Remove unused charts

- Falco (Falco community provides its own well maintained chart)
- Daemonjob-controller (unused)
- Lockdown (unused)
- Metacontroller (unused)

For details, see the mailing list thread:
https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/27MWCXADBFHWLALH4CZF6K4UVHLLOJ2M/

Signed-off-by: Vladimir Kozhukalov <kozhukalov@gmail.com>
Change-Id: I5fc21946f23bf7b1e3b057ebc0eeb51b0fb1e955
Vladimir Kozhukalov
2026-03-30 12:41:45 -05:00
parent 26ba057c83
commit ae4dad898b
47 changed files with 0 additions and 7485 deletions


@@ -1,24 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v2
appVersion: v1.0.0
description: A Helm chart for DaemonjobController
name: daemonjob-controller
version: 2025.2.0
home: https://opendev.org/openstack
dependencies:
- name: helm-toolkit
repository: file://../helm-toolkit
version: ">= 0.1.0"
...


@@ -1,106 +0,0 @@
#!/usr/bin/env python
{{/*
Copyright 2019 Google Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
import copy
from http.server import BaseHTTPRequestHandler, HTTPServer
import io
import json
def is_job_finished(job):
if 'status' in job:
desiredNumberScheduled = job['status'].get('desiredNumberScheduled', 1)
numberReady = job['status'].get('numberReady', 0)
if (desiredNumberScheduled == numberReady and
desiredNumberScheduled > 0):
return True
return False
def new_daemon(job):
pause_image = {{ .Values.images.tags.pause | quote }}
daemon = copy.deepcopy(job)
daemon['apiVersion'] = 'apps/v1'
daemon['kind'] = 'DaemonSet'
daemon['metadata'] = {}
daemon['metadata']['name'] = '%s-dj' % (job['metadata']['name'])
daemon['metadata']['labels'] = copy.deepcopy(
job['spec']['template']['metadata']['labels'])
daemon['spec'] = {}
daemon['spec']['template'] = copy.deepcopy(job['spec']['template'])
daemon['spec']['template']['spec']['initContainers'] = copy.deepcopy(
job['spec']['template']['spec']['containers'])
daemon['spec']['template']['spec']['containers'] = [
{'name': "pause", 'image': job['spec'].get(
'pauseImage', pause_image),
'resources': {'requests': {'cpu': '10m'}}}]
daemon['spec']['selector'] = {'matchLabels': copy.deepcopy(
job['spec']['template']['metadata']['labels'])}
return daemon
class Controller(BaseHTTPRequestHandler):
def sync(self, job, children):
desired_status = {}
child = '%s-dj' % (job['metadata']['name'])
# If the job already finished at some point, freeze the status,
# delete children, and take no further action.
if is_job_finished(job):
desired_status = copy.deepcopy(job['status'])
desired_status['conditions'] = [
{'type': 'Complete', 'status': 'True'}]
return {'status': desired_status, 'children': []}
# Compute status based on what we observed,
# before building desired state.
# Our .status is just a copy of the DaemonSet .
# status with extra fields.
desired_status = copy.deepcopy(
children['DaemonSet.apps/v1'].get(child, {}).get('status', {}))
if is_job_finished(children['DaemonSet.apps/v1'].get(child, {})):
desired_status['conditions'] = [
{'type': 'Complete', 'status': 'True'}]
else:
desired_status['conditions'] = [
{'type': 'Complete', 'status': 'False'}]
# Always generate desired state for child if we reach this point.
# We should not delete children until after we know we've recorded
# completion in our status, which was the first check we did above.
desired_child = new_daemon(job)
return {'status': desired_status, 'children': [desired_child]}
def do_POST(self):
observed = json.loads(self.rfile.read(
int(self.headers.get('Content-Length'))))
desired = self.sync(observed['parent'], observed['children'])
self.send_response(200)
self.send_header('Content-type', 'application/json')
self.end_headers()
out = io.TextIOWrapper(
self.wfile,
encoding='utf-8',
line_buffering=False,
write_through=True,
)
out.write(json.dumps(desired))
out.detach()
HTTPServer(('', 80), Controller).serve_forever()


@@ -1,33 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{ $groupName := .Values.crds.group_name }}
{{ $groupVersion := .Values.crds.group_version }}
{{ $groupVersionFormat := printf "%s/%s" $groupName $groupVersion }}
apiVersion: metacontroller.k8s.io/v1alpha1
kind: CompositeController
metadata:
name: daemonjob-controller
spec:
generateSelector: true
parentResource:
apiVersion: {{ $groupVersionFormat }}
resource: daemonjobs
childResources:
- apiVersion: apps/v1
resource: daemonsets
hooks:
sync:
webhook:
url: http://daemonjob-controller.metacontroller/sync


