cpu: "2.0" + memory: "2G" ####### End Dependencies nodeGroupLabel: null From 4c718b309ebe64e11a31ebf5e6b0aa6e8eeb2fe8 Mon Sep 17 00:00:00 2001 
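Review bot: The `diffgramSecrets` hunk swaps one placeholder for another usable default, `INTER_SERVICE_SECRET: interservicesecret_please_replace_with_secure_value`, next to the unchanged `FERNET_KEY` literal, so an install that overlooks the comment runs with secrets published in the chart repository. The `rabbitmq.auth` hunk `@@ -107,12 +106,18` shares the problem: correcting the key to `username:` presumably makes the `diffgram` / `diffgram` pair take effect in the dependency. Prefer empty defaults plus a render-time check in the secrets template (which is outside these hunks), e.g. `INTER_SERVICE_SECRET: {{ required "diffgramSecrets.INTER_SERVICE_SECRET must be set" .Values.diffgramSecrets.INTER_SERVICE_SECRET | quote }}`, or let operators reference an existing Kubernetes Secret instead of putting values in values.yaml. A comment on `diffgramSecrets` should state that none of the shipped values are safe for a reachable deployment.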
From: Pablo Date: Thu, 26 May 2022 16:34:53 -0600 Subject: [PATCH 7/9] feat: set version 1.0 --- Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Chart.yaml b/Chart.yaml index 94e0247..371afb3 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to From 9b83657b731267baadcd3c7065399aa07464c983 Mon Sep 17 00:00:00 2001 From: Pablo Date: Thu, 26 May 2022 16:36:44 -0600 Subject: [PATCH 8/9] fix: set to next major release --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index b7602d2..0a2b4fe 100644 --- a/values.yaml +++ b/values.yaml @@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. # The Diffgram Version. Whenever a new update arrives, this will be changed. -diffgramVersion: 0.16.0 +diffgramVersion: 1.0.0 # Either 'opencore' or 'enterprise'. Please note that selecting 'enterprise' # requires that you also set imagePullCredentials.gcrCredentials. From d3041d982ed678c658ba6fad8901bf1e0ee37df5 Mon Sep 17 00:00:00 2001 From: Pablo Date: Fri, 27 May 2022 08:18:46 -0600 Subject: [PATCH 9/9] fix: default values --- values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/values.yaml b/values.yaml index 0a2b4fe..6910083 100644 --- a/values.yaml +++ b/values.yaml @@ -116,8 +116,8 @@ rabbitmq: cpu: "1.0" memory: "1G" limits: - cpu: "2.0" - memory: "2G" + cpu: "1.0" + memory: "1G" ####### End Dependencies nodeGroupLabel: null 
@@ -141,8 +141,8 @@ eventHandlersService: cpu: "1.0" memory: "1G" limits: - cpu: "2.0" - memory: "2G" + cpu: "1.0" + memory: "1G" # The service for the UI frontend. # This are minimal defaults. Please feel free to change them as you start having more usage frontendService: