From e7ada16e2a1ba635c7e36f6b444a44307bb34b55 Mon Sep 17 00:00:00 2001 
From: 23t-renovate Date: Tue, 15 Nov 2022 09:04:18 +0000 Subject: [PATCH] chore(deps): update dependency gardener/dashboard to v1.63.0 --- charts/gardener-dashboard/Chart.yaml | 4 +- .../charts/application/Chart.yaml | 8 + .../application}/templates/_versions.tpl | 0 .../application/templates/clusterrole.yaml | 88 +++ .../templates/clusterrolebinding.yaml | 27 + .../templates/serviceaccount.yaml | 6 +- .../charts/application/values.yaml | 381 ++++++++++ .../charts/runtime/Chart.yaml | 8 + .../runtime}/templates/_helper.tpl | 0 .../charts/runtime/templates/_versions.tpl | 16 + .../runtime}/templates/configmap-assets.yaml | 4 +- .../charts/runtime/templates/configmap.yaml | 352 +++++++++ .../runtime}/templates/deployment.yaml | 91 ++- .../runtime}/templates/ingress.yaml | 12 +- .../runtime}/templates/secret-github.yaml | 8 +- .../runtime}/templates/secret-kubeconfig.yaml | 4 +- .../runtime}/templates/secret-oidc.yaml | 6 +- .../templates/secret-sessionSecret.yaml | 2 +- .../charts/runtime/templates/secret-tls.yaml | 50 ++ .../runtime}/templates/service.yaml | 4 +- .../runtime/templates/serviceaccount.yaml} | 19 +- .../{ => charts/runtime}/templates/vpa.yaml | 14 +- .../charts/runtime/values.yaml | 381 ++++++++++ .../templates/configmap.yaml | 341 --------- .../templates/secret-tls.yaml | 50 -- charts/gardener-dashboard/values.yaml | 667 +++++++++--------- charts/identity/Chart.yaml | 2 +- charts/identity/values.yaml | 2 +- .../import-gardener-charts.py | 2 +- 29 files changed, 1751 insertions(+), 798 deletions(-) create mode 100644 charts/gardener-dashboard/charts/application/Chart.yaml rename charts/gardener-dashboard/{ => charts/application}/templates/_versions.tpl (100%) create mode 100644 charts/gardener-dashboard/charts/application/templates/clusterrole.yaml create mode 100644 charts/gardener-dashboard/charts/application/templates/clusterrolebinding.yaml rename charts/gardener-dashboard/{ => charts/application}/templates/serviceaccount.yaml (63%) create mode 
100644 charts/gardener-dashboard/charts/application/values.yaml create mode 100644 charts/gardener-dashboard/charts/runtime/Chart.yaml rename charts/gardener-dashboard/{ => charts/runtime}/templates/_helper.tpl (100%) create mode 100644 charts/gardener-dashboard/charts/runtime/templates/_versions.tpl rename charts/gardener-dashboard/{ => charts/runtime}/templates/configmap-assets.yaml (69%) create mode 100644 charts/gardener-dashboard/charts/runtime/templates/configmap.yaml rename charts/gardener-dashboard/{ => charts/runtime}/templates/deployment.yaml (57%) rename charts/gardener-dashboard/{ => charts/runtime}/templates/ingress.yaml (68%) rename charts/gardener-dashboard/{ => charts/runtime}/templates/secret-github.yaml (60%) rename charts/gardener-dashboard/{ => charts/runtime}/templates/secret-kubeconfig.yaml (75%) rename charts/gardener-dashboard/{ => charts/runtime}/templates/secret-oidc.yaml (62%) rename charts/gardener-dashboard/{ => charts/runtime}/templates/secret-sessionSecret.yaml (80%) create mode 100644 charts/gardener-dashboard/charts/runtime/templates/secret-tls.yaml rename charts/gardener-dashboard/{ => charts/runtime}/templates/service.yaml (85%) rename charts/gardener-dashboard/{templates/rbac.yaml => charts/runtime/templates/serviceaccount.yaml} (53%) rename charts/gardener-dashboard/{ => charts/runtime}/templates/vpa.yaml (54%) create mode 100644 charts/gardener-dashboard/charts/runtime/values.yaml delete mode 100644 charts/gardener-dashboard/templates/configmap.yaml delete mode 100644 charts/gardener-dashboard/templates/secret-tls.yaml diff --git a/charts/gardener-dashboard/Chart.yaml b/charts/gardener-dashboard/Chart.yaml index cd31f0f1..33233626 100644 --- a/charts/gardener-dashboard/Chart.yaml +++ b/charts/gardener-dashboard/Chart.yaml 
@@ -3,6 +3,6 @@
 # SPDX-License-Identifier: Apache-2.0
 apiVersion: v1
-description: A Helm chart for Gardener dashboard
+description: A Helm chart to deploy the Gardener dashboard
 name: gardener-dashboard
-version: 1.61.3
+version: 1.63.0
diff --git a/charts/gardener-dashboard/charts/application/Chart.yaml b/charts/gardener-dashboard/charts/application/Chart.yaml
new file mode 100644
index 00000000..d4174560
--- /dev/null
+++ b/charts/gardener-dashboard/charts/application/Chart.yaml
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2022 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+description: A Helm chart to deploy the Gardener dashboard application related components
+name: application
+version: 1.63.0
diff --git a/charts/gardener-dashboard/templates/_versions.tpl b/charts/gardener-dashboard/charts/application/templates/_versions.tpl
similarity index 100%
rename from charts/gardener-dashboard/templates/_versions.tpl
rename to charts/gardener-dashboard/charts/application/templates/_versions.tpl
diff --git a/charts/gardener-dashboard/charts/application/templates/clusterrole.yaml b/charts/gardener-dashboard/charts/application/templates/clusterrole.yaml
new file mode 100644
index 00000000..95f97c11
--- /dev/null
+++ b/charts/gardener-dashboard/charts/application/templates/clusterrole.yaml
@@ -0,0 +1,88 @@
+# SPDX-FileCopyrightText: 2022 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: {{ include "rbacversion" . }}
+kind: ClusterRole
+metadata:
+ name: gardener.cloud:system:dashboard
+ labels:
+ app: gardener-dashboard
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - core.gardener.cloud
+ resources:
+ - quotas
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - core.gardener.cloud
+ resources:
+ - projects
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - core.gardener.cloud
+ resources:
+ - shoots
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ verbs:
+ - get
+- apiGroups:
+ - core.gardener.cloud
+ resources:
+ - controllerregistrations
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ resourceNames:
+ - cluster-identity
+# required for terminal bootstrapping and gardener/dashboard#943
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+# required for terminal bootstrapping
+- apiGroups:
+ - core.gardener.cloud
+ resources:
+ - shoots
+ verbs:
+ - get
+- apiGroups:
+ - core.gardener.cloud
+ resources:
+ - shoots/adminkubeconfig
+ verbs:
+ - create
+- apiGroups:
+ - seedmanagement.gardener.cloud
+ resources:
+ - managedseeds
+ verbs:
+ - get
diff --git a/charts/gardener-dashboard/charts/application/templates/clusterrolebinding.yaml b/charts/gardener-dashboard/charts/application/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..4a563fed
--- /dev/null
+++ b/charts/gardener-dashboard/charts/application/templates/clusterrolebinding.yaml
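Review bot: The rules below the `# required for terminal bootstrapping` comments grant cluster-wide `get` on every `secrets` object and `create` on `shoots/adminkubeconfig` unconditionally, while the application chart's own defaults ship `features.terminalEnabled: false` and leave the `terminal:` block commented out. Read together, those verbs let the dashboard's identity pull an admin kubeconfig for any shoot and read any secret in the garden cluster, so a deployment that never enables terminals still carries that blast radius. Consider wrapping the three trailing rule groups in `{{- if .Values.global.terminal }}` … `{{- end }}` so the grant tracks the feature, and narrowing the `secrets` rule with `resourceNames` or a namespaced Role once the secret needed for gardener/dashboard#943 is known. The comment above that rule only cites the issue number; a sentence naming the secret it actually reads is what a future maintainer needs to narrow it safely.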
@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2022 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: {{ include "rbacversion" . }}
+kind: ClusterRoleBinding
+metadata:
+ name: gardener.cloud:system:dashboard
+ labels:
+ app: gardener-dashboard
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gardener.cloud:system:dashboard
+subjects:
+{{- if and .Values.global.virtualGarden.enabled .Values.global.virtualGarden.userName }}
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: {{ .Values.global.virtualGarden.userName }}
+{{- else }}
+- kind: ServiceAccount
+ name: {{ required ".Values.global.serviceAccountName is required" .Values.global.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/gardener-dashboard/templates/serviceaccount.yaml b/charts/gardener-dashboard/charts/application/templates/serviceaccount.yaml
similarity index 63%
rename from charts/gardener-dashboard/templates/serviceaccount.yaml
rename to charts/gardener-dashboard/charts/application/templates/serviceaccount.yaml
index d418c2bf..632a2d59 100644
--- a/charts/gardener-dashboard/templates/serviceaccount.yaml
+++ b/charts/gardener-dashboard/charts/application/templates/serviceaccount.yaml
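Review bot: With `virtualGarden.enabled: true` but `virtualGarden.userName` unset (it is commented out in the chart defaults), the `{{- if and … }}` falls through to the `else` branch and binds `gardener.cloud:system:dashboard` to a ServiceAccount in the virtual garden cluster rather than failing, so a half-configured virtual-garden install silently ends up with a subject the operator did not intend. Make the omission a render error instead: `{{- if .Values.global.virtualGarden.enabled }}` and `name: {{ required ".Values.global.virtualGarden.userName is required when virtualGarden is enabled" .Values.global.virtualGarden.userName }}`, mirroring the `required` guard the `else` branch already applies to `serviceAccountName`. The renamed serviceaccount.yaml in this patch keys off the same `enabled`/`userName` pair and would need the matching change.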
@@ -2,15 +2,15 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-{{- if not .Values.kubeconfig }}
+{{- if or ( not .Values.global.virtualGarden.enabled ) ( not .Values.global.virtualGarden.userName ) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: gardener-dashboard
+ name: {{ required ".Values.global.serviceAccountName is required" .Values.global.serviceAccountName }}
 namespace: {{ .Release.Namespace }}
 labels:
 app: gardener-dashboard
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 release: "{{ .Release.Name }}"
 heritage: "{{ .Release.Service }}"
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gardener-dashboard/charts/application/values.yaml b/charts/gardener-dashboard/charts/application/values.yaml
new file mode 100644
index 00000000..8c4989cf
--- /dev/null
+++ b/charts/gardener-dashboard/charts/application/values.yaml
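Review bot: The rewritten `{{- end }}` line drops the file's trailing newline (`\ No newline at end of file`), which the pre-rename version had; restore it so the template matches the rest of the chart. The new `{{- if or ( not … ) ( not … ) }}` is the negation of the `and` used in clusterrolebinding.yaml, which is correct but easy to misread; a one-line comment above it, `# the ServiceAccount is only needed when no virtual-garden user is bound instead`, would make the pairing explicit.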
@@ -0,0 +1,381 @@
+# SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Default values for gardener-dashboard.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+global:
+ replicaCount: 1
+
+ image:
+ repository: eu.gcr.io/gardener-project/gardener/dashboard
+ tag: 1.63.0
+ pullPolicy: IfNotPresent
+
+ # virtualGarden defines deployment related configuration
+ virtualGarden:
+ # enabled should be set to true if the application and runtime charts should be deployed on two separate clusters, usually in a so-called "virtual garden" setup
+ enabled: false
+ # # userName is the fully qualified name of the dashboard user, as it would be returned by the tokenreview (.status.user.username) on the virtual garden
+ # userName: runtime-cluster:system:serviceaccount:garden:gardener-dashboard
+
+ serviceAccountName: gardener-dashboard
+
+ serviceAccountTokenVolumeProjection:
+ enabled: true
+ expirationSeconds: 43200 # 12 hours
+ audience: ''
+
+ # vertical Pod autoscaling disabled by default
+ # vpa:
+ # updateMode: Off
+ # controlledValues: RequestsOnly
+ # minAllowedCpu: 50m
+ # minAllowedMemory: 100Mi
+ # maxAllowedCpu: 500m
+ # maxAllowedMemory: 500Mi
+
+ logLevel: debug
+ # # the external url of the apiServer
+ # apiServerUrl: https://api.example.org
+ # # the certificateAuthorityData of the kube apiserver
+ # apiServerCaData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkxpNHUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
+ # # or the certificateAuthority of the kube apiserver
+ # apiServerCa: |
+ # -----BEGIN CERTIFICATE-----
+ # Li4u
+ # -----END CERTIFICATE-----
+ # # or skip tls verify (insecure)
+ # apiServerSkipTlsVerify: true
+ # # Optional list of the intended audiences of the service account token (garden cluster)
+ # tokenRequestAudiences:
+ # - foo
+ # # the identifier of the gardener landscape (defaults to the name stored in kube-system/cluster-identity configmap)
+ # clusterIdentity: my-landscape-dev
+ containerPort: 8080
+ servicePort: 8080
+ resources:
+ limits:
+ cpu: 250m
+ memory: 300Mi
+ requests:
+ cpu: 100m
+ memory: 120Mi
+
+ # If dashboard is running in an environment with less than 1.5GB of available memory
+ # you should cap the maximum available "old space". In a Docker-512MB-Container,
+ # the value should not be greater than 90% of the available memory.
+ # nodeOptions: [--optimize-for-size, --max-old-space-size=460, --gc-interval=100]
+
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/use-port-in-redirects: "true"
+ kubernetes.io/ingress.class: nginx
+ # # configuration of hosts used for rules and tls
+ # hosts:
+ # - dashboard.ingress.example.org
+ # - dashboard.example.org
+ tls:
+ secretName: gardener-dashboard-tls
+ # crt: |
+ # -----BEGIN CERTIFICATE-----
+ # Li4u
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # Li4u
+ # -----END CERTIFICATE-----
+ # key: |
+ # -----BEGIN RSA PRIVATE KEY-----
+ # Li4u
+ # -----END RSA PRIVATE KEY-----
+
+ # sessionSecret is used for signing and encrytion of session data
+ sessionSecret: ~
+ oidc:
+ # well-known URL for OpenID Provider Issuer Discovery
+ issuerUrl: ~
+ # clientId is the public identifier of the gardener-dashboard aplication
+ clientId: dashboard
+ # clientSecret is the private secret of the gardener-dashboard aplication
+ clientSecret: ~
+ # # force PKCE usage
+ # usePKCE: true
+ # # sessionLifetime is the maximum lifetime of a login session without reauthentication in seconds (defaults to 86400)
+ # sessionLifetime: 86400
+ # # certificate authority of the OpenID provider
+ # ca: |
+ # -----BEGIN CERTIFICATE-----
+ # Li4u
+ # -----END CERTIFICATE-----
+ # # secretKey reference to the certificate authority
+ # caSecretKeyRef:
+ # name: oidc-ca-secret-name
+ # key: ca.crt
+ # # configuration for kubeconfig download required by kubelogin
+ # public:
+ # # clientId is the identifier of the public oidc client use by kubelogin
+ # clientId: kube-kubectl
+ # # clientSecret is the public client secret use by kubelogin and all users
+ # clientSecret: ~
+ # # force PKCE usage (automatically enabled if no clientSecret is given)
+ # usePKCE: true
+
+ frontendConfig:
+ landingPageUrl: https://github.com/gardener
+ # # asset configuration (see https://github.com/gardener/dashboard/blob/master/docs/Theming.md#logos-and-icons for the format and generation of the default values).
+ # assets:
+ # favicon-16x16.png: |
+ # favicon-32x32.png: |
+ # favicon-96x96.png: |
+ # favicon.ico: |
+ # logo.svg: |
+ helpMenuItems:
+ - title: Getting Started
+ icon: description
+ url: https://github.com/gardener/gardener/tree/master/docs
+ - title: Issues
+ icon: bug_report
+ url: https://github.com/gardener/gardener/issues
+ # ticket:
+ # avatarSource: github # Define from which source the avatar is fetched. For enterprise github instances it is recommended to use gravatar or none. Possible values: github, gravatar, none
+ # gitHubRepoUrl: https://foo-github.com/dummyorg/dummyrepo
+ # hideClustersWithLabels: # hides clusters with labels on the 'ALL PROJECTS' page if the respective table option is enabled
+ # - ignore
+ # newTicketLabels: # these are the labels that are automatically preselected when creating a new ticket
+ # - default-label
+ # # issueDescriptionTemplate variables:
+ # # - `${shootName}`: name of the shoot
+ # # - `${shootNamespace}`: namespace of the shoot
+ # # - `${shootCreatedAt}`: creation timestamp of the shoot, format 'YYYY-MM-DD'
+ # # - `${shootUrl}`: dashboard url of the shoot
+ # # - `${providerType}`: shoot provider type
+ # # - `${region}`: region of the shoot
+ # # - `${machineImageNames}`: comma separated list of (unique) machine image names from the shoot workers
+ # # - `${projectName}`: name of the project
+ # # - `${utcDateTimeNow}`: current date-time in utc format
+ # # - `${seedName}`: shoot's seed name
+ # issueDescriptionTemplate: |
+ # ## Which cluster is affected?
+
+ # `Cluster Details Dashboard Link`: [${projectName}/${shootName}](${shootUrl})
+ # `Operating System`: ${machineImageNames}
+ # `Platform`: ${providerType}
+
+ # ## What happened?
+
+ # ## What you expected to happen?
+
+ # ## When did it happen or started to happen?
+ # `Timestamp`: ${utcDateTimeNow}
+
+ # ## How would we reproduce it?
+
+ # ## Anything else we need to know?
+ defaultHibernationSchedule:
+ evaluation:
+ - start: 00 17 * * 1,2,3,4,5
+ development:
+ - start: 00 17 * * 1,2,3,4,5
+ end: 00 08 * * 1,2,3,4,5
+ production: ~
+ seedCandidateDeterminationStrategy: SameRegion
+ features:
+ terminalEnabled: false
+ projectTerminalShortcutsEnabled: false
+ # alert:
+ # type: error
+ # message: This is an **alert** banner
+ # # identifer: alert-identifier # Optional. If not set, a hash of the alert.message will be used as identifier. The identifier is used to store the user's decision to not show the alert message with this identifier again.
+
+ # terminal:
+ # shortcuts:
+ # - title: "Watch Control Plane Pods"
+ # description: Using kubectl to watch the pods of the control plane for this cluster
+ # target: cp # possible values: "cp" (Control Plane), "shoot", "garden"
+ # container:
+ # image: eu.gcr.io/gardener-project/gardener/ops-toolbelt:latest
+ # # command: ~
+ # args:
+ # - watch
+ # - kubectl
+ # - get
+ # - pods
+ # - "-o"
+ # - wide
+ # heartbeatIntervalSeconds: 60
+
+ # # costObject is used for billing purposes and is assigned to the gardener project
+ # costObject:
+ # title: Cost Object
+ # description: Costs for the control planes of the clusters in this project will be charged to this cost object.
+ # regex: ^([0-9]{10})$
+ # errorMessage: Invalid cost object
+
+ # sla:
+ # title: SLAs
+ # description: https://foo.example.com/gardener-sla
+
+ # # accessRestriction is used to define the access restricion text, keys and value mappings
+ # accessRestriction:
+ # noItemsText: No access restriction options available for region ${region} and cloud profile ${cloudProfile}
+ # items:
+ # - key: seed.gardener.cloud/eu-access
+ # display:
+ # visibleIf: true
+ # # title: foo # optional title, if not defined key will be used
+ # # description: bar # optional description displayed in a tooltip
+ # input:
+ # title: EU Access
+ # description: |
+ # This service is offered to you with our regular SLAs and 24x7 support for the control plane of the cluster. 24x7 support for cluster add-ons and nodes is only available if you meet the following conditions:
+ # # inverted: false
+ # options:
+ # - key: support.gardener.cloud/eu-access-for-cluster-addons
+ # display:
+ # visibleIf: false
+ # # title: bar # optional title, if not defined key will be used
+ # # description: baz # optional description displayed in a tooltip
+ # input:
+ # title: No personal data is used as name or in the content of Gardener or Kubernetes resources (e.g. Gardener project name or Kubernetes namespace, configMap or secret in Gardener or Kubernetes)
+ # description: |
+ # If you can't comply, only third-level/dev support at usual 8x5 working hours in EEA will be available to you for all cluster add-ons such as DNS and certificates, Calico overlay network and network policies, kube-proxy and services, and everything else that would require direct inspection of your cluster through its API server
+ # inverted: true
+ # - key: support.gardener.cloud/eu-access-for-cluster-nodes
+ # display:
+ # visibleIf: false
+ # input:
+ # title: No personal data is stored in any Kubernetes volume except for container file system, emptyDirs, and persistentVolumes (in particular, not on hostPath volumes)
+ # description: |
+ # If you can't comply, only third-level/dev support at usual 8x5 working hours in EEA will be available to you for all node-related components such as Docker and Kubelet, the operating system, and everything else that would require direct inspection of your nodes through a privileged pod or SSH
+ # inverted: true
+
+ # themes - overwrite theme colors with custom colors, use html color codes or material design colors defined by vuetify in the javascript color pack: https://vuetifyjs.com/en/styles/colors/#javascript-color-pack
+ # themes:
+ # light: # overwrite light theme colors
+ # primary: '#0b8062'
+ # anchor: '#0b8062'
+ # main-background: 'grey.darken3'
+ # main-navigation-title: 'shades.white'
+ # toolbar-background: '#0b8062'
+ # toolbar-title: 'shades.white'
+ # action-button: 'grey.darken4'
+ # dark: # overwrite dark theme colors
+ # primary: '#0b8062'
+ # anchor: '#0b8062'
+ # main-background: 'grey.darken3'
+ # main-navigation-title: 'shades.white'
+ # toolbar-background: '#0b8062'
+ # toolbar-title: 'shades.white'
+ # action-button: 'grey.lighten4'
+ # error: 'red.darken4'
+ # warning: 'orange.darken4'
+
+ # gardenctl - configure the default settings for the gardenctl commands
+ gardenctl:
+ legacyCommands: true # false to show gardenctl-v2 commands by default, true to show the legacy gardenctl commands. Can be overwritten by the user.
+
+ defaultNodesCIDR: 10.250.0.0/16 # default CIDR used for nodes network when creating new shoots
+
+ # serviceAccountDefaultTokenExpiration - is the default requested duration of validity of the token request for garden cluster service accounts.
+ # If no value is provided, the default value corresponds to 90 days
+ # The token issuer may return a token with a different validity duration
+ serviceAccountDefaultTokenExpiration: 7776000 # seconds
+
+ # # externalTools are links displayed in a dedicated card External Tools on the cluster details page.
+ # # The url can be an url-template (https://tools.ietf.org/html/rfc6570). The variables namespace and name of the shoot are available when the url is expanded.
+ # externalTools:
+ # - title: Example Tool
+ # icon: link
+ # url: https://example.org/foo/bar{?namespace,name}
+
+ # # github configuration of the ticket feature
+ # gitHub:
+ # apiUrl: https://api.foo-github.com
+ # org: dummyorg
+ # repository: dummyrepo
+ # webhookSecret: foobar # optional if pollIntervalSeconds is defined
+ # authentication:
+ # username: dashboard
+ # token: dummytoken
+ # # pollIntervalSeconds: 30 # only necessary when dashboard's webhook can't be reached by github and thus polling needs to be done
+
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+
+ # terminal:
+ # container:
+ # image: eu.gcr.io/gardener-project/gardener/ops-toolbelt:latest
+ # containerOperator:
+ # image: ~ # if not defined, value of terminal.container.image will be used
+ # containerImageDescriptions:
+ # - image: /eu.gcr.io/gardener-project/gardener/ops-toolbelt:.*/ # regexp must start and end with '/', otherwise it's an exact match
+ # description: Run `ghelp` to get information about installed tools and packages
+ # # serviceAccountTokenExpiration - is the default requested duration of validity of the token request for the "attach" service account (residing in the terminal host cluster)
+ # # If no value is provided, the default value corresponds to 12 hours
+ # # The token issuer may return a token with a different validity duration
+ # serviceAccountTokenExpiration: 43200 # seconds
+ # gardenTerminalHost: # cluster that hosts the terminal pods for the (virtual) garden cluster
+ # apiServerIngressHost: api.example.org # is host in browser-trusted certificate. Optional, but required if using secretRef
+ # secretRef:
+ # namespace: garden # namespace, in which the secret for the gardenTerminalHost resides on the (virtual) garden cluster
+ # labelSelector:
+ # - runtime=gardenTerminalHost
+ # # seedRef: my-soil # if set, you most likely want to disable gardenTerminalHost bootstrapping
+ # # shootRef: # if set, you most likely want to disable gardenTerminalHost bootstrapping
+ # # name: myshoot
+ # # namespace: garden
+ # garden: # (virtual) garden
+ # operatorCredentials: # this is the credential used for operators for the (virtual) garden cluster, to create terminal session specific service accounts
+ # serviceAccountRef: # serviceAccountRef or secretRef
+ # name: dashboard-terminal-admin
+ # namespace: garden
+ # bootstrap:
+ # disabled: true # indicates if bootstrapping resources required for the terminal feature is generally disabled
+ # seedDisabled: false # indicates if bootstrapping resources for seeds is disabled, required for gardener operator terminals
+ # shootDisabled: false # indicates if bootstrapping resources for shoots is disabled, required for enduser terminals
+ # gardenTerminalHostDisabled: false # indicates if bootstrapping resources for the virtual garden terminal host cluster is disabled
+ # apiServerIngress:
+ # annotations:
+ # kubernetes.io/ingress.class: nginx
+ # nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ # certmanager.k8s.io/cluster-issuer: lets-encrypt
+ # certmanager.k8s.io/acme-challenge-type: dns01
+ # certmanager.k8s.io/acme-dns01-provider: route53
+ # queueOptions: ~ # here you can specify options like maxRetries, retryDelay https://github.com/diamondio/better-queue#new-queueprocess-options
+ # gardenTerminalHost:
+ # namespace: garden # namespace, in which the tls-secret, ingress and headless service should be created in
+ # apiServerIngress:
+ # annotations:
+ # kubernetes.io/ingress.class: nginx
+ # nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ # apiServerTls: # Optional. Needs to be a browser-trusted certificate!
+ # crt: |
+ # -----BEGIN CERTIFICATE-----
+ # Li4u
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # Li4u
+ # -----END CERTIFICATE-----
+ # key: |
+ # -----BEGIN RSA PRIVATE KEY-----
+ # Li4u
+ # -----END RSA PRIVATE KEY-----
+
+ # unreachableSeeds: # disables some UI features for seeds that are unreachable by the dashboard
+ # matchLabels:
+ # seed.gardener.cloud/network: private
diff --git a/charts/gardener-dashboard/charts/runtime/Chart.yaml b/charts/gardener-dashboard/charts/runtime/Chart.yaml
new file mode 100644
index 00000000..0e77dacd
--- /dev/null
+++ b/charts/gardener-dashboard/charts/runtime/Chart.yaml
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+description: A Helm chart to deploy the Gardener dashboard runtime related components
+name: runtime
+version: 1.63.0
diff --git a/charts/gardener-dashboard/templates/_helper.tpl b/charts/gardener-dashboard/charts/runtime/templates/_helper.tpl
similarity index 100%
rename from charts/gardener-dashboard/templates/_helper.tpl
rename to charts/gardener-dashboard/charts/runtime/templates/_helper.tpl
diff --git a/charts/gardener-dashboard/charts/runtime/templates/_versions.tpl b/charts/gardener-dashboard/charts/runtime/templates/_versions.tpl
new file mode 100644
index 00000000..c5e58280
--- /dev/null
+++ b/charts/gardener-dashboard/charts/runtime/templates/_versions.tpl
@@ -0,0 +1,16 @@
+{{/*
+This file should only be symlinked! This text should appear to be
+modified only for a file in charts/_versions.tpl
+*/}}
+
+{{- define "rbacversion" -}}
+rbac.authorization.k8s.io/v1
+{{- end -}}
+
+{{- define "deploymentversion" -}}
+apps/v1
+{{- end -}}
+
+{{- define "ingressversion" -}}
+networking.k8s.io/v1
+{{- end -}}
\ No newline at end of file
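Review bot: `logLevel: debug` is the shipped default of a file whose other defaults (`sessionSecret: ~`, `oidc.clientSecret: ~`, `features.terminalEnabled: false`) are clearly production-oriented, and debug output from an OIDC-fronted service is where session and token material tends to end up in logs — presumably `logLevel: info` is the intended default, with `debug` left as an opt-in. The comments also carry typos that every downstream values file will copy: `encrytion` → `encryption` and `aplication` → `application` (twice under `oidc`). The `# vertical Pod autoscaling disabled by default` note describes behaviour this file cannot show — what the runtime chart's vpa.yaml does when the `vpa` key is absent is not visible here, so that sentence is worth checking against the template.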
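Review bot: `charts/runtime/templates/_versions.tpl` is added as a regular file (`new file mode 100644`) whose own header says `This file should only be symlinked!`, while the application subchart gets its copy through a rename earlier in this patch; the chart now carries two independent definitions of `rbacversion`, `deploymentversion` and `ingressversion` that can drift the next time one of them is bumped. Either add the runtime copy as a symlink to the application one (git mode 120000) or drop the header comment so it no longer promises a layout the chart does not have. The file also ends without a trailing newline (`\ No newline at end of file`).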
diff --git a/charts/gardener-dashboard/templates/configmap-assets.yaml b/charts/gardener-dashboard/charts/runtime/templates/configmap-assets.yaml
similarity index 69%
rename from charts/gardener-dashboard/templates/configmap-assets.yaml
rename to charts/gardener-dashboard/charts/runtime/templates/configmap-assets.yaml
index 173f256f..4b81923b 100644
--- a/charts/gardener-dashboard/templates/configmap-assets.yaml
+++ b/charts/gardener-dashboard/charts/runtime/templates/configmap-assets.yaml
@@ -2,13 +2,13 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-{{- if .Values.frontendConfig.assets }}
+{{- if .Values.global.frontendConfig.assets }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
 name: dashboard-assets
 binaryData:
-{{- range $file, $content := .Values.frontendConfig.assets }}
+{{- range $file, $content := .Values.global.frontendConfig.assets }}
 {{ $file }}: |
 {{ $content }}
 {{- end }}
diff --git a/charts/gardener-dashboard/charts/runtime/templates/configmap.yaml b/charts/gardener-dashboard/charts/runtime/templates/configmap.yaml
new file mode 100644
index 00000000..830fcb91
--- /dev/null
+++ b/charts/gardener-dashboard/charts/runtime/templates/configmap.yaml
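Review bot: `metadata` here still declares only `name: dashboard-assets`, whereas the runtime `configmap.yaml` added in this same patch sets `namespace: {{ .Release.Namespace }}` plus the `app`/`chart`/`release`/`heritage` labels; now that both live in one subchart, this one should carry `namespace: {{ .Release.Namespace }}` and the same label block so the two ConfigMaps are installed and selectable the same way. `binaryData` is a byte-valued field, so the `{{ $content }}` rendered under each `{{ $file }}: |` must already be base64 — a comment on the `assets:` key in values.yaml (`# values must be base64-encoded file contents`) would spare the next reader a rejected manifest.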
@@ -0,0 +1,352 @@ +# SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + +apiVersion: v1 +kind: ConfigMap +metadata: + name: gardener-dashboard-configmap + namespace: {{ .Release.Namespace }} + labels: + app: gardener-dashboard + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + login-config.json: | + { + "landingPageUrl": {{ quote .Values.global.frontendConfig.landingPageUrl }}, + {{- if .Values.global.oidc }} + "loginTypes": ["oidc", "token"] + {{- else }} + "loginTypes": ["token"] + {{- end }} + } + config.yaml: | + --- + port: {{ .Values.global.containerPort }} + logLevel: {{ .Values.global.logLevel }} + logFormat: text + apiServerUrl: {{ required ".Values.global.apiServerUrl is required" .Values.global.apiServerUrl }} + {{- if .Values.global.apiServerCaData }} + apiServerCaData: {{ .Values.global.apiServerCaData }} + {{- else if .Values.global.apiServerCa }} + apiServerCaData: {{ b64enc .Values.global.apiServerCa }} + {{- else if eq (default false .Values.global.apiServerSkipTlsVerify) true }} + apiServerSkipTlsVerify: true + {{- end }} + {{- if .Values.global.tokenRequestAudiences }} + tokenRequestAudiences: + {{- range .Values.global.tokenRequestAudiences }} + - {{ . 
}} + {{- end }} + {{- end }} + {{- if .Values.global.clusterIdentity }} + clusterIdentity: {{ .Values.global.clusterIdentity }} + {{- end }} + readinessProbe: + periodSeconds: {{ .Values.global.readinessProbe.periodSeconds }} + {{- if .Values.global.gitHub }} + gitHub: + apiUrl: {{ .Values.global.gitHub.apiUrl }} + {{- if .Values.global.gitHub.ca }} + ca: {{ quote .Values.global.gitHub.ca }} + {{- end }} + org: {{ .Values.global.gitHub.org }} + repository: {{ .Values.global.gitHub.repository }} + {{- if .Values.global.gitHub.pollIntervalSeconds }} + pollIntervalSeconds: {{ .Values.global.gitHub.pollIntervalSeconds }} + {{- end }} + {{- end }} + {{- if .Values.global.unreachableSeeds }} + unreachableSeeds: + {{- with .Values.global.unreachableSeeds.matchLabels }} + matchLabels: +{{ toYaml . | trim | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.global.oidc }} + oidc: + issuer: {{ required ".Values.global.oidc.issuerUrl is required" .Values.global.oidc.issuerUrl }} + {{- if .Values.global.oidc.usePKCE }} + usePKCE: true + {{- end }} + {{- if .Values.global.oidc.sessionLifetime }} + sessionLifetime: {{ .Values.global.oidc.sessionLifetime }} + {{- end }} + redirect_uris: + {{- $protocol := ternary "http" "https" ( empty .Values.global.ingress.tls ) }} + {{- range .Values.global.ingress.hosts }} + - "{{ $protocol }}://{{ . 
}}/auth/callback" + {{- end }} + {{- if .Values.global.oidc.scope }} + scope: {{ .Values.global.oidc.scope }} + {{- else }} + scope: "openid email profile groups audience:server:client_id:{{ .Values.global.oidc.clientId }} audience:server:client_id:kube-kubectl" + {{- end }} + {{- if hasKey .Values.global.oidc "rejectUnauthorized" }} + rejectUnauthorized: {{ .Values.global.oidc.rejectUnauthorized }} + {{- else }} + rejectUnauthorized: true + {{- end }} + {{- if .Values.global.oidc.ca }} + ca: {{ quote .Values.global.oidc.ca }} + {{- end }} + {{- if .Values.global.oidc.clockTolerance }} + clockTolerance: {{ .Values.global.oidc.clockTolerance }} + {{- end }} + {{- if .Values.global.oidc.public }} + public: + clientId: {{ .Values.global.oidc.public.clientId | default "kube-kubectl" }} + {{- if .Values.global.oidc.public.clientSecret }} + clientSecret: {{ .Values.global.oidc.public.clientSecret }} + {{- end }} + {{- if or .Values.global.oidc.public.usePKCE (not .Values.global.oidc.public.clientSecret) }} + usePKCE: true + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.terminal }} + terminal: + container: + image: {{ .Values.global.terminal.container.image }} + {{- if .Values.global.terminal.containerOperator }} + {{- if .Values.global.terminal.containerOperator.image }} + containerOperator: + image: {{ .Values.global.terminal.containerOperator.image }} + {{- end }} + {{- end }} + {{- if .Values.global.terminal.containerImageDescriptions }} + containerImageDescriptions: + {{- range .Values.global.terminal.containerImageDescriptions }} + - image: {{ .image }} + description: {{ .description }} + {{- end }} + {{- end }} + {{- if .Values.global.terminal.serviceAccountTokenExpiration }} + serviceAccountTokenExpiration: {{ .Values.global.terminal.serviceAccountTokenExpiration }} + {{- end }} + gardenTerminalHost: + {{- if .Values.global.terminal.gardenTerminalHost.secretRef }} + apiServerIngressHost: {{ 
.Values.global.terminal.gardenTerminalHost.apiServerIngressHost }} + secretRef: + namespace: {{ .Values.global.terminal.gardenTerminalHost.secretRef.namespace }} + {{- with .Values.global.terminal.gardenTerminalHost.secretRef.labelSelector }} + labelSelector: +{{ toYaml . | trim | indent 12 }} + {{- end }} + {{- end }} + {{- if .Values.global.terminal.gardenTerminalHost.seedRef }} + seedRef: {{ .Values.global.terminal.gardenTerminalHost.seedRef }} + {{- end }} + {{- if .Values.global.terminal.gardenTerminalHost.shootRef }} + shootRef: + name: {{ .Values.global.terminal.gardenTerminalHost.shootRef.name }} + namespace: {{ .Values.global.terminal.gardenTerminalHost.shootRef.namespace }} + {{- end }} + garden: + operatorCredentials: +{{ toYaml .Values.global.terminal.garden.operatorCredentials | trim | indent 10 }} + {{- if .Values.global.terminal.bootstrap }} + bootstrap: + disabled: {{ .Values.global.terminal.bootstrap.disabled | default false }} + {{- if ne .Values.global.terminal.bootstrap.disabled true }} + seedDisabled: {{ .Values.global.terminal.bootstrap.seedDisabled | default false }} + shootDisabled: {{ .Values.global.terminal.bootstrap.shootDisabled | default false }} + gardenTerminalHostDisabled: {{ .Values.global.terminal.bootstrap.gardenTerminalHostDisabled | default false }} + {{- if .Values.global.terminal.bootstrap.apiServerIngress }} + apiServerIngress: + {{- with .Values.global.terminal.bootstrap.apiServerIngress.annotations }} + annotations: +{{ toYaml . 
| trim | indent 12 }} + {{- end }} + {{- end }} + {{- if .Values.global.terminal.bootstrap.queueOptions }} + queueOptions: +{{ toYaml .Values.global.terminal.bootstrap.queueOptions | trim | indent 10 }} + {{- end }} + {{- if ne .Values.global.terminal.bootstrap.gardenTerminalHostDisabled true }} + gardenTerminalHost: + namespace: {{ .Values.global.terminal.bootstrap.gardenTerminalHost.namespace }} + apiServerIngress: + {{- with .Values.global.terminal.bootstrap.gardenTerminalHost.apiServerIngress.annotations }} + annotations: +{{ toYaml . | trim | indent 14 }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + frontend: + {{- if .Values.global.frontendConfig.helpMenuItems }} + helpMenuItems: + {{- range .Values.global.frontendConfig.helpMenuItems }} + - title: {{ .title }}{{- if .icon }} + icon: {{ .icon }}{{- end }} + url: {{ .url }}{{- if .target }} + target: {{ .target }}{{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.frontendConfig.externalTools }} + externalTools: + {{- range .Values.global.frontendConfig.externalTools }} + - title: {{ .title }}{{- if .icon }} + icon: {{ .icon }}{{- end }} + url: {{ .url }} + {{- end }} + {{- end }} + {{- if .Values.global.frontendConfig.ticket }} + ticket: + {{- if .Values.global.frontendConfig.ticket.hideClustersWithLabels }} + hideClustersWithLabels: + {{- range .Values.global.frontendConfig.ticket.hideClustersWithLabels }} + - {{ . }} + {{- end }} + {{- end }} + {{- if .Values.global.frontendConfig.ticket.newTicketLabels }} + newTicketLabels: + {{- range .Values.global.frontendConfig.ticket.newTicketLabels }} + - {{ . 
}} + {{- end }} + {{- end }} + gitHubRepoUrl: {{ .Values.global.frontendConfig.ticket.gitHubRepoUrl }} + avatarSource: {{ .Values.global.frontendConfig.ticket.avatarSource | default "github" }} + issueDescriptionTemplate: {{ quote .Values.global.frontendConfig.ticket.issueDescriptionTemplate }} + {{- end }} + features: + terminalEnabled: {{ .Values.global.frontendConfig.features.terminalEnabled | default false }} + projectTerminalShortcutsEnabled: {{ .Values.global.frontendConfig.features.projectTerminalShortcutsEnabled | default false }} + {{- if .Values.global.frontendConfig.terminal }} + terminal: + {{- if .Values.global.frontendConfig.terminal.heartbeatIntervalSeconds }} + heartbeatIntervalSeconds: {{ .Values.global.frontendConfig.terminal.heartbeatIntervalSeconds }} + {{- end }} + {{- if .Values.global.frontendConfig.terminal.shortcuts }} + shortcuts: + {{- range .Values.global.frontendConfig.terminal.shortcuts }} + - title: {{ .title }} + description: {{ .description }} + target: {{ .target }} + {{- if .container }} + container: + {{- if .container.image }} + image: {{ .container.image }} + {{- end }} + {{- if .container.command }} + command: + {{- range .container.command }} + - {{ . }} + {{- end }} + {{- end }} + {{- if .container.args }} + args: + {{- range .container.args }} + - {{ . 
}} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.frontendConfig.defaultHibernationSchedule }} + defaultHibernationSchedule: +{{ toYaml .Values.global.frontendConfig.defaultHibernationSchedule | trim | indent 8 }} + {{- end }} + {{- if .Values.global.frontendConfig.seedCandidateDeterminationStrategy }} + seedCandidateDeterminationStrategy: {{ .Values.global.frontendConfig.seedCandidateDeterminationStrategy }} + {{- end }} + {{- if .Values.global.frontendConfig.alert }} + alert: + type: {{ .Values.global.frontendConfig.alert.type }} + message: {{ .Values.global.frontendConfig.alert.message }} + {{- if .Values.global.frontendConfig.alert.identifier }} + identifier: {{ .Values.global.frontendConfig.alert.identifier }} + {{- end }} + {{- end }} + {{- if .Values.global.frontendConfig.costObject }} + costObject: + title: {{ .Values.global.frontendConfig.costObject.title }} + description: {{ .Values.global.frontendConfig.costObject.description }} + regex: {{ .Values.global.frontendConfig.costObject.regex }} + errorMessage: {{ .Values.global.frontendConfig.costObject.errorMessage }} + {{- end }} + {{- if .Values.global.frontendConfig.sla }} + sla: + title: {{ .Values.global.frontendConfig.sla.title }} + description: {{ quote .Values.global.frontendConfig.sla.description }} + {{- end }} + {{- if .Values.global.frontendConfig.accessRestriction }} + accessRestriction: + {{- if .Values.global.frontendConfig.accessRestriction.noItemsText }} + noItemsText: {{ quote .Values.global.frontendConfig.accessRestriction.noItemsText }} + {{- end }} + items: + {{- range .Values.global.frontendConfig.accessRestriction.items }} + - key: {{ .key }} + display: + visibleIf: {{ .display.visibleIf }}{{- if .display.title }} + title: {{ .display.title }}{{- end }}{{- if .display.description }} + description: {{ .display.description }}{{- end }} + input: + title: {{ quote .input.title }} + {{- if .input.description }} + description: {{ quote 
.input.description }} + {{- end }} + {{- if .input.inverted }} + inverted: {{ .input.inverted }} + {{- end }} + {{- if .options }} + options: + {{- range .options }} + - key: {{ .key }} + display: + visibleIf: {{ .display.visibleIf }}{{- if .display.title }} + title: {{ .display.title }}{{- end }}{{- if .display.description }} + description: {{ .display.description }}{{- end }} + input: + title: {{ quote .input.title }} + {{- if .input.description }} + description: {{ quote .input.description }} + {{- end }} + {{- if .input.inverted }} + inverted: {{ .input.inverted }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.frontendConfig.themes }} + themes: + {{- if .Values.global.frontendConfig.themes.light }} + {{- with .Values.global.frontendConfig.themes.light }} + light: +{{ toYaml . | trim | indent 12 }} + {{- end }} + {{- end }} + {{- if .Values.global.frontendConfig.themes.dark }} + {{- with .Values.global.frontendConfig.themes.dark }} + dark: +{{ toYaml . | trim | indent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.frontendConfig.vendorHints }} + vendorHints: + {{- range .Values.global.frontendConfig.vendorHints }} + - matchNames: {{ toJson .matchNames }} + message: {{ quote .message }} + {{- if .severity }} + severity: {{ .severity }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.frontendConfig.gardenctl }} + gardenctl: + legacyCommands: {{ .Values.global.frontendConfig.gardenctl.legacyCommands | default false }} + {{- end }} + {{- if .Values.global.frontendConfig.defaultNodesCIDR }} + defaultNodesCIDR: {{ .Values.global.frontendConfig.defaultNodesCIDR }} + {{- end }} + {{- if .Values.global.frontendConfig.serviceAccountDefaultTokenExpiration }} + serviceAccountDefaultTokenExpiration: {{ .Values.global.frontendConfig.serviceAccountDefaultTokenExpiration }} + {{- end }} \ No newline at end of file 
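Review bot: `oidc.public.clientSecret` is rendered in clear text into `config.yaml` inside this ConfigMap (the `public:` block in the middle of the hunk), while the primary OIDC client secret from the same configuration is delivered through `secret-oidc.yaml` and a `secretKeyRef` env var in the Deployment. Anyone with `get configmaps` in the release namespace, and every backup or rendered-manifest diff, therefore sees that credential. If the public client really needs a secret, routing it through the same Secret and an env var would match how `client_secret` is already handled; if not, a comment in values.yaml stating that `public.clientSecret` is optional and that PKCE is the intended mode (the template already forces `usePKCE: true` whenever no secret is given) would steer operators away from setting it. `terminal.garden.operatorCredentials` is dumped via `toYaml` into the same ConfigMap and its schema is not visible here, so it is worth confirming it carries only references rather than token material.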
diff --git a/charts/gardener-dashboard/templates/deployment.yaml b/charts/gardener-dashboard/charts/runtime/templates/deployment.yaml similarity index 57% rename from charts/gardener-dashboard/templates/deployment.yaml rename to charts/gardener-dashboard/charts/runtime/templates/deployment.yaml index f90dc9b1..2b05c5e7 100644 --- a/charts/gardener-dashboard/templates/deployment.yaml +++ b/charts/gardener-dashboard/charts/runtime/templates/deployment.yaml @@ -13,7 +13,7 @@ metadata: release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" spec: - replicas: {{ .Values.replicaCount }} + replicas: {{ .Values.global.replicaCount }} selector: matchLabels: app: gardener-dashboard @@ -23,20 +23,20 @@ spec: annotations: checksum/configmap-gardener-dashboard-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} checksum/secret-gardener-dashboard-sessionSecret: {{ include (print $.Template.BasePath "/secret-sessionSecret.yaml") . | sha256sum }} - {{- if .Values.oidc }} + {{- if .Values.global.oidc }} checksum/secret-gardener-dashboard-oidc: {{ include (print $.Template.BasePath "/secret-oidc.yaml") . | sha256sum }} {{- end }} - {{- if .Values.github }} + {{- if .Values.global.github }} checksum/secret-gardener-dashboard-github: {{ include (print $.Template.BasePath "/secret-github.yaml") . | sha256sum }} {{- end }} - {{- if .Values.kubeconfig }} + {{- if .Values.global.kubeconfig }} checksum/secret-gardener-dashboard-kubeconfig: {{ include (print $.Template.BasePath "/secret-kubeconfig.yaml") . | sha256sum }} {{- end }} labels: app: gardener-dashboard release: {{ .Release.Name }} - {{- if .Values.podLabels }} -{{ toYaml .Values.podLabels | indent 8 }} + {{- if .Values.global.podLabels }} +{{ toYaml .Values.global.podLabels | indent 8 }} {{- end }} spec: volumes: 
@@ -54,57 +54,71 @@ spec: - key: login-config.json path: login-config.json defaultMode: 0444 - {{- if .Values.frontendConfig.assets }} + {{- if .Values.global.frontendConfig.assets }} - name: assets configMap: name: dashboard-assets defaultMode: 0444 {{- end }} - {{- if .Values.kubeconfig }} + {{- if .Values.global.serviceAccountTokenVolumeProjection.enabled }} + - name: service-account-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: {{ required ".Values.global.serviceAccountTokenVolumeProjection.expirationSeconds is required" .Values.global.serviceAccountTokenVolumeProjection.expirationSeconds }} + {{- if .Values.global.serviceAccountTokenVolumeProjection.audience }} + audience: {{ .Values.global.serviceAccountTokenVolumeProjection.audience }} + {{- end }} + {{- end }} + {{- if .Values.global.kubeconfig }} - name: gardener-dashboard-secret-kubeconfig secret: secretName: gardener-dashboard-kubeconfig {{- end }} - {{- if .Values.kubeconfig }} + {{- if .Values.global.kubeconfig }} automountServiceAccountToken: false + {{- end }} + {{- if or ( not .Values.global.virtualGarden.enabled ) .Values.global.serviceAccountTokenVolumeProjection.enabled }} + serviceAccountName: {{ required ".Values.global.serviceAccountName is required" .Values.global.serviceAccountName }} {{- else }} - serviceAccountName: gardener-dashboard + serviceAccountName: default {{- end }} containers: - name: gardener-dashboard - {{- if .Values.nodeOptions }} + {{- if .Values.global.nodeOptions }} args: - {{- range .Values.nodeOptions }} + {{- range .Values.global.nodeOptions }} - {{ . 
}} {{- end }} - server.js {{- end }} - image: "{{ include "image" .Values.image }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} + image: "{{ include "image" .Values.global.image }}" + imagePullPolicy: {{ .Values.global.image.pullPolicy }} ports: - name: http - containerPort: {{ .Values.containerPort }} + containerPort: {{ .Values.global.containerPort }} protocol: TCP - {{- if .Values.livenessProbe.enabled }} + {{- if .Values.global.livenessProbe.enabled }} livenessProbe: tcpSocket: port: http - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.global.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.global.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.global.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.global.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.global.livenessProbe.failureThreshold }} {{- end }} - {{- if .Values.readinessProbe.enabled }} + {{- if .Values.global.readinessProbe.enabled }} readinessProbe: httpGet: path: /healthz port: http - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.global.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.global.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.global.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.global.readinessProbe.successThreshold }} + failureThreshold: {{ 
.Values.global.readinessProbe.failureThreshold }} {{- end }} env: - name: SESSION_SECRET @@ -112,7 +126,7 @@ spec: secretKeyRef: name: gardener-dashboard-sessionsecret key: keyValue - {{- if .Values.oidc }} + {{- if .Values.global.oidc }} - name: OIDC_CLIENT_ID valueFrom: secretKeyRef: @@ -123,15 +137,15 @@ spec: secretKeyRef: name: gardener-dashboard-oidc key: client_secret - {{- if .Values.oidc.caSecretKeyRef }} + {{- if .Values.global.oidc.caSecretKeyRef }} - name: OIDC_CA valueFrom: secretKeyRef: - name: {{ required ".Values.oidc.caSecretKeyRef.name is required" .Values.oidc.caSecretKeyRef.name }} - key: {{ .Values.oidc.caSecretKeyRef.key | default "ca.crt" }} + name: {{ required ".Values.global.oidc.caSecretKeyRef.name is required" .Values.global.oidc.caSecretKeyRef.name }} + key: {{ .Values.global.oidc.caSecretKeyRef.key | default "ca.crt" }} {{- end }} {{- end }} - {{- if .Values.gitHub }} + {{- if .Values.global.gitHub }} - name: GITHUB_AUTHENTICATION_TOKEN valueFrom: secretKeyRef: 
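Review bot: `automountServiceAccountToken: false` is still emitted only under `.Values.global.kubeconfig`, so with `serviceAccountTokenVolumeProjection.enabled` (which the new runtime values.yaml defaults to `true`) the pod carries two credentials for the same service account: the projected, audience-bound token under `/var/run/secrets/projected/serviceaccount` and the kubelet auto-mounted token under the default path, whose lifetime depends on the cluster's token settings. The second token is not needed if the dashboard reads the projected path, which this hunk does not show, so treat this as something to confirm rather than a definite defect. If it is the case, widening the guard to `{{- if or .Values.global.kubeconfig .Values.global.serviceAccountTokenVolumeProjection.enabled }}` leaves only the short-lived token in the pod. The `{{- else }}` branch also selects `serviceAccountName: default` when virtual-garden mode is on and projection is off, which mounts the namespace's default service account token into the dashboard pod; the enclosing pod spec starts outside the hunk, so whether that combination is meant to be supported is not visible here.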
@@ -145,23 +159,28 @@ spec: {{- end }} - name: GARDENER_CONFIG value: /etc/gardener-dashboard/config.yaml - {{- if .Values.kubeconfig }} + {{- if .Values.global.kubeconfig }} - name: KUBECONFIG value: /etc/gardener-dashboard/secrets/kubeconfig/kubeconfig {{- end }} resources: -{{ toYaml .Values.resources | trim | indent 12 }} +{{ toYaml .Values.global.resources | trim | indent 12 }} volumeMounts: - name: gardener-dashboard-config mountPath: /etc/gardener-dashboard - name: gardener-dashboard-login-config mountPath: /app/public/login-config.json subPath: login-config.json - {{- if .Values.frontendConfig.assets }} + {{- if .Values.global.frontendConfig.assets }} - name: assets mountPath: /app/public/static/assets {{- end }} - {{- if .Values.kubeconfig }} + {{- if .Values.global.serviceAccountTokenVolumeProjection.enabled }} + - name: service-account-token + mountPath: /var/run/secrets/projected/serviceaccount + readOnly: true + {{- end }} + {{- if .Values.global.kubeconfig }} - name: gardener-dashboard-secret-kubeconfig mountPath: /etc/gardener-dashboard/secrets/kubeconfig readOnly: true diff --git a/charts/gardener-dashboard/templates/ingress.yaml b/charts/gardener-dashboard/charts/runtime/templates/ingress.yaml similarity index 68% rename from charts/gardener-dashboard/templates/ingress.yaml rename to charts/gardener-dashboard/charts/runtime/templates/ingress.yaml index 9468dad5..d36d20ad 100644 --- a/charts/gardener-dashboard/templates/ingress.yaml +++ b/charts/gardener-dashboard/charts/runtime/templates/ingress.yaml 
@@ -12,21 +12,21 @@ metadata: chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" - {{- with .Values.ingress.annotations }} + {{- with .Values.global.ingress.annotations }} annotations: {{ toYaml . | indent 4 }} {{- end }} spec: -{{- if .Values.ingress.tls }} +{{- if .Values.global.ingress.tls }} tls: - - secretName: {{ required ".Values.ingress.tls.secretName is required" .Values.ingress.tls.secretName }} + - secretName: {{ required ".Values.global.ingress.tls.secretName is required" .Values.global.ingress.tls.secretName }} hosts: - {{- range .Values.ingress.hosts }} + {{- range .Values.global.ingress.hosts }} - {{ . }} {{- end }} {{- end }} rules: - {{- range .Values.ingress.hosts }} + {{- range .Values.global.ingress.hosts }} - host: {{ . }} http: paths: @@ -34,7 +34,7 @@ spec: service: name: gardener-dashboard-service port: - number: {{ $.Values.servicePort }} + number: {{ $.Values.global.servicePort }} path: / pathType: Prefix {{- end }} diff --git a/charts/gardener-dashboard/templates/secret-github.yaml b/charts/gardener-dashboard/charts/runtime/templates/secret-github.yaml similarity index 60% rename from charts/gardener-dashboard/templates/secret-github.yaml rename to charts/gardener-dashboard/charts/runtime/templates/secret-github.yaml index 53cb951d..e251e750 100644 --- a/charts/gardener-dashboard/templates/secret-github.yaml +++ b/charts/gardener-dashboard/charts/runtime/templates/secret-github.yaml @@ -2,7 +2,7 @@ # # SPDX-License-Identifier: Apache-2.0 -{{- if .Values.gitHub }} +{{- if .Values.global.gitHub }} apiVersion: v1 kind: Secret metadata: 
@@ -15,8 +15,8 @@ metadata: heritage: "{{ .Release.Service }}" type: Opaque data: - authentication.token: {{ required ".Values.gitHub.authentication.token is required" (b64enc .Values.gitHub.authentication.token) }} - {{- if .Values.gitHub.webhookSecret }} - webhookSecret: {{ b64enc .Values.gitHub.webhookSecret }} + authentication.token: {{ required ".Values.global.gitHub.authentication.token is required" (b64enc .Values.global.gitHub.authentication.token) }} + {{- if .Values.global.gitHub.webhookSecret }} + webhookSecret: {{ b64enc .Values.global.gitHub.webhookSecret }} {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/gardener-dashboard/templates/secret-kubeconfig.yaml b/charts/gardener-dashboard/charts/runtime/templates/secret-kubeconfig.yaml similarity index 75% rename from charts/gardener-dashboard/templates/secret-kubeconfig.yaml rename to charts/gardener-dashboard/charts/runtime/templates/secret-kubeconfig.yaml index b3e861bf..c118ca3a 100644 --- a/charts/gardener-dashboard/templates/secret-kubeconfig.yaml +++ b/charts/gardener-dashboard/charts/runtime/templates/secret-kubeconfig.yaml @@ -2,7 +2,7 @@ # # SPDX-License-Identifier: Apache-2.0 -{{- if .Values.kubeconfig }} +{{- if .Values.global.kubeconfig }} apiVersion: v1 kind: Secret metadata: @@ -15,5 +15,5 @@ metadata: heritage: "{{ .Release.Service }}" type: Opaque data: - kubeconfig: {{ required ".Values.kubeconfig is required" (b64enc .Values.kubeconfig) }} + kubeconfig: {{ required ".Values.global.kubeconfig is required" (b64enc .Values.global.kubeconfig) }} {{- end }} diff --git a/charts/gardener-dashboard/templates/secret-oidc.yaml b/charts/gardener-dashboard/charts/runtime/templates/secret-oidc.yaml similarity index 62% rename from charts/gardener-dashboard/templates/secret-oidc.yaml rename to charts/gardener-dashboard/charts/runtime/templates/secret-oidc.yaml index 1a45d3e1..2d9530b7 100644 --- a/charts/gardener-dashboard/templates/secret-oidc.yaml 
+++ b/charts/gardener-dashboard/charts/runtime/templates/secret-oidc.yaml @@ -2,7 +2,7 @@ # # SPDX-License-Identifier: Apache-2.0 -{{- if .Values.oidc }} +{{- if .Values.global.oidc }} apiVersion: v1 kind: Secret metadata: @@ -15,6 +15,6 @@ metadata: heritage: "{{ .Release.Service }}" type: Opaque data: - client_id: {{ required ".Values.oidc.clientId is required" (b64enc .Values.oidc.clientId) }} - client_secret: {{ required ".Values.oidc.clientSecret is required" (b64enc .Values.oidc.clientSecret) }} + client_id: {{ required ".Values.global.oidc.clientId is required" (b64enc .Values.global.oidc.clientId) }} + client_secret: {{ required ".Values.global.oidc.clientSecret is required" (b64enc .Values.global.oidc.clientSecret) }} {{- end }} \ No newline at end of file diff --git a/charts/gardener-dashboard/templates/secret-sessionSecret.yaml b/charts/gardener-dashboard/charts/runtime/templates/secret-sessionSecret.yaml similarity index 80% rename from charts/gardener-dashboard/templates/secret-sessionSecret.yaml rename to charts/gardener-dashboard/charts/runtime/templates/secret-sessionSecret.yaml index 01924f59..fa376eb1 100644 --- a/charts/gardener-dashboard/templates/secret-sessionSecret.yaml +++ b/charts/gardener-dashboard/charts/runtime/templates/secret-sessionSecret.yaml @@ -14,4 +14,4 @@ metadata: heritage: "{{ .Release.Service }}" type: Opaque data: - keyValue: {{ required ".Values.sessionSecret is required" (b64enc .Values.sessionSecret) }} \ No newline at end of file + keyValue: {{ required ".Values.global.sessionSecret is required" (b64enc .Values.global.sessionSecret) }} \ No newline at end of file diff --git a/charts/gardener-dashboard/charts/runtime/templates/secret-tls.yaml b/charts/gardener-dashboard/charts/runtime/templates/secret-tls.yaml new file mode 100644 index 00000000..d7454308 --- /dev/null +++ b/charts/gardener-dashboard/charts/runtime/templates/secret-tls.yaml 
@@ -0,0 +1,50 @@ +# SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + +{{- if .Values.global.ingress.tls }} +{{- if and .Values.global.ingress.tls.crt .Values.global.ingress.tls.key }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ required ".Values.global.ingress.tls.secretName is required" .Values.global.ingress.tls.secretName }} + namespace: {{ .Release.Namespace }} + labels: + app: gardener-dashboard + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: kubernetes.io/tls +data: + tls.crt: {{ required ".Values.global.ingress.tls.crt is required" (b64enc .Values.global.ingress.tls.crt) }} + tls.key: {{ required ".Values.global.ingress.tls.key is required" (b64enc .Values.global.ingress.tls.key) }} +{{- end }} +{{- end }} +{{- if .Values.global.terminal }} +{{- if .Values.global.terminal.bootstrap }} +{{- if ne .Values.global.terminal.bootstrap.disabled true }} +{{- if ne .Values.global.terminal.bootstrap.gardenTerminalHostDisabled true }} +{{- if .Values.global.terminal.bootstrap.gardenTerminalHost }} +{{- if .Values.global.terminal.bootstrap.gardenTerminalHost.apiServerTls }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: garden-host-cluster-apiserver-tls + namespace: {{ .Values.global.terminal.bootstrap.gardenTerminalHost.namespace }} + labels: + app: gardener-dashboard + component: dashboard-terminal + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: kubernetes.io/tls +data: + tls.crt: {{ required ".Values.global.terminal.bootstrap.gardenTerminalHost.apiServerTls.crt is required" (b64enc .Values.global.terminal.bootstrap.gardenTerminalHost.apiServerTls.crt) }} + tls.key: {{ required ".Values.global.terminal.bootstrap.gardenTerminalHost.apiServerTls.key is required" (b64enc 
.Values.global.terminal.bootstrap.gardenTerminalHost.apiServerTls.key) }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/gardener-dashboard/templates/service.yaml b/charts/gardener-dashboard/charts/runtime/templates/service.yaml similarity index 85% rename from charts/gardener-dashboard/templates/service.yaml rename to charts/gardener-dashboard/charts/runtime/templates/service.yaml index 0a9b427a..c52aacb3 100644 --- a/charts/gardener-dashboard/templates/service.yaml +++ b/charts/gardener-dashboard/charts/runtime/templates/service.yaml @@ -14,8 +14,8 @@ metadata: heritage: "{{ .Release.Service }}" spec: ports: - - port: {{ .Values.servicePort }} - targetPort: {{ .Values.containerPort }} + - port: {{ .Values.global.servicePort }} + targetPort: {{ .Values.global.containerPort }} protocol: TCP name: http selector: diff --git a/charts/gardener-dashboard/templates/rbac.yaml b/charts/gardener-dashboard/charts/runtime/templates/serviceaccount.yaml similarity index 53% rename from charts/gardener-dashboard/templates/rbac.yaml rename to charts/gardener-dashboard/charts/runtime/templates/serviceaccount.yaml index 06125dbd..efb8b9b0 100644 --- a/charts/gardener-dashboard/templates/rbac.yaml +++ b/charts/gardener-dashboard/charts/runtime/templates/serviceaccount.yaml 
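Review bot: The `required` calls on `ingress.tls.crt` and `ingress.tls.key` at the top of the file can never fire, because the Secret is only rendered inside `{{- if and .Values.global.ingress.tls.crt .Values.global.ingress.tls.key }}`. The practical effect is that a half-configured pair (`crt` given, `key` forgotten) renders no Secret at all while `ingress.yaml` in this same patch still references `ingress.tls.secretName`, so the mistake only surfaces at the ingress controller instead of at template time. If the guard exists to allow an externally managed TLS Secret, guarding on `{{- if or .Values.global.ingress.tls.crt .Values.global.ingress.tls.key }}` and keeping the `required` calls gives both: no Secret when neither is set, a hard failure when only one is. The second Secret for `gardenTerminalHost.apiServerTls` guards only on the parent key, so its `required` calls do work as intended.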
@@ -2,22 +2,15 @@ # # SPDX-License-Identifier: Apache-2.0 -{{- if not .Values.kubeconfig }} -apiVersion: {{ include "rbacversion" . }} -kind: ClusterRoleBinding +{{- if and .Values.global.virtualGarden.enabled .Values.global.serviceAccountTokenVolumeProjection.enabled }} +apiVersion: v1 +kind: ServiceAccount metadata: - name: garden.sapcloud.io:dashboard:admin + name: {{ required ".Values.global.serviceAccountName is required" .Values.global.serviceAccountName }} + namespace: {{ .Release.Namespace }} labels: app: gardener-dashboard chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: gardener-dashboard - namespace: {{ .Release.Namespace }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gardener-dashboard/templates/vpa.yaml b/charts/gardener-dashboard/charts/runtime/templates/vpa.yaml similarity index 54% rename from charts/gardener-dashboard/templates/vpa.yaml rename to charts/gardener-dashboard/charts/runtime/templates/vpa.yaml index 5befcf45..ecf9b557 100644 --- a/charts/gardener-dashboard/templates/vpa.yaml +++ b/charts/gardener-dashboard/charts/runtime/templates/vpa.yaml @@ -2,7 +2,7 @@ # # SPDX-License-Identifier: Apache-2.0 -{{- if .Values.vpa }} +{{- if .Values.global.vpa }} apiVersion: autoscaling.k8s.io/v1beta2 kind: VerticalPodAutoscaler metadata: 
@@ -14,16 +14,16 @@ spec: kind: Deployment name: gardener-dashboard updatePolicy: - updateMode: {{ .Values.vpa.updateMode | default "Off" }} + updateMode: {{ .Values.global.vpa.updateMode | default "Off" }} resourcePolicy: containerPolicies: - containerName: '*' - controlledValues: {{ .Values.vpa.controlledValues | default "RequestsOnly" }} + controlledValues: {{ .Values.global.vpa.controlledValues | default "RequestsOnly" }} controlledResources: ["cpu", "memory"] minAllowed: - cpu: {{ .Values.vpa.minAllowedCpu | default "50m" }} - memory: {{ .Values.vpa.minAllowedMemory | default "100Mi" }} + cpu: {{ .Values.global.vpa.minAllowedCpu | default "50m" }} + memory: {{ .Values.global.vpa.minAllowedMemory | default "100Mi" }} maxAllowed: - cpu: {{ .Values.vpa.maxAllowedCpu | default "500m" }} - memory: {{ .Values.vpa.maxAllowedMemory | default "500Mi" }} + cpu: {{ .Values.global.vpa.maxAllowedCpu | default "500m" }} + memory: {{ .Values.global.vpa.maxAllowedMemory | default "500Mi" }} {{- end }} diff --git a/charts/gardener-dashboard/charts/runtime/values.yaml b/charts/gardener-dashboard/charts/runtime/values.yaml new file mode 100644 index 00000000..8c4989cf --- /dev/null +++ b/charts/gardener-dashboard/charts/runtime/values.yaml 
@@ -0,0 +1,381 @@ +# SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Gardener contributors +# +# SPDX-License-Identifier: Apache-2.0 + +# Default values for gardener-dashboard. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + replicaCount: 1 + + image: + repository: eu.gcr.io/gardener-project/gardener/dashboard + tag: 1.63.0 + pullPolicy: IfNotPresent + + # virtualGarden defines deployment related configuration + virtualGarden: + # enabled should be set to true if the application and runtime charts should be deployed on two separate clusters, usually in a so-called "virtual garden" setup + enabled: false + # # userName is the fully qualified name of the dashboard user, as it would be returned by the tokenreview (.status.user.username) on the virtual garden + # userName: runtime-cluster:system:serviceaccount:garden:gardener-dashboard + + serviceAccountName: gardener-dashboard + + serviceAccountTokenVolumeProjection: + enabled: true + expirationSeconds: 43200 # 12 hours + audience: '' + + # vertical Pod autoscaling disabled by default + # vpa: + # updateMode: Off + # controlledValues: RequestsOnly + # minAllowedCpu: 50m + # minAllowedMemory: 100Mi + # maxAllowedCpu: 500m + # maxAllowedMemory: 500Mi + + logLevel: debug + # # the external url of the apiServer + # apiServerUrl: https://api.example.org + # # the certificateAuthorityData of the kube apiserver + # apiServerCaData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkxpNHUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== + # # or the certificateAuthority of the kube apiserver + # apiServerCa: | + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # # or skip tls verify (insecure) + # apiServerSkipTlsVerify: true + # # Optional list of the intended audiences of the service account token (garden cluster) + # tokenRequestAudiences: + # - foo + # # the identifier of the gardener landscape (defaults to the name stored in kube-system/cluster-identity 
configmap) + # clusterIdentity: my-landscape-dev + containerPort: 8080 + servicePort: 8080 + resources: + limits: + cpu: 250m + memory: 300Mi + requests: + cpu: 100m + memory: 120Mi + + # If dashboard is running in an environment with less than 1.5GB of available memory + # you should cap the maximum available "old space". In a Docker-512MB-Container, + # the value should not be greater than 90% of the available memory. + # nodeOptions: [--optimize-for-size, --max-old-space-size=460, --gc-interval=100] + + ingress: + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/use-port-in-redirects: "true" + kubernetes.io/ingress.class: nginx + # # configuration of hosts used for rules and tls + # hosts: + # - dashboard.ingress.example.org + # - dashboard.example.org + tls: + secretName: gardener-dashboard-tls + # crt: | + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # key: | + # -----BEGIN RSA PRIVATE KEY----- + # Li4u + # -----END RSA PRIVATE KEY----- + + # sessionSecret is used for signing and encrytion of session data + sessionSecret: ~ + oidc: + # well-known URL for OpenID Provider Issuer Discovery + issuerUrl: ~ + # clientId is the public identifier of the gardener-dashboard aplication + clientId: dashboard + # clientSecret is the private secret of the gardener-dashboard aplication + clientSecret: ~ + # # force PKCE usage + # usePKCE: true + # # sessionLifetime is the maximum lifetime of a login session without reauthentication in seconds (defaults to 86400) + # sessionLifetime: 86400 + # # certificate authority of the OpenID provider + # ca: | + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # # secretKey reference to the certificate authority + # caSecretKeyRef: + # name: oidc-ca-secret-name + # key: ca.crt + # # configuration for kubeconfig download required by kubelogin + # public: + # # clientId is the 
identifier of the public oidc client use by kubelogin + # clientId: kube-kubectl + # # clientSecret is the public client secret use by kubelogin and all users + # clientSecret: ~ + # # force PKCE usage (automatically enabled if no clientSecret is given) + # usePKCE: true + + frontendConfig: + landingPageUrl: https://github.com/gardener + # # asset configuration (see https://github.com/gardener/dashboard/blob/master/docs/Theming.md#logos-and-icons for the format and generation of the default values). + # assets: + # favicon-16x16.png: | + # favicon-32x32.png: | + # favicon-96x96.png: | + # favicon.ico: | + # logo.svg: | + helpMenuItems: + - title: Getting Started + icon: description + url: https://github.com/gardener/gardener/tree/master/docs + - title: Issues + icon: bug_report + url: https://github.com/gardener/gardener/issues + # ticket: + # avatarSource: github # Define from which source the avatar is fetched. For enterprise github instances it is recommended to use gravatar or none. 
Possible values: github, gravatar, none + # gitHubRepoUrl: https://foo-github.com/dummyorg/dummyrepo + # hideClustersWithLabels: # hides clusters with labels on the 'ALL PROJECTS' page if the respective table option is enabled + # - ignore + # newTicketLabels: # these are the labels that are automatically preselected when creating a new ticket + # - default-label + # # issueDescriptionTemplate variables: + # # - `${shootName}`: name of the shoot + # # - `${shootNamespace}`: namespace of the shoot + # # - `${shootCreatedAt}`: creation timestamp of the shoot, format 'YYYY-MM-DD' + # # - `${shootUrl}`: dashboard url of the shoot + # # - `${providerType}`: shoot provider type + # # - `${region}`: region of the shoot + # # - `${machineImageNames}`: comma separated list of (unique) machine image names from the shoot workers + # # - `${projectName}`: name of the project + # # - `${utcDateTimeNow}`: current date-time in utc format + # # - `${seedName}`: shoot's seed name + # issueDescriptionTemplate: | + # ## Which cluster is affected? + + # `Cluster Details Dashboard Link`: [${projectName}/${shootName}](${shootUrl}) + # `Operating System`: ${machineImageNames} + # `Platform`: ${providerType} + + # ## What happened? + + # ## What you expected to happen? + + # ## When did it happen or started to happen? + # `Timestamp`: ${utcDateTimeNow} + + # ## How would we reproduce it? + + # ## Anything else we need to know? + defaultHibernationSchedule: + evaluation: + - start: 00 17 * * 1,2,3,4,5 + development: + - start: 00 17 * * 1,2,3,4,5 + end: 00 08 * * 1,2,3,4,5 + production: ~ + seedCandidateDeterminationStrategy: SameRegion + features: + terminalEnabled: false + projectTerminalShortcutsEnabled: false + # alert: + # type: error + # message: This is an **alert** banner + # # identifer: alert-identifier # Optional. If not set, a hash of the alert.message will be used as identifier. 
The identifier is used to store the user's decision to not show the alert message with this identifier again. + + # terminal: + # shortcuts: + # - title: "Watch Control Plane Pods" + # description: Using kubectl to watch the pods of the control plane for this cluster + # target: cp # possible values: "cp" (Control Plane), "shoot", "garden" + # container: + # image: eu.gcr.io/gardener-project/gardener/ops-toolbelt:latest + # # command: ~ + # args: + # - watch + # - kubectl + # - get + # - pods + # - "-o" + # - wide + # heartbeatIntervalSeconds: 60 + + # # costObject is used for billing purposes and is assigned to the gardener project + # costObject: + # title: Cost Object + # description: Costs for the control planes of the clusters in this project will be charged to this cost object. + # regex: ^([0-9]{10})$ + # errorMessage: Invalid cost object + + # sla: + # title: SLAs + # description: https://foo.example.com/gardener-sla + + # # accessRestriction is used to define the access restricion text, keys and value mappings + # accessRestriction: + # noItemsText: No access restriction options available for region ${region} and cloud profile ${cloudProfile} + # items: + # - key: seed.gardener.cloud/eu-access + # display: + # visibleIf: true + # # title: foo # optional title, if not defined key will be used + # # description: bar # optional description displayed in a tooltip + # input: + # title: EU Access + # description: | + # This service is offered to you with our regular SLAs and 24x7 support for the control plane of the cluster. 
24x7 support for cluster add-ons and nodes is only available if you meet the following conditions: + # # inverted: false + # options: + # - key: support.gardener.cloud/eu-access-for-cluster-addons + # display: + # visibleIf: false + # # title: bar # optional title, if not defined key will be used + # # description: baz # optional description displayed in a tooltip + # input: + # title: No personal data is used as name or in the content of Gardener or Kubernetes resources (e.g. Gardener project name or Kubernetes namespace, configMap or secret in Gardener or Kubernetes) + # description: | + # If you can't comply, only third-level/dev support at usual 8x5 working hours in EEA will be available to you for all cluster add-ons such as DNS and certificates, Calico overlay network and network policies, kube-proxy and services, and everything else that would require direct inspection of your cluster through its API server + # inverted: true + # - key: support.gardener.cloud/eu-access-for-cluster-nodes + # display: + # visibleIf: false + # input: + # title: No personal data is stored in any Kubernetes volume except for container file system, emptyDirs, and persistentVolumes (in particular, not on hostPath volumes) + # description: | + # If you can't comply, only third-level/dev support at usual 8x5 working hours in EEA will be available to you for all node-related components such as Docker and Kubelet, the operating system, and everything else that would require direct inspection of your nodes through a privileged pod or SSH + # inverted: true + + # themes - overwrite theme colors with custom colors, use html color codes or material design colors defined by vuetify in the javascript color pack: https://vuetifyjs.com/en/styles/colors/#javascript-color-pack + # themes: + # light: # overwrite light theme colors + # primary: '#0b8062' + # anchor: '#0b8062' + # main-background: 'grey.darken3' + # main-navigation-title: 'shades.white' + # toolbar-background: '#0b8062' + # 
toolbar-title: 'shades.white' + # action-button: 'grey.darken4' + # dark: # overwrite dark theme colors + # primary: '#0b8062' + # anchor: '#0b8062' + # main-background: 'grey.darken3' + # main-navigation-title: 'shades.white' + # toolbar-background: '#0b8062' + # toolbar-title: 'shades.white' + # action-button: 'grey.lighten4' + # error: 'red.darken4' + # warning: 'orange.darken4' + + # gardenctl - configure the default settings for the gardenctl commands + gardenctl: + legacyCommands: true # false to show gardenctl-v2 commands by default, true to show the legacy gardenctl commands. Can be overwritten by the user. + + defaultNodesCIDR: 10.250.0.0/16 # default CIDR used for nodes network when creating new shoots + + # serviceAccountDefaultTokenExpiration - is the default requested duration of validity of the token request for garden cluster service accounts. + # If no value is provided, the default value corresponds to 90 days + # The token issuer may return a token with a different validity duration + serviceAccountDefaultTokenExpiration: 7776000 # seconds + + # # externalTools are links displayed in a dedicated card External Tools on the cluster details page. + # # The url can be an url-template (https://tools.ietf.org/html/rfc6570). The variables namespace and name of the shoot are available when the url is expanded. 
+ # externalTools: + # - title: Example Tool + # icon: link + # url: https://example.org/foo/bar{?namespace,name} + + # # github configuration of the ticket feature + # gitHub: + # apiUrl: https://api.foo-github.com + # org: dummyorg + # repository: dummyrepo + # webhookSecret: foobar # optional if pollIntervalSeconds is defined + # authentication: + # username: dashboard + # token: dummytoken + # # pollIntervalSeconds: 30 # only necessary when dashboard's webhook can't be reached by github and thus polling needs to be done + + livenessProbe: + enabled: true + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + # terminal: + # container: + # image: eu.gcr.io/gardener-project/gardener/ops-toolbelt:latest + # containerOperator: + # image: ~ # if not defined, value of terminal.container.image will be used + # containerImageDescriptions: + # - image: /eu.gcr.io/gardener-project/gardener/ops-toolbelt:.*/ # regexp must start and end with '/', otherwise it's an exact match + # description: Run `ghelp` to get information about installed tools and packages + # # serviceAccountTokenExpiration - is the default requested duration of validity of the token request for the "attach" service account (residing in the terminal host cluster) + # # If no value is provided, the default value corresponds to 12 hours + # # The token issuer may return a token with a different validity duration + # serviceAccountTokenExpiration: 43200 # seconds + # gardenTerminalHost: # cluster that hosts the terminal pods for the (virtual) garden cluster + # apiServerIngressHost: api.example.org # is host in browser-trusted certificate. 
Optional, but required if using secretRef + # secretRef: + # namespace: garden # namespace, in which the secret for the gardenTerminalHost resides on the (virtual) garden cluster + # labelSelector: + # - runtime=gardenTerminalHost + # # seedRef: my-soil # if set, you most likely want to disable gardenTerminalHost bootstrapping + # # shootRef: # if set, you most likely want to disable gardenTerminalHost bootstrapping + # # name: myshoot + # # namespace: garden + # garden: # (virtual) garden + # operatorCredentials: # this is the credential used for operators for the (virtual) garden cluster, to create terminal session specific service accounts + # serviceAccountRef: # serviceAccountRef or secretRef + # name: dashboard-terminal-admin + # namespace: garden + # bootstrap: + # disabled: true # indicates if bootstrapping resources required for the terminal feature is generally disabled + # seedDisabled: false # indicates if bootstrapping resources for seeds is disabled, required for gardener operator terminals + # shootDisabled: false # indicates if bootstrapping resources for shoots is disabled, required for enduser terminals + # gardenTerminalHostDisabled: false # indicates if bootstrapping resources for the virtual garden terminal host cluster is disabled + # apiServerIngress: + # annotations: + # kubernetes.io/ingress.class: nginx + # nginx.ingress.kubernetes.io/backend-protocol: HTTPS + # certmanager.k8s.io/cluster-issuer: lets-encrypt + # certmanager.k8s.io/acme-challenge-type: dns01 + # certmanager.k8s.io/acme-dns01-provider: route53 + # queueOptions: ~ # here you can specify options like maxRetries, retryDelay https://github.com/diamondio/better-queue#new-queueprocess-options + # gardenTerminalHost: + # namespace: garden # namespace, in which the tls-secret, ingress and headless service should be created in + # apiServerIngress: + # annotations: + # kubernetes.io/ingress.class: nginx + # nginx.ingress.kubernetes.io/backend-protocol: HTTPS + # apiServerTls: # 
Optional. Needs to be a browser-trusted certificate! + # crt: | + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # key: | + # -----BEGIN RSA PRIVATE KEY----- + # Li4u + # -----END RSA PRIVATE KEY----- + + # unreachableSeeds: # disables some UI features for seeds that are unreachable by the dashboard + # matchLabels: + # seed.gardener.cloud/network: private diff --git a/charts/gardener-dashboard/templates/configmap.yaml b/charts/gardener-dashboard/templates/configmap.yaml deleted file mode 100644 index 9a7d1aa1..00000000 --- a/charts/gardener-dashboard/templates/configmap.yaml +++ /dev/null 
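Review bot: The new runtime/values.yaml carries the same blob id (8c4989cf) as the parent chart's values.yaml in the hunk below, so the full 381-line defaults set — including the `sessionSecret`, OIDC `clientSecret` and ingress TLS key placeholders — now lives in two files that have to be kept in sync by hand. Because everything here is nested under `global:`, Helm already propagates the parent's values into the subchart, so this copy could presumably shrink to the keys the runtime chart actually reads on its own; confirm nothing in the runtime templates depends on subchart-local defaults. Two defaults deserve a comment: `logLevel: debug` ships as the out-of-the-box level, and `serviceAccountTokenVolumeProjection.audience: ''` says nothing about what the empty string produces in the rendered projected-token volume, e.g. `audience: '' # empty: no explicit audience is requested for the projected token — confirm how deployment.yaml renders this`.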
@@ -1,341 +0,0 @@ -# SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Gardener contributors -# -# SPDX-License-Identifier: Apache-2.0 - -apiVersion: v1 -kind: ConfigMap -metadata: - name: gardener-dashboard-configmap - namespace: {{ .Release.Namespace }} - labels: - app: gardener-dashboard - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -data: - login-config.json: | - { - "landingPageUrl": {{ quote .Values.frontendConfig.landingPageUrl }}, - {{- if .Values.oidc }} - "loginTypes": ["oidc", "token"] - {{- else }} - "loginTypes": ["token"] - {{- end }} - } - config.yaml: | - --- - port: {{ .Values.containerPort }} - logLevel: {{ .Values.logLevel }} - logFormat: text - apiServerUrl: {{ required ".Values.apiServerUrl is required" .Values.apiServerUrl }} - {{- if .Values.apiServerCaData }} - apiServerCaData: {{ .Values.apiServerCaData }} - {{- else if .Values.apiServerCa }} - apiServerCaData: {{ b64enc .Values.apiServerCa }} - {{- else if eq (default false .Values.apiServerSkipTlsVerify) true }} - apiServerSkipTlsVerify: true - {{- end }} - {{- if .Values.tokenRequestAudiences }} - tokenRequestAudiences: - {{- range .Values.tokenRequestAudiences }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.clusterIdentity }} - clusterIdentity: {{ .Values.clusterIdentity }} - {{- end }} - readinessProbe: - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - {{- if .Values.gitHub }} - gitHub: - apiUrl: {{ .Values.gitHub.apiUrl }} - {{- if .Values.gitHub.ca }} - ca: {{ quote .Values.gitHub.ca }} - {{- end }} - org: {{ .Values.gitHub.org }} - repository: {{ .Values.gitHub.repository }} - {{- if .Values.gitHub.pollIntervalSeconds }} - pollIntervalSeconds: {{ .Values.gitHub.pollIntervalSeconds }} - {{- end }} - {{- end }} - {{- if .Values.unreachableSeeds }} - unreachableSeeds: - {{- with .Values.unreachableSeeds.matchLabels }} - matchLabels: -{{ toYaml . 
| trim | indent 8 }} - {{- end }} - {{- end }} - {{- if .Values.oidc }} - oidc: - issuer: {{ required ".Values.oidc.issuerUrl is required" .Values.oidc.issuerUrl }} - redirect_uris: - {{- $protocol := ternary "http" "https" ( empty .Values.ingress.tls ) }} - {{- range .Values.ingress.hosts }} - - "{{ $protocol }}://{{ . }}/auth/callback" - {{- end }} - {{- if .Values.oidc.scope }} - scope: {{ .Values.oidc.scope }} - {{- else }} - scope: "openid email profile groups audience:server:client_id:{{ .Values.oidc.clientId }} audience:server:client_id:kube-kubectl" - {{- end }} - {{- if hasKey .Values.oidc "rejectUnauthorized" }} - rejectUnauthorized: {{ .Values.oidc.rejectUnauthorized }} - {{- else }} - rejectUnauthorized: true - {{- end }} - {{- if .Values.oidc.ca }} - ca: {{ quote .Values.oidc.ca }} - {{- end }} - {{- if .Values.oidc.clockTolerance }} - clockTolerance: {{ .Values.oidc.clockTolerance }} - {{- end }} - {{- if .Values.oidc.public }} - public: - clientId: {{ .Values.oidc.public.clientId | default "kube-kubectl" }} - clientSecret: {{ required ".Values.oidc.public.clientSecret" .Values.oidc.public.clientSecret }} - {{- end }} - {{- end }} - {{- if .Values.terminal }} - terminal: - container: - image: {{ .Values.terminal.container.image }} - {{- if .Values.terminal.containerOperator }} - {{- if .Values.terminal.containerOperator.image }} - containerOperator: - image: {{ .Values.terminal.containerOperator.image }} - {{- end }} - {{- end }} - {{- if .Values.terminal.containerImageDescriptions }} - containerImageDescriptions: - {{- range .Values.terminal.containerImageDescriptions }} - - image: {{ .image }} - description: {{ .description }} - {{- end }} - {{- end }} - {{- if .Values.terminal.serviceAccountTokenExpiration }} - serviceAccountTokenExpiration: {{ .Values.terminal.serviceAccountTokenExpiration }} - {{- end }} - gardenTerminalHost: - {{- if .Values.terminal.gardenTerminalHost.secretRef }} - apiServerIngressHost: {{ 
.Values.terminal.gardenTerminalHost.apiServerIngressHost }} - secretRef: - namespace: {{ .Values.terminal.gardenTerminalHost.secretRef.namespace }} - {{- with .Values.terminal.gardenTerminalHost.secretRef.labelSelector }} - labelSelector: -{{ toYaml . | trim | indent 12 }} - {{- end }} - {{- end }} - {{- if .Values.terminal.gardenTerminalHost.seedRef }} - seedRef: {{ .Values.terminal.gardenTerminalHost.seedRef }} - {{- end }} - {{- if .Values.terminal.gardenTerminalHost.shootRef }} - shootRef: - name: {{ .Values.terminal.gardenTerminalHost.shootRef.name }} - namespace: {{ .Values.terminal.gardenTerminalHost.shootRef.namespace }} - {{- end }} - garden: - operatorCredentials: -{{ toYaml .Values.terminal.garden.operatorCredentials | trim | indent 10 }} - {{- if .Values.terminal.bootstrap }} - bootstrap: - disabled: {{ .Values.terminal.bootstrap.disabled | default false }} - {{- if ne .Values.terminal.bootstrap.disabled true }} - seedDisabled: {{ .Values.terminal.bootstrap.seedDisabled | default false }} - shootDisabled: {{ .Values.terminal.bootstrap.shootDisabled | default false }} - gardenTerminalHostDisabled: {{ .Values.terminal.bootstrap.gardenTerminalHostDisabled | default false }} - {{- if .Values.terminal.bootstrap.apiServerIngress }} - apiServerIngress: - {{- with .Values.terminal.bootstrap.apiServerIngress.annotations }} - annotations: -{{ toYaml . | trim | indent 12 }} - {{- end }} - {{- end }} - {{- if .Values.terminal.bootstrap.queueOptions }} - queueOptions: -{{ toYaml .Values.terminal.bootstrap.queueOptions | trim | indent 10 }} - {{- end }} - {{- if ne .Values.terminal.bootstrap.gardenTerminalHostDisabled true }} - gardenTerminalHost: - namespace: {{ .Values.terminal.bootstrap.gardenTerminalHost.namespace }} - apiServerIngress: - {{- with .Values.terminal.bootstrap.gardenTerminalHost.apiServerIngress.annotations }} - annotations: -{{ toYaml . 
| trim | indent 14 }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - frontend: - {{- if .Values.frontendConfig.helpMenuItems }} - helpMenuItems: - {{- range .Values.frontendConfig.helpMenuItems }} - - title: {{ .title }}{{- if .icon }} - icon: {{ .icon }}{{- end }} - url: {{ .url }}{{- if .target }} - target: {{ .target }}{{- end }} - {{- end }} - {{- end }} - {{- if .Values.frontendConfig.externalTools }} - externalTools: - {{- range .Values.frontendConfig.externalTools }} - - title: {{ .title }}{{- if .icon }} - icon: {{ .icon }}{{- end }} - url: {{ .url }} - {{- end }} - {{- end }} - {{- if .Values.frontendConfig.ticket }} - ticket: - {{- if .Values.frontendConfig.ticket.hideClustersWithLabels }} - hideClustersWithLabels: - {{- range .Values.frontendConfig.ticket.hideClustersWithLabels }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.frontendConfig.ticket.newTicketLabels }} - newTicketLabels: - {{- range .Values.frontendConfig.ticket.newTicketLabels }} - - {{ . 
}} - {{- end }} - {{- end }} - gitHubRepoUrl: {{ .Values.frontendConfig.ticket.gitHubRepoUrl }} - avatarSource: {{ .Values.frontendConfig.ticket.avatarSource | default "github" }} - issueDescriptionTemplate: {{ quote .Values.frontendConfig.ticket.issueDescriptionTemplate }} - {{- end }} - features: - terminalEnabled: {{ .Values.frontendConfig.features.terminalEnabled | default false }} - projectTerminalShortcutsEnabled: {{ .Values.frontendConfig.features.projectTerminalShortcutsEnabled | default false }} - {{- if .Values.frontendConfig.terminal }} - terminal: - {{- if .Values.frontendConfig.terminal.heartbeatIntervalSeconds }} - heartbeatIntervalSeconds: {{ .Values.frontendConfig.terminal.heartbeatIntervalSeconds }} - {{- end }} - {{- if .Values.frontendConfig.terminal.shortcuts }} - shortcuts: - {{- range .Values.frontendConfig.terminal.shortcuts }} - - title: {{ .title }} - description: {{ .description }} - target: {{ .target }} - {{- if .container }} - container: - {{- if .container.image }} - image: {{ .container.image }} - {{- end }} - {{- if .container.command }} - command: - {{- range .container.command }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .container.args }} - args: - {{- range .container.args }} - - {{ . 
}} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.frontendConfig.defaultHibernationSchedule }} - defaultHibernationSchedule: -{{ toYaml .Values.frontendConfig.defaultHibernationSchedule | trim | indent 8 }} - {{- end }} - {{- if .Values.frontendConfig.seedCandidateDeterminationStrategy }} - seedCandidateDeterminationStrategy: {{ .Values.frontendConfig.seedCandidateDeterminationStrategy }} - {{- end }} - {{- if .Values.frontendConfig.alert }} - alert: - type: {{ .Values.frontendConfig.alert.type }} - message: {{ .Values.frontendConfig.alert.message }} - {{- if .Values.frontendConfig.alert.identifier }} - identifier: {{ .Values.frontendConfig.alert.identifier }} - {{- end }} - {{- end }} - {{- if .Values.frontendConfig.costObject }} - costObject: - title: {{ .Values.frontendConfig.costObject.title }} - description: {{ .Values.frontendConfig.costObject.description }} - regex: {{ .Values.frontendConfig.costObject.regex }} - errorMessage: {{ .Values.frontendConfig.costObject.errorMessage }} - {{- end }} - {{- if .Values.frontendConfig.sla }} - sla: - title: {{ .Values.frontendConfig.sla.title }} - description: {{ quote .Values.frontendConfig.sla.description }} - {{- end }} - {{- if .Values.frontendConfig.accessRestriction }} - accessRestriction: - {{- if .Values.frontendConfig.accessRestriction.noItemsText }} - noItemsText: {{ quote .Values.frontendConfig.accessRestriction.noItemsText }} - {{- end }} - items: - {{- range .Values.frontendConfig.accessRestriction.items }} - - key: {{ .key }} - display: - visibleIf: {{ .display.visibleIf }}{{- if .display.title }} - title: {{ .display.title }}{{- end }}{{- if .display.description }} - description: {{ .display.description }}{{- end }} - input: - title: {{ quote .input.title }} - {{- if .input.description }} - description: {{ quote .input.description }} - {{- end }} - {{- if .input.inverted }} - inverted: {{ .input.inverted }} - {{- end }} - {{- if .options }} - options: - {{- 
range .options }} - - key: {{ .key }} - display: - visibleIf: {{ .display.visibleIf }}{{- if .display.title }} - title: {{ .display.title }}{{- end }}{{- if .display.description }} - description: {{ .display.description }}{{- end }} - input: - title: {{ quote .input.title }} - {{- if .input.description }} - description: {{ quote .input.description }} - {{- end }} - {{- if .input.inverted }} - inverted: {{ .input.inverted }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.frontendConfig.themes }} - themes: - {{- if .Values.frontendConfig.themes.light }} - {{- with .Values.frontendConfig.themes.light }} - light: -{{ toYaml . | trim | indent 12 }} - {{- end }} - {{- end }} - {{- if .Values.frontendConfig.themes.dark }} - {{- with .Values.frontendConfig.themes.dark }} - dark: -{{ toYaml . | trim | indent 12 }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.frontendConfig.vendorHints }} - vendorHints: - {{- range .Values.frontendConfig.vendorHints }} - - matchNames: {{ toJson .matchNames }} - message: {{ quote .message }} - {{- if .severity }} - severity: {{ .severity }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.frontendConfig.gardenctl }} - gardenctl: - legacyCommands: {{ .Values.frontendConfig.gardenctl.legacyCommands | default false }} - {{- end }} - {{- if .Values.frontendConfig.defaultNodesCIDR }} - defaultNodesCIDR: {{ .Values.frontendConfig.defaultNodesCIDR }} - {{- end }} - {{- if .Values.frontendConfig.serviceAccountDefaultTokenExpiration }} - serviceAccountDefaultTokenExpiration: {{ .Values.frontendConfig.serviceAccountDefaultTokenExpiration }} - {{- end }} \ No newline at end of file diff --git a/charts/gardener-dashboard/templates/secret-tls.yaml b/charts/gardener-dashboard/templates/secret-tls.yaml deleted file mode 100644 index 86f79d12..00000000 --- a/charts/gardener-dashboard/templates/secret-tls.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -# SPDX-FileCopyrightText: 2021 SAP SE or an SAP affiliate company and Gardener contributors -# -# SPDX-License-Identifier: Apache-2.0 - -{{- if .Values.ingress.tls }} -{{- if and .Values.ingress.tls.crt .Values.ingress.tls.key }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ required ".Values.ingress.tls.secretName is required" .Values.ingress.tls.secretName }} - namespace: {{ .Release.Namespace }} - labels: - app: gardener-dashboard - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -type: kubernetes.io/tls -data: - tls.crt: {{ required ".Values.ingress.tls.crt is required" (b64enc .Values.ingress.tls.crt) }} - tls.key: {{ required ".Values.ingress.tls.key is required" (b64enc .Values.ingress.tls.key) }} -{{- end }} -{{- end }} -{{- if .Values.terminal }} -{{- if .Values.terminal.bootstrap }} -{{- if ne .Values.terminal.bootstrap.disabled true }} -{{- if ne .Values.terminal.bootstrap.gardenTerminalHostDisabled true }} -{{- if .Values.terminal.bootstrap.gardenTerminalHost }} -{{- if .Values.terminal.bootstrap.gardenTerminalHost.apiServerTls }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: garden-host-cluster-apiserver-tls - namespace: {{ .Values.terminal.bootstrap.gardenTerminalHost.namespace }} - labels: - app: gardener-dashboard - component: dashboard-terminal - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -type: kubernetes.io/tls -data: - tls.crt: {{ required ".Values.terminal.bootstrap.gardenTerminalHost.apiServerTls.crt is required" (b64enc .Values.terminal.bootstrap.gardenTerminalHost.apiServerTls.crt) }} - tls.key: {{ required ".Values.terminal.bootstrap.gardenTerminalHost.apiServerTls.key is required" (b64enc .Values.terminal.bootstrap.gardenTerminalHost.apiServerTls.key) }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} 
diff --git a/charts/gardener-dashboard/values.yaml b/charts/gardener-dashboard/values.yaml index 46229f73..8c4989cf 100644 --- a/charts/gardener-dashboard/values.yaml +++ b/charts/gardener-dashboard/values.yaml 
@@ -5,356 +5,377 @@ # Default values for gardener-dashboard. # This is a YAML-formatted file. # Declare variables to be passed into your templates. -replicaCount: 1 +global: + replicaCount: 1 -image: - repository: eu.gcr.io/gardener-project/gardener/dashboard - tag: 1.61.3 - pullPolicy: IfNotPresent + image: + repository: eu.gcr.io/gardener-project/gardener/dashboard + tag: 1.63.0 + pullPolicy: IfNotPresent -# vertical Pod autoscaling disabled by default -# vpa: -# updateMode: Off -# controlledValues: RequestsOnly -# minAllowedCpu: 50m -# minAllowedMemory: 100Mi -# maxAllowedCpu: 500m -# maxAllowedMemory: 500Mi + # virtualGarden defines deployment related configuration + virtualGarden: + # enabled should be set to true if the application and runtime charts should be deployed on two separate clusters, usually in a so-called "virtual garden" setup + enabled: false + # # userName is the fully qualified name of the dashboard user, as it would be returned by the tokenreview (.status.user.username) on the virtual garden + # userName: runtime-cluster:system:serviceaccount:garden:gardener-dashboard -logLevel: debug -# # the external url of the apiServer -# apiServerUrl: https://api.example.org -# # the certificateAuthorityData of the kube apiserver -# apiServerCaData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkxpNHUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== -# # or the certificateAuthority of the kube apiserver -# apiServerCa: | -# -----BEGIN CERTIFICATE----- -# Li4u -# -----END CERTIFICATE----- -# # or skip tls verify (insecure) -# apiServerSkipTlsVerify: true -# # Optional list of the intended audiences of the service account token (garden cluster) -# tokenRequestAudiences: -# - foo -# # the identifier of the gardener landscape (defaults to the name stored in kube-system/cluster-identity configmap) -# clusterIdentity: my-landscape-dev -containerPort: 8080 -servicePort: 8080 -resources: - limits: - cpu: 250m - memory: 300Mi - requests: - cpu: 100m - memory: 120Mi + 
serviceAccountName: gardener-dashboard -# If dashboard is running in an environment with less than 1.5GB of available memory -# you should cap the maximum available "old space". In a Docker-512MB-Container, -# the value should not be greater than 90% of the available memory. -# nodeOptions: [--optimize-for-size, --max-old-space-size=460, --gc-interval=100] + serviceAccountTokenVolumeProjection: + enabled: true + expirationSeconds: 43200 # 12 hours + audience: '' -ingress: - annotations: - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/use-port-in-redirects: "true" - kubernetes.io/ingress.class: nginx - # # configuration of hosts used for rules and tls - # hosts: - # - dashboard.ingress.example.org - # - dashboard.example.org - tls: - secretName: gardener-dashboard-tls - # crt: | - # -----BEGIN CERTIFICATE----- - # Li4u - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # Li4u - # -----END CERTIFICATE----- - # key: | - # -----BEGIN RSA PRIVATE KEY----- - # Li4u - # -----END RSA PRIVATE KEY----- + # vertical Pod autoscaling disabled by default + # vpa: + # updateMode: Off + # controlledValues: RequestsOnly + # minAllowedCpu: 50m + # minAllowedMemory: 100Mi + # maxAllowedCpu: 500m + # maxAllowedMemory: 500Mi -# sessionSecret is used for signing and encrytion of session data -sessionSecret: ~ -oidc: - # well-known URL for OpenID Provider Issuer Discovery - issuerUrl: ~ - # clientId is the public identifier of the gardener-dashboard aplication - clientId: dashboard - # clientSecret is the private secret of the gardener-dashboard aplication - clientSecret: ~ - # # certificate authority of the OpenID provider - # ca: | + logLevel: debug + # # the external url of the apiServer + # apiServerUrl: https://api.example.org + # # the certificateAuthorityData of the kube apiserver + # apiServerCaData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkxpNHUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== + # # or the certificateAuthority of the kube apiserver 
+ # apiServerCa: | # -----BEGIN CERTIFICATE----- # Li4u # -----END CERTIFICATE----- - # # secretKey reference to the certificate authority - # caSecretKeyRef: - # name: oidc-ca-secret-name - # key: ca.crt - # # configuration for kubeconfig download required by kubelogin - # public: - # # clientId is the identifier of the public oidc client use by kubelogin - # clientId: kube-kubectl - # # clientSecret is the public client secret use by kubelogin and all users - # clientSecret: ~ + # # or skip tls verify (insecure) + # apiServerSkipTlsVerify: true + # # Optional list of the intended audiences of the service account token (garden cluster) + # tokenRequestAudiences: + # - foo + # # the identifier of the gardener landscape (defaults to the name stored in kube-system/cluster-identity configmap) + # clusterIdentity: my-landscape-dev + containerPort: 8080 + servicePort: 8080 + resources: + limits: + cpu: 250m + memory: 300Mi + requests: + cpu: 100m + memory: 120Mi -frontendConfig: - landingPageUrl: https://github.com/gardener - # # asset configuration (see https://github.com/gardener/dashboard/blob/master/docs/Theming.md#logos-and-icons for the format and generation of the default values). - # assets: - # favicon-16x16.png: | - # favicon-32x32.png: | - # favicon-96x96.png: | - # favicon.ico: | - # logo.svg: | - helpMenuItems: - - title: Getting Started - icon: description - url: https://github.com/gardener/gardener/tree/master/docs - - title: Issues - icon: bug_report - url: https://github.com/gardener/gardener/issues - # ticket: - # avatarSource: github # Define from which source the avatar is fetched. For enterprise github instances it is recommended to use gravatar or none. 
Possible values: github, gravatar, none - # gitHubRepoUrl: https://foo-github.com/dummyorg/dummyrepo - # hideClustersWithLabels: # hides clusters with labels on the 'ALL PROJECTS' page if the respective table option is enabled - # - ignore - # newTicketLabels: # these are the labels that are automatically preselected when creating a new ticket - # - default-label - # # issueDescriptionTemplate variables: - # # - `${shootName}`: name of the shoot - # # - `${shootNamespace}`: namespace of the shoot - # # - `${shootCreatedAt}`: creation timestamp of the shoot, format 'YYYY-MM-DD' - # # - `${shootUrl}`: dashboard url of the shoot - # # - `${providerType}`: shoot provider type - # # - `${region}`: region of the shoot - # # - `${machineImageNames}`: comma separated list of (unique) machine image names from the shoot workers - # # - `${projectName}`: name of the project - # # - `${utcDateTimeNow}`: current date-time in utc format - # # - `${seedName}`: shoot's seed name - # issueDescriptionTemplate: | - # ## Which cluster is affected? + # If dashboard is running in an environment with less than 1.5GB of available memory + # you should cap the maximum available "old space". In a Docker-512MB-Container, + # the value should not be greater than 90% of the available memory. 
+ # nodeOptions: [--optimize-for-size, --max-old-space-size=460, --gc-interval=100] - # `Cluster Details Dashboard Link`: [${projectName}/${shootName}](${shootUrl}) - # `Operating System`: ${machineImageNames} - # `Platform`: ${providerType} + ingress: + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/use-port-in-redirects: "true" + kubernetes.io/ingress.class: nginx + # # configuration of hosts used for rules and tls + # hosts: + # - dashboard.ingress.example.org + # - dashboard.example.org + tls: + secretName: gardener-dashboard-tls + # crt: | + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # key: | + # -----BEGIN RSA PRIVATE KEY----- + # Li4u + # -----END RSA PRIVATE KEY----- - # ## What happened? + # sessionSecret is used for signing and encrytion of session data + sessionSecret: ~ + oidc: + # well-known URL for OpenID Provider Issuer Discovery + issuerUrl: ~ + # clientId is the public identifier of the gardener-dashboard aplication + clientId: dashboard + # clientSecret is the private secret of the gardener-dashboard aplication + clientSecret: ~ + # # force PKCE usage + # usePKCE: true + # # sessionLifetime is the maximum lifetime of a login session without reauthentication in seconds (defaults to 86400) + # sessionLifetime: 86400 + # # certificate authority of the OpenID provider + # ca: | + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # # secretKey reference to the certificate authority + # caSecretKeyRef: + # name: oidc-ca-secret-name + # key: ca.crt + # # configuration for kubeconfig download required by kubelogin + # public: + # # clientId is the identifier of the public oidc client use by kubelogin + # clientId: kube-kubectl + # # clientSecret is the public client secret use by kubelogin and all users + # clientSecret: ~ + # # force PKCE usage (automatically enabled if no clientSecret is 
given) + # usePKCE: true - # ## What you expected to happen? + frontendConfig: + landingPageUrl: https://github.com/gardener + # # asset configuration (see https://github.com/gardener/dashboard/blob/master/docs/Theming.md#logos-and-icons for the format and generation of the default values). + # assets: + # favicon-16x16.png: | + # favicon-32x32.png: | + # favicon-96x96.png: | + # favicon.ico: | + # logo.svg: | + helpMenuItems: + - title: Getting Started + icon: description + url: https://github.com/gardener/gardener/tree/master/docs + - title: Issues + icon: bug_report + url: https://github.com/gardener/gardener/issues + # ticket: + # avatarSource: github # Define from which source the avatar is fetched. For enterprise github instances it is recommended to use gravatar or none. Possible values: github, gravatar, none + # gitHubRepoUrl: https://foo-github.com/dummyorg/dummyrepo + # hideClustersWithLabels: # hides clusters with labels on the 'ALL PROJECTS' page if the respective table option is enabled + # - ignore + # newTicketLabels: # these are the labels that are automatically preselected when creating a new ticket + # - default-label + # # issueDescriptionTemplate variables: + # # - `${shootName}`: name of the shoot + # # - `${shootNamespace}`: namespace of the shoot + # # - `${shootCreatedAt}`: creation timestamp of the shoot, format 'YYYY-MM-DD' + # # - `${shootUrl}`: dashboard url of the shoot + # # - `${providerType}`: shoot provider type + # # - `${region}`: region of the shoot + # # - `${machineImageNames}`: comma separated list of (unique) machine image names from the shoot workers + # # - `${projectName}`: name of the project + # # - `${utcDateTimeNow}`: current date-time in utc format + # # - `${seedName}`: shoot's seed name + # issueDescriptionTemplate: | + # ## Which cluster is affected? - # ## When did it happen or started to happen? 
- # `Timestamp`: ${utcDateTimeNow} + # `Cluster Details Dashboard Link`: [${projectName}/${shootName}](${shootUrl}) + # `Operating System`: ${machineImageNames} + # `Platform`: ${providerType} - # ## How would we reproduce it? + # ## What happened? - # ## Anything else we need to know? - defaultHibernationSchedule: - evaluation: - - start: 00 17 * * 1,2,3,4,5 - development: - - start: 00 17 * * 1,2,3,4,5 - end: 00 08 * * 1,2,3,4,5 - production: ~ - seedCandidateDeterminationStrategy: SameRegion - features: - terminalEnabled: false - projectTerminalShortcutsEnabled: false - # alert: - # type: error - # message: This is an **alert** banner - # # identifer: alert-identifier # Optional. If not set, a hash of the alert.message will be used as identifier. The identifier is used to store the user's decision to not show the alert message with this identifier again. + # ## What you expected to happen? - # terminal: - # shortcuts: - # - title: "Watch Control Plane Pods" - # description: Using kubectl to watch the pods of the control plane for this cluster - # target: cp # possible values: "cp" (Control Plane), "shoot", "garden" - # container: - # image: eu.gcr.io/gardener-project/gardener/ops-toolbelt:latest - # # command: ~ - # args: - # - watch - # - kubectl - # - get - # - pods - # - "-o" - # - wide - # heartbeatIntervalSeconds: 60 + # ## When did it happen or started to happen? + # `Timestamp`: ${utcDateTimeNow} + + # ## How would we reproduce it? - # # costObject is used for billing purposes and is assigned to the gardener project - # costObject: - # title: Cost Object - # description: Costs for the control planes of the clusters in this project will be charged to this cost object. - # regex: ^([0-9]{10})$ - # errorMessage: Invalid cost object + # ## Anything else we need to know? 
+ defaultHibernationSchedule: + evaluation: + - start: 00 17 * * 1,2,3,4,5 + development: + - start: 00 17 * * 1,2,3,4,5 + end: 00 08 * * 1,2,3,4,5 + production: ~ + seedCandidateDeterminationStrategy: SameRegion + features: + terminalEnabled: false + projectTerminalShortcutsEnabled: false + # alert: + # type: error + # message: This is an **alert** banner + # # identifer: alert-identifier # Optional. If not set, a hash of the alert.message will be used as identifier. The identifier is used to store the user's decision to not show the alert message with this identifier again. - # sla: - # title: SLAs - # description: https://foo.example.com/gardener-sla + # terminal: + # shortcuts: + # - title: "Watch Control Plane Pods" + # description: Using kubectl to watch the pods of the control plane for this cluster + # target: cp # possible values: "cp" (Control Plane), "shoot", "garden" + # container: + # image: eu.gcr.io/gardener-project/gardener/ops-toolbelt:latest + # # command: ~ + # args: + # - watch + # - kubectl + # - get + # - pods + # - "-o" + # - wide + # heartbeatIntervalSeconds: 60 - # # accessRestriction is used to define the access restricion text, keys and value mappings - # accessRestriction: - # noItemsText: No access restriction options available for region ${region} and cloud profile ${cloudProfile} - # items: - # - key: seed.gardener.cloud/eu-access - # display: - # visibleIf: true - # # title: foo # optional title, if not defined key will be used - # # description: bar # optional description displayed in a tooltip - # input: - # title: EU Access - # description: | - # This service is offered to you with our regular SLAs and 24x7 support for the control plane of the cluster. 
24x7 support for cluster add-ons and nodes is only available if you meet the following conditions: - # # inverted: false - # options: - # - key: support.gardener.cloud/eu-access-for-cluster-addons - # display: - # visibleIf: false - # # title: bar # optional title, if not defined key will be used - # # description: baz # optional description displayed in a tooltip - # input: - # title: No personal data is used as name or in the content of Gardener or Kubernetes resources (e.g. Gardener project name or Kubernetes namespace, configMap or secret in Gardener or Kubernetes) - # description: | - # If you can't comply, only third-level/dev support at usual 8x5 working hours in EEA will be available to you for all cluster add-ons such as DNS and certificates, Calico overlay network and network policies, kube-proxy and services, and everything else that would require direct inspection of your cluster through its API server - # inverted: true - # - key: support.gardener.cloud/eu-access-for-cluster-nodes - # display: - # visibleIf: false - # input: - # title: No personal data is stored in any Kubernetes volume except for container file system, emptyDirs, and persistentVolumes (in particular, not on hostPath volumes) - # description: | - # If you can't comply, only third-level/dev support at usual 8x5 working hours in EEA will be available to you for all node-related components such as Docker and Kubelet, the operating system, and everything else that would require direct inspection of your nodes through a privileged pod or SSH - # inverted: true + # # costObject is used for billing purposes and is assigned to the gardener project + # costObject: + # title: Cost Object + # description: Costs for the control planes of the clusters in this project will be charged to this cost object. 
+ # regex: ^([0-9]{10})$ + # errorMessage: Invalid cost object - # themes - overwrite theme colors with custom colors, use html color codes or material design colors defined by vuetify in the javascript color pack: https://vuetifyjs.com/en/styles/colors/#javascript-color-pack - #themes: - # light: # overwrite light theme colors - # primary: '#0b8062' - # anchor: '#0b8062' - # main-background: 'grey.darken3' - # main-navigation-title: 'shades.white' - # toolbar-background: '#0b8062' - # toolbar-title: 'shades.white' - # action-button: 'grey.darken4' - # dark: # overwrite dark theme colors - # primary: '#0b8062' - # anchor: '#0b8062' - # main-background: 'grey.darken3' - # main-navigation-title: 'shades.white' - # toolbar-background: '#0b8062' - # toolbar-title: 'shades.white' - # action-button: 'grey.lighten4' - # error: 'red.darken4' - # warning: 'orange.darken4' + # sla: + # title: SLAs + # description: https://foo.example.com/gardener-sla - # gardenctl - configure the default settings for the gardenctl commands - gardenctl: - legacyCommands: true # false to show gardenctl-v2 commands by default, true to show the legacy gardenctl commands. Can be overwritten by the user. + # # accessRestriction is used to define the access restricion text, keys and value mappings + # accessRestriction: + # noItemsText: No access restriction options available for region ${region} and cloud profile ${cloudProfile} + # items: + # - key: seed.gardener.cloud/eu-access + # display: + # visibleIf: true + # # title: foo # optional title, if not defined key will be used + # # description: bar # optional description displayed in a tooltip + # input: + # title: EU Access + # description: | + # This service is offered to you with our regular SLAs and 24x7 support for the control plane of the cluster. 
24x7 support for cluster add-ons and nodes is only available if you meet the following conditions: + # # inverted: false + # options: + # - key: support.gardener.cloud/eu-access-for-cluster-addons + # display: + # visibleIf: false + # # title: bar # optional title, if not defined key will be used + # # description: baz # optional description displayed in a tooltip + # input: + # title: No personal data is used as name or in the content of Gardener or Kubernetes resources (e.g. Gardener project name or Kubernetes namespace, configMap or secret in Gardener or Kubernetes) + # description: | + # If you can't comply, only third-level/dev support at usual 8x5 working hours in EEA will be available to you for all cluster add-ons such as DNS and certificates, Calico overlay network and network policies, kube-proxy and services, and everything else that would require direct inspection of your cluster through its API server + # inverted: true + # - key: support.gardener.cloud/eu-access-for-cluster-nodes + # display: + # visibleIf: false + # input: + # title: No personal data is stored in any Kubernetes volume except for container file system, emptyDirs, and persistentVolumes (in particular, not on hostPath volumes) + # description: | + # If you can't comply, only third-level/dev support at usual 8x5 working hours in EEA will be available to you for all node-related components such as Docker and Kubelet, the operating system, and everything else that would require direct inspection of your nodes through a privileged pod or SSH + # inverted: true - defaultNodesCIDR: 10.250.0.0/16 # default CIDR used for nodes network when creating new shoots + # themes - overwrite theme colors with custom colors, use html color codes or material design colors defined by vuetify in the javascript color pack: https://vuetifyjs.com/en/styles/colors/#javascript-color-pack + # themes: + # light: # overwrite light theme colors + # primary: '#0b8062' + # anchor: '#0b8062' + # main-background: 
'grey.darken3' + # main-navigation-title: 'shades.white' + # toolbar-background: '#0b8062' + # toolbar-title: 'shades.white' + # action-button: 'grey.darken4' + # dark: # overwrite dark theme colors + # primary: '#0b8062' + # anchor: '#0b8062' + # main-background: 'grey.darken3' + # main-navigation-title: 'shades.white' + # toolbar-background: '#0b8062' + # toolbar-title: 'shades.white' + # action-button: 'grey.lighten4' + # error: 'red.darken4' + # warning: 'orange.darken4' - # serviceAccountDefaultTokenExpiration - is the default requested duration of validity of the token request for garden cluster service accounts. - # If no value is provided, the default value corresponds to 90 days - # The token issuer may return a token with a different validity duration - serviceAccountDefaultTokenExpiration: 7776000 # seconds + # gardenctl - configure the default settings for the gardenctl commands + gardenctl: + legacyCommands: true # false to show gardenctl-v2 commands by default, true to show the legacy gardenctl commands. Can be overwritten by the user. - # # externalTools are links displayed in a dedicated card External Tools on the cluster details page. - # # The url can be an url-template (https://tools.ietf.org/html/rfc6570). The variables namespace and name of the shoot are available when the url is expanded. 
- # externalTools: - # - title: Example Tool - # icon: link - # url: https://example.org/foo/bar{?namespace,name} + defaultNodesCIDR: 10.250.0.0/16 # default CIDR used for nodes network when creating new shoots -# # github configuration of the ticket feature -# gitHub: -# apiUrl: https://api.foo-github.com -# org: dummyorg -# repository: dummyrepo -# webhookSecret: foobar # optional if pollIntervalSeconds is defined -# authentication: -# username: dashboard -# token: dummytoken -# # pollIntervalSeconds: 30 # only necessary when dashboard's webhook can't be reached by github and thus polling needs to be done + # serviceAccountDefaultTokenExpiration - is the default requested duration of validity of the token request for garden cluster service accounts. + # If no value is provided, the default value corresponds to 90 days + # The token issuer may return a token with a different validity duration + serviceAccountDefaultTokenExpiration: 7776000 # seconds -livenessProbe: - enabled: true - initialDelaySeconds: 15 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 + # # externalTools are links displayed in a dedicated card External Tools on the cluster details page. + # # The url can be an url-template (https://tools.ietf.org/html/rfc6570). The variables namespace and name of the shoot are available when the url is expanded. 
+ # externalTools: + # - title: Example Tool + # icon: link + # url: https://example.org/foo/bar{?namespace,name} -readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 + # # github configuration of the ticket feature + # gitHub: + # apiUrl: https://api.foo-github.com + # org: dummyorg + # repository: dummyrepo + # webhookSecret: foobar # optional if pollIntervalSeconds is defined + # authentication: + # username: dashboard + # token: dummytoken + # # pollIntervalSeconds: 30 # only necessary when dashboard's webhook can't be reached by github and thus polling needs to be done -# terminal: -# container: -# image: eu.gcr.io/gardener-project/gardener/ops-toolbelt:latest -# containerOperator: -# image: ~ # if not defined, value of terminal.container.image will be used -# containerImageDescriptions: -# - image: /eu.gcr.io/gardener-project/gardener/ops-toolbelt:.*/ # regexp must start and end with '/', otherwise it's an exact match -# description: Run `ghelp` to get information about installed tools and packages -# # serviceAccountTokenExpiration - is the default requested duration of validity of the token request for the "attach" service account (residing in the terminal host cluster) -# # If no value is provided, the default value corresponds to 12 hours -# # The token issuer may return a token with a different validity duration -# serviceAccountTokenExpiration: 43200 # seconds -# gardenTerminalHost: # cluster that hosts the terminal pods for the (virtual) garden cluster -# apiServerIngressHost: api.example.org # is host in browser-trusted certificate. 
Optional, but required if using secretRef -# secretRef: -# namespace: garden # namespace, in which the secret for the gardenTerminalHost resides on the (virtual) garden cluster -# labelSelector: -# - runtime=gardenTerminalHost -# # seedRef: my-soil # if set, you most likely want to disable gardenTerminalHost bootstrapping -# # shootRef: # if set, you most likely want to disable gardenTerminalHost bootstrapping -# # name: myshoot -# # namespace: garden -# garden: # (virtual) garden -# operatorCredentials: # this is the credential used for operators for the (virtual) garden cluster, to create terminal session specific service accounts -# serviceAccountRef: # serviceAccountRef or secretRef -# name: dashboard-terminal-admin -# namespace: garden -# bootstrap: -# disabled: true # indicates if bootstrapping resources required for the terminal feature is generally disabled -# seedDisabled: false # indicates if bootstrapping resources for seeds is disabled, required for gardener operator terminals -# shootDisabled: false # indicates if bootstrapping resources for shoots is disabled, required for enduser terminals -# gardenTerminalHostDisabled: false # indicates if bootstrapping resources for the virtual garden terminal host cluster is disabled -# apiServerIngress: -# annotations: -# kubernetes.io/ingress.class: nginx -# nginx.ingress.kubernetes.io/backend-protocol: HTTPS -# certmanager.k8s.io/cluster-issuer: lets-encrypt -# certmanager.k8s.io/acme-challenge-type: dns01 -# certmanager.k8s.io/acme-dns01-provider: route53 -# queueOptions: ~ # here you can specify options like maxRetries, retryDelay https://github.com/diamondio/better-queue#new-queueprocess-options -# gardenTerminalHost: -# namespace: garden # namespace, in which the tls-secret, ingress and headless service should be created in -# apiServerIngress: -# annotations: -# kubernetes.io/ingress.class: nginx -# nginx.ingress.kubernetes.io/backend-protocol: HTTPS -# apiServerTls: # Optional. 
Needs to be a browser-trusted certificate! -# crt: | -# -----BEGIN CERTIFICATE----- -# Li4u -# -----END CERTIFICATE----- -# -----BEGIN CERTIFICATE----- -# Li4u -# -----END CERTIFICATE----- -# key: | -# -----BEGIN RSA PRIVATE KEY----- -# Li4u -# -----END RSA PRIVATE KEY----- + livenessProbe: + enabled: true + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + # terminal: + # container: + # image: eu.gcr.io/gardener-project/gardener/ops-toolbelt:latest + # containerOperator: + # image: ~ # if not defined, value of terminal.container.image will be used + # containerImageDescriptions: + # - image: /eu.gcr.io/gardener-project/gardener/ops-toolbelt:.*/ # regexp must start and end with '/', otherwise it's an exact match + # description: Run `ghelp` to get information about installed tools and packages + # # serviceAccountTokenExpiration - is the default requested duration of validity of the token request for the "attach" service account (residing in the terminal host cluster) + # # If no value is provided, the default value corresponds to 12 hours + # # The token issuer may return a token with a different validity duration + # serviceAccountTokenExpiration: 43200 # seconds + # gardenTerminalHost: # cluster that hosts the terminal pods for the (virtual) garden cluster + # apiServerIngressHost: api.example.org # is host in browser-trusted certificate. 
Optional, but required if using secretRef + # secretRef: + # namespace: garden # namespace, in which the secret for the gardenTerminalHost resides on the (virtual) garden cluster + # labelSelector: + # - runtime=gardenTerminalHost + # # seedRef: my-soil # if set, you most likely want to disable gardenTerminalHost bootstrapping + # # shootRef: # if set, you most likely want to disable gardenTerminalHost bootstrapping + # # name: myshoot + # # namespace: garden + # garden: # (virtual) garden + # operatorCredentials: # this is the credential used for operators for the (virtual) garden cluster, to create terminal session specific service accounts + # serviceAccountRef: # serviceAccountRef or secretRef + # name: dashboard-terminal-admin + # namespace: garden + # bootstrap: + # disabled: true # indicates if bootstrapping resources required for the terminal feature is generally disabled + # seedDisabled: false # indicates if bootstrapping resources for seeds is disabled, required for gardener operator terminals + # shootDisabled: false # indicates if bootstrapping resources for shoots is disabled, required for enduser terminals + # gardenTerminalHostDisabled: false # indicates if bootstrapping resources for the virtual garden terminal host cluster is disabled + # apiServerIngress: + # annotations: + # kubernetes.io/ingress.class: nginx + # nginx.ingress.kubernetes.io/backend-protocol: HTTPS + # certmanager.k8s.io/cluster-issuer: lets-encrypt + # certmanager.k8s.io/acme-challenge-type: dns01 + # certmanager.k8s.io/acme-dns01-provider: route53 + # queueOptions: ~ # here you can specify options like maxRetries, retryDelay https://github.com/diamondio/better-queue#new-queueprocess-options + # gardenTerminalHost: + # namespace: garden # namespace, in which the tls-secret, ingress and headless service should be created in + # apiServerIngress: + # annotations: + # kubernetes.io/ingress.class: nginx + # nginx.ingress.kubernetes.io/backend-protocol: HTTPS + # apiServerTls: # 
Optional. Needs to be a browser-trusted certificate! + # crt: | + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # Li4u + # -----END CERTIFICATE----- + # key: | + # -----BEGIN RSA PRIVATE KEY----- + # Li4u + # -----END RSA PRIVATE KEY----- -# unreachableSeeds: # disables some UI features for seeds that are unreachable by the dashboard -# matchLabels: -# seed.gardener.cloud/network: private + # unreachableSeeds: # disables some UI features for seeds that are unreachable by the dashboard + # matchLabels: + # seed.gardener.cloud/network: private diff --git a/charts/identity/Chart.yaml b/charts/identity/Chart.yaml index d52a5b50..893abd66 100644 --- a/charts/identity/Chart.yaml +++ b/charts/identity/Chart.yaml @@ -5,4 +5,4 @@ apiVersion: v1 description: A Helm chart for kubernetes identity server name: identity -version: 1.61.3 +version: 1.63.0 diff --git a/charts/identity/values.yaml b/charts/identity/values.yaml index f8ee1804..4eadcb39 100644 --- a/charts/identity/values.yaml +++ b/charts/identity/values.yaml @@ -9,7 +9,7 @@ replicaCount: 1 image: repository: ghcr.io/dexidp/dex - tag: v2.33.0-distroless + tag: v2.35.3-distroless pullPolicy: IfNotPresent containerPort: 5556 diff --git a/hack/helmchart-import/import-gardener-charts.py b/hack/helmchart-import/import-gardener-charts.py index 48a686b7..20dc7c43 100644 --- a/hack/helmchart-import/import-gardener-charts.py +++ b/hack/helmchart-import/import-gardener-charts.py @@ -57,7 +57,7 @@ }, { "package": "gardener/dashboard", - "version": "1.61.3", + "version": "1.63.0", "dirs": [ { "src": "charts/gardener-dashboard",
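Review bot: Every setting in this hunk moves from the top level to `global:` (e.g. `sessionSecret`, `oidc.clientSecret`, `ingress.tls.secretName`), but nothing in the file says so, and Helm silently ignores override keys that no longer match a template path, so an operator reusing a pre-1.63.0 values file would deploy with the chart defaults such as `sessionSecret: ~` unless the templates (not visible here) still reject them via `required`. A one-line note at the top of the file would make the migration explicit: `# NOTE: as of 1.63.0 all configuration is nested under 'global:'; top-level keys from earlier chart versions are no longer read.`. The new `serviceAccountTokenVolumeProjection.audience: ''` block also deserves a comment stating what an empty value means — presumably the projected token then carries the API server's default audience — since the 12-hour expiry remark is the only documentation it has. The same restructuring presumably applies to the new `application` and `runtime` subchart values files listed in the diffstat, which are outside this hunk.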