@@ -1,25 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_bin }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: daemonjob-controller-bin
namespace: {{ .Release.Namespace }}
data:
sync.py: |
{{ tuple "bin/_sync-hook.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}



@@ -1,63 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.deployment }}
{{- $envAll := . }}
{{- $serviceAccountName := "daemonjob-controller-serviceaccount" }}
{{ tuple $envAll "daemonjob_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: daemonjob-controller
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 4 }}
namespace: {{ .Release.Namespace }}
labels:
{{ tuple $envAll "daemonjob-controller" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
replicas: {{ .Values.pod.replicas.daemonjob_controller }}
selector:
matchLabels:
{{ tuple $envAll "daemonjob-controller" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
template:
metadata:
annotations:
{{ dict "envAll" $envAll "podName" "daemonjob-controller" "containerNames" (list "controller") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
labels:
{{ tuple $envAll "daemonjob-controller" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
{{ .Values.labels.daemonjob_controller.node_selector_key }}: {{ .Values.labels.daemonjob_controller.node_selector_value | quote }}
containers:
- name: controller
{{ tuple $envAll "python" | include "helm-toolkit.snippets.image" | indent 8 }}
{{ tuple $envAll $envAll.Values.pod.resources.daemonjob_controller | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
{{ dict "envAll" $envAll "application" "daemonjob_controller" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
command:
- python
- /hooks/sync.py
volumeMounts:
- name: hooks
mountPath: /hooks
readOnly: true
volumes:
- name: hooks
configMap:
name: daemonjob-controller-bin
defaultMode: 0555
{{- end }}


@@ -1,8 +0,0 @@
{{ range .Values.extraObjects }}
---
{{ if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (toYaml .) $ }}
{{- end }}
{{ end }}


@@ -1,18 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "daemonjob-controller" -}}
{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
{{- end }}


@@ -1,17 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
{{- end }}


@@ -1,28 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.service }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ tuple "daemonjob_controller" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
namespace: {{ .Release.Namespace }}
spec:
ports:
- port: 80
selector:
{{ tuple $envAll "daemonjob-controller" "controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- end }}


@@ -1,164 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for elasticsearch
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
---
release_group: null
images:
tags:
python: docker.io/library/python:3.7-slim
pause: registry.k8s.io/pause:latest
image_repo_sync: quay.io/airshipit/docker:27.5.0
pullPolicy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
daemonjob_controller:
node_selector_key: openstack-control-plane
node_selector_value: enabled
crds:
group_name: ctl.example.com
group_version: v1
pod:
lifecycle:
upgrades:
deployments:
pod_replacement_strategy: RollingUpdate
revision_history: 3
rolling_update:
max_surge: 3
max_unavailable: 1
resources:
enabled: false
daemonjob_controller:
limits:
memory: "1024Mi"
cpu: "2000m"
requests:
memory: "128Mi"
cpu: "500m"
replicas:
daemonjob_controller: 1
security_context:
daemonjob_controller:
pod:
runAsUser: 34356
runAsNonRoot: true
container:
controller:
runAsUser: 0
readOnlyRootFilesystem: true
secrets:
oci_image_registry:
daemonjob-controller: daemonjob-controller-oci-image-registry-key
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oci_image_registry:
name: oci-image-registry
namespace: oci-image-registry
auth:
enabled: false
daemonjob-controller:
username: daemonjob-controller
password: password
hosts:
default: localhost
host_fqdn_override:
default: null
port:
registry:
default: null
daemonjob_controller:
hosts:
default: daemonjob-controller
host_fqdn_override:
default: null
port:
http:
default: 80
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- daemonjob-controller-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
daemonjob_controller:
services: null
manifests:
deployment: true
crds_create: true
job_image_repo_sync: true
configmap_bin: true
secret_registry: true
service: true
# -- Array of extra K8s manifests to deploy
## Note: Supports use of custom Helm templates
extraObjects: []
# - apiVersion: secrets-store.csi.x-k8s.io/v1
# kind: SecretProviderClass
# metadata:
# name: osh-secrets-store
# spec:
# provider: aws
# parameters:
# objects: |
# - objectName: "osh"
# objectType: "secretsmanager"
# jmesPath:
# - path: "client_id"
# objectAlias: "client_id"
# - path: "client_secret"
# objectAlias: "client_secret"
# secretObjects:
# - data:
# - key: client_id
# objectName: client_id
# - key: client_secret
# objectName: client_secret
# secretName: osh-secrets-store
# type: Opaque
# labels:
# app.kubernetes.io/part-of: osh
...


@@ -13,14 +13,12 @@ Infra charts options
ceph-provisioners
ceph-rgw
cert-rotation
daemonjob-controller
elastic-apm-server
elastic-filebeat
elastic-metricbeat
elastic-packetbeat
elasticsearch
etcd
falco
flannel
fluentbit
fluentd
@@ -35,12 +33,10 @@ Infra charts options
libvirt
local-storage
local-volume-provisioner
lockdown
mariadb
mariadb-backup
mariadb-cluster
memcached
metacontroller
mongodb
nagios
namespace-config


@@ -1,36 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v2
name: falco
version: 2025.2.0
appVersion: 0.11.1
description: Sysdig Falco
keywords:
- monitoring
- security
- alerting
- metric
- troubleshooting
- run-time
home: https://www.sysdig.com/opensource/falco/
icon: https://sysdig.com/wp-content/uploads/2016/08/falco_blog_480.jpg
sources:
- https://github.com/draios/falco
maintainers:
- name: OpenStack-Helm Authors
dependencies:
- name: helm-toolkit
repository: file://../helm-toolkit
version: ">= 0.1.0"
...


@@ -1,18 +0,0 @@
#!/bin/sh
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
exec /usr/bin/falco -K /var/run/secrets/kubernetes.io/serviceaccount/token -k https://kubernetes.default -pk


@@ -1,25 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_bin }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: falco-bin
data:
falco.sh: |
{{ tuple "bin/_falco.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@@ -1,26 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Secret
metadata:
name: falco
data:
falco.yaml: {{ toYaml .Values.conf.config | b64enc }}
falco_rules.yaml: {{ .Values.conf.rules.falco_rules | b64enc }}
falco_rules.local.yaml: {{ .Values.conf.rules.falco_rules_local | b64enc }}
{{- end }}


@@ -1,24 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.rules.custom_rules .Values.manifests.configmap_custom_rules }}
apiVersion: v1
kind: Secret
metadata:
name: falco-rules
data:
{{- range $file, $content := .Values.conf.rules.custom_rules }}
{{ $file }}: {{ $content | b64enc }}
{{- end }}
{{- end }}


@@ -1,149 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset }}
{{- $envAll := . }}
{{- $serviceAccountName := "falcon-service" }}
{{ tuple $envAll "falco" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups:
- ""
resources:
- nodes
- namespaces
- pods
- replicationcontrollers
- services
- events
- configmaps
verbs:
- get
- list
- watch
- nonResourceURLs:
- /healthz
- /healthz/*
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $serviceAccountName }}
roleRef:
kind: ClusterRole
name: {{ $serviceAccountName }}
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: falco-agent
labels:
{{ tuple $envAll "falco" "falco-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
{{ tuple $envAll "falco" "falco-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll "falco" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
template:
metadata:
labels:
{{ tuple $envAll "falco" "falco-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{ tuple $envAll "falco" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
containers:
- name: falco
{{ tuple $envAll "falco" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.falco | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
privileged: true
args:
- /tmp/falco.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- mountPath: /tmp/falco.sh
name: falco-bin
subPath: falco.sh
readOnly: true
- mountPath: /host/dev
name: dev-fs
- mountPath: /host/proc
name: proc-fs
readOnly: true
- mountPath: /host/boot
name: boot-fs
readOnly: true
- mountPath: /host/lib/modules
name: lib-modules
readOnly: true
- mountPath: /host/usr
name: usr-fs
readOnly: true
- mountPath: /etc/falco
name: config-volume
{{- if .Values.conf.rules.custom_rules }}
- mountPath: /etc/falco/rules.d
name: rules-volume
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: falco-bin
configMap:
name: falco-bin
defaultMode: 0555
- name: dshm
emptyDir:
medium: Memory
- name: dev-fs
hostPath:
path: /dev
- name: proc-fs
hostPath:
path: /proc
- name: boot-fs
hostPath:
path: /boot
- name: lib-modules
hostPath:
path: /lib/modules
- name: usr-fs
hostPath:
path: /usr
- name: config-volume
secret:
secretName: falco
{{- if .Values.conf.rules.custom_rules }}
- name: rules-volume
secret:
secretName: falco-rules
{{- end }}
{{- end }}


@@ -1,8 +0,0 @@
{{ range .Values.extraObjects }}
---
{{ if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (toYaml .) $ }}
{{- end }}
{{ end }}


@@ -1,18 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "falco" -}}
{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
{{- end }}


@@ -1,17 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
{{- end }}



@@ -1,21 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v2
appVersion: "1.0"
description: |
A helm chart used to lockdown all ingress and egress for a namespace
name: lockdown
version: 2025.2.0
home: https://kubernetes.io/docs/concepts/services-networking/network-policies/
...


@@ -1,8 +0,0 @@
{{ range .Values.extraObjects }}
---
{{ if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (toYaml .) $ }}
{{- end }}
{{ end }}


@@ -1,35 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if or .Values.conf.ingress.disallowed .Values.conf.egress.disallowed }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: {{ .Release.Namespace }}
spec:
policyTypes:
{{- if .Values.conf.ingress.disallowed }}
- Ingress
{{- end }}
{{- if .Values.conf.egress.disallowed }}
- Egress
{{- end }}
podSelector: {}
{{- if .Values.conf.ingress.disallowed }}
ingress: []
{{- end }}
{{- if .Values.conf.egress.disallowed }}
egress: []
{{- end }}
{{- end }}


@@ -1,51 +0,0 @@
---
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for lockdown chart.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
conf:
ingress:
disallowed: true
egress:
disallowed: true
# -- Array of extra K8s manifests to deploy
## Note: Supports use of custom Helm templates
extraObjects: []
# - apiVersion: secrets-store.csi.x-k8s.io/v1
# kind: SecretProviderClass
# metadata:
# name: osh-secrets-store
# spec:
# provider: aws
# parameters:
# objects: |
# - objectName: "osh"
# objectType: "secretsmanager"
# jmesPath:
# - path: "client_id"
# objectAlias: "client_id"
# - path: "client_secret"
# objectAlias: "client_secret"
# secretObjects:
# - data:
# - key: client_id
# objectName: client_id
# - key: client_secret
# objectName: client_secret
# secretName: osh-secrets-store
# type: Opaque
# labels:
# app.kubernetes.io/part-of: osh
...


@@ -1,31 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v2
appVersion: v0.4.2
description: A Helm chart for Metacontroller
name: metacontroller
version: 2025.2.0
home: https://metacontroller.app/
keywords:
- CRDs
- metacontroller
sources:
- https://github.com/GoogleCloudPlatform/metacontroller
maintainers:
- name: OpenStack-Helm Authors
dependencies:
- name: helm-toolkit
repository: file://../helm-toolkit
version: ">= 0.1.0"
...


@@ -1,333 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.crds }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: compositecontrollers.metacontroller.k8s.io
annotations:
"api-approved.kubernetes.io": "https://github.com/kubernetes/kubernetes/pull/78458"
spec:
group: metacontroller.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
properties:
generateSelector:
type: boolean
resyncPeriodSeconds:
format: int32
type: integer
parentResource:
properties:
apiVersion:
description: APIVersion is the combination of group & version of
the resource
type: string
resource:
description: Resource is the name of the resource. Its also the
plural of Kind
type: string
revisionHistory:
properties:
fieldPaths:
items:
type: string
type: array
type: object
required:
- apiVersion
- resource
type: object
childResources:
items:
properties:
apiVersion:
description: APIVersion is the combination of group & version
of the resource
type: string
resource:
description: Resource is the name of the resource. Its also the
plural of Kind
type: string
updateStrategy:
properties:
method:
description: ChildUpdateMethod represents a typed constant
to determine the update strategy of a child resource
type: string
statusChecks:
properties:
conditions:
items:
properties:
reason:
type: string
status:
type: string
type:
type: string
required:
- type
type: object
type: array
type: object
type: object
required:
- apiVersion
- resource
type: object
type: array
hooks:
properties:
finalize:
description: Hook refers to the logic that builds the desired state
of resources
properties:
inline:
description: Inline invocation to arrive at desired state
properties:
funcName:
type: string
type: object
webhook:
description: Webhook invocation to arrive at desired state
properties:
path:
type: string
service:
properties:
name:
type: string
namespace:
type: string
port:
format: int32
type: integer
protocol:
type: string
required:
- name
- namespace
type: object
timeout:
type: string
url:
type: string
type: object
type: object
postUpdateChild:
description: Hook refers to the logic that builds the desired state
of resources
properties:
inline:
description: Inline invocation to arrive at desired state
properties:
funcName:
type: string
type: object
webhook:
description: Webhook invocation to arrive at desired state
properties:
path:
type: string
service:
properties:
name:
type: string
namespace:
type: string
port:
format: int32
type: integer
protocol:
type: string
required:
- name
- namespace
type: object
timeout:
type: string
url:
type: string
type: object
type: object
preUpdateChild:
description: Hook refers to the logic that builds the desired state
of resources
properties:
inline:
description: Inline invocation to arrive at desired state
properties:
funcName:
type: string
type: object
webhook:
description: Webhook invocation to arrive at desired state
properties:
path:
type: string
service:
properties:
name:
type: string
namespace:
type: string
port:
format: int32
type: integer
protocol:
type: string
required:
- name
- namespace
type: object
timeout:
type: string
url:
type: string
type: object
type: object
sync:
description: Hook refers to the logic that builds the desired state
of resources
properties:
inline:
description: Inline invocation to arrive at desired state
properties:
funcName:
type: string
type: object
webhook:
description: Webhook invocation to arrive at desired state
properties:
path:
type: string
service:
properties:
name:
type: string
namespace:
type: string
port:
format: int32
type: integer
protocol:
type: string
required:
- name
- namespace
type: object
timeout:
type: string
url:
type: string
type: object
type: object
type: object
required:
- parentResource
status:
type: object
required:
- metadata
- spec
scope: Cluster
names:
plural: compositecontrollers
singular: compositecontroller
kind: CompositeController
shortNames:
- cc
- cctl
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: decoratorcontrollers.metacontroller.k8s.io
annotations:
"api-approved.kubernetes.io": "https://github.com/kubernetes/kubernetes/pull/78458"
spec:
group: metacontroller.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
scope: Cluster
names:
plural: decoratorcontrollers
singular: decoratorcontroller
kind: DecoratorController
shortNames:
- dec
- decorators
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: controllerrevisions.metacontroller.k8s.io
annotations:
"api-approved.kubernetes.io": "https://github.com/kubernetes/kubernetes/pull/78458"
spec:
group: metacontroller.k8s.io
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
scope: Namespaced
names:
plural: controllerrevisions
singular: controllerrevision
kind: ControllerRevision
{{- end }}


@@ -1,8 +0,0 @@
{{ range .Values.extraObjects }}
---
{{ if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (toYaml .) $ }}
{{- end }}
{{ end }}


@@ -1,18 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "metacontroller" -}}
{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
{{- end }}


@@ -1,17 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
{{- end }}


@@ -1,32 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.service }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ tuple "metacontroller" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
namespace: {{ .Release.Namespace }}
labels:
{{ tuple $envAll "metacontroller" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
clusterIP: None
ports:
- name: metacontroller
port: {{ tuple "metacontroller" "internal" "metacontroller" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
selector:
{{ tuple $envAll "metacontroller" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{- end }}


@@ -1,94 +0,0 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.statefulset }}
{{- $envAll := . }}
{{- $serviceAccountName := "metacontroller-serviceaccount" }}
{{ tuple $envAll "metacontroller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{ $controllerName := printf "%s-%s" .Release.Namespace $serviceAccountName }}
---
{{- if .Values.manifests.rbac }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $controllerName }}
rules:
- apiGroups:
- "*"
resources:
- "*"
verbs:
- "*"
{{- end }}
---
{{- if .Values.manifests.rbac }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $controllerName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ $controllerName }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: metacontroller
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 4 }}
namespace: {{ .Release.Namespace }}
labels:
{{ tuple $envAll "metacontroller" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
{{ tuple $envAll "metacontroller" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
serviceName: {{ tuple "metacontroller" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
podManagementPolicy: "Parallel"
replicas: {{ .Values.pod.replicas.metacontroller }}
template:
metadata:
labels:
{{ tuple $envAll "metacontroller" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "metacontroller" "containerNames" (list "metacontroller") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" . "application" "metacontroller" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.server.timeout | default "30" }}
nodeSelector:
{{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value | quote }}
containers:
- name: metacontroller
{{ tuple $envAll "metacontroller" | include "helm-toolkit.snippets.image" | indent 8 }}
{{ tuple $envAll $envAll.Values.pod.resources.metacontroller | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
{{ dict "envAll" $envAll "application" "metacontroller" "container" "metacontroller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
ports:
- name: metacontroller
containerPort: {{ tuple "metacontroller" "internal" "metacontroller" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
command:
- /usr/bin/metacontroller
args:
- --logtostderr
- -v=6
- --discovery-interval=20s
{{- end }}


@@ -1,162 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for elasticsearch
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
---
release_group: null
images:
tags:
metacontroller: metacontrollerio/metacontroller:v0.4.2
dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_jammy
image_repo_sync: quay.io/airshipit/docker:27.5.0
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- metacontroller-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
pod:
lifecycle:
termination_grace_period:
server:
timeout: 600
resources:
enabled: false
metacontroller:
limits:
memory: "1024Mi"
cpu: "2000m"
requests:
memory: "128Mi"
cpu: "500m"
replicas:
metacontroller: 1
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
security_context:
metacontroller:
pod:
runAsUser: 34356
container:
metacontroller:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
secrets:
oci_image_registry:
metacontroller: metacontroller-oci-image-registry-key
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oci_image_registry:
name: oci-image-registry
namespace: oci-image-registry
auth:
enabled: false
metacontroller:
username: metacontroller
password: password
hosts:
default: localhost
host_fqdn_override:
default: null
port:
registry:
default: null
metacontroller:
hosts:
default: metacontroller
host_fqdn_override:
default: null
port:
metacontroller:
default: 8083
manifests:
secret_registry: true
service: true
statefulset: true
job_image_repo_sync: true
crds: true
rbac: true
# -- Array of extra K8s manifests to deploy
## Note: Supports use of custom Helm templates
extraObjects: []
# - apiVersion: secrets-store.csi.x-k8s.io/v1
# kind: SecretProviderClass
# metadata:
# name: osh-secrets-store
# spec:
# provider: aws
# parameters:
# objects: |
# - objectName: "osh"
# objectType: "secretsmanager"
# jmesPath:
# - path: "client_id"
# objectAlias: "client_id"
# - path: "client_secret"
# objectAlias: "client_secret"
# secretObjects:
# - data:
# - key: client_id
# objectName: client_id
# - key: client_secret
# objectName: client_secret
# secretName: osh-secrets-store
# type: Opaque
# labels:
# app.kubernetes.io/part-of: osh
...


@@ -20,7 +20,6 @@ sections:
- [ceph-provisioners, ceph-provisioners Chart]
- [cinder, cinder Chart]
- [cloudkitty, cloudkitty Chart]
- [daemonjob-controller, daemonjob-controller Chart]
- [designate, designate Chart]
- [elastic-apm-server, elastic-apm-server Chart]
- [elastic-filebeat, elastic-filebeat Chart]
@@ -28,7 +27,6 @@ sections:
- [elastic-packetbeat, elastic-packetbeat Chart]
- [elasticsearch, elasticsearch Chart]
- [etcd, etcd Chart]
- [falco, falco Chart]
- [flannel, flannel Chart]
- [fluentbit, fluentbit Chart]
- [fluentd, fluentd Chart]
@@ -49,11 +47,9 @@ sections:
- [ldap, ldap Chart]
- [libvirt, libvirt Chart]
- [local-storage, local-storage Chart]
- [lockdown, lockdown Chart]
- [magnum, magnum Chart]
- [mariadb, mariadb Chart]
- [memcached, memcached Chart]
- [metacontroller, metacontroller Chart]
- [mistral, mistral Chart]
- [mongodb, mongodb Chart]
- [nagios, nagios Chart]


@@ -1,13 +0,0 @@
---
daemonjob-controller:
- 0.1.0 Initial Chart
- 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
- 0.1.2 Add default value for property in x-kubernetes-list-map-keys
- 0.1.3 Update to container image repo k8s.gcr.io
- 0.1.4 Use full image ref for docker official images
- 0.1.5 Update htk requirements
- 0.1.6 Added OCI registry authentication
- 0.1.7 Update kubernetes registry to registry.k8s.io
- 0.1.8 Update Chart.yaml apiVersion to v2
- 2024.2.0 Update version to align with the Openstack release cycle
...


@@ -1,16 +0,0 @@
---
falco:
- 0.1.0 Initial Chart
- 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
- 0.1.2 Update to container image repo k8s.gcr.io
- 0.1.3 Remove zookeeper residue
- 0.1.4 Remove kafka residue
- 0.1.5 Use full image ref for docker official images
- 0.1.6 Update htk requirements
- 0.1.7 Added OCI registry authentication
- 0.1.8 Replace node-role.kubernetes.io/master with control-plane
- 0.1.9 Update kubernetes registry to registry.k8s.io
- 0.1.10 Use quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal by default
- 0.1.11 Update Chart.yaml apiVersion to v2
- 2024.2.0 Update version to align with the Openstack release cycle
...


@@ -1,7 +0,0 @@
---
lockdown:
- 0.1.0 Initial Chart
- 0.1.1 Allows toggling
- 0.1.2 Update Chart.yaml apiVersion to v2
- 2024.2.0 Update version to align with the Openstack release cycle
...


@@ -1,13 +0,0 @@
---
metacontroller:
- 0.1.0 Initial Chart
- 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
- 0.1.2 Fix disappearing metacontroller CRDs on upgrade
- 0.1.3 Use full image ref for docker official images
- 0.1.4 Update htk requirements
- 0.1.5 Fix field validation error
- 0.1.6 Added OCI registry authentication
- 0.1.7 Use quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal by default
- 0.1.8 Update Chart.yaml apiVersion to v2
- 2024.2.0 Update version to align with the Openstack release cycle
...


@@ -1,117 +0,0 @@
#!/bin/bash
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
namespace="metacontroller"
: ${OSH_HELM_REPO:="../openstack-helm"}
: ${OSH_VALUES_OVERRIDES_PATH:="../openstack-helm/values_overrides"}
: ${HELM_ARGS_DAEMONJOB_CONTROLLER:="$(helm osh get-values-overrides -p ${OSH_VALUES_OVERRIDES_PATH} -c daemonjob-controller ${FEATURES})"}
#NOTE: Deploy command
helm upgrade --install daemonjob-controller ${OSH_HELM_REPO}/daemonjob-controller \
--namespace=$namespace \
--set pod.replicas.daemonjob_controller=4 \
${HELM_ARGS_DAEMONJOB_CONTROLLER}
#NOTE: Wait for deploy
helm osh wait-for-pods daemonjob-controller
#NOTE: CompositeController succesfully deployed
composite_controller_cr=$(kubectl get compositecontrollers | awk '{print $1}')
echo "$composite_controller_cr, a CompositeController created succesfully"
#NOTE: Check crd of APIGroup ctl.example.com
daemonjob_crd=$(kubectl get crd | awk '/ctl.example.com/{print $1}')
echo "$daemonjob_crd is succesfully created"
#NOTE: Check daemonjob_controller is running
pod=$(kubectl get pods -n $namespace | awk '/daemonjob-controller/{print $1}')
daemonjob_controller_status=$(kubectl get pods -n $namespace | awk '/daemonjob-controller/{print $3}')
NEXT_WAIT_TIME=0
until [[ $daemonjob_controller_status == 'Running' ]] || [ $NEXT_WAIT_TIME -eq 5 ]; do
daemonjob_controller_status=$(kubectl get pods -n $namespace | awk '/daemonjob-controller/{print $3}')
echo "DaemonjobController is not still up and running"
sleep 20
NEXT_WAIT_TIME=$((NEXT_WAIT_TIME+1))
done
#NOTE: Create sample-daemonjob.yaml
tee /tmp/sample-daemonjob.yaml << EOF
apiVersion: ctl.example.com/v1
kind: DaemonJob
metadata:
name: hello-world
annotations:
imageregistry: "https://hub.docker.com/"
labels:
app: hello-world
spec:
selector:
matchLabels:
app: hello-world
template:
metadata:
labels:
app: hello-world
annotations:
container.apparmor.security.beta.kubernetes.io/hello-world: localhost/docker-default
spec:
containers:
- name: hello-world
image: busybox
command: ["sh", "-c", "echo 'Hello world' && sleep 120"]
resources:
requests:
cpu: 10m
terminationGracePeriodSeconds: 10
EOF
dj="daemonjobs"
#NOTE: Deploy daemonjob
kubectl apply -f /tmp/sample-daemonjob.yaml
#NOTE: Wait for successful completion
NEXT_WAIT_TIME=0
echo "Wait for successful completion..."
until [[ "$(kubectl get $dj hello-world -o 'jsonpath={.status.conditions[0].status}')" == "True" ]] || [ $NEXT_WAIT_TIME -eq 5 ]; do
daemonset_pod=$(kubectl get pods | awk '/hello-world-dj/{print $1}')
if [ -z "$daemonset_pod" ]
then
echo "Child resource daemonset not yet created"
else
daemonset_pod_status=$(kubectl get pods | awk '/hello-world-dj/{print $3}')
if [ $daemonset_pod_status == 'Init:0/1' ]; then
kubectl describe dj hello-world
init_container_status=$(kubectl get pod $daemonset_pod -o 'jsonpath={.status.initContainerStatuses[0].state.running}')
if [ ! -z "$init_container_status" ]; then
expected_log=$(kubectl logs $daemonset_pod -c hello-world)
if [ $expected_log == 'Hello world' ]; then
echo "Strings are equal." && break
fi
fi
fi
fi
sleep 20
NEXT_WAIT_TIME=$((NEXT_WAIT_TIME+1))
done
#NOTE: Check that DaemonSet gets cleaned up after finishing
NEXT_WAIT_TIME=0
echo "Check that DaemonSet gets cleaned up after finishing..."
until [[ "$(kubectl get daemonset hello-world-dj 2>&1)" =~ NotFound ]] || [ $NEXT_WAIT_TIME -eq 5 ]; do
sleep 20
NEXT_WAIT_TIME=$((NEXT_WAIT_TIME+1))
done


@@ -1,24 +0,0 @@
#!/bin/bash
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
: ${OSH_HELM_REPO:="../openstack-helm"}
#NOTE: Deploy command
helm upgrade --install falco ${OSH_HELM_REPO}/falco \
--namespace=kube-system
#NOTE: Wait for deploy
helm osh wait-for-pods kube-system


@@ -1,28 +0,0 @@
#!/bin/bash
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
#NOTE: Define variables
: ${OSH_HELM_REPO:="../openstack-helm"}
: ${OSH_VALUES_OVERRIDES_PATH:="../openstack-helm/values_overrides"}
: ${OSH_EXTRA_HELM_ARGS_LOCKDOWN:="$(helm osh get-values-overrides ${DOWNLOAD_OVERRIDES:-} -p ${OSH_VALUES_OVERRIDES_PATH} -c lockdown ${FEATURES})"}
#NOTE: Deploy command
helm upgrade --install lockdown ${OSH_HELM_REPO}/lockdown \
--namespace=openstack \
${OSH_EXTRA_HELM_ARGS:=} \
${OSH_EXTRA_HELM_ARGS_LOCKDOWN}
#NOTE: Wait for deploy
helm osh wait-for-pods openstack


@@ -1,65 +0,0 @@
#!/bin/bash
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
namespace="metacontroller"
: ${OSH_HELM_REPO:="../openstack-helm"}
: ${OSH_VALUES_OVERRIDES_PATH:="../openstack-helm/values_overrides"}
: ${HELM_ARGS_METACONTROLLER:="$(helm osh get-values-overrides -p ${OSH_VALUES_OVERRIDES_PATH} -c metacontroller ${FEATURES})"}
#NOTE: Check no crd exists of APIGroup metacontroller.k8s.io
crds=$(kubectl get crd | awk '/metacontroller.k8s.io/{print $1}')
if [ -z "$crds" ]; then
echo "No crd exists of APIGroup metacontroller.k8s.io"
fi
tee /tmp/${namespace}-ns.yaml << EOF
apiVersion: v1
kind: Namespace
metadata:
labels:
kubernetes.io/metadata.name: ${namespace}
name: ${namespace}
name: ${namespace}
EOF
kubectl create -f /tmp/${namespace}-ns.yaml
#NOTE: Deploy command
helm upgrade --install metacontroller ${OSH_HELM_REPO}/metacontroller \
--namespace=$namespace \
--set pod.replicas.metacontroller=3 \
${HELM_ARGS_METACONTROLLER}
#NOTE: Wait for deploy
helm osh wait-for-pods metacontroller
#NOTE: Check crds of APIGroup metacontroller.k8s.io successfully created
crds=$(kubectl get crd | awk '/metacontroller.k8s.io/{print $1}')
COUNTER=0
for i in $crds
do
case $i in
"compositecontrollers.metacontroller.k8s.io") COUNTER=$((COUNTER+1));;
"controllerrevisions.metacontroller.k8s.io") COUNTER=$((COUNTER+1));;
"decoratorcontrollers.metacontroller.k8s.io") COUNTER=$((COUNTER+1));;
*) echo "This is a wrong crd!!!";;
esac
done
if test $COUNTER -eq 3; then
echo "crds created succesfully"
fi


@@ -1,9 +0,0 @@
---
pod:
security_context:
daemonjob_controller:
container:
controller:
appArmorProfile:
type: RuntimeDefault
...


@@ -1,9 +0,0 @@
---
pod:
security_context:
metacontroller:
container:
metacontroller:
appArmorProfile:
type: RuntimeDefault
...


@@ -67,22 +67,6 @@
- ./tools/gate/selenium/prometheus-selenium.sh || true
- ./tools/gate/selenium/nagios-selenium.sh || true
- job:
name: openstack-helm-metacontroller
parent: openstack-helm-deploy
nodeset: openstack-helm-1node-ubuntu_jammy
vars:
osh_params:
container_distro_name: ubuntu
container_distro_version: jammy
feature_gates: apparmor,gateway
ingress_setup: false
gate_scripts:
- ./tools/deployment/common/prepare-k8s.sh
- ./tools/deployment/common/prepare-charts.sh
- ./tools/deployment/common/metacontroller.sh
- ./tools/deployment/common/daemonjob-controller.sh
- job:
name: openstack-helm-mariadb-operator-2025-1-ubuntu_jammy
parent: openstack-helm-deploy


@@ -58,7 +58,6 @@
# Infra jobs
- openstack-helm-logging
- openstack-helm-monitoring
- openstack-helm-metacontroller
gate:
jobs:
- openstack-helm-linter
@@ -66,7 +65,6 @@
- openstack-helm-compute-kit-2025-1-ubuntu_jammy
# - openstack-helm-logging
# - openstack-helm-monitoring
- openstack-helm-metacontroller
post:
jobs:
- openstack-helm-publish-charts