Public Information

2025-01-24 16:18:47 +01:00
commit 0bd2038c86
449 changed files with 108655 additions and 0 deletions

charts/README.md Normal file

@@ -0,0 +1,100 @@
# nplus Charts
These are the sources to the nplus Charts. There are 4 levels:
1. Cluster
2. Environment
3. Instance
4. Component
## Cluster
The ***cluster*** chart is responsible for installing all prerequisites for nplus into the Kubernetes Cluster. This is specifically the CRDs later used by the environment.
## Environment
The ***environment*** chart installes the nplus operator, toolbox etc. into a Kubernetes namespace, making this namespace capable of housing nplus Instances
## Instance
The ***instance*** and ***instance-argo** charts install an nplus Instance into an nplus Environment. Every Instance consist of any possible combination of componens:
## Components
### administrator
This is the official nscale Administrator (Web / RAP). It connects to an Application Layer to store its state in the global client settings. It can however connect to any nscale component to perform the **online** configuration.
### Prepper
Downloads, deploys and runs any git asset or script prior to deployment of the components
### application
This handles the installation of solutions / scenarios / apps into a running instance.
### cmis
This component exposes a CMIS compatible interface, with REST and SOAP flavours.
### database
The database charts installs a postgres instance into the nplus instance. It should not be used for production without further service.
### ilm
The ***ilm*** chart installs the *nscale ERP ILM Connector* which is a SAP certified ILM service.
### proxy
The ***proxy*** chart installs the *nscale ERP Proxy Connector* which is a SAP Content Service request forwarder to migrate alien Archiv Solutions to nscale
### mon
The ***mon*** chart adds a *nscale Monitoring Console* to the nplus instance.
### nappl
The ***nappl*** chart hosts an nscale Server Application Layer, which is a central component in the nscale ecosystem. Most nplus Instances should have at least one ***nappl*** instance. However, there are also scenarios like *central services* (see samples), where one would potentially not use a ***nappl*** within the nplus instance.
### nstl
A *nscale Server Storage Layer* is added by this ***nstl*** chart. The Storage Layer is basically a Blob Store Component, that virtualizes storage subsystems and adds a layer of legal compliance for many governmental requirements.
In terms of storage subsystems, the ***nstl*** chart can be used to connect multiple storage subsystems like S3, Azure Blob Storage and also Hardware Stores like NetApp, EMC Centera etc.
### pam
This is a Chart for the *nscale Process Automation Modeler*, an administrative component that allows the definition of workflows or processes in BPMN on a web ui.
### pipeliner
The ***pipeliner*** chart installs the *nscale Pipeliner*. It also features an optional **WebDAV** component to provide upload capabilities.
### rms
The ***rms*** chart can be used as an *Adminstrator Server* for the nscale Administrator Client. The chart comes with the original nscale RMS component as well as a TCP Proxy, that allows to connect to the original component running in a container via TCP.
The chart exposes its service through a virtual IP adress provided by a Kubernetes loadbalancer service.
### rs
The *nscale Rendition Server* is installed by this ***rs*** chart. It is used by the *nscale Application Layer* to render content into multiple formats.
### sharepoint
This is a chart for *nscale Sharepoint Connector*
### web
*nscale Web* is the official Web Client for *nscale*. It connects to a *nscale Application Layer* as the *EIM* backend.
### webdav
*nscale WebDAV Connector* is a WebDAV Client for *nscale*. It connects to a *nscale Application Layer* as the *EIM* backend. It services a standard WebDAV protocol interface to be used by any WebDAV client.
# Misc
The ***global*** chart is a library chart with common functions used by all other charts. It cannot be installed.
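Review bot: the markdown in this README has a few defects to fix before it ships: `The ***instance*** and ***instance-argo** charts` has unbalanced asterisks (`***instance-argo**`), so the rest of the line renders in bold; `# Misc` is a level-1 heading placed under the level-2 `## Components` section; and there are typos (`installes`, `componens`, `Adminstrator`, `adress`, `Archiv`). On substance, the `rms` section states that the TCP proxy is exposed through a Kubernetes LoadBalancer virtual IP, which is the only component here reachable without going through the ingress; the section should say so explicitly and tell operators how to restrict that exposure (for example `loadBalancerSourceRanges` on the Service, or the NetworkPolicy the charts generate), since the Administrator Server port is otherwise open to whatever network the load balancer sits on.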


@@ -0,0 +1,11 @@
apiVersion: v2
name: nplus-component-administrator
description: nscale Administrator, providing the Web Version of the Administrator to be used in the Instance
icon: 
type: application
dependencies:
- name: nplus-globals
alias: globals
version: "*-0"
repository: "file://../globals"
version: 1.0.0
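Review bot: `icon:` is left empty and reads as a placeholder that was never filled in; either supply the URL or drop the key. The dependency constraint `version: "*-0"` on `nplus-globals` accepts every version including pre-releases; with `repository: "file://../globals"` this is effectively pinned to the checked-out tree, but if the library chart is ever published to a registry the constraint should be tightened to the major version these templates rely on, otherwise a `helm dependency update` can silently pull incompatible helpers.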


@@ -0,0 +1,174 @@
# nplus-component-administrator
nscale Administrator, providing the Web Version of the Administrator to be used in the Instance
## nplus-component-administrator Chart Configuration
You can customize / configure nplus-component-administrator by setting configuration values on the command line or in values files,
that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
### Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template,
or escaped quotes).
### Global Values
All values can be set per component, per instance or globally per environment.
Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority:
- Prio 1 - Component Level: `ingress.domain`
- Prio 2 - Instance Level: `global.ingress.domain`
- Prio 3 - Environment Level: `global.environment.ingress.domain`
### Using Values in Templates
As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your
template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version
of your Values.
So an example in your `values.yaml` would be:
```
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
```
This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care.
The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables:
- `.component.chartName`
The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride`
- `.component.shortChartName`
A shorter Version of the name - `nappl` instead of `nplus-component-nappl`
- `.component.prefix`
The instance Prefix used to name the resources including `-`. This prefix is dropped, if the
`.Release.Name` equals `.Release.Namespace` for those of you that only
run one nplus Instance per namespace
- `.component.name`
The name of the component, including `.Values.nameOverride` and some logic
- `.component.fullName`
The fullName inlcuding `.Values.fullnameOverride` and some logic
- `.component.chart`
Mainly the `Chart.Name` and `Chart.Version`
- `.component.storagePath`
The path where the component config is stored in the conf PVC
- `.component.handler`
The handler (either helm, argoCD or manual)
- `.instance.name`
The name of the instance, but with override by `.Values.instanceOverride`
- `.instance.group`
The group, this instance belongs to. Override by `.Values.groupOverride`
- `.instance.version`
The *nscale* version (mostly taken from Application Layer), this instance is deploying.
- `.environment.name`
The name of the environment, but with override by `.Values.environmentNameOverride`
### Keys
You can set any of the following values for this component:
| Key | Description | Default |
|-----|-------------|---------|
env | Sets additional environment variables for the configuration. | |
envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | |
envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | |
fullnameOverride | This overrides the output of the internal fullname function | |
**image**​.name | the name of the image to use | `"administrator"` |
**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` |
**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` |
**image**​.tag | the tag of the image to use | `"latest"` |
**ingress**​.annotations | Adds extra Annotations to the ingress | |
**ingress**&#8203;.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http` <br> `https` in zero trust mode |
**ingress**&#8203;.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` |
**ingress**&#8203;.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/rapadm"` |
**ingress**&#8203;.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | |
**ingress**&#8203;.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | |
**ingress**&#8203;.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | |
**ingress**&#8203;.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` |
**ingress**&#8203;.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" |
**ingress**&#8203;.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | |
**ingress**&#8203;.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` |
**ingress**&#8203;.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | |
**javaOpts**&#8203;.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | |
**javaOpts**&#8203;.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | |
**javaOpts**&#8203;.javaMinMem | set the minimum memory, java will consume | |
**javaOpts**&#8203;.javaMisc | Any misc Java Options that need to be passed to the container | `"-Dorg.eclipse.rap.rwt.settingStoreFactory=settings-per-user"` |
**meta**&#8203;.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` |
**meta**&#8203;.ports&#8203;.http | The http port this component uses (if any). In zero trust mode, this will be disabled. <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `8080` |
**meta**&#8203;.ports&#8203;.https | The tls / https port, this component uses (if any) <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `8443` |
**meta**&#8203;.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"administrator"` |
**meta**&#8203;.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | |
**meta**&#8203;.tenant | sets tenant information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"administrator"` |
**meta**&#8203;.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | |
minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | |
**mounts**&#8203;.caCerts&#8203;.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.caCerts&#8203;.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.componentCerts&#8203;.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.componentCerts&#8203;.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.data&#8203;.class | Sets the class of the data disk | |
**mounts**&#8203;.data&#8203;.size | Sets the size of the data disk | |
**mounts**&#8203;.data&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.disk&#8203;.class | Sets the class of the disk | |
**mounts**&#8203;.disk&#8203;.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` |
**mounts**&#8203;.disk&#8203;.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` |
**mounts**&#8203;.disk&#8203;.size | Sets the size of the disk | |
**mounts**&#8203;.disk&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.file&#8203;.class | Sets the class of the shared disk | |
**mounts**&#8203;.file&#8203;.size | Sets the size of the shared disk | |
**mounts**&#8203;.file&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | |
**mounts**&#8203;.logs&#8203;.size | Sets the size of the log disk (all paths) | |
**mounts**&#8203;.temp&#8203;.path | Sets the path to the temporary files <br>do not change this value | **info only**, do not change<br> `"/tmp"` |
**mounts**&#8203;.temp&#8203;.size | Sets the size of the temporary disk (all paths) | `"1Gi"` |
nameOverride | This overrides the output of the internal name function | |
**nappl**&#8203;.account | The technical account to login with | |
**nappl**&#8203;.domain | The domain of the technical account | |
**nappl**&#8203;.host | nappl host name | |
**nappl**&#8203;.instance | instance of the Application Layer, likely `instance1` | |
**nappl**&#8203;.password | The password of the technical accunt (if not set by secret) | |
**nappl**&#8203;.port | nappl port (http 8080 or https 8443) | |
**nappl**&#8203;.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | |
**nappl**&#8203;.ssl | sets the Advanced Connect to tls | |
nodeSelector | select specific nodes for this component | |
**resources**&#8203;.limits&#8203;.cpu | The maximum allowed CPU for the container | |
**resources**&#8203;.limits&#8203;.memory | The maximum allowed RAM for the container | |
**resources**&#8203;.requests&#8203;.cpu | Set the share of guaranteed CPU to the container. | |
**resources**&#8203;.requests&#8203;.memory | Set the share of guaranteed RAM to the container | |
**security**&#8203;.containerSecurityContext&#8203;.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive <br>you should not change this | **info only**, do not change<br> `false` |
**security**&#8203;.containerSecurityContext&#8203;.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment <br>you should not change this | **info only**, do not change<br> `true` |
**security**&#8203;.podSecurityContext&#8203;.fsGroup | The file system group as which new files are created <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.podSecurityContext&#8203;.fsGroupChangePolicy | Under which condition should the fsGroup be changed <br>there is normally no need to change this | **info only**, do not change<br> `"OnRootMismatch"` |
**security**&#8203;.podSecurityContext&#8203;.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` |
**service**&#8203;.annotations | adds extra Annotations to the service | |
**service**&#8203;.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` |
**service**&#8203;.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` |
**telemetry**&#8203;.openTelemetry | turns Open Telemetry on | |
**telemetry**&#8203;.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | |
**template**&#8203;.annotations | set additional annotations for pods | |
**template**&#8203;.labels | set additional labels for pods | |
terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | |
timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` |
tolerations | Set tolerations for this component | |
**utils**&#8203;.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` |
**utils**&#8203;.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` |
**utils**&#8203;.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` |
**utils**&#8203;.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later | `true` |
**utils**&#8203;.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` |
**utils**&#8203;.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` |
waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | |
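Review bot: the `nappl.password` row documents a clear-text password in values (and therefore in the release's stored values and in any committed values file); the row should state that `nappl.secret` is the intended mechanism and that the plain key is for development only. Two further points in the table: the default of `ingress.namespace`, `"ingress, kube-system, ingress-nginx"`, opens the generated NetworkPolicy to every pod in `kube-system`, not just the ingress controller, so operators should be told to narrow it to the controller's namespace; and the `waitFor` example in the Values section has a stray backslash in `:\{{ .this.nappl.port }}` that will be rendered literally into the init container argument. Typos to fix: `accunt`, `wether`, `primaty`, `podDesruptionBudget`, `starndard`, `depricated`, `ist`.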


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.component" . -}}


@@ -0,0 +1,16 @@
{{- include "nplus.init" $ -}}
{{- if ( include "nplus.ingressEnabled" . ) }}
{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }}
- path: {{ .Values.ingress.contextPath }}
pathType: Prefix
backend:
service:
name: {{ .component.fullName }}
port:
name: {{ include "nplus.backendProtocol" . }}
{{- else }}
# kind: ingress
# Not Generating any Ingress for {{ .component.fullName }} as
# Ingress = {{ .this.ingress }}
# Service = {{ .this.service }}
{{- end }}
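Review bot: `path: {{ .Values.ingress.contextPath }}` reads `.Values` directly while the rest of the chart reads settings through `.this` (the README says `.this.ingress.domain` resolves the component, instance and environment levels), so an instance- or environment-level `contextPath` override is ignored here; change it to `.this.ingress.contextPath` or document that this key is component-only. The `else` branch also renders the complete `.this.ingress` and `.this.service` maps as YAML comments into the manifest; when manifests are stored for later `kubectl apply` (the README suggests this with `utils.includeNamespace: false`), that comment carries the tls secret name and any whitelist CIDRs, so render only the `enabled` flags or guard the block with `utils.renderComments`.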


@@ -0,0 +1,34 @@
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
- Egress
ingress:
{{- if ( include "nplus.ingressEnabled" . ) }}
{{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }}
{{- end }}
egress:
- to:
- podSelector:
matchLabels:
nplus/group: {{ .instance.group }}
{{- end }}
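Review bot: `policyTypes` includes `Egress`, but the only egress rule allows traffic to pods labelled `nplus/group: {{ .instance.group }}` in the same namespace; nothing here allows TCP/UDP 53 to the cluster DNS in `kube-system`, so unless another policy in the namespace grants it, the `waitFor` init container resolving `...nappljobs.<namespace>.svc.cluster.local` (README example) and the container's own lookup of `nappl.host` will fail as soon as this policy is applied. An Application Layer outside the instance group, which the README permits via `nappl.host`, is blocked for the same reason. Add an egress rule with a `namespaceSelector` for the DNS namespace and either an exception for `.this.nappl.host` or a documented requirement for an additional policy. Minor: when the ingress is disabled the `ingress:` key renders empty, which with `Ingress` in `policyTypes` denies all inbound traffic; confirm that is intended.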


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.pvc" . }}


@@ -0,0 +1,32 @@
apiVersion: v1
kind: Service
metadata:
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
name: {{ .component.fullName }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
{{- include "nplus.serviceAnnotations" . | nindent 4 }}
spec:
# this is a "headless service", no cluster IP is defined
# as none of the internal components need to access this service,
# access is purely through an ingress if desired.
type: ClusterIP
clusterIP: None
ports:
{{- include "nplus.defaultServicePorts" . | nindent 4 }}
selector:
{{- if eq .this.service.selector "component" }}
{{- include "nplus.selectorLabels" . | nindent 4 }}
{{- else if eq .this.service.selector "type" }}
{{- include "nplus.selectorLabelsNc" . | nindent 4 }}
{{- else }}
{{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }}
{{- end }}
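Review bot: this is the only template in the commit that does not start with `{{- include "nplus.init" $ -}}`, yet it uses `.this.utils.includeNamespace`, `.this.service.selector` and `.component.fullName`; if `nplus.init` is what populates `.this` and `.component` (every other template includes it first), this Service renders with an empty `name` or fails at the `eq` on `.this.service.selector`. Add the include as the first line.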


@@ -0,0 +1,116 @@
{{- include "nplus.init" $ -}}
# Component: {{ .component.chartName }}
# will connect to:
{{- if (.this.nappl).host }}
# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }}
{{- else }}
# defined by config file in conf PV.
{{- end }}
#
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
serviceName: {{ .component.fullName }}
selector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
replicas: {{ .Values.replicaCount }}
podManagementPolicy: OrderedReady
updateStrategy:
type: {{ .Values.updateStrategy | default "OnDelete" }}
minReadySeconds: 5
template:
metadata:
labels:
{{- include "nplus.templateLabels" . | nindent 8 }}
annotations:
{{- include "nplus.templateAnnotations" . | nindent 8 }}
{{- include "nplus.securityAnnotations" . | nindent 8 }}
spec:
{{- include "nplus.imagePullSecrets" . | nindent 6 }}
{{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }}
{{- include "nplus.podSecurityContext" . | nindent 6 }}
{{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }}
initContainers:
{{- include "nplus.waitFor" . | nindent 6 }}
containers:
- name: administrator
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
env:
{{- if ($.this.nappl).host }}
- name: APPLICATION_LAYER_HOST
value: {{ ($.this.nappl).host | quote }}
{{- end }}
{{- if ($.this.nappl).port }}
- name: APPLICATION_LAYER_PORT
value: {{ ($.this.nappl).port | quote }}
{{- end }}
{{- if ($.this.nappl).ssl }}
- name: APPLICATION_LAYER_SSL
value: {{ ($.this.nappl).ssl | quote }}
{{- end }}
{{- if ($.this.nappl).instance }}
- name: APPLICATION_LAYER_INSTANCE
value: {{ ($.this.nappl).instance | quote }}
{{- end }}
{{- include "nplus.environment" . | nindent 8 }}
{{- if .this.utils.maintenance }}
{{- include "nplus.idle" . | nindent 8 }}
{{- else }}
startupProbe:
httpGet:
path: /rapadm/
port: {{ include "nplus.backendPort" . }}
scheme: {{ include "nplus.backendProtocol" . | upper }}
initialDelaySeconds: 10
failureThreshold: 12
periodSeconds: 10
timeoutSeconds: 5
livenessProbe:
httpGet:
path: /rapadm/
port: {{ include "nplus.backendPort" . }}
scheme: {{ include "nplus.backendProtocol" . | upper }}
periodSeconds: 30
timeoutSeconds: 1
readinessProbe:
httpGet:
path: /rapadm/
port: {{ include "nplus.backendPort" . }}
scheme: {{ include "nplus.backendProtocol" . | upper }}
periodSeconds: 10
timeoutSeconds: 1
{{- end }}
ports:
{{- include "nplus.defaultContainerPorts" . | nindent 8 }}
{{- include "nplus.resources" . | nindent 8 }}
volumeMounts:
{{- include "nplus.defaultMounts" . | nindent 8 }}
volumes:
{{- include "nplus.defaultVolumes" . | nindent 6 }}
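Review bot: `replicas: {{ .Values.replicaCount }}` and `type: {{ .Values.updateStrategy | default "OnDelete" }}` read `.Values` directly, bypassing the `.this` precedence used everywhere else, and neither `replicaCount` nor `updateStrategy` appears in the README key table; either switch them to `.this` and document them, or state explicitly that they are component-only. On the probes, `livenessProbe.timeoutSeconds: 1` against `/rapadm/` on a Java RAP application is tight: a GC pause or a busy request queue longer than one second fails the check and, after the default three failures, restarts the pod; the startup probe already allows `timeoutSeconds: 5`, so the liveness timeout should at least match it.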


@@ -0,0 +1,834 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"env": {
"default": "",
"description": "Sets additional environment variables for the configuration.",
"title": "env"
},
"envMap": {
"default": "",
"description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.",
"title": "envMap"
},
"envSecret": {
"default": "",
"description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.",
"title": "envSecret"
},
"fullnameOverride": {
"default": "",
"description": "This overrides the output of the internal fullname function",
"title": "fullnameOverride"
},
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
},
"globals": {
"description": "nplus Global Functions Library Chart",
"properties": {
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
}
},
"title": "nplus-globals",
"type": "object"
},
"image": {
"additionalProperties": false,
"description": "provide the image to be used for this component",
"properties": {
"name": {
"default": "administrator",
"description": "the name of the image to use",
"title": "name"
},
"pullPolicy": {
"default": "IfNotPresent",
"title": "pullPolicy",
"type": "string"
},
"pullSecrets": {
"description": "you can provide your own pullSecrets, in case you use a private repo.",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
]
},
"title": "pullSecrets"
},
"repo": {
"default": "ceyoniq.azurecr.io/release/nscale",
"description": "if you use a private repo, feel free to set it here",
"title": "repo"
},
"tag": {
"default": "ubi.9.3.1201",
"description": "the tag of the image to use",
"title": "tag"
}
},
"title": "image"
},
"ingress": {
"additionalProperties": false,
"description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)",
"properties": {
"annotations": {
"default": "",
"description": "Adds extra Annotations to the ingress",
"title": "annotations"
},
"backendProtocol": {
"default": "`http` <br> `https` in zero trust mode",
"description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.",
"title": "backendProtocol"
},
"class": {
"default": "`public`",
"description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one",
"title": "class"
},
"contextPath": {
"default": "/rapadm",
"description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.",
"title": "contextPath"
},
"cookie": {
"default": "",
"description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web",
"title": "cookie"
},
"deny": {
"default": "",
"description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.",
"title": "deny"
},
"domain": {
"default": "",
"description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here",
"title": "domain"
},
"enabled": {
"default": "true",
"description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.",
"title": "enabled"
},
"inputPath": {
"default": "",
"description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.",
"title": "inputPath"
},
"namespace": {
"default": "\"ingress, kube-system, ingress-nginx\"",
"description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list",
"title": "namespace"
},
"proxyReadTimeout": {
"default": "",
"description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.",
"title": "proxyReadTimeout"
},
"rewriteTarget": {
"default": "",
"description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.",
"title": "rewriteTarget"
},
"secret": {
"default": "`{{ .this.ingress.domain }}-tls`",
"description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance",
"title": "secret"
},
"whitelist": {
"default": "",
"description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers",
"title": "whitelist"
}
},
"title": "ingress"
},
"javaOpts": {
"additionalProperties": false,
"description": "Options for the Java VM",
"properties": {
"javaMaxMem": {
"default": "",
"description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed",
"title": "javaMaxMem"
},
"javaMaxRamPercentage": {
"default": "",
"description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.",
"title": "javaMaxRamPercentage"
},
"javaMinMem": {
"default": "",
"description": "set the minimum memory, java will consume",
"title": "javaMinMem"
},
"javaMisc": {
"default": "-Dorg.eclipse.rap.rwt.settingStoreFactory=settings-per-user",
"description": "Any misc Java Options that need to be passed to the container",
"title": "javaMisc"
}
},
"title": "javaOpts"
},
"meta": {
"additionalProperties": false,
"description": "defines internal constants for nplus. do not change these values",
"properties": {
"componentVersion": {
"default": "",
"description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify",
"title": "componentVersion"
},
"language": {
"default": "java",
"description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.",
"title": "language"
},
"ports": {
"additionalProperties": false,
"description": "lists the ports this component exposes. This is important for zero trust mode and others.",
"properties": {
"http": {
"default": "8080",
"description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.",
"title": "http"
},
"https": {
"default": "8443",
"description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "https"
},
"rmi": {
"default": "",
"description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "rmi"
},
"tcp": {
"default": "",
"description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcp"
},
"tcps": {
"default": "",
"description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcps"
}
},
"title": "ports"
},
"provider": {
"default": "",
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment",
"title": "provider"
},
"serviceContainer": {
"default": "administrator",
"description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any",
"title": "serviceContainer"
},
"stage": {
"default": "",
"description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)",
"title": "stage"
},
"tenant": {
"default": "",
"description": "sets tenant information to be able to invoice per use in a cloud environment",
"title": "tenant"
},
"type": {
"default": "administrator",
"description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.",
"title": "type"
},
"wave": {
"default": "",
"description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation",
"title": "wave"
}
},
"title": "meta"
},
"minReplicaCountType": {
"default": "",
"description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer",
"title": "minReplicaCountType"
},
"mounts": {
"additionalProperties": false,
"properties": {
"caCerts": {
"additionalProperties": false,
"description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.",
"properties": {
"configMap": {
"default": "",
"description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting",
"title": "configMap"
},
"paths": {
"default": "",
"description": "Sets the path to the certs folder. @internal -- do not change this value",
"title": "paths"
},
"secret": {
"default": "",
"description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting",
"title": "secret"
}
},
"title": "caCerts"
},
"componentCerts": {
"additionalProperties": false,
"description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here",
"properties": {
"configMap": {
"default": "",
"description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting",
"title": "configMap"
},
"paths": {
"default": "",
"description": "Sets the path to the component certs. @internal -- do not change this value",
"title": "paths"
},
"secret": {
"default": "",
"description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting",
"title": "secret"
}
},
"title": "componentCerts"
},
"conf": {
"additionalProperties": false,
"description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the conf files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the conf files @internal -- do not change this value",
"title": "paths"
}
},
"title": "conf"
},
"data": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the data disk",
"title": "class"
},
"path": {
"default": "",
"description": "Sets the path to the data files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the data files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the data disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "data",
"type": "object"
},
"disk": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the disk",
"title": "class"
},
"enabled": {
"default": "false",
"description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.",
"title": "enabled"
},
"migration": {
"default": "false",
"description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!",
"title": "migration"
},
"path": {
"default": "",
"description": "Sets the path to the disk files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the data files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "disk",
"type": "object"
},
"file": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the shared disk",
"title": "class"
},
"path": {
"default": "",
"description": "Sets the path to the shared files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the shared files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the shared disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "file",
"type": "object"
},
"fonts": {
"additionalProperties": false,
"description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the fonts folder. @internal -- do not change this value",
"title": "path"
}
},
"title": "fonts"
},
"generic": {
"default": "",
"description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.",
"title": "generic"
},
"license": {
"additionalProperties": false,
"description": "some nscale Components require a license file and this defines it's location",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the license files @internal -- do not change this value",
"title": "path"
}
},
"title": "license"
},
"logs": {
"additionalProperties": false,
"description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the log files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the log files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the log disk (all paths)",
"title": "size"
}
},
"title": "logs"
},
"pool": {
"additionalProperties": false,
"properties": {
"path": {
"default": "",
"description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value",
"title": "path"
}
},
"title": "pool",
"type": "object"
},
"ptemp": {
"additionalProperties": false,
"description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only",
"properties": {
"path": {
"default": "",
"description": "Sets the path for temporary files that are persisted @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value",
"title": "paths"
}
},
"title": "ptemp"
},
"temp": {
"additionalProperties": false,
"description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only",
"properties": {
"path": {
"default": "/tmp",
"description": "Sets the path to the temporary files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the temporary files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "1Gi",
"description": "Sets the size of the temporary disk (all paths)",
"title": "size"
}
},
"title": "temp"
}
},
"title": "mounts",
"type": "object"
},
"nameOverride": {
"default": "",
"description": "This overrides the output of the internal name function",
"title": "nameOverride"
},
"nappl": {
"additionalProperties": false,
"description": "The nscale Application Layer, this component should talk to",
"properties": {
"account": {
"default": "",
"description": "The technical account to login with",
"title": "account"
},
"domain": {
"default": "",
"description": "The domain of the technical account",
"title": "domain"
},
"host": {
"default": "",
"description": "nappl host name",
"title": "host"
},
"instance": {
"default": "",
"description": "instance of the Application Layer, likely `instance1`",
"title": "instance"
},
"password": {
"default": "",
"description": "The password of the technical accunt (if not set by secret)",
"title": "password"
},
"port": {
"default": "",
"description": "nappl port (http 8080 or https 8443)",
"title": "port"
},
"secret": {
"default": "",
"description": "An optional secret that holds the credentials (the keys must be `account` and `password`)",
"title": "secret"
},
"ssl": {
"default": "",
"description": "sets the Advanced Connect to tls",
"title": "ssl"
}
},
"title": "nappl"
},
"nodeSelector": {
"default": "",
"description": "select specific nodes for this component",
"title": "nodeSelector"
},
"replicaCount": {
"default": "1",
"description": "There should only be a single Administrator instance, so the replicaCount is fixed to 1 @ignore -- Do not change this.",
"title": "replicaCount"
},
"resources": {
"additionalProperties": false,
"description": "Assigns hardware resources to container",
"properties": {
"limits": {
"additionalProperties": false,
"description": "Limits the maximum resources",
"properties": {
"cpu": {
"default": "",
"description": "The maximum allowed CPU for the container",
"title": "cpu"
},
"memory": {
"default": "",
"description": "The maximum allowed RAM for the container",
"title": "memory"
}
},
"title": "limits"
},
"requests": {
"additionalProperties": false,
"description": "Requests are used to assign a minimum to a container. This is the guaranteed amount",
"properties": {
"cpu": {
"default": "",
"description": "Set the share of guaranteed CPU to the container.",
"title": "cpu"
},
"memory": {
"default": "",
"description": "Set the share of guaranteed RAM to the container",
"title": "memory"
}
},
"title": "requests"
}
},
"title": "resources"
},
"security": {
"additionalProperties": false,
"description": "Security Section defining default runtime environment for your container",
"properties": {
"containerSecurityContext": {
"additionalProperties": false,
"properties": {
"allowPrivilegeEscalation": {
"default": "false",
"description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this",
"title": "allowPrivilegeEscalation"
},
"capabilities": {
"additionalProperties": false,
"description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this",
"properties": {
"drop": {
"items": {
"anyOf": [
{
"type": "string"
}
]
},
"title": "drop",
"type": "array"
}
},
"title": "capabilities"
},
"readOnlyRootFilesystem": {
"default": "true",
"description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this",
"title": "readOnlyRootFilesystem"
}
},
"title": "containerSecurityContext",
"type": "object"
},
"podSecurityContext": {
"additionalProperties": false,
"properties": {
"fsGroup": {
"default": "1001",
"description": "The file system group as which new files are created @internal -- there is normally no need to change this",
"title": "fsGroup"
},
"fsGroupChangePolicy": {
"default": "OnRootMismatch",
"description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this",
"title": "fsGroupChangePolicy"
},
"runAsUser": {
"default": "1001",
"description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this",
"title": "runAsUser"
}
},
"title": "podSecurityContext",
"type": "object"
},
"zeroTrust": {
"default": "`false`",
"description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes",
"title": "zeroTrust"
}
},
"title": "security"
},
"service": {
"additionalProperties": false,
"properties": {
"annotations": {
"default": "",
"description": "adds extra Annotations to the service",
"title": "annotations"
},
"enabled": {
"default": "true",
"description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.",
"title": "enabled"
},
"selector": {
"default": "component",
"description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type",
"title": "selector"
}
},
"title": "service",
"type": "object"
},
"telemetry": {
"additionalProperties": false,
"description": "Settings for telemetry tools",
"properties": {
"openTelemetry": {
"default": "",
"description": "turns Open Telemetry on",
"title": "openTelemetry"
},
"serviceName": {
"default": "",
"description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"",
"title": "serviceName"
}
},
"title": "telemetry"
},
"template": {
"additionalProperties": false,
"description": "provide extra settings for pod templates",
"properties": {
"annotations": {
"default": "",
"description": "set additional annotations for pods",
"title": "annotations"
},
"labels": {
"default": "",
"description": "set additional labels for pods",
"title": "labels"
}
},
"title": "template"
},
"terminationGracePeriodSeconds": {
"default": "",
"description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults",
"title": "terminationGracePeriodSeconds"
},
"timezone": {
"default": "`Europe/Berlin`",
"description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.",
"title": "timezone"
},
"tolerations": {
"default": "",
"description": "Set tolerations for this component",
"title": "tolerations"
},
"utils": {
"additionalProperties": false,
"properties": {
"debug": {
"default": "`false`",
"description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide",
"title": "debug"
},
"disableWait": {
"default": "`false`",
"description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.",
"title": "disableWait"
},
"disableWave": {
"default": "`false`",
"description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.",
"title": "disableWave"
},
"includeNamespace": {
"default": "`true`",
"description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later",
"title": "includeNamespace"
},
"maintenance": {
"default": "`false`",
"description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.",
"title": "maintenance"
},
"renderComments": {
"default": "`true`",
"description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD",
"title": "renderComments"
}
},
"title": "utils",
"type": "object"
},
"waitFor": {
"default": "",
"description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.",
"title": "waitFor"
}
},
"type": "object"
}
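Review bot: the schema does not enforce types for the keys that matter most, so it will not reject a mistyped value for the security-relevant settings: `readOnlyRootFilesystem`, `allowPrivilegeEscalation`, `runAsUser`, `fsGroup` and `replicaCount` each carry only a `"default"`, `"description"` and `"title"` with no `"type"`, and their defaults are strings (`"default": "false"`, `"default": "1001"`) rather than booleans or integers. The same applies at the object level: only `data`, `disk`, `file`, `pool`, `mounts`, `service`, `utils`, `containerSecurityContext` and `podSecurityContext` declare `"type": "object"`, while `image`, `ingress`, `javaOpts`, `meta`, `ports`, `nappl`, `resources`, `security`, `telemetry`, `template` and the mount sub-objects rely on `"additionalProperties": false` alone, which in JSON Schema only constrains an instance that is already an object, so a scalar value would pass. Suggest adding a `"type"` to every property and object node and keeping `"default"` as a real JSON value; defaults such as "`false`" (with backticks), "`{{ .this.ingress.domain }}-tls`" and "`http` <br> `https` in zero trust mode" are rendered documentation strings that an editor consuming `$schema` cannot apply. Minor: `nappl.password` is documented as a plaintext alternative to `nappl.secret`; the description should say the secret is the preferred form. Typos in descriptions: wether, ist, superflues, primaty, retriting, depricated, accunt, podDesruptionBudget, starndard, "it's location".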


@@ -0,0 +1,417 @@
# yaml-language-server: $schema=values.schema.json
# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)
ingress:
# -- You can toggle the ingress on wether you'd like this component
# to be reachable through an ingress or not.
enabled: true
# -- Overrides the default backend protocol. The default is http,
# unless in zeroTrust Mode, then it is switched to https automatically.
# @default -- `http` <br> `https` in zero trust mode
backendProtocol:
# -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason
# Example: `/nscalealinst1(/\|$)(.*)`
# @internal -- This is an alpha feature - do not use it.
inputPath:
# -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason
# Example: `/nscalealinst1/$2`
# @internal -- This is an alpha feature - do not use it.
rewriteTarget:
# -- deny is used to exclude specific paths from public access, such as
# administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is
# the burlap protocol. The configuration service is the endpoint used by
# the Admin client.
deny:
# -- on component level, set cookie affinity for the ingress
# example: `XtConLoadBalancerSession` for nscale Web
cookie:
# -- Sets the name of the tls secret to be used for this ingress, that contains
# the private and public key. These secrets can optionally be provided by the instance
# @default -- `{{ .this.ingress.domain }}-tls`
secret:
# -- Sets the domain to be used. This domain should be provided by the instance globally
# for all components, but you are free to override it here
domain:
# -- The ingressclass to use for this ingress. Most likely, this is provided globally by the
# instance, but you are free to override it here if this component should use a different class
# e.g. if you have separated ingress controllers, like a public and an internal one
# @default -- `public`
class:
# -- optionally sets a whitelist of ip ranges (CIDR format, comma separated)
# from which ingress is allowed. This is an annotation for nginx, so won't work with other
# ingress controllers
whitelist:
# -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy
# to allow traffic from this namespace to our pods. This may be a comma separated list
# @default -- "ingress, kube-system, ingress-nginx"
namespace:
# -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the
# most though this is only a constant used in the scripts.
contextPath: "/rapadm"
# -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.
proxyReadTimeout:
# -- Adds extra Annotations to the ingress
annotations:
# -- Security Section defining default runtime environment for your container
security:
podSecurityContext:
# -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context
# for security
# @internal -- there is normally no need to change this
runAsUser: 1001
# -- The file system group as which new files are created
# @internal -- there is normally no need to change this
fsGroup: 1001
# -- Under which condition should the fsGroup be changed
# @internal -- there is normally no need to change this
fsGroupChangePolicy: OnRootMismatch
containerSecurityContext:
# -- sets the container root file system to read only. This should be the case in production environment
# @internal -- you should not change this
readOnlyRootFilesystem: true
# -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
# @internal -- you should not change this
allowPrivilegeEscalation: false
# -- Capabilities this container should have. Only allow the necessity, and drop as many as possible
# @internal -- you should not change this
capabilities:
drop:
- ALL
# -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes
# @default -- `false`
zeroTrust:
mounts:
# -- The temp volume is used to hold any superflues and temporary data.
# it is deleted when the pod terminates. However, it is extremely important
# as all pods filesystems are read only
temp:
# -- Sets the path to the temporary files
# @internal -- do not change this value
path: "/tmp"
# -- Sets a list of paths to the temporary files
# @internal -- do not change this value
paths:
# -- Sets the size of the temporary disk (all paths)
size: "1Gi"
# -- The conf volume is a RWX volume mounted by the environment, that holds
# all configurations of all instances and components in this environment
conf:
# -- Sets the path to the conf files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the conf files
# @internal -- do not change this value
paths:
# -- The log volume is used to take any left-over logging in the container.
# The container should log to stdout, but if any component still tries to log to disk
# this disk needs to be writeable
logs:
# -- Sets the path to the log files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the log files
# @internal -- do not change this value
paths:
# -- Sets the size of the log disk (all paths)
size:
# -- some nscale Components require a license file and this
# defines it's location
license:
# -- Sets the path to the license files
# @internal -- do not change this value
path:
# -- If you want to use additional
# fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the
# fonts directory from the environment pool
fonts:
# -- Sets the path to the fonts folder.
# @internal -- do not change this value
path:
# -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to
# connect to alien services via https. If you have a self-signed root certificate,
# you can also add it here.
caCerts:
# -- Sets the path to the certs folder.
# @internal -- do not change this value
paths:
# -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting
secret:
# -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting
configMap:
# -- the java based nscale components have their own certificates, that you might want to upload.
# You can normally do so via the environment configuration, but should you want to use a secret,
# you can set it here
componentCerts:
# -- Sets the path to the component certs.
# @internal -- do not change this value
paths:
# -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting
secret:
# -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting
configMap:
data:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
# -- Sets the size of the data disk
size:
# -- Sets the class of the data disk
class:
# -- Sets the path to the data files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the data files
# @internal -- do not change this value
paths:
file:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
# -- Sets the size of the shared disk
size:
# -- Sets the class of the shared disk
class:
# -- Sets the path to the shared files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the shared files
# @internal -- do not change this value
paths:
pool:
# -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted.
# this is used to store scripts, apps and assets that are required to deploy an application / solution
# @internal -- do not change this value
path:
# -- The temp volume is used to hold any superflues and temporary data.
# it is deleted when the pod terminates. However, it is extremely important
# as all pods filesystems are read only
ptemp:
# -- Sets the path for temporary files that are persisted
# @internal -- do not change this value
path:
# -- Sets a list of paths for temporary files that are persisted
# @internal -- do not change this value
paths:
# -- Allows to define generic mounts of pre-provisioned PVs into any container.
# This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.
generic:
disk:
# -- Sets the size of the disk
size:
# -- Sets the class of the disk
class:
# -- Sets the path to the disk files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the data files
# @internal -- do not change this value
paths:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
# -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk.
# In case of the (default) disabled, the paths will be added to the primaty data disk.
enabled: false
# -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk.
# This is done only once and only if there is legacy data at all. No files are overwritten!
migration: false
# -- Options for the Java VM
javaOpts:
# -- set the percentage of RAM, Java will use of the total.
# The total amount is the amount installed in the K8s Cluster Node,
# OR the Memory Limit set (see resources), if any.
javaMaxRamPercentage:
# -- set the minimum memory, java will consume
javaMinMem:
# -- set the maximum memory, java will consume.
# Attention: This is NOT the real maximum and it does not include any non Java memory.
# Please read google, as this is highly discussed
javaMaxMem:
# -- Any misc Java Options that need to be passed to the container
javaMisc: "-Dorg.eclipse.rap.rwt.settingStoreFactory=settings-per-user"
# -- provide the image to be used for this component
image:
# -- you can provide your own pullSecrets, in case you use
# a private repo.
pullSecrets:
- nscale-cr
- nplus-cr
# -- the name of the image to use
name: administrator
# -- the tag of the image to use
tag: latest
# -- if you use a private repo, feel free to set it here
repo: ceyoniq.azurecr.io/release/nscale
pullPolicy: IfNotPresent
# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl)
# etc.
# @default -- `Europe/Berlin`
timezone:
# -- defines internal constants for nplus.
# do not change these values
meta:
# -- the type of the component. You should not change this value, except if
# you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner*
# This type is used to create cluster communication for nappl and nstl and potentially
# group multiple replicaSets into one service.
type: administrator
# -- lists the ports this component exposes. This is important for zero trust mode and others.
ports:
# -- The http port this component uses (if any). In zero trust mode, this will be disabled.
# @internal -- this is a constant value of the component and should not be changed.
http: 8080
# -- The tls / https port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
https: 8443
# -- A potential tcp port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcp:
# -- A potential rmi port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
rmi:
# -- A potential tls / tcps port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcps:
# -- sets tenant information to be able to invoice per use in a cloud environment
tenant:
# -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment
provider:
# -- Sets the wave in which this component should be deployed within an ArgoCD deployment
# if unset, it uses the default wave thus all components are installed in one wave, then relying
# on correct wait settings just like in a helm installation
wave:
# -- Sets the language of the main service (in the *service* container). This is used for instance
# if you turn OpenTelemetry on, to know which Agent to inject into the container.
language: java
# -- The container name of the main service for this component. This is used to define where to
# inject the telemetry agents, if any
serviceContainer: administrator
# -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment
# runs in. This can be used in template functions to add the stage to for instance the service name of
# telemetry services like open telemetry. (see telemetry example)
stage:
# -- This is the version of the component, used for display
# @internal -- set by devOps pipeline, so do not modify
componentVersion:
# -- Set tolerations for this component
tolerations:
# -- select specific nodes for this component
nodeSelector:
# -- There should only be a single Administrator instance, so the replicaCount is
# fixed to 1
# @ignore -- Do not change this.
replicaCount: 1
# # <id>:
# # path: <the path in the container, where you want to mount this>
# # volumeName: <the name of the PV to be mounted>
# # subPath: <an (optional) subpath to be used inside the PV>
# -- Sets the name of a secret, which holds additional environment variables for
# the configuration. It is added as envFrom secretRef to the container.
envSecret:
# -- Sets the name of a configMap, which holds additional environment variables for
# the configuration. It is added as envFrom configMap to the container.
envMap:
# -- Sets additional environment variables for
# the configuration.
env:
# -- The nscale Application Layer, this component should talk to
nappl:
# -- nappl host name
host:
# -- nappl port (http 8080 or https 8443)
port:
# -- sets the Advanced Connect to tls
ssl:
# -- instance of the Application Layer, likely `instance1`
instance:
# -- The technical account to login with
account:
# -- The domain of the technical account
domain:
# -- The password of the technical accunt (if not set by secret)
password:
# -- An optional secret that holds the credentials (the keys must be `account` and `password`)
secret:
# -- Assigns hardware resources to container
resources:
# -- Requests are used to assign a minimum to a container. This is the guaranteed amount
requests:
# -- Set the share of guaranteed CPU to the container.
cpu:
# -- Set the share of guaranteed RAM to the container
memory:
# -- Limits the maximum resources
limits:
# -- The maximum allowed CPU for the container
cpu:
# -- The maximum allowed RAM for the container
memory:
# -- This overrides the output of the internal name function
nameOverride:
# -- This overrides the output of the internal fullname function
fullnameOverride:
utils:
# -- Turn debugging *on* will give you stack trace etc.
# Please check out the Chart Developer Guide
# @default -- `false`
debug:
# -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It
# will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD
# @default -- `true`
renderComments:
# -- By default, the namespace is rendered into the manifest. However, if you want to use
# `helm template` and store manifests for later applying them to multiple namespaces, you might
# want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later
# @default -- `true`
includeNamespace:
# -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the
# pods will start in idle, not starting the service at all. This will allow you to gain access to the container
# to perform recovery and maintenance tasks while having the real container up.
# @default -- `false`
maintenance:
# -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components
# of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components
# while previous waves are not finished yet.
# @default -- `false`
disableWave:
# -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are
# only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might
# start components even if they are not intended to run yet.
# @default -- `false`
disableWait:
service:
# -- enables the service to be consumed by group components and a potential ingress
# Disabling the service also disables the ingress.
enabled: true
# -- The selector can be `component` or `type`
# *component* selects only pods that are in the replicaset.
# *type* selects any pod that has the given type
selector: "component"
# -- adds extra Annotations to the service
annotations:
# -- Defines a list of conditions that need to be met before this components starts.
# The condition must be a network port that opens, when the master component is ready.
# Mostly, this will be a service, since a component is only added to a service if the
# probes succeed.
waitFor:
# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as
# minAvailable, using the component type as selector. This is useful for components, that are spread
# across multiple replicaSets, like sharepoint or storage layer
minReplicaCountType:
# -- provide extra settings for pod templates
template:
# -- set additional annotations for pods
annotations:
# -- set additional labels for pods
labels:
# -- Settings for telemetry tools
telemetry:
# -- turns Open Telemetry on
openTelemetry:
# -- Sets the service name for the telemetry service to more convenient
# identify the displayed component
# Example: "{{ .this.meta.type }}-{{ .instance.name }}"
serviceName:
# -- Sets the terminationGracePeriodSeconds for the component
# If not set, it uses the Kubernetes defaults
terminationGracePeriodSeconds:
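Review bot: `image.tag: latest` combined with `pullPolicy: IfNotPresent` in the `image:` block makes the default deployment non-reproducible: a node that already cached a `latest` layer keeps running the old build after the tag moves, a fresh node pulls the new one, and there is no recorded tag to roll back to. Pin the default to the release tag (or a digest) and document `latest` as a dev-only override. Two related points in the same hunk: `nappl.password` accepts a clear-text password that is stored in the Helm release values (recoverable with `helm get values`), so the comment should steer users to `nappl.secret` or `envSecret` and mark the inline field as dev-only; and the commented `# # <id>: / path / volumeName / subPath` sample sits stranded under `replicaCount` instead of next to the `generic:` key it describes. Also, the comment above `ptemp` says the volume "is deleted when the pod terminates" while the key itself is described as holding temporary files "that are persisted"; one of the two statements is wrong.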

@@ -0,0 +1,15 @@
apiVersion: v2
name: nplus-application
description: nplus Application, used to install Apps and Customizations into the nscale Application Layer.
icon: 
type: application
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
dependencies:
- name: nplus-globals
alias: globals
version: "*-0"
repository: "file://../globals"
version: 1.0.0
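Review bot: the comment block above `dependencies` ("This is the version number of the application being deployed ... recommended to use it with quotes") is Helm's scaffold text for `appVersion`, but no `appVersion` key exists in this file and the only version present is the unquoted chart `version: 1.0.0` at the bottom. Either add an `appVersion` (the nscale release this chart targets) under that comment or drop the comment so it does not document a field that is not there. The dependency constraint `version: "*-0"` also accepts any version of `nplus-globals`, pre-releases included; with `repository: "file://../globals"` that is harmless for the bundled copy, but it will match any pre-release the moment the repository is pointed at a remote chart repo, so a tighter range would be safer.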

@@ -0,0 +1,340 @@
# nplus-application
nplus Application, used to install Apps and Customizations into the nscale Application Layer.
## AppInstaller
In order to install Apps, you will need a matching AppInstaller. This can be downloaded from the Ceyoniq Service Portal.
Once you have it, copy it the pool folder (or any other place where the application chart has access to):
```
kubectl cp app-installer-9.0.1202.jar nplus-toolbox-0:/conf/pool
```
## Ceyoniq Smart Business Apps (SBS)
The SBS Apps are automatically downloaded from the official Ceyoniq nstore by a job in the *nplus environment*, if you switched it on during the environment installation:
```
nstoreDownloader.enabled: true
```
If enabled, the Downloader job will run regularly in the background, and download the latest SBS Apps in the pool folder.
You can always enabled it in the environment chart later on if desired:
```
helm upgrade \
--set toolbox.enabled=true \
--set nstoreDownloader.enabled=true \
dev nplus/nplus-environment
```
## SBS Example
You can install SBS by adding the necessary apps to the deployment:
```yaml
components:
application: true
application:
appInstaller: "/pool/app-installer-9.0.1202.jar"
docAreas:
- id: "SBS"
name: "DocArea with SBS"
description: "This is a sample DocArea with the SBS Apps installed"
apps:
- "/pool/nstore/bl-app-9.0.1202.zip"
- "/pool/nstore/gdpr-app-9.0.1302.zip"
- "/pool/nstore/sbs-base-9.0.1302.zip"
- "/pool/nstore/sbs-app-9.0.1302.zip"
- "/pool/nstore/tmpl-app-9.0.1302.zip"
- "/pool/nstore/cm-base-9.0.1302.zip"
- "/pool/nstore/cm-app-9.0.1302.zip"
- "/pool/nstore/hr-base-9.0.1302.zip"
- "/pool/nstore/hr-app-9.0.1302.zip"
- "/pool/nstore/pm-base-9.0.1302.zip"
- "/pool/nstore/pm-app-9.0.1302.zip"
- "/pool/nstore/sd-base-9.0.1302.zip"
- "/pool/nstore/sd-app-9.0.1302.zip"
- "/pool/nstore/kon-app-9.0.1302.zip"
- "/pool/nstore/kal-app-9.0.1302.zip"
- "/pool/nstore/dok-app-9.0.1302.zip"
- "/pool/nstore/ts-base-9.0.1302.zip"
- "/pool/nstore/ts-app-9.0.1302.zip"
- "/pool/nstore/ocr-base-9.0.1302.zip"
```
This will install the SBS Apps into the DocArea "SBS". The DocArea is created, if it does not exist.
## Install custom Generic Base Apps (GBA)
If you wish to deploy your custom GBAs, simply copy them to the pool (e.g. in the apps folder):
```
kubectl cp my-gba-1.0.1000.zip nplus-toolbox-0:/conf/pool/apps
```
Then, use the GBA file name and version in the DocArea:
```
application:
docAreas:
- id: "MyGBA"
name: "DocArea with my GBA"
description: "This is a sample DocArea with a custom GBA installed"
apps:
- "/pool/apps/my-gba-1.0.1000.zip"
```
## Downloading assets from the web, like git
If your assets are in git, you can simply download them prior to installing. That way, you do not have to upload them manually:
```
application:
download:
- "https://git.nplus.cloud/public/nplus/raw/branch/master/apps/my-gba-1.0.1000.zip"
docAreas:
- id: "MyGBA"
name: "DocArea with my GBA"
description: "This is a sample DocArea with a custom GBA installed"
apps:
- "/pool/downloads/my-gba-1.0.1000.zip"
```
> You can also use the *prepper* for downloading assets, which is useful to for example download snippets into the web client before it starts.
## Deploying additional parts
You might want to deploy additional parts like web snippets to your instance. This can by done by custom scripts.
Custom scripts can be run either in *global* or in *document area* context:
```
application:
preRun:
- "/pool/scripts/global-init.sh"
docAreas:
- id: "MyGBA"
run:
- "/pool/scripts/da-deployment.sh"
run:
- "/pool/scripts/global-deployment.sh"
```
In *DA* context, the script will get the NAPPL information passed to it.
In *global* context, the script does not get any application specific context.
Example (for a global script):
```
#/bin/sh
cp /pool/snippets/test.jar /instance/web/snippets
```
This script copies the file *test.jar* to the web snippets folder, so the web containers have access to it.
Place this script in the pool folder of your environment, like this:
```
kubectl cp global-deployment.sh nplus-toolbox-0:/conf/pool/scripts
```
Then you can run it during the initialization Job like in the example above.
Of course you also need to copy your snippet to the pool first:
```
kubectl cp test.jar nplus-toolbox-0:/conf/pool/snippets
```
Scripts can run Pre- and Post DocArea and App installs:
- The *global preRun* scripts are run **before** any document area initialization.
- The *DA preRun* scripts are run **before** all apps are installed.
- The *DA Run* scripts are run **after** all apps are installed.
- The *global Run* scripts are run **after** any document area initialization.
## Debugging
The Application Chart uses a job that runs a pod once the Application Layer is available. This pod then creates document areas (if not present) and installs apps into them.
While the job is running, you can check its log using
```
kubectl logs -l nplus/instance=<instance>,nplus/component=application
```
Please substitute `<instance>` with your instance name.
The job/pod is automatically removed shortly after it finishes, so the `kubectl logs` command might not find the resource any more if you try this after minutes. Of course you will still find these logs in splunk, prometheus, kibana or whatever log stack you use.
Alternatively, you can check the log at `/conf/<instance>/application/10init.log` from inside the environment toolbox.
```
kubectl exec --stdin --tty nplus-toolbox-0 -- cat /conf/<instance>/application/10init.log
```
## Wait-One-Minute
If you have an update scenario (and not using argoCD with its waves) and your application is inside your instance, you might get into a race condition problem:
Your Application Layer is still up when the job is created. The jobs waits for the Application Layer, which - since it is still there - is only a split second and then the job executes. Kubernetes might then update the Application Layer which terminates, leaving the job crashing. As the application job only tries to install once, it will be left incomplete.
We use an init container `wait-one-minute`, which will wait a minute before the job executes, leaving Kubernetes and the Application Layer enough time to terminate for the update.
This is the default when **not** using argoCD and waves.
## nplus-application Chart Configuration
You can customize / configure nplus-application by setting configuration values on the command line or in values files,
that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
### Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template,
or escaped quotes).
### Global Values
All values can be set per component, per instance or globally per environment.
Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority:
- Prio 1 - Component Level: `ingress.domain`
- Prio 2 - Instance Level: `global.ingress.domain`
- Prio 3 - Environment Level: `global.environment.ingress.domain`
### Using Values in Templates
As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your
template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version
of your Values.
So an example in your `values.yaml` would be:
```
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
```
This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care.
The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables:
- `.component.chartName`
The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride`
- `.component.shortChartName`
A shorter Version of the name - `nappl` instead of `nplus-component-nappl`
- `.component.prefix`
The instance Prefix used to name the resources including `-`. This prefix is dropped, if the
`.Release.Name` equals `.Release.Namespace` for those of you that only
run one nplus Instance per namespace
- `.component.name`
The name of the component, including `.Values.nameOverride` and some logic
- `.component.fullName`
The fullName inlcuding `.Values.fullnameOverride` and some logic
- `.component.chart`
Mainly the `Chart.Name` and `Chart.Version`
- `.component.storagePath`
The path where the component config is stored in the conf PVC
- `.component.handler`
The handler (either helm, argoCD or manual)
- `.instance.name`
The name of the instance, but with override by `.Values.instanceOverride`
- `.instance.group`
The group, this instance belongs to. Override by `.Values.groupOverride`
- `.instance.version`
The *nscale* version (mostly taken from Application Layer), this instance is deploying.
- `.environment.name`
The name of the environment, but with override by `.Values.environmentNameOverride`
### Keys
You can set any of the following values for this component:
| Key | Description | Default |
|-----|-------------|---------|
docAreas | Provide a list of docareas to create. Please also see the example files | |
download | A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads | |
env | Sets additional environment variables for the configuration. | |
envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | |
envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | |
fullnameOverride | This overrides the output of the internal fullname function | |
**image**&#8203;.name | the name of the image to use | `"application-layer"` |
**image**&#8203;.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` |
**image**&#8203;.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` |
**image**&#8203;.tag | the tag of the image to use | `"latest"` |
**meta**&#8203;.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | |
**meta**&#8203;.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | |
**meta**&#8203;.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | |
**meta**&#8203;.tenant | sets tenant information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"application"` |
**meta**&#8203;.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | |
minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | |
**mounts**&#8203;.caCerts&#8203;.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.caCerts&#8203;.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.componentCerts&#8203;.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.componentCerts&#8203;.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.conf&#8203;.path | Sets the path to the conf files <br>do not change this value | **info only**, do not change<br> `"/application"` |
**mounts**&#8203;.data&#8203;.class | Sets the class of the data disk | |
**mounts**&#8203;.data&#8203;.size | Sets the size of the data disk | |
**mounts**&#8203;.data&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.disk&#8203;.class | Sets the class of the disk | |
**mounts**&#8203;.disk&#8203;.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` |
**mounts**&#8203;.disk&#8203;.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` |
**mounts**&#8203;.disk&#8203;.size | Sets the size of the disk | |
**mounts**&#8203;.disk&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.file&#8203;.class | Sets the class of the shared disk | |
**mounts**&#8203;.file&#8203;.size | Sets the size of the shared disk | |
**mounts**&#8203;.file&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | |
**mounts**&#8203;.logs&#8203;.size | Sets the size of the log disk (all paths) | |
**mounts**&#8203;.pool&#8203;.path | Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution <br>do not change this value | **info only**, do not change<br> `"/pool"` |
**mounts**&#8203;.temp&#8203;.path | Sets the path to the temporary files <br>do not change this value | **info only**, do not change<br> `"/tmp"` |
**mounts**&#8203;.temp&#8203;.size | Sets the size of the temporary disk (all paths) | |
nameOverride | This overrides the output of the internal name function | |
**nappl**&#8203;.account | The technical account to login with | |
**nappl**&#8203;.domain | The domain of the technical account | |
**nappl**&#8203;.host | nappl host name | |
**nappl**&#8203;.instance | instance of the Application Layer, likely `instance1` | |
**nappl**&#8203;.password | The password of the technical accunt (if not set by secret) | |
**nappl**&#8203;.port | nappl port (http 8080 or https 8443) | |
**nappl**&#8203;.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | |
**nappl**&#8203;.ssl | sets the Advanced Connect to tls | |
nodeSelector | select specific nodes for this component | |
**nstl**&#8203;.host | The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration | |
prerun | A list of scripts to run before the deployment of Apps | |
**resources**&#8203;.limits&#8203;.cpu | The maximum allowed CPU for the container | |
**resources**&#8203;.limits&#8203;.memory | The maximum allowed RAM for the container | |
**resources**&#8203;.requests&#8203;.cpu | Set the share of guaranteed CPU to the container. | |
**resources**&#8203;.requests&#8203;.memory | Set the share of guaranteed RAM to the container | |
**rs**&#8203;.host | The dns of the *nscale rendition Server*. This is used to add it to the nappl configuration | |
run | A list of scripts to run after the deployment of Apps | |
**security**&#8203;.containerSecurityContext&#8203;.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive <br>you should not change this | **info only**, do not change<br> `false` |
**security**&#8203;.containerSecurityContext&#8203;.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment <br>you should not change this | **info only**, do not change<br> `true` |
**security**&#8203;.podSecurityContext&#8203;.fsGroup | The file system group as which new files are created <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.podSecurityContext&#8203;.fsGroupChangePolicy | Under which condition should the fsGroup be changed <br>there is normally no need to change this | **info only**, do not change<br> `"OnRootMismatch"` |
**security**&#8203;.podSecurityContext&#8203;.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` |
**telemetry**&#8203;.openTelemetry | turns Open Telemetry on | |
**telemetry**&#8203;.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | |
terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | |
timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` |
tolerations | Set tolerations for this component | |
**utils**&#8203;.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` |
**utils**&#8203;.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` |
**utils**&#8203;.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` |
**utils**&#8203;.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later | `true` |
**utils**&#8203;.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` |
**utils**&#8203;.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` |
waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | |
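Review bot: the script hook key is spelled `preRun` in the "Deploying additional parts" example but `prerun` in the Keys table; Helm values keys are case-sensitive, so one of the two spellings is silently ignored, and the table should match whatever `values.yaml` actually defines. The global script example starts with `#/bin/sh`, which is missing the `!` of the shebang (`#!/bin/sh`); as written the first line is only a comment, the kernel cannot identify an interpreter, and the outcome depends on how the job happens to invoke the file. Finally, the `download` example fetches `my-gba-1.0.1000.zip` from `raw/branch/master` and the job installs whatever it receives; pinning the URL to a commit or tag and documenting a checksum check would let the installer refuse a replaced artifact, since the README currently describes no integrity verification at all.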

@@ -0,0 +1,14 @@
{{- if .Values.docAreas }}
{{- range $docArea := .Values.docAreas }}
Created Document Area {{ $docArea.id }} on Server {{ $.this.nappl.host }}
{{- if $docArea.apps }}
{{- range $app := $docArea.apps }}
- Installed App {{ $app }} into {{ $docArea.id }}
{{- end }}
{{- else }}
- No Apps in Document Area {{ $docArea.id }} specified
{{- end }}
{{- end }}
{{- else }}
No Document Areas specified
{{- end }}
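Review bot: `{{ $.this.nappl.host }}` on the `Created Document Area` line dereferences `nappl` without the nil-safe form the Job template uses (`(.this.nappl).host`), so rendering these notes fails with a nil pointer error whenever `nappl` is not set, even though the Job treats that case as valid ("defined by config file in conf PV"). Use `{{ ($.this.nappl).host }}` here, or guard the line with `{{- if ($.this.nappl).host }}`.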

@@ -0,0 +1,19 @@
apiVersion: nplus.cloud/v1beta1
kind: Application
metadata:
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
name: {{ .component.fullName }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.annotations" . | nindent 4 }}
argocd.argoproj.io/sync-wave: "1"
spec:
docAreas:
{{- toYaml .Values.docAreas | nindent 4 }}
run:
{{- toYaml .Values.run | nindent 4 }}
selector:
{{- include "nplus.selectorLabels" . | nindent 4 }}
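Review bot: `argocd.argoproj.io/sync-wave: "1"` is hardcoded on the Application resource while the ConfigMap and NetworkPolicy in this same change derive the wave from `include "nplus.argoWave"`, so the `meta.wave` value documented in values.schema.json has no effect on this object and it is always synced in wave 1 regardless of the wave configured for the component. Replace the literal with `{{- include "nplus.argoWave" . | nindent 4 }}`, or document why this CR must stay in wave 1. Also, `toYaml .Values.docAreas` renders `null` when `docAreas` is unset; wrapping the `docAreas:` and `run:` keys in `{{- if .Values.docAreas }}` / `{{- if .Values.run }}` keeps the spec clean in that case.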

@@ -0,0 +1,18 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .component.fullName }}-config
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
data:
{{- range $path, $bytes := .Files.Glob "config/*" }}
{{- base $path | nindent 2 }}: |
{{- tpl ($.Files.Get $path) $ | nindent 4 }}
{{- end }}
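Review bot: every file under `config/` is passed through `tpl` with the full root context (`tpl ($.Files.Get $path) $`), so any value a config file references, including `nappl.password` when it is set in values rather than via `nappl.secret`, ends up in plain text in this ConfigMap, which is neither encrypted nor access-restricted the way a Secret can be. Keep credentials out of the templated files and leave them to the `nplus.envCredentials` / secret path the Job already uses. It is also worth stating in the chart docs that `config/*` files are rendered as templates, since a literal `{{` in a script will now break rendering.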

@@ -0,0 +1,89 @@
{{- include "nplus.init" $ -}}
# Component: {{ .component.chartName }}
# will connect to:
{{- if (.this.nappl).host }}
# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }}
{{- else }}
# defined by config file in conf PV.
{{- end }}
#
{{- if (.this.utils).maintenance -}}
# Job must not be running, as we are in maintenance mode and there might not even be a nappl service
{{- else }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
# Deletion ist done by Operator when successful, so no ttl necessary.
# ttlSecondsAfterFinished: 60
template:
metadata:
labels:
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .instance.group | default .instance.name | default .Release.Name }}
app.kubernetes.io/component: {{ .component.chartName }}
{{- include "nplus.templateLabels" . | nindent 8 }}
spec:
# hostname: {{ .component.fullName }}
{{- include "nplus.imagePullSecrets" . | nindent 6 }}
{{- include "nplus.podSecurityContext" . | nindent 6 }}
{{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }}
initContainers:
{{- if (or .this.utils.disableWave (not (and .component.isArgo .this.meta.wave))) }}
{{- include "nplus.waitOneMinute" . | nindent 6 }}
{{- else }}
# -- wait-one-minute - not waiting as {{ .this.utils.disableWave }} {{ .component.isArgo }} {{ .this.meta.wave }}
{{- end }}
{{- include "nplus.waitFor" . | nindent 6 }}
containers:
- name: run
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
env:
# -- NAPPL Connection Credentials
{{- include "nplus.envCredentials" (list
"APP_AL_USER" ($.this.nappl).account
"APP_AL_PASSWORD" ($.this.nappl).password
($.this.nappl).secret
) | nindent 10 }}
{{- include "nplus.environment" . | nindent 8 }}
command: ["/bin/sh", "-c", "/config/run"]
{{- include "nplus.resources" . | nindent 8 }}
volumeMounts:
{{- include "nplus.defaultMounts" . | nindent 8 }}
- name: config
mountPath: /config
- name: conf
subPath: {{ .this.instance.name }}
mountPath: /instance
volumes:
{{- include "nplus.defaultVolumes" . | nindent 6 }}
- name: config
configMap:
name: {{ .component.fullName }}-config
defaultMode: 0777
restartPolicy: Never
backoffLimit: 0
{{- end }}
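Review bot: `defaultMode: 0777` on the `config` ConfigMap volume grants more than the run script needs; the only requirement visible here is that `/config/run` be executable by the non-root `runAsUser` (1001), so `defaultMode: 0555` is sufficient and in keeping with the read-only root filesystem and dropped capabilities the chart sets elsewhere. Two smaller points: the `# -- wait-one-minute - not waiting as ...` comment renders internal values (`disableWave`, `isArgo`, `meta.wave`) into every manifest, which is debug output rather than documentation and belongs behind the `utils.renderComments` switch; and with `restartPolicy: Never` plus `backoffLimit: 0` a single transient failure (for example nappl not yet accepting requests right after `waitFor` returns) leaves the PostSync hook failed with no retry, which may be intended but deserves a comment next to the commented-out `ttlSecondsAfterFinished`.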

@@ -0,0 +1,28 @@
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
nplus/group: {{ .instance.group }}
nplus/type: core
{{- end }}
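Review bot: with `policyTypes: [Egress]` and a single `to` rule, everything not matching `nplus/group` / `nplus/type: core` is denied, including DNS to the cluster resolver, so the Job can neither resolve the `nappl` service name nor reach the `download` URLs from values (blocking the downloads may be intended, blocking DNS is not). Add an egress rule for port 53 UDP and TCP to the cluster DNS pods (a `namespaceSelector` for `kube-system` plus the DNS pod labels), and either permit or document the blocked asset downloads. Also, `nplus/group: {{ .instance.group }}` renders an empty value when `group` is unset, whereas the Job's pod labels fall back with `.instance.group | default .instance.name | default .Release.Name`; the selector should use the same default chain, otherwise the rule matches no pod and the Job is cut off entirely.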

@@ -0,0 +1,725 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"docAreas": {
"default": "",
"description": "Provide a list of docareas to create. Please also see the example files",
"title": "docAreas"
},
"download": {
"default": "",
"description": "A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads",
"title": "download"
},
"env": {
"default": "",
"description": "Sets additional environment variables for the configuration.",
"title": "env"
},
"envMap": {
"default": "",
"description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.",
"title": "envMap"
},
"envSecret": {
"default": "",
"description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.",
"title": "envSecret"
},
"fullnameOverride": {
"default": "",
"description": "This overrides the output of the internal fullname function",
"title": "fullnameOverride"
},
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
},
"globals": {
"description": "nplus Global Functions Library Chart",
"properties": {
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
}
},
"title": "nplus-globals",
"type": "object"
},
"image": {
"additionalProperties": false,
"description": "provide the image to be used for this component",
"properties": {
"name": {
"default": "application-layer",
"description": "the name of the image to use",
"title": "name"
},
"pullSecrets": {
"description": "you can provide your own pullSecrets, in case you use a private repo.",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
]
},
"title": "pullSecrets"
},
"repo": {
"default": "ceyoniq.azurecr.io/release/nscale",
"description": "if you use a private repo, feel free to set it here",
"title": "repo"
},
"tag": {
"default": "ubi.9.3.1300.2024121814",
"description": "the tag of the image to use",
"title": "tag"
}
},
"title": "image"
},
"meta": {
"additionalProperties": false,
"properties": {
"componentVersion": {
"default": "",
"description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify",
"title": "componentVersion"
},
"language": {
"default": "",
"description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.",
"title": "language"
},
"ports": {
"additionalProperties": false,
"description": "lists the ports this component exposes. This is important for zero trust mode and others.",
"properties": {
"http": {
"default": "",
"description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.",
"title": "http"
},
"https": {
"default": "",
"description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "https"
},
"rmi": {
"default": "",
"description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "rmi"
},
"tcp": {
"default": "",
"description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcp"
},
"tcps": {
"default": "",
"description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcps"
}
},
"title": "ports"
},
"provider": {
"default": "",
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment",
"title": "provider"
},
"serviceContainer": {
"default": "",
"description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any",
"title": "serviceContainer"
},
"stage": {
"default": "",
"description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)",
"title": "stage"
},
"tenant": {
"default": "",
"description": "sets tenant information to be able to invoice per use in a cloud environment",
"title": "tenant"
},
"type": {
"default": "application",
"description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.",
"title": "type"
},
"wave": {
"default": "",
"description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation",
"title": "wave"
}
},
"title": "meta",
"type": "object"
},
"minReplicaCountType": {
"default": "",
"description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer",
"title": "minReplicaCountType"
},
"mounts": {
"additionalProperties": false,
"properties": {
"caCerts": {
"additionalProperties": false,
"description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.",
"properties": {
"configMap": {
"default": "",
"description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting",
"title": "configMap"
},
"paths": {
"default": "",
"description": "Sets the path to the certs folder. @internal -- do not change this value",
"title": "paths"
},
"secret": {
"default": "",
"description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting",
"title": "secret"
}
},
"title": "caCerts"
},
"componentCerts": {
"additionalProperties": false,
"description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here",
"properties": {
"configMap": {
"default": "",
"description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting",
"title": "configMap"
},
"paths": {
"default": "",
"description": "Sets the path to the component certs. @internal -- do not change this value",
"title": "paths"
},
"secret": {
"default": "",
"description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting",
"title": "secret"
}
},
"title": "componentCerts"
},
"conf": {
"additionalProperties": false,
"description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment",
"properties": {
"path": {
"default": "/application",
"description": "Sets the path to the conf files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the conf files @internal -- do not change this value",
"title": "paths"
}
},
"title": "conf"
},
"data": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the data disk",
"title": "class"
},
"path": {
"default": "",
"description": "Sets the path to the data files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the data files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the data disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "data",
"type": "object"
},
"disk": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the disk",
"title": "class"
},
"enabled": {
"default": "false",
"description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.",
"title": "enabled"
},
"migration": {
"default": "false",
"description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!",
"title": "migration"
},
"path": {
"default": "",
"description": "Sets the path to the disk files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the data files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "disk",
"type": "object"
},
"file": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the shared disk",
"title": "class"
},
"path": {
"default": "",
"description": "Sets the path to the shared files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the shared files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the shared disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "file",
"type": "object"
},
"fonts": {
"additionalProperties": false,
"description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the fonts folder. @internal -- do not change this value",
"title": "path"
}
},
"title": "fonts"
},
"generic": {
"default": "",
"description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.",
"title": "generic"
},
"license": {
"additionalProperties": false,
"description": "some nscale Components require a license file and this defines it's location",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the license files @internal -- do not change this value",
"title": "path"
}
},
"title": "license"
},
"logs": {
"additionalProperties": false,
"description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the log files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the log files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the log disk (all paths)",
"title": "size"
}
},
"title": "logs"
},
"pool": {
"additionalProperties": false,
"properties": {
"path": {
"default": "/pool",
"description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value",
"title": "path"
}
},
"title": "pool",
"type": "object"
},
"ptemp": {
"additionalProperties": false,
"description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only",
"properties": {
"path": {
"default": "",
"description": "Sets the path for temporary files that are persisted @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value",
"title": "paths"
}
},
"title": "ptemp"
},
"temp": {
"additionalProperties": false,
"description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only",
"properties": {
"path": {
"default": "/tmp",
"description": "Sets the path to the temporary files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the temporary files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the temporary disk (all paths)",
"title": "size"
}
},
"title": "temp"
}
},
"title": "mounts",
"type": "object"
},
"nameOverride": {
"default": "",
"description": "This overrides the output of the internal name function",
"title": "nameOverride"
},
"nappl": {
"additionalProperties": false,
"description": "The nscale Application Layer, this component should talk to",
"properties": {
"account": {
"default": "",
"description": "The technical account to login with",
"title": "account"
},
"domain": {
"default": "",
"description": "The domain of the technical account",
"title": "domain"
},
"host": {
"default": "",
"description": "nappl host name",
"title": "host"
},
"instance": {
"default": "",
"description": "instance of the Application Layer, likely `instance1`",
"title": "instance"
},
"password": {
"default": "",
"description": "The password of the technical accunt (if not set by secret)",
"title": "password"
},
"port": {
"default": "",
"description": "nappl port (http 8080 or https 8443)",
"title": "port"
},
"secret": {
"default": "",
"description": "An optional secret that holds the credentials (the keys must be `account` and `password`)",
"title": "secret"
},
"ssl": {
"default": "",
"description": "sets the Advanced Connect to tls",
"title": "ssl"
}
},
"title": "nappl"
},
"nodeSelector": {
"default": "",
"description": "select specific nodes for this component",
"title": "nodeSelector"
},
"nstl": {
"additionalProperties": false,
"properties": {
"host": {
"default": "",
"description": "The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration",
"title": "host"
}
},
"title": "nstl",
"type": "object"
},
"prerun": {
"default": "",
"description": "A list of scripts to run before the deployment of Apps",
"title": "prerun"
},
"resources": {
"additionalProperties": false,
"description": "Assigns hardware resources to container",
"properties": {
"limits": {
"additionalProperties": false,
"description": "Limits the maximum resources",
"properties": {
"cpu": {
"default": "",
"description": "The maximum allowed CPU for the container",
"title": "cpu"
},
"memory": {
"default": "",
"description": "The maximum allowed RAM for the container",
"title": "memory"
}
},
"title": "limits"
},
"requests": {
"additionalProperties": false,
"description": "Requests are used to assign a minimum to a container. This is the guaranteed amount",
"properties": {
"cpu": {
"default": "",
"description": "Set the share of guaranteed CPU to the container.",
"title": "cpu"
},
"memory": {
"default": "",
"description": "Set the share of guaranteed RAM to the container",
"title": "memory"
}
},
"title": "requests"
}
},
"title": "resources"
},
"rs": {
"additionalProperties": false,
"properties": {
"host": {
"default": "",
"description": "The dns of the *nscale rendition Server*. This is used to add it to the nappl configuration",
"title": "host"
}
},
"title": "rs",
"type": "object"
},
"run": {
"default": "",
"description": "A list of scripts to run after the deployment of Apps",
"title": "run"
},
"security": {
"additionalProperties": false,
"description": "Security Section defining default runtime environment for your container",
"properties": {
"containerSecurityContext": {
"additionalProperties": false,
"properties": {
"allowPrivilegeEscalation": {
"default": "false",
"description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this",
"title": "allowPrivilegeEscalation"
},
"capabilities": {
"additionalProperties": false,
"description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this",
"properties": {
"drop": {
"items": {
"anyOf": [
{
"type": "string"
}
]
},
"title": "drop",
"type": "array"
}
},
"title": "capabilities"
},
"readOnlyRootFilesystem": {
"default": "true",
"description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this",
"title": "readOnlyRootFilesystem"
}
},
"title": "containerSecurityContext",
"type": "object"
},
"podSecurityContext": {
"additionalProperties": false,
"properties": {
"fsGroup": {
"default": "1001",
"description": "The file system group as which new files are created @internal -- there is normally no need to change this",
"title": "fsGroup"
},
"fsGroupChangePolicy": {
"default": "OnRootMismatch",
"description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this",
"title": "fsGroupChangePolicy"
},
"runAsUser": {
"default": "1001",
"description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this",
"title": "runAsUser"
}
},
"title": "podSecurityContext",
"type": "object"
},
"zeroTrust": {
"default": "`false`",
"description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes",
"title": "zeroTrust"
}
},
"title": "security"
},
"telemetry": {
"additionalProperties": false,
"description": "Settings for telemetry tools",
"properties": {
"openTelemetry": {
"default": "",
"description": "turns Open Telemetry on",
"title": "openTelemetry"
},
"serviceName": {
"default": "",
"description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"",
"title": "serviceName"
}
},
"title": "telemetry"
},
"terminationGracePeriodSeconds": {
"default": "",
"description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults",
"title": "terminationGracePeriodSeconds"
},
"timezone": {
"default": "`Europe/Berlin`",
"description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.",
"title": "timezone"
},
"tolerations": {
"default": "",
"description": "Set tolerations for this component",
"title": "tolerations"
},
"utils": {
"additionalProperties": false,
"properties": {
"debug": {
"default": "`false`",
"description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide",
"title": "debug"
},
"disableWait": {
"default": "`false`",
"description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.",
"title": "disableWait"
},
"disableWave": {
"default": "`false`",
"description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.",
"title": "disableWave"
},
"includeNamespace": {
"default": "`true`",
"description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later",
"title": "includeNamespace"
},
"maintenance": {
"default": "`false`",
"description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.",
"title": "maintenance"
},
"renderComments": {
"default": "`true`",
"description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD",
"title": "renderComments"
}
},
"title": "utils",
"type": "object"
},
"waitFor": {
"default": "",
"description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.",
"title": "waitFor"
}
},
"type": "object"
}
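Review bot: the security-relevant switches (`security.zeroTrust`, `containerSecurityContext.readOnlyRootFilesystem`, `containerSecurityContext.allowPrivilegeEscalation`, `podSecurityContext.runAsUser`, and all of `utils.*`) carry a `default` and `description` but no `type`, so the schema accepts `readOnlyRootFilesystem: "ture"` or `runAsUser: root` and the mistake surfaces only at deploy time, if at all; add `"type": "boolean"` or `"type": "integer"` to those properties (and `"type": "array"` for `docAreas`, `download`, `prerun`, `run`, `waitFor`) so that `helm lint` and `helm install` reject them. Smaller points: several `default` strings embed markdown backticks (e.g. `` "`false`" `` for `zeroTrust` and the `utils` flags, `` "`Europe/Berlin`" `` for `timezone`), which is display text rather than a default value; `image.pullSecrets.items.anyOf` lists `{"type": "string"}` twice; and descriptions contain typos (`podDesruptionBudget`, `primaty`, `superflues`, `accunt`, `ist run`, `it's location`).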

@@ -0,0 +1,338 @@
# yaml-language-server: $schema=values.schema.json
meta:
# -- the type of the component. You should not change this value, except if
# you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner*
# This type is used to create cluster communication for nappl and nstl and potentially
# group multiple replicaSets into one service.
type: application
# -- lists the ports this component exposes. This is important for zero trust mode and others.
ports:
# -- The http port this component uses (if any). In zero trust mode, this will be disabled.
# @internal -- this is a constant value of the component and should not be changed.
http:
# -- The tls / https port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
https:
# -- A potential tcp port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcp:
# -- A potential tls / tcps port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcps:
# -- A potential rmi port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
rmi:
# -- sets tenant information to be able to invoice per use in a cloud environment
tenant:
# -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment
provider:
# -- Sets the wave in which this component should be deployed within an ArgoCD deployment
# if unset, it uses the default wave thus all components are installed in one wave, then relying
# on correct wait settings just like in a helm installation
wave:
# -- Sets the language of the main service (in the *service* container). This is used for instance
# if you turn OpenTelemetry on, to know which Agent to inject into the container.
language:
# -- The container name of the main service for this component. This is used to define where to
# inject the telemetry agents, if any
serviceContainer:
# -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment
# runs in. This can be used in template functions to add the stage to for instance the service name of
# telemetry services like open telemetry. (see telemetry example)
stage:
# -- This is the version of the component, used for display
# @internal -- set by devOps pipeline, so do not modify
componentVersion:
mounts:
# -- The conf volume is a RWX volume mounted by the environment, that holds
# all configurations of all instances and components in this environment
conf:
# -- Sets the path to the conf files
# @internal -- do not change this value
path: "/application"
# -- Sets a list of paths to the conf files
# @internal -- do not change this value
paths:
pool:
# -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted.
# this is used to store scripts, apps and assets that are required to deploy an application / solution
# @internal -- do not change this value
path: "/pool"
# -- The temp volume is used to hold any superflues and temporary data.
# it is deleted when the pod terminates. However, it is extremely important
# as all pods filesystems are read only
temp:
# -- Sets the path to the temporary files
# @internal -- do not change this value
path: "/tmp"
# -- Sets a list of paths to the temporary files
# @internal -- do not change this value
paths:
# -- Sets the size of the temporary disk (all paths)
size:
# -- The log volume is used to take any left-over logging in the container.
# The container should log to stdout, but if any component still tries to log to disk
# this disk needs to be writeable
logs:
# -- Sets the path to the log files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the log files
# @internal -- do not change this value
paths:
# -- Sets the size of the log disk (all paths)
size:
# -- some nscale Components require a license file and this
# defines it's location
license:
# -- Sets the path to the license files
# @internal -- do not change this value
path:
# -- If you want to use additional
# fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the
# fonts directory from the environment pool
fonts:
# -- Sets the path to the fonts folder.
# @internal -- do not change this value
path:
# -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to
# connect to alien services via https. If you have a self-signed root certificate,
# you can also add it here.
caCerts:
# -- Sets the path to the certs folder.
# @internal -- do not change this value
paths:
# -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting
secret:
# -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting
configMap:
# -- the java based nscale components have their own certificates, that you might want to upload.
# You can normally do so via the environment configuration, but should you want to use a secret,
# you can set it here
componentCerts:
# -- Sets the path to the component certs.
# @internal -- do not change this value
paths:
# -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting
secret:
# -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting
configMap:
data:
# -- Sets the size of the data disk
size:
# -- Sets the class of the data disk
class:
# -- Sets the path to the data files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the data files
# @internal -- do not change this value
paths:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
file:
# -- Sets the size of the shared disk
size:
# -- Sets the class of the shared disk
class:
# -- Sets the path to the shared files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the shared files
# @internal -- do not change this value
paths:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
# -- The temp volume is used to hold any superflues and temporary data.
# it is deleted when the pod terminates. However, it is extremely important
# as all pods filesystems are read only
ptemp:
# -- Sets the path for temporary files that are persisted
# @internal -- do not change this value
path:
# -- Sets a list of paths for temporary files that are persisted
# @internal -- do not change this value
paths:
# -- Allows to define generic mounts of pre-provisioned PVs into any container.
# This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.
generic:
disk:
# -- Sets the size of the disk
size:
# -- Sets the class of the disk
class:
# -- Sets the path to the disk files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the data files
# @internal -- do not change this value
paths:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
# -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk.
# In case of the (default) disabled, the paths will be added to the primaty data disk.
enabled: false
# -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk.
# This is done only once and only if there is legacy data at all. No files are overwritten!
migration: false
# -- The nscale Application Layer, this component should talk to
nappl:
# -- nappl host name
host:
# -- nappl port (http 8080 or https 8443)
port:
# -- sets the Advanced Connect to tls
ssl:
# -- instance of the Application Layer, likely `instance1`
instance:
# -- The technical account to login with
account:
# -- The domain of the technical account
domain:
# -- The password of the technical accunt (if not set by secret)
password:
# -- An optional secret that holds the credentials (the keys must be `account` and `password`)
secret:
nstl:
# -- The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration
host:
rs:
# -- The dns of the *nscale rendition Server*. This is used to add it to the nappl configuration
host:
# -- provide the image to be used for this component
image:
# -- you can provide your own pullSecrets, in case you use
# a private repo.
pullSecrets:
- nscale-cr
- nplus-cr
# -- the name of the image to use
name: application-layer
# -- the tag of the image to use
tag: latest
# -- if you use a private repo, feel free to set it here
repo: ceyoniq.azurecr.io/release/nscale
# -- Security Section defining default runtime environment for your container
security:
podSecurityContext:
# -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context
# for security
# @internal -- there is normally no need to change this
runAsUser: 1001
# -- The file system group as which new files are created
# @internal -- there is normally no need to change this
fsGroup: 1001
# -- Under which condition should the fsGroup be changed
# @internal -- there is normally no need to change this
fsGroupChangePolicy: OnRootMismatch
containerSecurityContext:
# -- sets the container root file system to read only. This should be the case in production environment
# @internal -- you should not change this
readOnlyRootFilesystem: true
# -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
# @internal -- you should not change this
allowPrivilegeEscalation: false
# -- Capabilities this container should have. Only allow the necessity, and drop as many as possible
# @internal -- you should not change this
capabilities:
drop:
- ALL
# -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes
# @default -- `false`
zeroTrust:
# -- Assigns hardware resources to container
resources:
# -- Requests are used to assign a minimum to a container. This is the guaranteed amount
requests:
# -- Set the share of guaranteed CPU to the container.
cpu:
# -- Set the share of guaranteed RAM to the container
memory:
# -- Limits the maximum resources
limits:
# -- The maximum allowed CPU for the container
cpu:
# -- The maximum allowed RAM for the container
memory:
# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl)
# etc.
# @default -- `Europe/Berlin`
timezone:
# -- Set tolerations for this component
tolerations:
# -- select specific nodes for this component
nodeSelector:
# -- Sets the name of a secret, which holds additional environment variables for
# the configuration. It is added as envFrom secretRef to the container.
envSecret:
# -- Sets the name of a configMap, which holds additional environment variables for
# the configuration. It is added as envFrom configMap to the container.
envMap:
# -- Sets additional environment variables for
# the configuration.
env:
# -- This overrides the output of the internal name function
nameOverride:
# -- This overrides the output of the internal fullname function
fullnameOverride:
# -- A list of scripts to run after the deployment of Apps
run:
# -- A list of scripts to run before the deployment of Apps
prerun:
# -- A list of URLs (Links) to Assets to download before anything else
# if the download is a .tar.gz, it is automatically untared to /pool/downloads
download:
# -- Provide a list of docareas to create. Please also see the example files
docAreas:
utils:
# -- Turn debugging *on* will give you stack trace etc.
# Please check out the Chart Developer Guide
# @default -- `false`
debug:
# -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It
# will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD
# @default -- `true`
renderComments:
# -- By default, the namespace is rendered into the manifest. However, if you want to use
# `helm template` and store manifests for later applying them to multiple namespaces, you might
# want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later
# @default -- `true`
includeNamespace:
# -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the
# pods will start in idle, not starting the service at all. This will allow you to gain access to the container
# to perform recovery and maintenance tasks while having the real container up.
# @default -- `false`
maintenance:
# -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components
# of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components
# while previous waves are not finished yet.
# @default -- `false`
disableWave:
# -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are
# only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might
# start components even if they are not intended to run yet.
# @default -- `false`
disableWait:
# -- Defines a list of conditions that need to be met before this components starts.
# The condition must be a network port that opens, when the master component is ready.
# Mostly, this will be a service, since a component is only added to a service if the
# probes succeed.
waitFor:
# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as
# minAvailable, using the component type as selector. This is useful for components, that are spread
# across multiple replicaSets, like sharepoint or storage layer
minReplicaCountType:
# -- Settings for telemetry tools
telemetry:
# -- turns Open Telemetry on
openTelemetry:
# -- Sets the service name for the telemetry service to more convenient
# identify the displayed component
# Example: "{{ .this.meta.type }}-{{ .instance.name }}"
serviceName:
# -- Sets the terminationGracePeriodSeconds for the component
# If not set, it uses the Kubernetes defaults
terminationGracePeriodSeconds:
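Review bot: the `security` block drops all capabilities and sets `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, but it does not set `runAsNonRoot: true` or a `seccompProfile`, so a pod rendered from these defaults would be rejected by the `restricted` Pod Security Standard, and nothing stops an override of `runAsUser` to `0` from actually starting a root container despite the "Avoid 0 / root" comment; suggest adding `runAsNonRoot: true` and `seccompProfile: { type: RuntimeDefault }` next to `runAsUser: 1001`. Three further points in the same file: `nappl.password` takes the technical account's password as a plain value, which then lives in the Helm release secret or in the Git repository ArgoCD syncs from, so the comment should steer users to `nappl.secret` and mark the plaintext key as non-production only; `image.tag: latest` is a mutable tag, and a pinned version (or digest) would be the safer default for images pulled from `ceyoniq.azurecr.io`; the `ptemp` comment was copied from `temp` and says the data "is deleted when the pod terminates", which contradicts the key's own description "temporary files that are persisted". Typos: "superflues" (superfluous), "primaty", "accunt", "ist run", "podDesruptionBudget", "depricated", "starndard".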


@@ -0,0 +1,6 @@
apiVersion: v2
name: nplus-cluster
description: Installs Cluster-Wide Resources such as CRDs
icon: 
type: application
version: 1.0.0

charts/cluster/README.md Normal file

@@ -0,0 +1,6 @@
# nplus-cluster
Installs Cluster-Wide Resources such as CRDs


@@ -0,0 +1,81 @@
{{/*
#
# Dieses ist erstmal ausgeschaltet, vielleicht brauchen wir das mal in einer späteren Version
#
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nplus-role-argo
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
rules:
- apiGroups: ["argoproj.io"]
resources: ["applications"]
verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nplus-role-binding-argo
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nplus-role-argo
subjects:
- kind: ServiceAccount
name: nplus-svc-account
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: nplus-argo-role
namespace: argocd
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["configmaps", "application","applicationset"]
verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: nplus-argo-role-binding
namespace: argocd
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nplus-argo-role
subjects:
- kind: ServiceAccount
name: nplus-svc-account
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
*/}}
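Review bot: the whole file is wrapped in a `{{/* ... */}}` Helm comment, so it renders nothing today, but the RBAC it would produce has defects that should be fixed before it is ever switched on. The namespaced `Role` in `argocd` lists `resources: ["configmaps", "application","applicationset"]` under `apiGroups: [""]`; Argo CD's Application and ApplicationSet objects live in the `argoproj.io` group and RBAC rules use plural resource names, so as written the rule matches no Argo resource at all; split it into a core-group rule for `configmaps` and an `argoproj.io` rule for `applications` and `applicationsets`. The `ClusterRole` grants create/update/delete on every `applications.argoproj.io` object in the cluster to `nplus-svc-account`, while the namespaced Role already covers the `argocd` namespace, so the cluster-wide grant looks unnecessary. Also, `namespace` on the `ServiceAccount` subject is only emitted when `.this.utils.includeNamespace` is true, yet the API server requires a namespace for ServiceAccount subjects, so bindings rendered with that flag off would be rejected on apply. Minor: the leading German comment ("Dieses ist erstmal ausgeschaltet, vielleicht brauchen wir das mal in einer späteren Version", i.e. "this is switched off for now, we may need it in a later version") should be in English like the rest of the charts.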


@@ -0,0 +1,54 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: applications.nplus.cloud
spec:
group: nplus.cloud
scope: Namespaced
names:
kind: Application
singular: application
plural: applications
categories:
- nplus
- nscale
versions:
- name: v1beta1
served: true
storage: true
additionalPrinterColumns:
- name: Environment
type: string
jsonPath: .metadata.labels.nplus/environment
priority: 1
- name: Instance
type: string
jsonPath: .metadata.labels.nplus/instance
- name: Application
type: string
jsonPath: .metadata.labels.nplus/component
- name: Version
type: string
jsonPath: .metadata.annotations.nplus/componentVersion
- name: Status
type: string
jsonPath: .status.message
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
properties:
message:
description: Health human readable
type: string
id:
description: Health status id
type: integer
updateTimestamp:
description: Timestamp of last Health Change
type: string
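Review bot: the CRD declares `.status.message`, `.status.id` and `.status.updateTimestamp` but does not enable the status subresource (`subresources: status: {}` under the version entry), so there is no `/status` endpoint: the operator has to write status through a full object update, any client with `update` on `applications.nplus.cloud` can rewrite status (including the health `message` shown in the Status column), and every status write bumps `metadata.generation`. With the subresource enabled, the operator's RBAC can be narrowed to `applications/status`. `spec` is an open object (`x-kubernetes-preserve-unknown-fields: true`), which is acceptable for a `v1beta1` API but means no field of an Application is validated on admission; a comment saying this is intentional would help.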


@@ -0,0 +1,57 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: components.nplus.cloud
spec:
group: nplus.cloud
scope: Namespaced
names:
kind: Component
singular: component
plural: components
categories:
- nplus
- nscale
versions:
- name: v1beta1
served: true
storage: true
additionalPrinterColumns:
- name: Environment
type: string
jsonPath: .metadata.labels.nplus/environment
priority: 1
- name: Instance
type: string
jsonPath: .metadata.labels.nplus/instance
- name: Component
type: string
jsonPath: .metadata.labels.nplus/component
- name: Type
type: string
jsonPath: .metadata.labels.nplus/type
- name: Version
type: string
jsonPath: .metadata.annotations.nplus/componentVersion
- name: Status
type: string
jsonPath: .status.message
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
properties:
message:
description: Health human readable
type: string
id:
description: Health status id
type: integer
updateTimestamp:
description: Timestamp of last Health Change
type: string
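Review bot: same remark as for `applications.nplus.cloud`: the `status` fields are declared but `subresources: status: {}` is missing, so status is writable by anyone who can update a Component and the operator cannot be restricted to `components/status`. `.status.id` is described only as "Health status id"; documenting the set of values it can take (or adding an enum) would make the Status column and any alerting built on it reliable.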


@@ -0,0 +1,92 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: instances.nplus.cloud
spec:
group: nplus.cloud
scope: Namespaced
names:
kind: Instance
singular: instance
plural: instances
categories:
- nplus
- nscale
versions:
- name: v1beta1
served: true
storage: true
additionalPrinterColumns:
- name: Handler
type: string
jsonPath: .spec.handler
- name: Version
type: string
jsonPath: .spec.nscaleVersion
- name: Tenant
type: string
jsonPath: .spec.tenant
- name: Provider
type: string
jsonPath: .spec.provider
priority: 1
- name: Status
type: string
jsonPath: .status.message
- name: Components
type: string
jsonPath: .spec.components
priority: 2
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
# x-kubernetes-preserve-unknown-fields: true
properties:
nscaleVersion:
type: string
components:
type: string
handler:
type: string
tenant:
type: string
provider:
type: string
url:
type: string
expected:
type: array
items:
type: object
properties:
component:
type: string
replicaCount:
type: integer
required:
- component
- replicaCount
status:
type: object
properties:
usage:
type: object
properties:
volume:
type: integer
accounts:
type: integer
documents:
type: integer
message:
description: Health human readable
type: string
id:
description: Health status id
type: integer
updateTimestamp:
description: Timestamp of last Health Change
type: string
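Review bot: unlike the other two CRDs, `spec` here is a closed structural schema (the `x-kubernetes-preserve-unknown-fields` line is commented out), so apiextensions v1 silently prunes any key that is not listed, and a typo such as `nscaleversion:` in an Instance manifest disappears without an error; if that is intended, say so in a comment, otherwise mark the essential keys (`handler`, `nscaleVersion`) as `required` so mistakes surface at admission. The status subresource is missing here as well, which matters more for this kind because `.status.usage` (`volume`, `accounts`, `documents`) looks like billing-relevant data that any writer of the Instance could alter. Two smaller points: `url` is in the schema but surfaced nowhere, and `components` is a plain string while `expected[]` is a typed list of component/replicaCount pairs, so the expected format of `components` should be documented.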


@@ -0,0 +1,12 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
}
},
"type": "object"
}


@@ -0,0 +1,2 @@
# yaml-language-server: $schema=values.schema.json
{}

charts/cmis/Chart.yaml Normal file

@@ -0,0 +1,11 @@
apiVersion: v2
name: nplus-component-cmis
description: nscale CMIS Connector, provides a CMIS Interface to the Instance
icon: 
type: application
dependencies:
- name: nplus-globals
alias: globals
version: "*-0"
repository: "file://../globals"
version: 1.0.0

charts/cmis/README.md Normal file

@@ -0,0 +1,179 @@
# nplus-component-cmis
nscale CMIS Connector, provides a CMIS Interface to the Instance
## nplus-component-cmis Chart Configuration
You can customize / configure nplus-component-cmis by setting configuration values on the command line or in values files,
that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
### Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template,
or escaped quotes).
### Global Values
All values can be set per component, per instance or globally per environment.
Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority:
- Prio 1 - Component Level: `ingress.domain`
- Prio 2 - Instance Level: `global.ingress.domain`
- Prio 3 - Environment Level: `global.environment.ingress.domain`
### Using Values in Templates
As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your
template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version
of your Values.
So an example in your `values.yaml` would be:
```
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
```
This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care.
The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables:
- `.component.chartName`
The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride`
- `.component.shortChartName`
A shorter Version of the name - `nappl` instead of `nplus-component-nappl`
- `.component.prefix`
The instance Prefix used to name the resources including `-`. This prefix is dropped, if the
`.Release.Name` equals `.Release.Namespace` for those of you that only
run one nplus Instance per namespace
- `.component.name`
The name of the component, including `.Values.nameOverride` and some logic
- `.component.fullName`
The fullName inlcuding `.Values.fullnameOverride` and some logic
- `.component.chart`
Mainly the `Chart.Name` and `Chart.Version`
- `.component.storagePath`
The path where the component config is stored in the conf PVC
- `.component.handler`
The handler (either helm, argoCD or manual)
- `.instance.name`
The name of the instance, but with override by `.Values.instanceOverride`
- `.instance.group`
The group, this instance belongs to. Override by `.Values.groupOverride`
- `.instance.version`
The *nscale* version (mostly taken from Application Layer), this instance is deploying.
- `.environment.name`
The name of the environment, but with override by `.Values.environmentNameOverride`
### Keys
You can set any of the following values for this component:
| Key | Description | Default |
|-----|-------------|---------|
env | Sets additional environment variables for the configuration. | |
envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | |
envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | |
fullnameOverride | This overrides the output of the internal fullname function | |
**image**&#8203;.name | the name of the image to use | `"cmis-connector"` |
**image**&#8203;.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` |
**image**&#8203;.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` |
**image**&#8203;.tag | the tag of the image to use | `"latest"` |
**ingress**&#8203;.annotations | Adds extra Annotations to the ingress | |
**ingress**&#8203;.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http` <br> `https` in zero trust mode |
**ingress**&#8203;.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` |
**ingress**&#8203;.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/cmis"` |
**ingress**&#8203;.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | |
**ingress**&#8203;.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | |
**ingress**&#8203;.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | |
**ingress**&#8203;.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` |
**ingress**&#8203;.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" |
**ingress**&#8203;.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | |
**ingress**&#8203;.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` |
**ingress**&#8203;.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | |
**javaOpts**&#8203;.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | |
**javaOpts**&#8203;.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | |
**javaOpts**&#8203;.javaMinMem | set the minimum memory, java will consume | |
**javaOpts**&#8203;.javaMisc | Any misc Java Options that need to be passed to the container | |
**meta**&#8203;.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` |
**meta**&#8203;.ports&#8203;.http | The http port this component uses (if any). In zero trust mode, this will be disabled. <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `8096` |
**meta**&#8203;.ports&#8203;.https | The tls / https port, this component uses (if any) <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `8196` |
**meta**&#8203;.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"cmis-connector"` |
**meta**&#8203;.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | |
**meta**&#8203;.tenant | sets tenant information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"cmis"` |
**meta**&#8203;.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | |
minReplicaCount | if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas. | |
minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | |
**mounts**&#8203;.caCerts&#8203;.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.caCerts&#8203;.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.componentCerts&#8203;.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.componentCerts&#8203;.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.conf&#8203;.path | Sets the path to the conf files <br>do not change this value | **info only**, do not change<br> `"/opt/ceyoniq/nscale-cmis-connector/conf"` |
**mounts**&#8203;.data&#8203;.class | Sets the class of the data disk | |
**mounts**&#8203;.data&#8203;.size | Sets the size of the data disk | |
**mounts**&#8203;.data&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.disk&#8203;.class | Sets the class of the disk | |
**mounts**&#8203;.disk&#8203;.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` |
**mounts**&#8203;.disk&#8203;.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` |
**mounts**&#8203;.disk&#8203;.size | Sets the size of the disk | |
**mounts**&#8203;.disk&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.file&#8203;.class | Sets the class of the shared disk | |
**mounts**&#8203;.file&#8203;.size | Sets the size of the shared disk | |
**mounts**&#8203;.file&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | |
**mounts**&#8203;.logs&#8203;.path | Sets the path to the log files <br>do not change this value | **info only**, do not change<br> `"/opt/ceyoniq/nscale-cmis-connector/logs"` |
**mounts**&#8203;.logs&#8203;.size | Sets the size of the log disk (all paths) | `"1Gi"` |
**mounts**&#8203;.temp&#8203;.path | Sets the path to the temporary files <br>do not change this value | **info only**, do not change<br> `"/opt/ceyoniq/nscale-cmis-connector/temp"` |
**mounts**&#8203;.temp&#8203;.size | Sets the size of the temporary disk (all paths) | `"1Gi"` |
nameOverride | This overrides the output of the internal name function | |
**nappl**&#8203;.account | The technical account to login with | |
**nappl**&#8203;.domain | The domain of the technical account | |
**nappl**&#8203;.host | nappl host name | |
**nappl**&#8203;.instance | instance of the Application Layer, likely `instance1` | |
**nappl**&#8203;.password | The password of the technical accunt (if not set by secret) | |
**nappl**&#8203;.port | nappl port (http 8080 or https 8443) | |
**nappl**&#8203;.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | |
**nappl**&#8203;.ssl | sets the Advanced Connect to tls | |
nodeSelector | select specific nodes for this component | |
replicaCount | Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1. | `1` |
**resources**&#8203;.limits&#8203;.cpu | The maximum allowed CPU for the container | |
**resources**&#8203;.limits&#8203;.memory | The maximum allowed RAM for the container | |
**resources**&#8203;.requests&#8203;.cpu | Set the share of guaranteed CPU to the container. | |
**resources**&#8203;.requests&#8203;.memory | Set the share of guaranteed RAM to the container | |
**security**&#8203;.containerSecurityContext&#8203;.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive <br>you should not change this | **info only**, do not change<br> `false` |
**security**&#8203;.containerSecurityContext&#8203;.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment <br>you should not change this | **info only**, do not change<br> `true` |
**security**&#8203;.podSecurityContext&#8203;.fsGroup | The file system group as which new files are created <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.podSecurityContext&#8203;.fsGroupChangePolicy | Under which condition should the fsGroup be changed <br>there is normally no need to change this | **info only**, do not change<br> `"OnRootMismatch"` |
**security**&#8203;.podSecurityContext&#8203;.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` |
**service**&#8203;.annotations | adds extra Annotations to the service | |
**service**&#8203;.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` |
**service**&#8203;.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` |
**telemetry**&#8203;.openTelemetry | turns Open Telemetry on | |
**telemetry**&#8203;.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | |
**template**&#8203;.annotations | set additional annotations for pods | |
**template**&#8203;.labels | set additional labels for pods | |
terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | |
timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` |
tolerations | Set tolerations for this component | |
updateStrategy | the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures. | |
**utils**&#8203;.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` |
**utils**&#8203;.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` |
**utils**&#8203;.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` |
**utils**&#8203;.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later | `true` |
**utils**&#8203;.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` |
**utils**&#8203;.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` |
waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | |
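
Review bot: a few wording problems in this table should be fixed before it ships as end-user documentation, and one row needs a substantive clarification. `utils.disableWait` reads "starndard wait mechanism" (standard); `utils.renderComments` reads "depricated" (deprecated) and its sentence is self-contradictory: it says comment rendering "will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", which reads as advice to disable the deprecation check exactly where it matters most, so please state which way round is intended; `security.podSecurityContext.runAsUser` has "the container ist run" (is). On substance, the `security.containerSecurityContext.*` and `security.podSecurityContext.*` rows are marked "info only, do not change", but nothing in the table tells the reader whether the chart actually pins these values or merely recommends them; if a user can set `readOnlyRootFilesystem: false` or `allowPrivilegeEscalation: true` in a values file and have it rendered, say so, and if the chart rejects such overrides, say that instead.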


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.component" . -}}


@@ -0,0 +1,100 @@
{{- include "nplus.init" $ -}}
# Component: {{ .component.chartName }}
# will connect to:
{{- if (.this.nappl).host }}
# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }}
{{- else }}
# defined by config file in conf PV.
{{- end }}
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
replicas: {{ .Values.replicaCount }}
strategy:
type: RollingUpdate
template:
metadata:
labels:
{{- include "nplus.templateLabels" . | nindent 8 }}
annotations:
{{- include "nplus.templateAnnotations" . | nindent 8 }}
{{- include "nplus.securityAnnotations" . | nindent 8 }}
spec:
{{- include "nplus.templateAffinity" . | nindent 6 }}
{{- include "nplus.imagePullSecrets" . | nindent 6 }}
{{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }}
{{- include "nplus.podSecurityContext" . | nindent 6 }}
{{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }}
initContainers:
{{- include "nplus.waitFor" . | nindent 6 }}
{{- include "nplus.copyConfig" . | nindent 6 }}
containers:
- name: cmis-connector
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
env:
# -- NAPPL Connection Settings
{{- include "nplus.env" (dict
"CMIS_AL_HOST" ($.this.nappl).host
"CMIS_AL_PORT" ($.this.nappl).port
"CMIS_AL_INSTANCE" ($.this.nappl).instance
"CMIS_AL_SSL" ($.this.nappl).ssl
) | nindent 10 }}
{{- include "nplus.environment" . | nindent 8 }}
{{- if .this.utils.maintenance }}
{{- include "nplus.idle" . | nindent 8 }}
{{- else }}
startupProbe:
tcpSocket:
port: {{ include "nplus.backendPort" . }}
initialDelaySeconds: 10
failureThreshold: 12
periodSeconds: 10
timeoutSeconds: 5
# -- Ceyoniq does currently not define an *official* livenessProbe, so we use
# one that quickly checks the main socket on Layer 4.
livenessProbe:
tcpSocket:
port: {{ include "nplus.backendPort" . }}
periodSeconds: 10
readinessProbe:
httpGet:
path: /cmis/
port: {{ include "nplus.backendPort" . }}
scheme: {{ include "nplus.backendProtocol" . | upper }}
periodSeconds: 10
{{- end }}
ports:
{{- include "nplus.defaultContainerPorts" . | nindent 8 }}
{{- include "nplus.resources" . | nindent 8 }}
volumeMounts:
{{- include "nplus.defaultMounts" . | nindent 8 }}
volumes:
{{- include "nplus.defaultVolumes" . | nindent 6 }}
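
Review bot: `spec.strategy` is hard-coded to `type: RollingUpdate`, while the component README in this commit documents an `updateStrategy` value ("the update Strategy for this component"); either render that value here, for example `{{- with .this.updateStrategy }}strategy: {{ toYaml . | nindent 4 }}{{- end }}`, or drop the README row so users are not led to believe the setting has any effect. Two smaller points in the same hunk: `replicas: {{ .Values.replicaCount }}` reads `.Values` directly while every other setting in this template goes through `.this` (`.this.utils.includeNamespace`, `.this.nappl`, `.this.utils.maintenance`), so if `.this` is the merged instance/component view, an instance-level `replicaCount` override is silently ignored; and in `utils.maintenance` mode the startup, liveness and readiness probes are replaced by `nplus.idle`, so a pod with no probes is Ready from the moment its container starts and is added to the Service endpoints, meaning the ingress can route CMIS requests to a container that is deliberately not running the service. The README's "not starting the service at all" should warn about that, or the idle branch should keep a readiness probe that fails.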


@@ -0,0 +1,16 @@
{{- include "nplus.init" $ -}}
{{- if ( include "nplus.ingressEnabled" . ) }}
{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }}
- path: {{ .Values.ingress.contextPath }}
pathType: Prefix
backend:
service:
name: {{ .component.fullName }}
port:
name: {{ include "nplus.backendProtocol" . }}
{{- else }}
# kind: ingress
# Not Generating any Ingress for {{ .component.fullName }} as
# Ingress = {{ .this.ingress }}
# Service = {{ .this.service }}
{{- end }}
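
Review bot: the single rule `- path: {{ .Values.ingress.contextPath }}` with `pathType: Prefix` exposes everything under the context path (default `/cmis`), and nothing in this template consumes the `ingress.deny` value that the schema in this commit documents as "used to exclude specific paths from public access, such as administrative paths"; unless `nplus.ingress` emits those deny rules itself, a CMIS connector published through the default `public` ingress class has no path-level restriction at all, so please confirm where `deny` is applied or add it here. Minor: the fallback branch prints `# Ingress = {{ .this.ingress }}` and `# Service = {{ .this.service }}`, which dumps the full maps (class, domain, TLS secret name, whitelist CIDRs) into the rendered manifest as comments; harmless, but noisy in `helm template` output that the README suggests storing for later `kubectl apply`, and `.Values.ingress.contextPath` is again read via `.Values` while the rest of the template uses `.this`.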


@@ -0,0 +1,35 @@
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
- Egress
ingress:
{{- if ( include "nplus.ingressEnabled" . ) }}
{{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }}
{{- end }}
{{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }}
{{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }}
egress:
{{- include "nplus.networkpolicy.allowToNappl" . | nindent 2 }}
{{- end }}
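
Review bot: `policyTypes` includes `Egress` but the egress section contains only `nplus.networkpolicy.allowToNappl`, so everything else is denied by default, including DNS; unless that helper also opens UDP/TCP 53 to the cluster DNS pods, the connector cannot resolve `CMIS_AL_HOST` (`nappl.host`) and fails on its first connection. Please confirm, and consider an explicit DNS egress rule in this file so the policy is readable on its own. Second, the whole object is gated on `((.this.security).cni).createNetworkPolicy`, but the `security` block in the values.schema.json hunk of this commit is `additionalProperties: false` and declares only `containerSecurityContext`, `podSecurityContext` and `zeroTrust`; if `.this.security` is fed from this chart's own values, `security.cni.createNetworkPolicy` is rejected by schema validation and the policy can never be enabled from a component values file, which also means the shipped default is no NetworkPolicy at all. Either add `cni` to the schema or document that the flag is honoured only at instance or environment level.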


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.podDisruptionBudget" . -}}


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.pvc" . }}


@@ -0,0 +1,33 @@
{{- include "nplus.init" $ -}}
apiVersion: v1
kind: Service
metadata:
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
name: {{ .component.fullName }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
{{- include "nplus.serviceAnnotations" . | nindent 4 }}
spec:
# this is a "headless service", no cluster IP is defined
# as none of the internal components need to access this service,
# access is purely through an ingress if desired.
type: ClusterIP
clusterIP: None
ports:
{{- include "nplus.defaultServicePorts" . | nindent 4 }}
selector:
{{- if eq .this.service.selector "component" }}
{{- include "nplus.selectorLabels" . | nindent 4 }}
{{- else if eq .this.service.selector "type" }}
{{- include "nplus.selectorLabelsNc" . | nindent 4 }}
{{- else }}
{{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }}
{{- end }}
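
Review bot: nothing in this hunk checks `service.enabled`, although the README in this commit documents it (default `true`) as "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress"; the Service is rendered unconditionally, so setting the flag to `false` removes only the ingress (through `nplus.ingressEnabled`) and leaves a headless Service that still publishes the pod IPs in DNS. Wrap the manifest in `{{- if .this.service.enabled }}` ... `{{- end }}` the way the ingress and NetworkPolicy templates in this commit are gated, or correct the README. Also, the comment "none of the internal components need to access this service, access is purely through an ingress if desired" contradicts the README, which says the service is consumed by group components and that `waitFor` targets are "mostly ... a service"; one of the two should be reconciled so operators know whether other components depend on this name.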


@@ -0,0 +1,844 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"env": {
"default": "",
"description": "Sets additional environment variables for the configuration.",
"title": "env"
},
"envMap": {
"default": "",
"description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.",
"title": "envMap"
},
"envSecret": {
"default": "",
"description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.",
"title": "envSecret"
},
"fullnameOverride": {
"default": "",
"description": "This overrides the output of the internal fullname function",
"title": "fullnameOverride"
},
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
},
"globals": {
"description": "nplus Global Functions Library Chart",
"properties": {
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
}
},
"title": "nplus-globals",
"type": "object"
},
"image": {
"additionalProperties": false,
"description": "provide the image to be used for this component",
"properties": {
"name": {
"default": "cmis-connector",
"description": "the name of the image to use",
"title": "name"
},
"pullPolicy": {
"default": "IfNotPresent",
"title": "pullPolicy",
"type": "string"
},
"pullSecrets": {
"description": "you can provide your own pullSecrets, in case you use a private repo.",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
]
},
"title": "pullSecrets"
},
"repo": {
"default": "ceyoniq.azurecr.io/release/nscale",
"description": "if you use a private repo, feel free to set it here",
"title": "repo"
},
"tag": {
"default": "ubi.9.3.1200.2024112508",
"description": "the tag of the image to use",
"title": "tag"
}
},
"title": "image"
},
"ingress": {
"additionalProperties": false,
"description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)",
"properties": {
"annotations": {
"default": "",
"description": "Adds extra Annotations to the ingress",
"title": "annotations"
},
"backendProtocol": {
"default": "`http` <br> `https` in zero trust mode",
"description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.",
"title": "backendProtocol"
},
"class": {
"default": "`public`",
"description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one",
"title": "class"
},
"contextPath": {
"default": "/cmis",
"description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.",
"title": "contextPath"
},
"cookie": {
"default": "",
"description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web",
"title": "cookie"
},
"deny": {
"default": "",
"description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.",
"title": "deny"
},
"domain": {
"default": "",
"description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here",
"title": "domain"
},
"enabled": {
"default": "true",
"description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.",
"title": "enabled"
},
"inputPath": {
"default": "",
"description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.",
"title": "inputPath"
},
"namespace": {
"default": "\"ingress, kube-system, ingress-nginx\"",
"description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list",
"title": "namespace"
},
"proxyReadTimeout": {
"default": "",
"description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.",
"title": "proxyReadTimeout"
},
"rewriteTarget": {
"default": "",
"description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.",
"title": "rewriteTarget"
},
"secret": {
"default": "`{{ .this.ingress.domain }}-tls`",
"description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance",
"title": "secret"
},
"whitelist": {
"default": "",
"description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers",
"title": "whitelist"
}
},
"title": "ingress"
},
"javaOpts": {
"additionalProperties": false,
"description": "Options for the Java VM",
"properties": {
"javaMaxMem": {
"default": "",
"description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed",
"title": "javaMaxMem"
},
"javaMaxRamPercentage": {
"default": "",
"description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.",
"title": "javaMaxRamPercentage"
},
"javaMinMem": {
"default": "",
"description": "set the minimum memory, java will consume",
"title": "javaMinMem"
},
"javaMisc": {
"default": "",
"description": "Any misc Java Options that need to be passed to the container",
"title": "javaMisc"
}
},
"title": "javaOpts"
},
"meta": {
"additionalProperties": false,
"description": "defines internal constants for nplus. do not change these values",
"properties": {
"componentVersion": {
"default": "",
"description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify",
"title": "componentVersion"
},
"language": {
"default": "java",
"description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.",
"title": "language"
},
"ports": {
"additionalProperties": false,
"description": "lists the ports this component exposes. This is important for zero trust mode and others.",
"properties": {
"http": {
"default": "8096",
"description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.",
"title": "http"
},
"https": {
"default": "8196",
"description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "https"
},
"rmi": {
"default": "",
"description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "rmi"
},
"tcp": {
"default": "",
"description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcp"
},
"tcps": {
"default": "",
"description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcps"
}
},
"title": "ports"
},
"provider": {
"default": "",
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment",
"title": "provider"
},
"serviceContainer": {
"default": "cmis-connector",
"description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any",
"title": "serviceContainer"
},
"stage": {
"default": "",
"description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)",
"title": "stage"
},
"tenant": {
"default": "",
"description": "sets tenant information to be able to invoice per use in a cloud environment",
"title": "tenant"
},
"type": {
"default": "cmis",
"description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.",
"title": "type"
},
"wave": {
"default": "",
"description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation",
"title": "wave"
}
},
"title": "meta"
},
"minReplicaCount": {
"default": "",
"description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.",
"title": "minReplicaCount"
},
"minReplicaCountType": {
"default": "",
"description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer",
"title": "minReplicaCountType"
},
"mounts": {
"additionalProperties": false,
"properties": {
"caCerts": {
"additionalProperties": false,
"description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.",
"properties": {
"configMap": {
"default": "",
"description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting",
"title": "configMap"
},
"paths": {
"default": "",
"description": "Sets the path to the certs folder. @internal -- do not change this value",
"title": "paths"
},
"secret": {
"default": "",
"description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting",
"title": "secret"
}
},
"title": "caCerts"
},
"componentCerts": {
"additionalProperties": false,
"description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here",
"properties": {
"configMap": {
"default": "",
"description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting",
"title": "configMap"
},
"paths": {
"default": "",
"description": "Sets the path to the component certs. @internal -- do not change this value",
"title": "paths"
},
"secret": {
"default": "",
"description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting",
"title": "secret"
}
},
"title": "componentCerts"
},
"conf": {
"additionalProperties": false,
"description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment",
"properties": {
"path": {
"default": "/opt/ceyoniq/nscale-cmis-connector/conf",
"description": "Sets the path to the conf files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the conf files @internal -- do not change this value",
"title": "paths"
}
},
"title": "conf"
},
"data": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the data disk",
"title": "class"
},
"path": {
"default": "",
"description": "Sets the path to the data files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the data files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the data disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "data",
"type": "object"
},
"disk": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the disk",
"title": "class"
},
"enabled": {
"default": "false",
"description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.",
"title": "enabled"
},
"migration": {
"default": "false",
"description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!",
"title": "migration"
},
"path": {
"default": "",
"description": "Sets the path to the disk files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the data files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "disk",
"type": "object"
},
"file": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the shared disk",
"title": "class"
},
"path": {
"default": "",
"description": "Sets the path to the shared files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the shared files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the shared disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "file",
"type": "object"
},
"fonts": {
"additionalProperties": false,
"description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the fonts folder. @internal -- do not change this value",
"title": "path"
}
},
"title": "fonts"
},
"generic": {
"default": "",
"description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.",
"title": "generic"
},
"license": {
"additionalProperties": false,
"description": "some nscale Components require a license file and this defines it's location",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the license files @internal -- do not change this value",
"title": "path"
}
},
"title": "license"
},
"logs": {
"additionalProperties": false,
"description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable",
"properties": {
"path": {
"default": "/opt/ceyoniq/nscale-cmis-connector/logs",
"description": "Sets the path to the log files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the log files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "1Gi",
"description": "Sets the size of the log disk (all paths)",
"title": "size"
}
},
"title": "logs"
},
"pool": {
"additionalProperties": false,
"properties": {
"path": {
"default": "",
"description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value",
"title": "path"
}
},
"title": "pool",
"type": "object"
},
"ptemp": {
"additionalProperties": false,
"description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only",
"properties": {
"path": {
"default": "",
"description": "Sets the path for temporary files that are persisted @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value",
"title": "paths"
}
},
"title": "ptemp"
},
"temp": {
"additionalProperties": false,
"description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only",
"properties": {
"path": {
"default": "/opt/ceyoniq/nscale-cmis-connector/temp",
"description": "Sets the path to the temporary files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the temporary files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "1Gi",
"description": "Sets the size of the temporary disk (all paths)",
"title": "size"
}
},
"title": "temp"
}
},
"title": "mounts",
"type": "object"
},
"nameOverride": {
"default": "",
"description": "This overrides the output of the internal name function",
"title": "nameOverride"
},
"nappl": {
"additionalProperties": false,
"description": "The nscale Application Layer, this component should talk to",
"properties": {
"account": {
"default": "",
"description": "The technical account to login with",
"title": "account"
},
"domain": {
"default": "",
"description": "The domain of the technical account",
"title": "domain"
},
"host": {
"default": "",
"description": "nappl host name",
"title": "host"
},
"instance": {
"default": "",
"description": "instance of the Application Layer, likely `instance1`",
"title": "instance"
},
"password": {
"default": "",
"description": "The password of the technical accunt (if not set by secret)",
"title": "password"
},
"port": {
"default": "",
"description": "nappl port (http 8080 or https 8443)",
"title": "port"
},
"secret": {
"default": "",
"description": "An optional secret that holds the credentials (the keys must be `account` and `password`)",
"title": "secret"
},
"ssl": {
"default": "",
"description": "sets the Advanced Connect to tls",
"title": "ssl"
}
},
"title": "nappl"
},
"nodeSelector": {
"default": "",
"description": "select specific nodes for this component",
"title": "nodeSelector"
},
"replicaCount": {
"default": "1",
"description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.",
"title": "replicaCount"
},
"resources": {
"additionalProperties": false,
"description": "Assigns hardware resources to container",
"properties": {
"limits": {
"additionalProperties": false,
"description": "Limits the maximum resources",
"properties": {
"cpu": {
"default": "",
"description": "The maximum allowed CPU for the container",
"title": "cpu"
},
"memory": {
"default": "",
"description": "The maximum allowed RAM for the container",
"title": "memory"
}
},
"title": "limits"
},
"requests": {
"additionalProperties": false,
"description": "Requests are used to assign a minimum to a container. This is the guaranteed amount",
"properties": {
"cpu": {
"default": "",
"description": "Set the share of guaranteed CPU to the container.",
"title": "cpu"
},
"memory": {
"default": "",
"description": "Set the share of guaranteed RAM to the container",
"title": "memory"
}
},
"title": "requests"
}
},
"title": "resources"
},
"security": {
"additionalProperties": false,
"description": "Security Section defining default runtime environment for your container",
"properties": {
"containerSecurityContext": {
"additionalProperties": false,
"properties": {
"allowPrivilegeEscalation": {
"default": "false",
"description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this",
"title": "allowPrivilegeEscalation"
},
"capabilities": {
"additionalProperties": false,
"description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this",
"properties": {
"drop": {
"items": {
"anyOf": [
{
"type": "string"
}
]
},
"title": "drop",
"type": "array"
}
},
"title": "capabilities"
},
"readOnlyRootFilesystem": {
"default": "true",
"description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this",
"title": "readOnlyRootFilesystem"
}
},
"title": "containerSecurityContext",
"type": "object"
},
"podSecurityContext": {
"additionalProperties": false,
"properties": {
"fsGroup": {
"default": "1001",
"description": "The file system group as which new files are created @internal -- there is normally no need to change this",
"title": "fsGroup"
},
"fsGroupChangePolicy": {
"default": "OnRootMismatch",
"description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this",
"title": "fsGroupChangePolicy"
},
"runAsUser": {
"default": "1001",
"description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this",
"title": "runAsUser"
}
},
"title": "podSecurityContext",
"type": "object"
},
"zeroTrust": {
"default": "`false`",
"description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes",
"title": "zeroTrust"
}
},
"title": "security"
},
"service": {
"additionalProperties": false,
"properties": {
"annotations": {
"default": "",
"description": "adds extra Annotations to the service",
"title": "annotations"
},
"enabled": {
"default": "true",
"description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.",
"title": "enabled"
},
"selector": {
"default": "component",
"description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type",
"title": "selector"
}
},
"title": "service",
"type": "object"
},
"telemetry": {
"additionalProperties": false,
"description": "Settings for telemetry tools",
"properties": {
"openTelemetry": {
"default": "",
"description": "turns Open Telemetry on",
"title": "openTelemetry"
},
"serviceName": {
"default": "",
"description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"",
"title": "serviceName"
}
},
"title": "telemetry"
},
"template": {
"additionalProperties": false,
"description": "provide extra settings for pod templates",
"properties": {
"annotations": {
"default": "",
"description": "set additional annotations for pods",
"title": "annotations"
},
"labels": {
"default": "",
"description": "set additional labels for pods",
"title": "labels"
}
},
"title": "template"
},
"terminationGracePeriodSeconds": {
"default": "",
"description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults",
"title": "terminationGracePeriodSeconds"
},
"timezone": {
"default": "`Europe/Berlin`",
"description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.",
"title": "timezone"
},
"tolerations": {
"default": "",
"description": "Set tolerations for this component",
"title": "tolerations"
},
"updateStrategy": {
"default": "",
"description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.",
"title": "updateStrategy"
},
"utils": {
"additionalProperties": false,
"properties": {
"debug": {
"default": "`false`",
"description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide",
"title": "debug"
},
"disableWait": {
"default": "`false`",
"description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.",
"title": "disableWait"
},
"disableWave": {
"default": "`false`",
"description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.",
"title": "disableWave"
},
"includeNamespace": {
"default": "`true`",
"description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later",
"title": "includeNamespace"
},
"maintenance": {
"default": "`false`",
"description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.",
"title": "maintenance"
},
"renderComments": {
"default": "`true`",
"description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD",
"title": "renderComments"
}
},
"title": "utils",
"type": "object"
},
"waitFor": {
"default": "",
"description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.",
"title": "waitFor"
}
},
"type": "object"
}
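Review bot: the security-relevant keys in this schema declare no `type`, so a schema-aware editor or `helm lint --strict` style validation cannot reject a wrong value: `allowPrivilegeEscalation` and `readOnlyRootFilesystem` should carry `"type": "boolean"`, `runAsUser` and `fsGroup` `"type": "integer"`, and `service.selector` an `"enum": ["component", "type"]` matching its own description. The `default` entries are also strings rather than JSON literals (`"default": "false"`, `"default": "1001"`, and for `zeroTrust` `"default": "`false`"` with literal backticks), so a value like `readOnlyRootFilesystem: "no"` passes and the editor's suggested default is the wrong type; use `false`, `true` and `1001` as bare literals and keep the Markdown formatting in `description` only.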

charts/cmis/values.yaml Normal file

@@ -0,0 +1,423 @@
# yaml-language-server: $schema=values.schema.json
# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)
ingress:
# -- You can toggle the ingress on wether you'd like this component
# to be reachable through an ingress or not.
enabled: true
# -- Overrides the default backend protocol. The default is http,
# unless in zeroTrust Mode, then it is switched to https automatically.
# @default -- `http` <br> `https` in zero trust mode
backendProtocol:
# -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason
# Example: `/nscalealinst1(/\|$)(.*)`
# @internal -- This is an alpha feature - do not use it.
inputPath:
# -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason
# Example: `/nscalealinst1/$2`
# @internal -- This is an alpha feature - do not use it.
rewriteTarget:
# -- deny is used to exclude specific paths from public access, such as
# administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is
# the burlap protocol. The configuration service is the endpoint used by
# the Admin client.
deny:
# -- on component level, set cookie affinity for the ingress
# example: `XtConLoadBalancerSession` for nscale Web
cookie:
# -- Sets the name of the tls secret to be used for this ingress, that contains
# the private and public key. These secrets can optionally be provided by the instance
# @default -- `{{ .this.ingress.domain }}-tls`
secret:
# -- Sets the domain to be used. This domain should be provided by the instance globally
# for all components, but you are free to override it here
domain:
# -- The ingressclass to use for this ingress. Most likely, this is provided globally by the
# instance, but you are free to override it here if this component should use a different class
# e.g. if you have separated ingress controllers, like a public and an internal one
# @default -- `public`
class:
# -- optionally sets a whitelist of ip ranges (CIDR format, comma separated)
# from which ingress is allowed. This is an annotation for nginx, so won't work with other
# ingress controllers
whitelist:
# -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy
# to allow traffic from this namespace to our pods. This may be a comma separated list
# @default -- "ingress, kube-system, ingress-nginx"
namespace:
# -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the
# most though this is only a constant used in the scripts.
contextPath: "/cmis"
# -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.
proxyReadTimeout:
# -- Adds extra Annotations to the ingress
annotations:
# -- Sets the number of replicas in this replicaSet.
# Some Components (like nstl or sharepoint) only allow a count of 1.
replicaCount: 1
# -- the update Strategy for this component. Normally, you can update all components
# rolling, except for nappl, where you need to follow the documented update procedures.
updateStrategy:
# -- Security Section defining default runtime environment for your container
security:
podSecurityContext:
# -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context
# for security
# @internal -- there is normally no need to change this
runAsUser: 1001
# -- The file system group as which new files are created
# @internal -- there is normally no need to change this
fsGroup: 1001
# -- Under which condition should the fsGroup be changed
# @internal -- there is normally no need to change this
fsGroupChangePolicy: OnRootMismatch
containerSecurityContext:
# -- sets the container root file system to read only. This should be the case in production environment
# @internal -- you should not change this
readOnlyRootFilesystem: true
# -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
# @internal -- you should not change this
allowPrivilegeEscalation: false
# -- Capabilities this container should have. Only allow the necessity, and drop as many as possible
# @internal -- you should not change this
capabilities:
drop:
- ALL
# -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes
# @default -- `false`
zeroTrust:
# # <id>:
# # path: <the path in the container, where you want to mount this>
# # volumeName: <the name of the PV to be mounted>
# # subPath: <an (optional) subpath to be used inside the PV>
mounts:
# -- The temp volume is used to hold any superflues and temporary data.
# it is deleted when the pod terminates. However, it is extremely important
# as all pods filesystems are read only
temp:
# -- Sets the path to the temporary files
# @internal -- do not change this value
path: "/opt/ceyoniq/nscale-cmis-connector/temp"
# -- Sets a list of paths to the temporary files
# @internal -- do not change this value
paths:
# -- Sets the size of the temporary disk (all paths)
size: "1Gi"
# -- The conf volume is a RWX volume mounted by the environment, that holds
# all configurations of all instances and components in this environment
conf:
# -- Sets the path to the conf files
# @internal -- do not change this value
path: "/opt/ceyoniq/nscale-cmis-connector/conf"
# -- Sets a list of paths to the conf files
# @internal -- do not change this value
paths:
# -- The log volume is used to take any left-over logging in the container.
# The container should log to stdout, but if any component still tries to log to disk
# this disk needs to be writeable
logs:
# -- Sets the path to the log files
# @internal -- do not change this value
path: "/opt/ceyoniq/nscale-cmis-connector/logs"
# -- Sets a list of paths to the log files
# @internal -- do not change this value
paths:
# -- Sets the size of the log disk (all paths)
size: "1Gi"
# -- some nscale Components require a license file and this
# defines it's location
license:
# -- Sets the path to the license files
# @internal -- do not change this value
path:
# -- If you want to use additional
# fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the
# fonts directory from the environment pool
fonts:
# -- Sets the path to the fonts folder.
# @internal -- do not change this value
path:
# -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to
# connect to alien services via https. If you have a self-signed root certificate,
# you can also add it here.
caCerts:
# -- Sets the path to the certs folder.
# @internal -- do not change this value
paths:
# -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting
secret:
# -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting
configMap:
# -- the java based nscale components have their own certificates, that you might want to upload.
# You can normally do so via the environment configuration, but should you want to use a secret,
# you can set it here
componentCerts:
# -- Sets the path to the component certs.
# @internal -- do not change this value
paths:
# -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting
secret:
# -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting
configMap:
data:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
# -- Sets the size of the data disk
size:
# -- Sets the class of the data disk
class:
# -- Sets the path to the data files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the data files
# @internal -- do not change this value
paths:
file:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
# -- Sets the size of the shared disk
size:
# -- Sets the class of the shared disk
class:
# -- Sets the path to the shared files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the shared files
# @internal -- do not change this value
paths:
pool:
# -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted.
# this is used to store scripts, apps and assets that are required to deploy an application / solution
# @internal -- do not change this value
path:
# -- The temp volume is used to hold any superflues and temporary data.
# it is deleted when the pod terminates. However, it is extremely important
# as all pods filesystems are read only
ptemp:
# -- Sets the path for temporary files that are persisted
# @internal -- do not change this value
path:
# -- Sets a list of paths for temporary files that are persisted
# @internal -- do not change this value
paths:
# -- Allows to define generic mounts of pre-provisioned PVs into any container.
# This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.
generic:
disk:
# -- Sets the size of the disk
size:
# -- Sets the class of the disk
class:
# -- Sets the path to the disk files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the data files
# @internal -- do not change this value
paths:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
# -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk.
# In case of the (default) disabled, the paths will be added to the primaty data disk.
enabled: false
# -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk.
# This is done only once and only if there is legacy data at all. No files are overwritten!
migration: false
# -- Options for the Java VM
javaOpts:
# -- set the percentage of RAM, Java will use of the total.
# The total amount is the amount installed in the K8s Cluster Node,
# OR the Memory Limit set (see resources), if any.
javaMaxRamPercentage:
# -- set the minimum memory, java will consume
javaMinMem:
# -- set the maximum memory, java will consume.
# Attention: This is NOT the real maximum and it does not include any non Java memory.
# Please read google, as this is highly discussed
javaMaxMem:
# -- Any misc Java Options that need to be passed to the container
javaMisc:
# -- provide the image to be used for this component
image:
# -- you can provide your own pullSecrets, in case you use
# a private repo.
pullSecrets:
- nscale-cr
- nplus-cr
# -- the name of the image to use
name: cmis-connector
# -- the tag of the image to use
tag: latest
# -- if you use a private repo, feel free to set it here
repo: ceyoniq.azurecr.io/release/nscale
pullPolicy: IfNotPresent
# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl)
# etc.
# @default -- `Europe/Berlin`
timezone:
# -- defines internal constants for nplus.
# do not change these values
meta:
# -- the type of the component. You should not change this value, except if
# you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner*
# This type is used to create cluster communication for nappl and nstl and potentially
# group multiple replicaSets into one service.
type: cmis
# -- lists the ports this component exposes. This is important for zero trust mode and others.
ports:
# -- The http port this component uses (if any). In zero trust mode, this will be disabled.
# @internal -- this is a constant value of the component and should not be changed.
http: 8096
# -- The tls / https port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
https: 8196
# -- A potential tcp port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcp:
# -- A potential rmi port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
rmi:
# -- A potential tls / tcps port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcps:
# -- sets tenant information to be able to invoice per use in a cloud environment
tenant:
# -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment
provider:
# -- Sets the wave in which this component should be deployed within an ArgoCD deployment
# if unset, it uses the default wave thus all components are installed in one wave, then relying
# on correct wait settings just like in a helm installation
wave:
# -- Sets the language of the main service (in the *service* container). This is used for instance
# if you turn OpenTelemetry on, to know which Agent to inject into the container.
language: java
# -- The container name of the main service for this component. This is used to define where to
# inject the telemetry agents, if any
serviceContainer: cmis-connector
# -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment
# runs in. This can be used in template functions to add the stage to for instance the service name of
# telemetry services like open telemetry. (see telemetry example)
stage:
# -- This is the version of the component, used for display
# @internal -- set by devOps pipeline, so do not modify
componentVersion:
# -- Set tolerations for this component
tolerations:
# -- select specific nodes for this component
nodeSelector:
# -- Sets the name of a secret, which holds additional environment variables for
# the configuration. It is added as envFrom secretRef to the container.
envSecret:
# -- Sets the name of a configMap, which holds additional environment variables for
# the configuration. It is added as envFrom configMap to the container.
envMap:
# -- Sets additional environment variables for
# the configuration.
env:
# -- The nscale Application Layer, this component should talk to
nappl:
# -- nappl host name
host:
# -- nappl port (http 8080 or https 8443)
port:
# -- sets the Advanced Connect to tls
ssl:
# -- instance of the Application Layer, likely `instance1`
instance:
# -- The technical account to login with
account:
# -- The domain of the technical account
domain:
# -- The password of the technical accunt (if not set by secret)
password:
# -- An optional secret that holds the credentials (the keys must be `account` and `password`)
secret:
# -- Assigns hardware resources to container
resources:
# -- Requests are used to assign a minimum to a container. This is the guaranteed amount
requests:
# -- Set the share of guaranteed CPU to the container.
cpu:
# -- Set the share of guaranteed RAM to the container
memory:
# -- Limits the maximum resources
limits:
# -- The maximum allowed CPU for the container
cpu:
# -- The maximum allowed RAM for the container
memory:
# -- This overrides the output of the internal name function
nameOverride:
# -- This overrides the output of the internal fullname function
fullnameOverride:
utils:
# -- Turn debugging *on* will give you stack trace etc.
# Please check out the Chart Developer Guide
# @default -- `false`
debug:
# -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It
# will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD
# @default -- `true`
renderComments:
# -- By default, the namespace is rendered into the manifest. However, if you want to use
# `helm template` and store manifests for later applying them to multiple namespaces, you might
# want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later
# @default -- `true`
includeNamespace:
# -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the
# pods will start in idle, not starting the service at all. This will allow you to gain access to the container
# to perform recovery and maintenance tasks while having the real container up.
# @default -- `false`
maintenance:
# -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components
# of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components
# while previous waves are not finished yet.
# @default -- `false`
disableWave:
# -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are
# only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might
# start components even if they are not intended to run yet.
# @default -- `false`
disableWait:
service:
# -- enables the service to be consumed by group components and a potential ingress
# Disabling the service also disables the ingress.
enabled: true
# -- The selector can be `component` or `type`
# *component* selects only pods that are in the replicaset.
# *type* selects any pod that has the given type
selector: "component"
# -- adds extra Annotations to the service
annotations:
# -- Defines a list of conditions that need to be met before this components starts.
# The condition must be a network port that opens, when the master component is ready.
# Mostly, this will be a service, since a component is only added to a service if the
# probes succeed.
waitFor:
# -- if you set minReplicaCount, a podDesruptionBudget will be created with this value as
# minAvailable, using the full component as selector. This is useful for components, that are
# using multiple replicas.
minReplicaCount:
# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as
# minAvailable, using the component type as selector. This is useful for components, that are spread
# across multiple replicaSets, like sharepoint or storage layer
minReplicaCountType:
# -- provide extra settings for pod templates
template:
# -- set additional annotations for pods
annotations:
# -- set additional labels for pods
labels:
# -- Settings for telemetry tools
telemetry:
# -- turns Open Telemetry on
openTelemetry:
# -- Sets the service name for the telemetry service to more convenient
# identify the displayed component
# Example: "{{ .this.meta.type }}-{{ .instance.name }}"
serviceName:
# -- Sets the terminationGracePeriodSeconds for the component
# If not set, it uses the Kubernetes defaults
terminationGracePeriodSeconds:
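Review bot: `security.podSecurityContext` sets `runAsUser: 1001` but not `runAsNonRoot: true`, so the "Avoid 0 / root" intent in the comment is not enforced by the kubelet if an override at instance or environment level ever sets the uid to 0; add `runAsNonRoot: true` (and consider `seccompProfile: { type: RuntimeDefault }`) next to the existing `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false` and `drop: [ALL]`, which together are otherwise a good restricted baseline. Separately, `tag: latest` combined with `pullPolicy: IfNotPresent` means each node keeps whichever `latest` it first pulled, so replicas can run different builds and a chart upgrade does not roll the pods; pin the tag to a version or an `@sha256:` digest, which also makes the `componentVersion` value meaningful.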


@@ -0,0 +1,11 @@
apiVersion: v2
name: nplus-component-database
description: Postgres Database, deploys a DEV or TESTING environment DB
icon: 
type: application
dependencies:
- name: nplus-globals
alias: globals
version: "*-0"
repository: "file://../globals"
version: 1.0.0
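Review bot: `icon:` is left empty, so `helm lint` will still report that an icon is recommended; either drop the key or set a URL. The dependency constraint `version: "*-0"` accepts any `nplus-globals` version including prereleases, which is harmless while it resolves from `file://../globals`, but should be pinned if the chart is ever published to a repository where several versions of `nplus-globals` coexist.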

charts/database/README.md Normal file

@@ -0,0 +1,160 @@
# nplus-component-database
Postgres Database, deploys a DEV or TESTING environment DB
## nplus-component-database Chart Configuration
You can customize / configure nplus-component-database by setting configuration values on the command line or in values files,
that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
### Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template,
or escaped quotes).
### Global Values
All values can be set per component, per instance or globally per environment.
Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority:
- Prio 1 - Component Level: `ingress.domain`
- Prio 2 - Instance Level: `global.ingress.domain`
- Prio 3 - Environment Level: `global.environment.ingress.domain`
### Using Values in Templates
As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your
template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version
of your Values.
So an example in your `values.yaml` would be:
```
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
```
This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care.
The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables:
- `.component.chartName`
The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride`
- `.component.shortChartName`
A shorter Version of the name - `nappl` instead of `nplus-component-nappl`
- `.component.prefix`
The instance Prefix used to name the resources including `-`. This prefix is dropped, if the
`.Release.Name` equals `.Release.Namespace` for those of you that only
run one nplus Instance per namespace
- `.component.name`
The name of the component, including `.Values.nameOverride` and some logic
- `.component.fullName`
The fullName inlcuding `.Values.fullnameOverride` and some logic
- `.component.chart`
Mainly the `Chart.Name` and `Chart.Version`
- `.component.storagePath`
The path where the component config is stored in the conf PVC
- `.component.handler`
The handler (either helm, argoCD or manual)
- `.instance.name`
The name of the instance, but with override by `.Values.instanceOverride`
- `.instance.group`
The group, this instance belongs to. Override by `.Values.groupOverride`
- `.instance.version`
The *nscale* version (mostly taken from Application Layer), this instance is deploying.
- `.environment.name`
The name of the environment, but with override by `.Values.environmentNameOverride`
### Keys
You can set any of the following values for this component:
| Key | Description | Default |
|-----|-------------|---------|
**database**&#8203;.account | the technical account to own the nscale database, if not set by secret | `"nscale"` |
**database**&#8203;.name | name of the nscale database | `"nscale"` |
**database**&#8203;.password | password of the technical account, if not set by secret | `"nscale"` |
**database**&#8203;.secret | the secret with credentials (account, password) for the nscale technical account. This setting has priority over account and password | |
**dbAdmin**&#8203;.account | the database admin account, if not set by secret | `"postgres"` |
**dbAdmin**&#8203;.password | the database admin password, if not set by secret | `"postgres"` |
**dbAdmin**&#8203;.secret | the secret with credentials (account, password) for the database admin account. This setting has priority over adminAccount and adminPassword | |
env | Sets additional environment variables for the configuration. | |
envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | |
envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | |
fullnameOverride | This overrides the output of the internal fullname function | |
**image**&#8203;.name | the name of the image to use | `"bitnami/postgresql"` |
**image**&#8203;.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | |
**image**&#8203;.repo | if you use a private repo, feel free to set it here | |
**image**&#8203;.tag | the tag of the image to use | `15` |
**meta**&#8203;.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | |
**meta**&#8203;.ports&#8203;.tcp | A potential tcp port, this component uses (if any) <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `5432` |
**meta**&#8203;.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | |
**meta**&#8203;.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | |
**meta**&#8203;.tenant | sets tenant information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"database"` |
**meta**&#8203;.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | |
minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | |
**mounts**&#8203;.caCerts&#8203;.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.caCerts&#8203;.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.componentCerts&#8203;.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.componentCerts&#8203;.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.conf&#8203;.path | Sets the path to the conf files <br>do not change this value | **info only**, do not change<br> `"/opt/bitnami/postgresql/conf"` |
**mounts**&#8203;.data&#8203;.class | Sets the class of the data disk | |
**mounts**&#8203;.data&#8203;.paths | Sets a list of paths to the data files <br>do not change this value | **info only**, do not change<br> `["/bitnami/postgresql"]` |
**mounts**&#8203;.data&#8203;.size | Sets the size of the data disk | `"30Gi"` |
**mounts**&#8203;.data&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.disk&#8203;.class | Sets the class of the disk | |
**mounts**&#8203;.disk&#8203;.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` |
**mounts**&#8203;.disk&#8203;.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` |
**mounts**&#8203;.disk&#8203;.size | Sets the size of the disk | |
**mounts**&#8203;.disk&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.file&#8203;.class | Sets the class of the shared disk | |
**mounts**&#8203;.file&#8203;.size | Sets the size of the shared disk | |
**mounts**&#8203;.file&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | |
**mounts**&#8203;.logs&#8203;.size | Sets the size of the log disk (all paths) | |
**mounts**&#8203;.temp&#8203;.paths | Sets a list of paths to the temporary files <br>do not change this value | **info only**, do not change<br> `["/tmp", "/opt/bitnami/postgresql/tmp"]` |
**mounts**&#8203;.temp&#8203;.size | Sets the size of the temporary disk (all paths) | `"1Gi"` |
nameOverride | This overrides the output of the internal name function | |
nodeSelector | select specific nodes for this component | |
**priority**&#8203;.className | Set the priority class for the Application Layer deployment if desired | |
**priority**&#8203;.createClass | Creates an individual PriorityClass for this instance | |
**priority**&#8203;.value | Sets the priorityValue | 1000000 |
**resources**&#8203;.limits&#8203;.cpu | The maximum allowed CPU for the container | |
**resources**&#8203;.limits&#8203;.memory | The maximum allowed RAM for the container | |
**resources**&#8203;.requests&#8203;.cpu | Set the share of guaranteed CPU to the container. | |
**resources**&#8203;.requests&#8203;.memory | Set the share of guaranteed RAM to the container | |
**security**&#8203;.containerSecurityContext&#8203;.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive <br>you should not change this | **info only**, do not change<br> `false` |
**security**&#8203;.containerSecurityContext&#8203;.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment <br>you should not change this | **info only**, do not change<br> `true` |
**security**&#8203;.podSecurityContext&#8203;.fsGroup | The file system group as which new files are created <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.podSecurityContext&#8203;.fsGroupChangePolicy | Under which condition should the fsGroup be changed <br>there is normally no need to change this | **info only**, do not change<br> `"OnRootMismatch"` |
**security**&#8203;.podSecurityContext&#8203;.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` |
**service**&#8203;.annotations | adds extra Annotations to the service | |
**service**&#8203;.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` |
**service**&#8203;.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` |
**telemetry**&#8203;.openTelemetry | turns Open Telemetry on | |
**telemetry**&#8203;.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | |
**template**&#8203;.annotations | set additional annotations for pods | |
**template**&#8203;.labels | set additional labels for pods | |
terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | |
timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` |
tolerations | Set tolerations for this component | |
**utils**&#8203;.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` |
**utils**&#8203;.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` |
**utils**&#8203;.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` |
**utils**&#8203;.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later | `true` |
**utils**&#8203;.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` |
**utils**&#8203;.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` |
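Review bot: typos in the values table will be copied into every generated values document, so fix them here: `podDesruptionBudget` (minReplicaCountType row) should read `podDisruptionBudget`, `primaty` (mounts.disk.enabled) `primary`, `ist run` (security.podSecurityContext.runAsUser) `is run`, `starndard` (utils.disableWait) `standard`, and `depricated` (utils.renderComments) `deprecated`. The utils.renderComments row is also ambiguous: "It will also fail on deprecated functions and keys, so it is recommended to only switch it off in PROD" should state plainly that rendering is meant to stay on in DEV/QA so deprecations are caught before production.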


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.component" . -}}


@@ -0,0 +1,16 @@
{{- include "nplus.init" $ -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .component.fullName }}-config
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
data:
{{ (.Files.Glob "config/*").AsConfig | indent 2 }}
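Review bot: missing documentation for the `config/*` files this template packages: because the StatefulSet mounts this ConfigMap at `/docker-entrypoint-initdb.d/`, every file under `config/` becomes an init script that runs with the database superuser on first initialisation, and a ConfigMap is readable by anyone with namespace read access, so state in the README that these scripts must not embed credentials (use the `POSTGRES_*` / `NSCALE_*` environment variables the StatefulSet already injects) and that editing them later has no effect on an already initialised data directory.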


@@ -0,0 +1,33 @@
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
ingress:
- from:
# Allow access from NAPPL Cores
- podSelector:
matchLabels:
nplus/group: {{ .instance.group }}
nplus/type: core
{{- if ((.this.security).cni).excludeUnusedPorts }}
ports:
{{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
{{- end }}
{{- end }}
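Review bot: the policy is gated on `.this.security.cni.createNetworkPolicy` (and `excludeUnusedPorts`), but `values.schema.json` in this commit declares `security` with `additionalProperties: false` and only `containerSecurityContext`, `podSecurityContext` and `zeroTrust`, so anyone setting `security.cni.*` in this chart's values gets a schema error and the NetworkPolicy is never rendered; either add `cni` to the schema or document that it is inherited from instance/environment values through `nplus.init`. The README should also say what the policy actually enforces: only pods of the same group with `nplus/type: core` may reach the database, and with `policyTypes: [Ingress]` egress from the database pod stays unrestricted.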


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.podDisruptionBudget" . -}}


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.priorityClass" . }}


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.pvc" . }}


@@ -0,0 +1,28 @@
{{- include "nplus.init" $ -}}
apiVersion: v1
kind: Service
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
{{- include "nplus.serviceAnnotations" . | nindent 4 }}
spec:
ports:
{{- include "nplus.defaultServicePorts" . | nindent 4 }}
selector:
{{- if eq .this.service.selector "component" }}
{{- include "nplus.selectorLabels" . | nindent 4 }}
{{- else if eq .this.service.selector "type" }}
{{- include "nplus.selectorLabelsNc" . | nindent 4 }}
{{- else }}
{{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }}
{{- end }}
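Review bot: the Service is rendered unconditionally, yet the README row for `service.enabled` says that disabling it also removes the service and the ingress; wrap the manifest in `{{- if .this.service.enabled }}` … `{{- end }}` the way the NetworkPolicy template guards on `createNetworkPolicy`, or drop the flag from the values table. The `fail` on an unknown `service.selector` is the right choice; keep the message, it names both accepted values.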


@@ -0,0 +1,119 @@
{{- include "nplus.init" $ -}}
# Component: {{ .component.chartName }}
#
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
serviceName: {{ .component.fullName }}
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
podManagementPolicy: OrderedReady
updateStrategy:
type: OnDelete
minReadySeconds: 10
template:
metadata:
labels:
{{- include "nplus.templateLabels" . | nindent 8 }}
annotations:
{{- include "nplus.templateAnnotations" . | nindent 8 }}
{{- include "nplus.securityAnnotations" . | nindent 8 }}
spec:
{{- include "nplus.priorityClassName" . | nindent 6 }}
{{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }}
{{- include "nplus.podSecurityContext" . | nindent 6 }}
{{- include "nplus.templateAffinity" . | nindent 6 }}
{{- include "nplus.imagePullSecrets" . | nindent 6 }}
{{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }}
initContainers:
{{- include "nplus.copyConfig" . | nindent 6 }}
containers:
- name: postgres
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
{{- include "nplus.resources" . | nindent 8 }}
env:
# -- POSTGRES Admin Credentials
{{- include "nplus.envCredentials" (list
"POSTGRES_USERNAME" ($.this.dbAdmin).account
"POSTGRES_PASSWORD" ($.this.dbAdmin).password
($.this.dbAdmin).secret
) | nindent 10 }}
# -- NAPPL Postgres Connection Credentials
{{- include "nplus.envCredentials" (list
"NSCALE_USERNAME" ($.this.database).account
"NSCALE_PASSWORD" ($.this.database).password
($.this.database).secret
) | nindent 10 }}
- name: NSCALE_DATABASE
value: {{ (.this.database).name }}
{{- include "nplus.environment" . | nindent 8 }}
ports:
{{- include "nplus.defaultContainerPorts" . | nindent 8 }}
{{- if .this.utils.maintenance }}
{{- include "nplus.idle" . | nindent 8 }}
{{- else }}
startupProbe:
initialDelaySeconds: 10
failureThreshold: 12
periodSeconds: 10
timeoutSeconds: 5
exec:
command:
- sh
- -c
- exec pg_isready -U "postgres" -h 127.0.0.1 -p {{ required "Postgres Port must be set" ((.this.meta).ports).tcp }}
livenessProbe:
exec:
command:
- sh
- -c
- exec pg_isready -U "postgres" -h 127.0.0.1 -p {{ required "Postgres Port must be set" ((.this.meta).ports).tcp }}
periodSeconds: 30
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
readinessProbe:
exec:
command:
- sh
- -c
- |
pg_isready -U "postgres" -h 127.0.0.1 -p 5432 -t 1
[ -f /opt/bitnami/postgresql/tmp/.initialized ]
{{- end }}
volumeMounts:
# Postgres requires this directory to be **completely** empty,
# so also no lost&found directory.
{{- include "nplus.defaultMounts" . | nindent 8 }}
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d/
volumes:
- name: custom-init-scripts
configMap:
name: {{ .component.fullName }}-config
{{- include "nplus.defaultVolumes" . | nindent 6 }}
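Review bot: the readiness probe hard-codes `-p 5432` while the startup and liveness probes derive the port from `((.this.meta).ports).tcp` behind a `required` guard; use the same expression in all three so a changed port cannot leave the pod permanently unready. All three probes also hard-code `-U "postgres"` although `dbAdmin.account` is configurable; `pg_isready` does not authenticate, so this works, but a comment saying so would prevent a well-meant "fix" that breaks the probe. Since `values.schema.json` ships literal default passwords (`postgres` for `dbAdmin`, `nscale` for `database`), consider failing the render here when the corresponding `secret` is empty and the password is still the default, at least for `meta.stage` PROD. Finally, the `lost+found` comment under `volumeMounts` describes the data mount produced by `nplus.defaultMounts`, not the `custom-init-scripts` mount that follows it; move it next to the data volume.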


@@ -0,0 +1,750 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"database": {
"additionalProperties": false,
"properties": {
"account": {
"default": "nscale",
"description": "the technical account to own the nscale database, if not set by secret",
"title": "account"
},
"name": {
"default": "nscale",
"description": "name of the nscale database",
"title": "name"
},
"password": {
"default": "nscale",
"description": "password of the technical account, if not set by secret",
"title": "password"
},
"secret": {
"default": "",
"description": "the secret with credentials (account, password) for the nscale technical account. This setting has priority over account and password",
"title": "secret"
}
},
"title": "database",
"type": "object"
},
"dbAdmin": {
"additionalProperties": false,
"properties": {
"account": {
"default": "postgres",
"description": "the database admin account, if not set by secret",
"title": "account"
},
"password": {
"default": "postgres",
"description": "the database admin password, if not set by secret",
"title": "password"
},
"secret": {
"default": "",
"description": "the secret with credentials (account, password) for the database admin account. This setting has priority over adminAccount and adminPassword",
"title": "secret"
}
},
"title": "dbAdmin",
"type": "object"
},
"env": {
"default": "",
"description": "Sets additional environment variables for the configuration.",
"title": "env"
},
"envMap": {
"default": "",
"description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.",
"title": "envMap"
},
"envSecret": {
"default": "",
"description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.",
"title": "envSecret"
},
"fullnameOverride": {
"default": "",
"description": "This overrides the output of the internal fullname function",
"title": "fullnameOverride"
},
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
},
"globals": {
"description": "nplus Global Functions Library Chart",
"properties": {
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
}
},
"title": "nplus-globals",
"type": "object"
},
"image": {
"additionalProperties": false,
"description": "provide the image to be used for this component",
"properties": {
"name": {
"default": "bitnami/postgresql",
"description": "the name of the image to use",
"title": "name"
},
"pullSecrets": {
"default": "",
"description": "you can provide your own pullSecrets, in case you use a private repo.",
"title": "pullSecrets"
},
"repo": {
"default": "",
"description": "if you use a private repo, feel free to set it here",
"title": "repo"
},
"tag": {
"default": "15",
"description": "the tag of the image to use",
"title": "tag"
}
},
"title": "image"
},
"meta": {
"additionalProperties": false,
"properties": {
"componentVersion": {
"default": "",
"description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify",
"title": "componentVersion"
},
"language": {
"default": "",
"description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.",
"title": "language"
},
"ports": {
"additionalProperties": false,
"description": "lists the ports this component exposes. This is important for zero trust mode and others.",
"properties": {
"http": {
"default": "",
"description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.",
"title": "http"
},
"https": {
"default": "",
"description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "https"
},
"rmi": {
"default": "",
"description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "rmi"
},
"tcp": {
"default": "5432",
"description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcp"
},
"tcps": {
"default": "",
"description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcps"
}
},
"title": "ports"
},
"provider": {
"default": "",
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment",
"title": "provider"
},
"serviceContainer": {
"default": "",
"description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any",
"title": "serviceContainer"
},
"stage": {
"default": "",
"description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)",
"title": "stage"
},
"tenant": {
"default": "",
"description": "sets tenant information to be able to invoice per use in a cloud environment",
"title": "tenant"
},
"type": {
"default": "database",
"description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.",
"title": "type"
},
"wave": {
"default": "",
"description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation",
"title": "wave"
}
},
"title": "meta",
"type": "object"
},
"minReplicaCountType": {
"default": "",
"description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer",
"title": "minReplicaCountType"
},
"mounts": {
"additionalProperties": false,
"properties": {
"caCerts": {
"additionalProperties": false,
"description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.",
"properties": {
"configMap": {
"default": "",
"description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting",
"title": "configMap"
},
"paths": {
"default": "",
"description": "Sets the path to the certs folder. @internal -- do not change this value",
"title": "paths"
},
"secret": {
"default": "",
"description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting",
"title": "secret"
}
},
"title": "caCerts"
},
"componentCerts": {
"additionalProperties": false,
"description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here",
"properties": {
"configMap": {
"default": "",
"description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting",
"title": "configMap"
},
"paths": {
"default": "",
"description": "Sets the path to the component certs. @internal -- do not change this value",
"title": "paths"
},
"secret": {
"default": "",
"description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting",
"title": "secret"
}
},
"title": "componentCerts"
},
"conf": {
"additionalProperties": false,
"description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment",
"properties": {
"path": {
"default": "/opt/bitnami/postgresql/conf",
"description": "Sets the path to the conf files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the conf files @internal -- do not change this value",
"title": "paths"
}
},
"title": "conf"
},
"data": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the data disk",
"title": "class"
},
"path": {
"default": "",
"description": "Sets the path to the data files @internal -- do not change this value",
"title": "path"
},
"paths": {
"description": "Sets a list of paths to the data files @internal -- do not change this value",
"items": {
"anyOf": [
{
"type": "string"
}
]
},
"title": "paths"
},
"size": {
"default": "30Gi",
"description": "Sets the size of the data disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "data",
"type": "object"
},
"disk": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the disk",
"title": "class"
},
"enabled": {
"default": "false",
"description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.",
"title": "enabled"
},
"migration": {
"default": "false",
"description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!",
"title": "migration"
},
"path": {
"default": "",
"description": "Sets the path to the disk files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the data files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "disk",
"type": "object"
},
"file": {
"additionalProperties": false,
"properties": {
"class": {
"default": "",
"description": "Sets the class of the shared disk",
"title": "class"
},
"path": {
"default": "",
"description": "Sets the path to the shared files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the shared files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the shared disk",
"title": "size"
},
"volumeName": {
"default": "",
"description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one",
"title": "volumeName"
}
},
"title": "file",
"type": "object"
},
"fonts": {
"additionalProperties": false,
"description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the fonts folder. @internal -- do not change this value",
"title": "path"
}
},
"title": "fonts"
},
"generic": {
"default": "",
"description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.",
"title": "generic"
},
"license": {
"additionalProperties": false,
"description": "some nscale Components require a license file and this defines it's location",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the license files @internal -- do not change this value",
"title": "path"
}
},
"title": "license"
},
"logs": {
"additionalProperties": false,
"description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the log files @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths to the log files @internal -- do not change this value",
"title": "paths"
},
"size": {
"default": "",
"description": "Sets the size of the log disk (all paths)",
"title": "size"
}
},
"title": "logs"
},
"pool": {
"additionalProperties": false,
"properties": {
"path": {
"default": "",
"description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value",
"title": "path"
}
},
"title": "pool",
"type": "object"
},
"ptemp": {
"additionalProperties": false,
"description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only",
"properties": {
"path": {
"default": "",
"description": "Sets the path for temporary files that are persisted @internal -- do not change this value",
"title": "path"
},
"paths": {
"default": "",
"description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value",
"title": "paths"
}
},
"title": "ptemp"
},
"temp": {
"additionalProperties": false,
"description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only",
"properties": {
"path": {
"default": "",
"description": "Sets the path to the temporary files @internal -- do not change this value",
"title": "path"
},
"paths": {
"description": "Sets a list of paths to the temporary files @internal -- do not change this value",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
]
},
"title": "paths"
},
"size": {
"default": "1Gi",
"description": "Sets the size of the temporary disk (all paths)",
"title": "size"
}
},
"title": "temp"
}
},
"title": "mounts",
"type": "object"
},
"nameOverride": {
"default": "",
"description": "This overrides the output of the internal name function",
"title": "nameOverride"
},
"nodeSelector": {
"default": "",
"description": "select specific nodes for this component",
"title": "nodeSelector"
},
"priority": {
"additionalProperties": false,
"description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.",
"properties": {
"className": {
"default": "",
"description": "Set the priority class for the Application Layer deployment if desired",
"title": "className"
},
"createClass": {
"default": "",
"description": "Creates an individual PriorityClass for this instance",
"title": "createClass"
},
"value": {
"default": "1000000",
"description": "Sets the priorityValue",
"title": "value"
}
},
"title": "priority"
},
"replicaCount": {
"default": "1",
"description": "The replicaCount for the Database should never be changed @ignore",
"title": "replicaCount"
},
"resources": {
"additionalProperties": false,
"description": "Assigns hardware resources to container",
"properties": {
"limits": {
"additionalProperties": false,
"description": "Limits the maximum resources",
"properties": {
"cpu": {
"default": "",
"description": "The maximum allowed CPU for the container",
"title": "cpu"
},
"memory": {
"default": "",
"description": "The maximum allowed RAM for the container",
"title": "memory"
}
},
"title": "limits"
},
"requests": {
"additionalProperties": false,
"description": "Requests are used to assign a minimum to a container. This is the guaranteed amount",
"properties": {
"cpu": {
"default": "",
"description": "Set the share of guaranteed CPU to the container.",
"title": "cpu"
},
"memory": {
"default": "",
"description": "Set the share of guaranteed RAM to the container",
"title": "memory"
}
},
"title": "requests"
}
},
"title": "resources"
},
"security": {
"additionalProperties": false,
"description": "Security Section defining default runtime environment for your container",
"properties": {
"containerSecurityContext": {
"additionalProperties": false,
"properties": {
"allowPrivilegeEscalation": {
"default": "false",
"description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this",
"title": "allowPrivilegeEscalation"
},
"capabilities": {
"additionalProperties": false,
"description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this",
"properties": {
"drop": {
"items": {
"anyOf": [
{
"type": "string"
}
]
},
"title": "drop",
"type": "array"
}
},
"title": "capabilities"
},
"readOnlyRootFilesystem": {
"default": "true",
"description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this",
"title": "readOnlyRootFilesystem"
}
},
"title": "containerSecurityContext",
"type": "object"
},
"podSecurityContext": {
"additionalProperties": false,
"properties": {
"fsGroup": {
"default": "1001",
"description": "The file system group as which new files are created @internal -- there is normally no need to change this",
"title": "fsGroup"
},
"fsGroupChangePolicy": {
"default": "OnRootMismatch",
"description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this",
"title": "fsGroupChangePolicy"
},
"runAsUser": {
"default": "1001",
"description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this",
"title": "runAsUser"
}
},
"title": "podSecurityContext",
"type": "object"
},
"zeroTrust": {
"default": "`false`",
"description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes",
"title": "zeroTrust"
}
},
"title": "security"
},
"service": {
"additionalProperties": false,
"properties": {
"annotations": {
"default": "",
"description": "adds extra Annotations to the service",
"title": "annotations"
},
"enabled": {
"default": "true",
"description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.",
"title": "enabled"
},
"selector": {
"default": "component",
"description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type",
"title": "selector"
}
},
"title": "service",
"type": "object"
},
"telemetry": {
"additionalProperties": false,
"description": "Settings for telemetry tools",
"properties": {
"openTelemetry": {
"default": "",
"description": "turns Open Telemetry on",
"title": "openTelemetry"
},
"serviceName": {
"default": "",
"description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"",
"title": "serviceName"
}
},
"title": "telemetry"
},
"template": {
"additionalProperties": false,
"description": "provide extra settings for pod templates",
"properties": {
"annotations": {
"default": "",
"description": "set additional annotations for pods",
"title": "annotations"
},
"labels": {
"default": "",
"description": "set additional labels for pods",
"title": "labels"
}
},
"title": "template"
},
"terminationGracePeriodSeconds": {
"default": "",
"description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults",
"title": "terminationGracePeriodSeconds"
},
"timezone": {
"default": "`Europe/Berlin`",
"description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.",
"title": "timezone"
},
"tolerations": {
"default": "",
"description": "Set tolerations for this component",
"title": "tolerations"
},
"utils": {
"additionalProperties": false,
"properties": {
"debug": {
"default": "`false`",
"description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide",
"title": "debug"
},
"disableWait": {
"default": "`false`",
"description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.",
"title": "disableWait"
},
"disableWave": {
"default": "`false`",
"description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.",
"title": "disableWave"
},
"includeNamespace": {
"default": "`true`",
"description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later",
"title": "includeNamespace"
},
"maintenance": {
"default": "`false`",
"description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.",
"title": "maintenance"
},
"renderComments": {
"default": "`true`",
"description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD",
"title": "renderComments"
}
},
"title": "utils",
"type": "object"
}
},
"type": "object"
}
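Review bot: the schema in this hunk documents the security-context keys but does not type them, so it cannot reject the values that would weaken them. `allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `runAsUser` and `fsGroup` carry string defaults (`"default": "false"`, `"default": "1001"`) and no `"type"`, and `zeroTrust`, `timezone` and every `utils.*` key carry defaults with literal backticks (`"default": "`false`"`) that look copied from the helm-docs `@default` comments. `additionalProperties: false` will catch a misspelled key, but `readOnlyRootFilesystem: "no"` or `runAsUser: root` passes as written. Suggest `"type": "boolean"` and `"type": "integer"` on those keys, typed defaults (`"default": false`, `"default": 1001`), and the backticks stripped, so that `helm lint`, `helm template` and `helm install`, which all validate values against this file, fail on a values file that loosens the hardened defaults instead of rendering it.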

354
charts/database/values.yaml Normal file

@@ -0,0 +1,354 @@
# yaml-language-server: $schema=values.schema.json
meta:
# -- the type of the component. You should not change this value, except if
# you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner*
# This type is used to create cluster communication for nappl and nstl and potentially
# group multiple replicaSets into one service.
type: database
# -- lists the ports this component exposes. This is important for zero trust mode and others.
ports:
# -- A potential tcp port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcp: 5432
# -- The http port this component uses (if any). In zero trust mode, this will be disabled.
# @internal -- this is a constant value of the component and should not be changed.
http:
# -- The tls / https port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
https:
# -- A potential tls / tcps port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcps:
# -- A potential rmi port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
rmi:
# -- sets tenant information to be able to invoice per use in a cloud environment
tenant:
# -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment
provider:
# -- Sets the wave in which this component should be deployed within an ArgoCD deployment
# if unset, it uses the default wave thus all components are installed in one wave, then relying
# on correct wait settings just like in a helm installation
wave:
# -- Sets the language of the main service (in the *service* container). This is used for instance
# if you turn OpenTelemetry on, to know which Agent to inject into the container.
language:
# -- The container name of the main service for this component. This is used to define where to
# inject the telemetry agents, if any
serviceContainer:
# -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment
# runs in. This can be used in template functions to add the stage to for instance the service name of
# telemetry services like open telemetry. (see telemetry example)
stage:
# -- This is the version of the component, used for display
# @internal -- set by devOps pipeline, so do not modify
componentVersion:
# -- The replicaCount for the Database should never be changed
# @ignore
replicaCount: 1
mounts:
data:
# -- Sets the size of the data disk
size: "30Gi"
# -- Sets a list of paths to the data files
# @internal -- do not change this value
paths:
- "/bitnami/postgresql"
# -- Sets the class of the data disk
class:
# -- Sets the path to the data files
# @internal -- do not change this value
path:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
# -- The conf volume is a RWX volume mounted by the environment, that holds
# all configurations of all instances and components in this environment
conf:
# -- Sets the path to the conf files
# @internal -- do not change this value
path: "/opt/bitnami/postgresql/conf"
# -- Sets a list of paths to the conf files
# @internal -- do not change this value
paths:
# -- The temp volume is used to hold any superflues and temporary data.
# it is deleted when the pod terminates. However, it is extremely important
# as all pods filesystems are read only
temp:
# -- Sets the size of the temporary disk (all paths)
size: "1Gi"
# -- Sets a list of paths to the temporary files
# @internal -- do not change this value
paths:
- "/tmp"
- "/opt/bitnami/postgresql/tmp"
# -- Sets the path to the temporary files
# @internal -- do not change this value
path:
# -- The log volume is used to take any left-over logging in the container.
# The container should log to stdout, but if any component still tries to log to disk
# this disk needs to be writeable
logs:
# -- Sets the path to the log files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the log files
# @internal -- do not change this value
paths:
# -- Sets the size of the log disk (all paths)
size:
# -- some nscale Components require a license file and this
# defines it's location
license:
# -- Sets the path to the license files
# @internal -- do not change this value
path:
# -- If you want to use additional
# fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the
# fonts directory from the environment pool
fonts:
# -- Sets the path to the fonts folder.
# @internal -- do not change this value
path:
# -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to
# connect to alien services via https. If you have a self-signed root certificate,
# you can also add it here.
caCerts:
# -- Sets the path to the certs folder.
# @internal -- do not change this value
paths:
# -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting
secret:
# -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting
configMap:
# -- the java based nscale components have their own certificates, that you might want to upload.
# You can normally do so via the environment configuration, but should you want to use a secret,
# you can set it here
componentCerts:
# -- Sets the path to the component certs.
# @internal -- do not change this value
paths:
# -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting
secret:
# -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting
configMap:
file:
# -- Sets the size of the shared disk
size:
# -- Sets the class of the shared disk
class:
# -- Sets the path to the shared files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the shared files
# @internal -- do not change this value
paths:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
pool:
# -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted.
# this is used to store scripts, apps and assets that are required to deploy an application / solution
# @internal -- do not change this value
path:
# -- The temp volume is used to hold any superflues and temporary data.
# it is deleted when the pod terminates. However, it is extremely important
# as all pods filesystems are read only
ptemp:
# -- Sets the path for temporary files that are persisted
# @internal -- do not change this value
path:
# -- Sets a list of paths for temporary files that are persisted
# @internal -- do not change this value
paths:
# -- Allows to define generic mounts of pre-provisioned PVs into any container.
# This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.
generic:
disk:
# -- Sets the size of the disk
size:
# -- Sets the class of the disk
class:
# -- Sets the path to the disk files
# @internal -- do not change this value
path:
# -- Sets a list of paths to the data files
# @internal -- do not change this value
paths:
# -- If you do not want to have a Volume created by the provisioner,
# you can set the name of your volume here to attach to this pre-existing one
volumeName:
# -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk.
# In case of the (default) disabled, the paths will be added to the primaty data disk.
enabled: false
# -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk.
# This is done only once and only if there is legacy data at all. No files are overwritten!
migration: false
database:
# -- name of the nscale database
name: nscale
# -- the technical account to own the nscale database, if not set by secret
account: nscale
# -- password of the technical account, if not set by secret
password: nscale
# -- the secret with credentials (account, password) for the nscale technical account.
# This setting has priority over account and password
secret:
dbAdmin:
# -- the database admin account, if not set by secret
account: "postgres"
# -- the database admin password, if not set by secret
password: "postgres"
# -- the secret with credentials (account, password) for the database admin account.
# This setting has priority over adminAccount and adminPassword
secret:
# -- provide the image to be used for this component
image:
# -- the name of the image to use
name: bitnami/postgresql
# -- the tag of the image to use
tag: 15
# -- you can provide your own pullSecrets, in case you use
# a private repo.
pullSecrets:
# -- if you use a private repo, feel free to set it here
repo:
# -- Security Section defining default runtime environment for your container
security:
podSecurityContext:
# -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context
# for security
# @internal -- there is normally no need to change this
runAsUser: 1001
# -- The file system group as which new files are created
# @internal -- there is normally no need to change this
fsGroup: 1001
# -- Under which condition should the fsGroup be changed
# @internal -- there is normally no need to change this
fsGroupChangePolicy: OnRootMismatch
containerSecurityContext:
# -- sets the container root file system to read only. This should be the case in production environment
# @internal -- you should not change this
readOnlyRootFilesystem: true
# -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
# @internal -- you should not change this
allowPrivilegeEscalation: false
# -- Capabilities this container should have. Only allow the necessity, and drop as many as possible
# @internal -- you should not change this
capabilities:
drop:
- ALL
# -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes
# @default -- `false`
zeroTrust:
# # <id>:
# # path: <the path in the container, where you want to mount this>
# # volumeName: <the name of the PV to be mounted>
# # subPath: <an (optional) subpath to be used inside the PV>
# -- You can give a component a specific priorityClass to implement a quality of service.
# You can leave this empty, then no priority is set. If you set a class, this class is taken
# If you additionally enable create, the class is created for you with the value defined.
priority:
# -- Set the priority class for the Application Layer deployment if desired
className:
# -- Creates an individual PriorityClass for this instance
createClass:
# -- Sets the priorityValue
# @default -- 1000000
value:
# -- Assigns hardware resources to container
resources:
# -- Requests are used to assign a minimum to a container. This is the guaranteed amount
requests:
# -- Set the share of guaranteed CPU to the container.
cpu:
# -- Set the share of guaranteed RAM to the container
memory:
# -- Limits the maximum resources
limits:
# -- The maximum allowed CPU for the container
cpu:
# -- The maximum allowed RAM for the container
memory:
# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl)
# etc.
# @default -- `Europe/Berlin`
timezone:
# -- Set tolerations for this component
tolerations:
# -- select specific nodes for this component
nodeSelector:
# -- Sets the name of a secret, which holds additional environment variables for
# the configuration. It is added as envFrom secretRef to the container.
envSecret:
# -- Sets the name of a configMap, which holds additional environment variables for
# the configuration. It is added as envFrom configMap to the container.
envMap:
# -- Sets additional environment variables for
# the configuration.
env:
# -- This overrides the output of the internal name function
nameOverride:
# -- This overrides the output of the internal fullname function
fullnameOverride:
utils:
# -- Turn debugging *on* will give you stack trace etc.
# Please check out the Chart Developer Guide
# @default -- `false`
debug:
# -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It
# will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD
# @default -- `true`
renderComments:
# -- By default, the namespace is rendered into the manifest. However, if you want to use
# `helm template` and store manifests for later applying them to multiple namespaces, you might
# want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later
# @default -- `true`
includeNamespace:
# -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the
# pods will start in idle, not starting the service at all. This will allow you to gain access to the container
# to perform recovery and maintenance tasks while having the real container up.
# @default -- `false`
maintenance:
# -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components
# of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components
# while previous waves are not finished yet.
# @default -- `false`
disableWave:
# -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are
# only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might
# start components even if they are not intended to run yet.
# @default -- `false`
disableWait:
service:
# -- enables the service to be consumed by group components and a potential ingress
# Disabling the service also disables the ingress.
enabled: true
# -- The selector can be `component` or `type`
# *component* selects only pods that are in the replicaset.
# *type* selects any pod that has the given type
selector: "component"
# -- adds extra Annotations to the service
annotations:
# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as
# minAvailable, using the component type as selector. This is useful for components, that are spread
# across multiple replicaSets, like sharepoint or storage layer
minReplicaCountType:
# -- provide extra settings for pod templates
template:
# -- set additional annotations for pods
annotations:
# -- set additional labels for pods
labels:
# -- Settings for telemetry tools
telemetry:
# -- turns Open Telemetry on
openTelemetry:
# -- Sets the service name for the telemetry service to more convenient
# identify the displayed component
# Example: "{{ .this.meta.type }}-{{ .instance.name }}"
serviceName:
# -- Sets the terminationGracePeriodSeconds for the component
# If not set, it uses the Kubernetes defaults
terminationGracePeriodSeconds:
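Review bot: `database.password: nscale` and `dbAdmin.password: "postgres"` ship well-known credentials as defaults while `database.secret` and `dbAdmin.secret` are empty, so an instance installed without an override runs the postgres superuser and the nscale owner with guessable passwords. Suggest empty defaults plus a `required` in the template when neither the secret nor the password is set, or a random password generated into a Secret on first install, so that the insecure state is impossible rather than merely discouraged. On the `security` block: dropping `ALL`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` are right, but the `restricted` Pod Security Standard additionally expects `runAsNonRoot: true` and `seccompProfile.type: RuntimeDefault`, neither of which is set, so a namespace that enforces `restricted` rejects this pod even though it effectively runs as 1001. Smaller points: `image.tag: 15` floats across every 15.x build, so pin a full tag or a digest if upgrades are meant to be reviewable; the commented `<id>: / path: / volumeName: / subPath:` block at the end of `security` documents `mounts.generic` and belongs there; the `ptemp` comment is a copy of the `temp` comment ("it is deleted when the pod terminates"), the opposite of what a persisted temp volume does; and 'ist run', 'superflues', 'primaty', 'starndard', 'depricated' and 'podDesruptionBudget' want a spelling pass.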


@@ -0,0 +1,11 @@
apiVersion: v2
name: nplus-environment-backend
description: Installs Namespace-Wide Resources such as the conf PVC and the ptemp PVC
icon: 
type: application
dependencies:
- name: nplus-globals
alias: globals
version: "*-0"
repository: "file://../globals"
version: 1.0.0
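Review bot: `version: "*-0"` on the `nplus-globals` dependency accepts any version of the globals subchart, pre-releases included, so this file records nothing about which globals the environment backend was built against; with `repository: "file://../globals"` it resolves to whatever is in the working tree at `helm dependency update` time, and the resolved version lives only in Chart.lock. A bounded constraint (a major-version range) would make an incompatible globals change fail at dependency resolution instead of at render time. Also, `icon:` is empty; set it or drop the key.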

115
charts/envbackend/README.md Normal file

@@ -0,0 +1,115 @@
# nplus-environment-backend
Installs Namespace-Wide Resources such as the conf PVC and the ptemp PVC
## nplus-environment-backend Chart Configuration
You can customize / configure nplus-environment-backend by setting configuration values on the command line or in values files,
that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
### Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template,
or escaped quotes).
### Global Values
All values can be set per component, per instance or globally per environment.
Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority:
- Prio 1 - Component Level: `ingress.domain`
- Prio 2 - Instance Level: `global.ingress.domain`
- Prio 3 - Environment Level: `global.environment.ingress.domain`
### Using Values in Templates
As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your
template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version
of your Values.
So an example in your `values.yaml` would be:
```
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
```
This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care.
The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables:
- `.component.chartName`
The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride`
- `.component.shortChartName`
A shorter Version of the name - `nappl` instead of `nplus-component-nappl`
- `.component.prefix`
The instance Prefix used to name the resources including `-`. This prefix is dropped, if the
`.Release.Name` equals `.Release.Namespace` for those of you that only
run one nplus Instance per namespace
- `.component.name`
The name of the component, including `.Values.nameOverride` and some logic
- `.component.fullName`
The fullName inlcuding `.Values.fullnameOverride` and some logic
- `.component.chart`
Mainly the `Chart.Name` and `Chart.Version`
- `.component.storagePath`
The path where the component config is stored in the conf PVC
- `.component.handler`
The handler (either helm, argoCD or manual)
- `.instance.name`
The name of the instance, but with override by `.Values.instanceOverride`
- `.instance.group`
The group, this instance belongs to. Override by `.Values.groupOverride`
- `.instance.version`
The *nscale* version (mostly taken from Application Layer), this instance is deploying.
- `.environment.name`
The name of the environment, but with override by `.Values.environmentNameOverride`
### Keys
You can set any of the following values for this component:
| Key | Description | Default |
|-----|-------------|---------|
env | Sets additional environment variables for the configuration. | |
envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | |
envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | |
fullnameOverride | This overrides the output of the internal fullname function | |
**meta**&#8203;.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | |
**meta**&#8203;.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | |
**meta**&#8203;.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | |
**meta**&#8203;.tenant | sets tenant information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | |
**meta**&#8203;.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | |
minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | |
nameOverride | This overrides the output of the internal name function | |
nodeSelector | select specific nodes for this component | |
**storage**&#8203;.conf&#8203;.name | this is the name of the common config storage. please see section "Storage" for more information | |
**storage**&#8203;.conf&#8203;.size | this is the size of the common config storage. please see section "Storage" for more information | |
**storage**&#8203;.conf&#8203;.volumeName | you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner | |
**storage**&#8203;.ptemp&#8203;.name | this is the name of the common persistant temp storage. please see section "Storage" for more information | |
**storage**&#8203;.ptemp&#8203;.size | this is the size of the common ptemp storage. please see section "Storage" for more information | |
**storage**&#8203;.ptemp&#8203;.volumeName | you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner | |
**telemetry**&#8203;.openTelemetry | turns Open Telemetry on | |
**telemetry**&#8203;.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | |
terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | |
timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` |
tolerations | Set tolerations for this component | |
**utils**&#8203;.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` |
**utils**&#8203;.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` |
**utils**&#8203;.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` |
**utils**&#8203;.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later | `true` |
**utils**&#8203;.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` |
**utils**&#8203;.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` |
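Review bot: the key table omits `storage.conf.class` and `storage.ptemp.class`, which the PVC templates in this same commit read (`{{- $scn := ((.this.storage).conf).class }}`) to set `storageClassName`; without them a reader has no documented way to choose anything but the cluster default class for two `ReadWriteMany` claims, where the class choice is exactly what decides whether binding works at all. Conversely, the table lists `env`, `envMap`, `envSecret`, `nodeSelector`, `tolerations`, `terminationGracePeriodSeconds`, `telemetry.*` and `meta.serviceContainer`, although the two templates shown for this chart render only PersistentVolumeClaims and no pod; if that is the whole chart, those keys are inherited boilerplate that cannot take effect here and should be marked as such or dropped from this table. Two smaller things: the `waitFor` sample escapes the port as `:\{{ .this.nappl.port }}` while the other `{{ }}` on the same line are unescaped, which reads like a helm-docs escaping artifact rather than syntax a user should copy, and 'inlcuding' in the `.component.fullName` bullet.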


@@ -0,0 +1,43 @@
{{- include "nplus.init" $ -}}
# The "conf" PVC is used to store all config data of the nplus components.
# You may want to use a git repo on this conf store
{{- if ((.this.storage).conf).name }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ required "You have to define a name for the conf PVC" ((.this.storage).conf).name }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.environmentLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
spec:
{{- if ((.this.storage).conf).volumeName }}
# -- You have set storage.conf.volumeName,
# so we add the volumeName here to avoid automatic
# volume generation and rather use an existing volume
# to bind to this PVC.
volumeName: {{ tpl .this.storage.conf.volumeName . }}
# -- set an empty string must be explicitly set otherwise default StorageClass will be set
# see https://kubernetes.io/docs/concepts/storage/persistent-volumes/
storageClassName: ""
{{- else }}
# -- volumeName: storage.conf.volumeName
# If you set the volumeName, it appears here. You
# have not done so, so the provisioner for this
# volume class will pick up this claim and fulfill it.
{{- $scn := ((.this.storage).conf).class }}
{{- if $scn }}
storageClassName: {{ $scn | quote }}
{{- end }}
{{- end }}
accessModes:
- ReadWriteMany
resources:
requests:
storage: {{ required "You have to define a size for the conf PVC" ((.this.storage).conf).size }}
{{- end }}
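Review bot: the `required "You have to define a name for the conf PVC"` on the `name:` line can never fire, because the whole manifest sits inside `{{- if ((.this.storage).conf).name }}`; a missing name silently renders nothing, which for a chart whose job is to create this claim is the more surprising failure. Decide which behaviour is intended: keep the guard and drop `required`, or drop the guard so `helm install` fails loudly. Two consistency points: `volumeName` goes through `tpl` but `name`, `size` and `class` do not, so a templated size or class renders literally unless `nplus.init` already expands them; and the comment 'set an empty string must be explicitly set otherwise default StorageClass will be set' should say plainly that `storageClassName: ""` is emitted on purpose to stop the default class from being applied when binding to a pre-existing volume, which is what the line under it does.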


@@ -0,0 +1,44 @@
{{- include "nplus.init" $ -}}
# The "ptemp" PVC is used to persist temporary data of the nplus components.
# This is used e.g. in nstl, to store accounting.log info to make sure it is not deleted
# during a PODs recreate
{{- if ((.this.storage).ptemp).name }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ required "You have to define a name for the ptemp PVC" ((.this.storage).ptemp).name }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.environmentLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
spec:
{{- if ((.this.storage).ptemp).volumeName }}
# -- You have set storage.ptemp.volumeName,
# so we add the volumeName here to avoid automatic
# volume generation and rather use an existing volume
# to bind to this PVC.
volumeName: {{ tpl .this.storage.ptemp.volumeName . }}
# -- set an empty string must be explicitly set otherwise default StorageClass will be set
# see https://kubernetes.io/docs/concepts/storage/persistent-volumes/
storageClassName: ""
{{- else }}
# -- volumeName: storage.ptemp.volumeName
# If you set the volumeName, it appears here. You
# have not done so, so the provisioner for this
# volume class will pick up this claim and fulfill it.
{{- $scn := ((.this.storage).ptemp).class }}
{{- if $scn }}
storageClassName: {{ $scn | quote }}
{{- end }}
{{- end }}
accessModes:
- ReadWriteMany
resources:
requests:
storage: {{ required "You have to define a size for the ptemp PVC" ((.this.storage).ptemp).size }}
{{- end }}
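Review bot: this file is the conf PVC template with `conf` replaced by `ptemp` on every line, including the same hard-coded `ReadWriteMany` access mode and the same garbled `storageClassName` comment, so the two will drift as soon as one of them is fixed. A single named template that takes the storage key (`conf` / `ptemp`) as a parameter and is included from two thin files keeps one copy of the logic. Also, `# during a PODs recreate` in the header comment should read `# when a Pod is recreated`.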


@@ -0,0 +1,258 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"env": {
"default": "",
"description": "Sets additional environment variables for the configuration.",
"title": "env"
},
"envMap": {
"default": "",
"description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.",
"title": "envMap"
},
"envSecret": {
"default": "",
"description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.",
"title": "envSecret"
},
"fullnameOverride": {
"default": "",
"description": "This overrides the output of the internal fullname function",
"title": "fullnameOverride"
},
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
},
"globals": {
"description": "nplus Global Functions Library Chart",
"properties": {
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
}
},
"title": "nplus-globals",
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"componentVersion": {
"default": "",
"description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify",
"title": "componentVersion"
},
"language": {
"default": "",
"description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.",
"title": "language"
},
"ports": {
"additionalProperties": false,
"description": "lists the ports this component exposes. This is important for zero trust mode and others.",
"properties": {
"http": {
"default": "",
"description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.",
"title": "http"
},
"https": {
"default": "",
"description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "https"
},
"rmi": {
"default": "",
"description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "rmi"
},
"tcp": {
"default": "",
"description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcp"
},
"tcps": {
"default": "",
"description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcps"
}
},
"title": "ports"
},
"provider": {
"default": "",
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment",
"title": "provider"
},
"serviceContainer": {
"default": "",
"description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any",
"title": "serviceContainer"
},
"stage": {
"default": "",
"description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)",
"title": "stage"
},
"tenant": {
"default": "",
"description": "sets tenant information to be able to invoice per use in a cloud environment",
"title": "tenant"
},
"type": {
"default": "",
"description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.",
"title": "type"
},
"wave": {
"default": "",
"description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation",
"title": "wave"
}
},
"title": "meta",
"type": "object"
},
"minReplicaCountType": {
"default": "",
"description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer",
"title": "minReplicaCountType"
},
"nameOverride": {
"default": "",
"description": "This overrides the output of the internal name function",
"title": "nameOverride"
},
"nodeSelector": {
"default": "",
"description": "select specific nodes for this component",
"title": "nodeSelector"
},
"storage": {
"additionalProperties": false,
"properties": {
"conf": {
"additionalProperties": false,
"properties": {
"name": {
"default": "",
"description": "this is the name of the common config storage. please see section \"Storage\" for more information",
"title": "name"
},
"size": {
"default": "",
"description": "this is the size of the common config storage. please see section \"Storage\" for more information",
"title": "size"
},
"volumeName": {
"default": "",
"description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner",
"title": "volumeName"
}
},
"title": "conf",
"type": "object"
},
"ptemp": {
"additionalProperties": false,
"properties": {
"name": {
"default": "",
"description": "this is the name of the common persistant temp storage. please see section \"Storage\" for more information",
"title": "name"
},
"size": {
"default": "",
"description": "this is the size of the common ptemp storage. please see section \"Storage\" for more information",
"title": "size"
},
"volumeName": {
"default": "",
"description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner",
"title": "volumeName"
}
},
"title": "ptemp",
"type": "object"
}
},
"title": "storage",
"type": "object"
},
"telemetry": {
"additionalProperties": false,
"description": "Settings for telemetry tools",
"properties": {
"openTelemetry": {
"default": "",
"description": "turns Open Telemetry on",
"title": "openTelemetry"
},
"serviceName": {
"default": "",
"description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"",
"title": "serviceName"
}
},
"title": "telemetry"
},
"terminationGracePeriodSeconds": {
"default": "",
"description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults",
"title": "terminationGracePeriodSeconds"
},
"timezone": {
"default": "`Europe/Berlin`",
"description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.",
"title": "timezone"
},
"tolerations": {
"default": "",
"description": "Set tolerations for this component",
"title": "tolerations"
},
"utils": {
"additionalProperties": false,
"properties": {
"debug": {
"default": "`false`",
"description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide",
"title": "debug"
},
"disableWait": {
"default": "`false`",
"description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.",
"title": "disableWait"
},
"disableWave": {
"default": "`false`",
"description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.",
"title": "disableWave"
},
"includeNamespace": {
"default": "`true`",
"description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later",
"title": "includeNamespace"
},
"maintenance": {
"default": "`false`",
"description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.",
"title": "maintenance"
},
"renderComments": {
"default": "`true`",
"description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD",
"title": "renderComments"
}
},
"title": "utils",
"type": "object"
}
},
"type": "object"
}
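Review bot: `storage.conf` and `storage.ptemp` declare `additionalProperties: false` with only `name`, `size` and `volumeName`, but the PVC templates in this same commit read `((.this.storage).conf).class` and `((.this.storage).ptemp).class` to set `storageClassName`, so a user who sets `storage.conf.class` on the component fails schema validation and the class branch is only reachable through `global`. Either add a `class` property to both objects or drop the branch from the templates. Separately, almost every property carries `"default": ""` and no `type`, so the schema validates nothing beyond key names, and the defaults for `timezone` and the `utils.*` flags still contain the backticks from the `@default` comment annotations, which suggests the file is generated from the values comments rather than reviewed by hand. Adding `type` (`boolean` for `utils.*`, `string` for `timezone`, `object` for `ports`) would let `helm lint` catch real misconfigurations.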


@@ -0,0 +1,131 @@
# yaml-language-server: $schema=values.schema.json
storage:
conf:
# -- this is the name of the common config storage.
# please see section "Storage" for more information
name:
# -- this is the size of the common config storage.
# please see section "Storage" for more information
size:
# -- you can set the volumeName to the value of a pre-existing
# volume to avoid having the PV created for you by the csi driver provisioner
volumeName:
ptemp:
# -- this is the name of the common persistant temp storage.
# please see section "Storage" for more information
name:
# -- this is the size of the common ptemp storage.
# please see section "Storage" for more information
size:
# -- you can set the volumeName to the value of a pre-existing
# volume to avoid having the PV created for you by the csi driver provisioner
volumeName:
# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl)
# etc.
# @default -- `Europe/Berlin`
timezone:
meta:
# -- the type of the component. You should not change this value, except if
# you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner*
# This type is used to create cluster communication for nappl and nstl and potentially
# group multiple replicaSets into one service.
type:
# -- lists the ports this component exposes. This is important for zero trust mode and others.
ports:
# -- The http port this component uses (if any). In zero trust mode, this will be disabled.
# @internal -- this is a constant value of the component and should not be changed.
http:
# -- The tls / https port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
https:
# -- A potential tcp port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcp:
# -- A potential tls / tcps port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcps:
# -- A potential rmi port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
rmi:
# -- sets tenant information to be able to invoice per use in a cloud environment
tenant:
# -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment
provider:
# -- Sets the wave in which this component should be deployed within an ArgoCD deployment
# if unset, it uses the default wave thus all components are installed in one wave, then relying
# on correct wait settings just like in a helm installation
wave:
# -- Sets the language of the main service (in the *service* container). This is used for instance
# if you turn OpenTelemetry on, to know which Agent to inject into the container.
language:
# -- The container name of the main service for this component. This is used to define where to
# inject the telemetry agents, if any
serviceContainer:
# -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment
# runs in. This can be used in template functions to add the stage to for instance the service name of
# telemetry services like open telemetry. (see telemetry example)
stage:
# -- This is the version of the component, used for display
# @internal -- set by devOps pipeline, so do not modify
componentVersion:
# -- Set tolerations for this component
tolerations:
# -- select specific nodes for this component
nodeSelector:
# -- Sets the name of a secret, which holds additional environment variables for
# the configuration. It is added as envFrom secretRef to the container.
envSecret:
# -- Sets the name of a configMap, which holds additional environment variables for
# the configuration. It is added as envFrom configMap to the container.
envMap:
# -- Sets additional environment variables for
# the configuration.
env:
# -- This overrides the output of the internal name function
nameOverride:
# -- This overrides the output of the internal fullname function
fullnameOverride:
utils:
# -- Turn debugging *on* will give you stack trace etc.
# Please check out the Chart Developer Guide
# @default -- `false`
debug:
# -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It
# will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD
# @default -- `true`
renderComments:
# -- By default, the namespace is rendered into the manifest. However, if you want to use
# `helm template` and store manifests for later applying them to multiple namespaces, you might
# want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later
# @default -- `true`
includeNamespace:
# -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the
# pods will start in idle, not starting the service at all. This will allow you to gain access to the container
# to perform recovery and maintenance tasks while having the real container up.
# @default -- `false`
maintenance:
# -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components
# of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components
# while previous waves are not finished yet.
# @default -- `false`
disableWave:
# -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are
# only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might
# start components even if they are not intended to run yet.
# @default -- `false`
disableWait:
# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as
# minAvailable, using the component type as selector. This is useful for components, that are spread
# across multiple replicaSets, like sharepoint or storage layer
minReplicaCountType:
# -- Settings for telemetry tools
telemetry:
# -- turns Open Telemetry on
openTelemetry:
# -- Sets the service name for the telemetry service to more convenient
# identify the displayed component
# Example: "{{ .this.meta.type }}-{{ .instance.name }}"
serviceName:
# -- Sets the terminationGracePeriodSeconds for the component
# If not set, it uses the Kubernetes defaults
terminationGracePeriodSeconds:
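Review bot: the comments in this file are the source the README table and values.schema.json are generated from, so each typo shows up in three files: `persistant` (under `ptemp:`), `depricated` (`renderComments`), `starndard` (`disableWait`), `podDesruptionBudget` (`minReplicaCountType`) and `A optional parameter` (`stage`). Also, neither `storage.conf` nor `storage.ptemp` documents a `class` key here, although the PVC templates read one to set `storageClassName`; declaring it in this file is what gets it into the generated docs and schema.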

charts/envdav/Chart.yaml Normal file (11 lines)

@@ -0,0 +1,11 @@
apiVersion: v2
name: nplus-environment-dav
description: Provides WebDAV access to environment resources such as the conf PVC and the ptemp PVC
icon: 
type: application
dependencies:
- name: nplus-globals
alias: globals
version: "*-0"
repository: "file://../globals"
version: 1.0.0
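Review bot: `icon:` is left empty, which renders as a null field and `helm lint` reports at INFO level as a missing icon; either drop the key or point it at the chart's icon URL. The `version: "*-0"` constraint on `nplus-globals` is harmless for a `file://../globals` dependency, since the local copy is the only candidate, but it would accept any pre-release if the repository were ever switched to a remote index.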

charts/envdav/README.md Normal file (145 lines)

@@ -0,0 +1,145 @@
# nplus-environment-dav
Provides WebDAV access to environment resources such as the conf PVC and the ptemp PVC
## nplus-environment-dav Chart Configuration
You can customize / configure nplus-environment-dav by setting configuration values on the command line or in values files,
that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
### Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template,
or escaped quotes).
### Global Values
All values can be set per component, per instance or globally per environment.
Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority:
- Prio 1 - Component Level: `ingress.domain`
- Prio 2 - Instance Level: `global.ingress.domain`
- Prio 3 - Environment Level: `global.environment.ingress.domain`
### Using Values in Templates
As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your
template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version
of your Values.
So an example in your `values.yaml` would be:
```
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
```
This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care.
The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables:
- `.component.chartName`
The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride`
- `.component.shortChartName`
A shorter Version of the name - `nappl` instead of `nplus-component-nappl`
- `.component.prefix`
The instance Prefix used to name the resources including `-`. This prefix is dropped, if the
`.Release.Name` equals `.Release.Namespace` for those of you that only
run one nplus Instance per namespace
- `.component.name`
The name of the component, including `.Values.nameOverride` and some logic
- `.component.fullName`
The fullName inlcuding `.Values.fullnameOverride` and some logic
- `.component.chart`
Mainly the `Chart.Name` and `Chart.Version`
- `.component.storagePath`
The path where the component config is stored in the conf PVC
- `.component.handler`
The handler (either helm, argoCD or manual)
- `.instance.name`
The name of the instance, but with override by `.Values.instanceOverride`
- `.instance.group`
The group, this instance belongs to. Override by `.Values.groupOverride`
- `.instance.version`
The *nscale* version (mostly taken from Application Layer), this instance is deploying.
- `.environment.name`
The name of the environment, but with override by `.Values.environmentNameOverride`
### Keys
You can set any of the following values for this component:
| Key | Description | Default |
|-----|-------------|---------|
account | the dav user | `"admin"` |
env | Sets additional environment variables for the configuration. | |
envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | |
envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | |
fullnameOverride | This overrides the output of the internal fullname function | |
**image**&#8203;.name | the name of the image to use | `"toolbox2"` |
**image**&#8203;.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` |
**image**&#8203;.repo | if you use a private repo, feel free to set it here | `"cr.nplus.cloud/subscription"` |
**image**&#8203;.tag | the tag of the image to use | `"latest"` |
**ingress**&#8203;.annotations | Adds extra Annotations to the ingress | |
**ingress**&#8203;.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http` <br> `https` in zero trust mode |
**ingress**&#8203;.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` |
**ingress**&#8203;.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/dav"` |
**ingress**&#8203;.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | |
**ingress**&#8203;.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | |
**ingress**&#8203;.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | |
**ingress**&#8203;.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` |
**ingress**&#8203;.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" |
**ingress**&#8203;.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | |
**ingress**&#8203;.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` |
**ingress**&#8203;.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | |
**meta**&#8203;.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | |
**meta**&#8203;.ports&#8203;.http | The http port this component uses (if any). In zero trust mode, this will be disabled. <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `8080` |
**meta**&#8203;.ports&#8203;.https | The tls / https port, this component uses (if any) <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `8443` |
**meta**&#8203;.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | |
**meta**&#8203;.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | |
**meta**&#8203;.tenant | sets tenant information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"envdav"` |
**meta**&#8203;.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | |
minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | |
nameOverride | This overrides the output of the internal name function | |
nodeSelector | select specific nodes for this component | |
password | password of the dav user | `"admin"` |
**resources**&#8203;.limits&#8203;.cpu | The maximum allowed CPU for the container | `"1"` |
**resources**&#8203;.limits&#8203;.memory | The maximum allowed RAM for the container | `"512Mi"` |
**resources**&#8203;.requests&#8203;.cpu | Set the share of guaranteed CPU to the container. | `"1m"` |
**resources**&#8203;.requests&#8203;.memory | Set the share of guaranteed RAM to the container | `"64Mi"` |
secret | Alternatively, define a secret | |
**security**&#8203;.containerSecurityContext&#8203;.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive <br>you should not change this | **info only**, do not change<br> `false` |
**security**&#8203;.containerSecurityContext&#8203;.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment <br>you should not change this | **info only**, do not change<br> `true` |
**security**&#8203;.podSecurityContext&#8203;.fsGroup | The file system group as which new files are created <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.podSecurityContext&#8203;.fsGroupChangePolicy | Under which condition should the fsGroup be changed <br>there is normally no need to change this | **info only**, do not change<br> `"OnRootMismatch"` |
**security**&#8203;.podSecurityContext&#8203;.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` |
**service**&#8203;.annotations | adds extra Annotations to the service | |
**service**&#8203;.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` |
**service**&#8203;.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` |
**telemetry**&#8203;.openTelemetry | turns Open Telemetry on | |
**telemetry**&#8203;.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | |
**template**&#8203;.annotations | set additional annotations for pods | |
**template**&#8203;.labels | set additional labels for pods | |
terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | |
timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` |
tolerations | Set tolerations for this component | |
**utils**&#8203;.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` |
**utils**&#8203;.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` |
**utils**&#8203;.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` |
**utils**&#8203;.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later | `true` |
**utils**&#8203;.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` |
**utils**&#8203;.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` |
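Review bot: `account` and `password` both default to `"admin"`, and `ingress.enabled` defaults to `true` with `ingress.class` defaulting to `public`, so an install with default values exposes the conf PVC (the configuration of every nplus component, per the PVC template comment) and the ptemp PVC over WebDAV through a public ingress with admin/admin. Drop the password default and make the template `fail` unless `password` or `secret` is set, or default `ingress.enabled` to `false` for this chart; the `ingress.whitelist` description should also say that an admin CIDR list is expected for this endpoint. Formatting: every row of the keys table after the header line is missing its leading `|` (`account | the dav user | ...`), so the table does not render as a table.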


@@ -0,0 +1,16 @@
{{- include "nplus.init" $ -}}
{{- if ( include "nplus.ingressEnabled" . ) }}
{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }}
- path: {{ .Values.ingress.contextPath }}
pathType: Prefix
backend:
service:
name: {{ .component.fullName }}
port:
name: {{ include "nplus.backendProtocol" . }}
{{- else }}
# kind: ingress
# Not Generating any Ingress for {{ .component.fullName }} as
# Ingress = {{ .this.ingress }}
# Service = {{ .this.service }}
{{- end }}
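Review bot: `- path: {{ .Values.ingress.contextPath }}` reads `.Values` directly, while every other line in this file and the rest of the chart goes through `.this`, which the README describes as the merged component / instance / environment view. A `contextPath` set at instance or environment level is therefore ignored here, and if the component value is unset the path renders empty and the Ingress is rejected by the API server. Use `{{ .this.ingress.contextPath }}`, or wrap it in `required`.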


@@ -0,0 +1,39 @@
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
spec:
podSelector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
ingress:
{{- if ( include "nplus.ingressEnabled" . ) }}
{{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }}
{{- end }}
- from:
- ipBlock:
cidr: {{ ((.this.security).cni).adminIpRange | quote }}
{{- if ((.this.security).cni).excludeUnusedPorts }}
ports:
{{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
{{- end }}
policyTypes:
- Egress
- Ingress
egress:
# -- Access DNS
- ports:
- protocol: TCP
port: 53
- protocol: UDP
port: 53
{{- end }}
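Review bot: the second ingress rule renders `cidr: {{ ((.this.security).cni).adminIpRange | quote }}` unconditionally, so when `adminIpRange` is unset it produces `cidr: ""`, which the API server rejects, and there is no guard comparable to the `createNetworkPolicy` check at the top. Wrap the rule in `{{- if ((.this.security).cni).adminIpRange }}` or `fail` with a clear message. Note also that the `ports:` restriction is only emitted when `excludeUnusedPorts` is set, so by default the admin range may reach every port on the pod; and egress permits only DNS (TCP/UDP 53), which is deliberately tight and deserves a comment stating that the DAV server needs no other outbound access, so nobody "fixes" it later.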


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.podDisruptionBudget" . -}}


@@ -0,0 +1,33 @@
{{- include "nplus.init" $ -}}
apiVersion: v1
kind: Service
metadata:
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
name: {{ .component.fullName }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
# this is a "headless service", no cluster IP is defined
# as none of the internal components need to access this service,
# access is purely through an ingress if desired.
type: ClusterIP
clusterIP: None
ports:
{{- include "nplus.defaultServicePorts" . | nindent 4 }}
selector:
{{- if eq .this.service.selector "component" }}
{{- include "nplus.selectorLabels" . | nindent 4 }}
{{- else if eq .this.service.selector "type" }}
{{- include "nplus.selectorLabelsNc" . | nindent 4 }}
{{- else }}
{{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }}
{{- end }}
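Review bot: `service.enabled` (documented in values.yaml as "enables the service ... Disabling the service also disables the ingress") is never checked here; the Service is rendered whenever the template is evaluated, unless `nplus.init` aborts rendering, which is not visible in this hunk. Add `{{- if .this.service.enabled }}` around the manifest, mirroring the `nplus.ingressEnabled` check in the ingress template. The `fail` on an unknown selector value is good; with `selector: type` the headless Service, and therefore the ingress in front of it, spans every pod carrying that type label across replica sets, which matches the values comment but is worth restating in the template comment next to `clusterIP: None`.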


@@ -0,0 +1,89 @@
{{- include "nplus.init" $ -}}
{{- if not ((.this.storage).conf).name -}}
{{ fail "conf name must be set" }}
{{- end -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
serviceName: {{ .component.fullName }}
selector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
replicas: 1
podManagementPolicy: OrderedReady
updateStrategy:
type: RollingUpdate
minReadySeconds: 30
template:
metadata:
labels:
{{- include "nplus.templateLabels" . | nindent 8 }}
annotations:
{{- include "nplus.templateAnnotations" . | nindent 8 }}
{{- include "nplus.securityAnnotations" . | nindent 8 }}
spec:
{{- include "nplus.imagePullSecrets" . | nindent 6 }}
{{- include "nplus.podSecurityContext" . | nindent 6 }}
{{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }}
{{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }}
containers:
- name: dav
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
command: [ "/nplus/davserver" ]
volumeMounts:
- name: conf
mountPath: /webdav/conf
- name: ptemp
mountPath: /webdav/ptemp
{{- include "nplus.resources" . | nindent 8 }}
env:
# -- DAV Connection Credentials
{{- include "nplus.envCredentials" (list
"DAV_USER" $.this.account
"DAV_PASSWORD" $.this.password
$.this.secret
) | nindent 10 }}
- name: DAV_ROOT
value: "/dav"
ports:
{{- include "nplus.defaultContainerPorts" . | nindent 8 }}
readinessProbe:
tcpSocket:
port: {{ include "nplus.backendPort" . }}
initialDelaySeconds: 15
periodSeconds: 10
livenessProbe:
tcpSocket:
port: {{ include "nplus.backendPort" . }}
initialDelaySeconds: 15
periodSeconds: 10
volumes:
- name: conf
persistentVolumeClaim:
claimName: conf
- name: ptemp
persistentVolumeClaim:
claimName: ptemp
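Review bot: the guard at the top fails unless `.this.storage.conf.name` is set, but the `volumes` section hard-codes `claimName: conf` and `claimName: ptemp` and never uses that value, so the check validates something the template ignores; either render `claimName: {{ .this.storage.conf.name }}` or drop the guard. Second, `DAV_ROOT` is `/dav` while the only mounted volumes are `/webdav/conf` and `/webdav/ptemp`; with `readOnlyRootFilesystem: true` from the default containerSecurityContext in values.yaml, `/dav` is not writable unless `/nplus/davserver` maps it onto one of those mounts, so confirm that or mount the volume at the DAV root. Finally, the tcpSocket probes only prove the port accepts connections; if the server has an HTTP health endpoint, an httpGet probe (https under zeroTrust) would also catch a hung server.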


@@ -0,0 +1,489 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"account": {
"default": "admin",
"description": "the dav user",
"title": "account"
},
"env": {
"default": "",
"description": "Sets additional environment variables for the configuration.",
"title": "env"
},
"envMap": {
"default": "",
"description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.",
"title": "envMap"
},
"envSecret": {
"default": "",
"description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.",
"title": "envSecret"
},
"fullnameOverride": {
"default": "",
"description": "This overrides the output of the internal fullname function",
"title": "fullnameOverride"
},
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
},
"globals": {
"description": "nplus Global Functions Library Chart",
"properties": {
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
}
},
"title": "nplus-globals",
"type": "object"
},
"image": {
"additionalProperties": false,
"description": "provide the image to be used for this component",
"properties": {
"name": {
"default": "toolbox2",
"description": "the name of the image to use",
"title": "name"
},
"pullPolicy": {
"default": "IfNotPresent",
"title": "pullPolicy",
"type": "string"
},
"pullSecrets": {
"description": "you can provide your own pullSecrets, in case you use a private repo.",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
]
},
"title": "pullSecrets"
},
"repo": {
"default": "cr.nplus.cloud/subscription",
"description": "if you use a private repo, feel free to set it here",
"title": "repo"
},
"tag": {
"default": "1.2.1300",
"description": "the tag of the image to use",
"title": "tag"
}
},
"title": "image"
},
"ingress": {
"additionalProperties": false,
"description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)",
"properties": {
"annotations": {
"default": "",
"description": "Adds extra Annotations to the ingress",
"title": "annotations"
},
"backendProtocol": {
"default": "`http` <br> `https` in zero trust mode",
"description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.",
"title": "backendProtocol"
},
"class": {
"default": "`public`",
"description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one",
"title": "class"
},
"contextPath": {
"default": "/dav",
"description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.",
"title": "contextPath"
},
"cookie": {
"default": "",
"description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web",
"title": "cookie"
},
"deny": {
"default": "",
"description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.",
"title": "deny"
},
"domain": {
"default": "",
"description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here",
"title": "domain"
},
"enabled": {
"default": "true",
"description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.",
"title": "enabled"
},
"inputPath": {
"default": "",
"description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.",
"title": "inputPath"
},
"namespace": {
"default": "\"ingress, kube-system, ingress-nginx\"",
"description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list",
"title": "namespace"
},
"proxyReadTimeout": {
"default": "",
"description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.",
"title": "proxyReadTimeout"
},
"rewriteTarget": {
"default": "",
"description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.",
"title": "rewriteTarget"
},
"secret": {
"default": "`{{ .this.ingress.domain }}-tls`",
"description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance",
"title": "secret"
},
"whitelist": {
"default": "",
"description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers",
"title": "whitelist"
}
},
"title": "ingress"
},
"meta": {
"additionalProperties": false,
"properties": {
"componentVersion": {
"default": "",
"description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify",
"title": "componentVersion"
},
"language": {
"default": "",
"description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.",
"title": "language"
},
"ports": {
"additionalProperties": false,
"description": "lists the ports this component exposes. This is important for zero trust mode and others.",
"properties": {
"http": {
"default": "8080",
"description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.",
"title": "http"
},
"https": {
"default": "8443",
"description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "https"
},
"rmi": {
"default": "",
"description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "rmi"
},
"tcp": {
"default": "",
"description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcp"
},
"tcps": {
"default": "",
"description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcps"
}
},
"title": "ports"
},
"provider": {
"default": "",
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment",
"title": "provider"
},
"serviceContainer": {
"default": "",
"description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any",
"title": "serviceContainer"
},
"stage": {
"default": "",
"description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)",
"title": "stage"
},
"tenant": {
"default": "",
"description": "sets tenant information to be able to invoice per use in a cloud environment",
"title": "tenant"
},
"type": {
"default": "envdav",
"description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.",
"title": "type"
},
"wave": {
"default": "",
"description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation",
"title": "wave"
}
},
"title": "meta",
"type": "object"
},
"minReplicaCountType": {
"default": "",
"description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer",
"title": "minReplicaCountType"
},
"nameOverride": {
"default": "",
"description": "This overrides the output of the internal name function",
"title": "nameOverride"
},
"nodeSelector": {
"default": "",
"description": "select specific nodes for this component",
"title": "nodeSelector"
},
"password": {
"default": "admin",
"description": "password of the dav user",
"title": "password"
},
"resources": {
"additionalProperties": false,
"description": "Assigns hardware resources to container",
"properties": {
"limits": {
"additionalProperties": false,
"description": "Limits the maximum resources",
"properties": {
"cpu": {
"default": "1",
"description": "The maximum allowed CPU for the container",
"title": "cpu"
},
"memory": {
"default": "512Mi",
"description": "The maximum allowed RAM for the container",
"title": "memory"
}
},
"title": "limits"
},
"requests": {
"additionalProperties": false,
"description": "Requests are used to assign a minimum to a container. This is the guaranteed amount",
"properties": {
"cpu": {
"default": "1m",
"description": "Set the share of guaranteed CPU to the container.",
"title": "cpu"
},
"memory": {
"default": "64Mi",
"description": "Set the share of guaranteed RAM to the container",
"title": "memory"
}
},
"title": "requests"
}
},
"title": "resources"
},
"secret": {
"default": "",
"description": "Alternatively, define a secret",
"title": "secret"
},
"security": {
"additionalProperties": false,
"description": "Security Section defining default runtime environment for your container",
"properties": {
"containerSecurityContext": {
"additionalProperties": false,
"properties": {
"allowPrivilegeEscalation": {
"default": "false",
"description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this",
"title": "allowPrivilegeEscalation"
},
"capabilities": {
"additionalProperties": false,
"description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this",
"properties": {
"drop": {
"items": {
"anyOf": [
{
"type": "string"
}
]
},
"title": "drop",
"type": "array"
}
},
"title": "capabilities"
},
"readOnlyRootFilesystem": {
"default": "true",
"description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this",
"title": "readOnlyRootFilesystem"
}
},
"title": "containerSecurityContext",
"type": "object"
},
"podSecurityContext": {
"additionalProperties": false,
"properties": {
"fsGroup": {
"default": "1001",
"description": "The file system group as which new files are created @internal -- there is normally no need to change this",
"title": "fsGroup"
},
"fsGroupChangePolicy": {
"default": "OnRootMismatch",
"description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this",
"title": "fsGroupChangePolicy"
},
"runAsUser": {
"default": "1001",
"description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this",
"title": "runAsUser"
}
},
"title": "podSecurityContext",
"type": "object"
},
"zeroTrust": {
"default": "`false`",
"description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes",
"title": "zeroTrust"
}
},
"title": "security"
},
"service": {
"additionalProperties": false,
"properties": {
"annotations": {
"default": "",
"description": "adds extra Annotations to the service",
"title": "annotations"
},
"enabled": {
"default": "true",
"description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.",
"title": "enabled"
},
"selector": {
"default": "component",
"description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type",
"title": "selector"
}
},
"title": "service",
"type": "object"
},
"telemetry": {
"additionalProperties": false,
"description": "Settings for telemetry tools",
"properties": {
"openTelemetry": {
"default": "",
"description": "turns Open Telemetry on",
"title": "openTelemetry"
},
"serviceName": {
"default": "",
"description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"",
"title": "serviceName"
}
},
"title": "telemetry"
},
"template": {
"additionalProperties": false,
"description": "provide extra settings for pod templates",
"properties": {
"annotations": {
"default": "",
"description": "set additional annotations for pods",
"title": "annotations"
},
"labels": {
"default": "",
"description": "set additional labels for pods",
"title": "labels"
}
},
"title": "template"
},
"terminationGracePeriodSeconds": {
"default": "",
"description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults",
"title": "terminationGracePeriodSeconds"
},
"timezone": {
"default": "`Europe/Berlin`",
"description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.",
"title": "timezone"
},
"tolerations": {
"default": "",
"description": "Set tolerations for this component",
"title": "tolerations"
},
"utils": {
"additionalProperties": false,
"properties": {
"debug": {
"default": "`false`",
"description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide",
"title": "debug"
},
"disableWait": {
"default": "`false`",
"description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.",
"title": "disableWait"
},
"disableWave": {
"default": "`false`",
"description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.",
"title": "disableWave"
},
"includeNamespace": {
"default": "`true`",
"description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later",
"title": "includeNamespace"
},
"maintenance": {
"default": "`false`",
"description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.",
"title": "maintenance"
},
"renderComments": {
"default": "`true`",
"description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD",
"title": "renderComments"
}
},
"title": "utils",
"type": "object"
}
},
"type": "object"
}
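Review bot: most properties declare `default` and `title` but no `type` (e.g. `account`, `password`, `ingress.enabled`, `security.containerSecurityContext.readOnlyRootFilesystem`, `security.podSecurityContext.runAsUser`), so the schema accepts a string `"false"` or a list where a boolean or integer is expected; `additionalProperties: false` is already in place, and adding `type` to the leaf keys is what would make the schema catch mistyped overrides. Also, `image.pullSecrets.items.anyOf` lists `{"type": "string"}` twice; one entry suffices. The schema's `image.tag` default is `1.2.1300` while values.yaml ships `tag: latest`; the two should agree.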

240
charts/envdav/values.yaml Normal file

@@ -0,0 +1,240 @@
# yaml-language-server: $schema=values.schema.json
# -- provide the image to be used for this component
image:
# -- if you use a private repo, feel free to set it here
repo: cr.nplus.cloud/subscription
# -- the name of the image to use
name: toolbox2
# -- the tag of the image to use
tag: latest
pullPolicy: IfNotPresent
# -- you can provide your own pullSecrets, in case you use
# a private repo.
pullSecrets:
- nscale-cr
- nplus-cr
# -- the dav user
account: admin
# -- password of the dav user
password: admin
# -- Alternatively, define a secret
secret:
meta:
# -- lists the ports this component exposes. This is important for zero trust mode and others.
ports:
# -- The http port this component uses (if any). In zero trust mode, this will be disabled.
# @internal -- this is a constant value of the component and should not be changed.
http: 8080
# -- The tls / https port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
https: 8443
# -- A potential tcp port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcp:
# -- A potential tls / tcps port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcps:
# -- A potential rmi port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
rmi:
# -- the type of the component. You should not change this value, except if
# you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner*
# This type is used to create cluster communication for nappl and nstl and potentially
# group multiple replicaSets into one service.
type: envdav
# -- sets tenant information to be able to invoice per use in a cloud environment
tenant:
# -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment
provider:
# -- Sets the wave in which this component should be deployed within an ArgoCD deployment
# if unset, it uses the default wave thus all components are installed in one wave, then relying
# on correct wait settings just like in a helm installation
wave:
# -- Sets the language of the main service (in the *service* container). This is used for instance
# if you turn OpenTelemetry on, to know which Agent to inject into the container.
language:
# -- The container name of the main service for this component. This is used to define where to
# inject the telemetry agents, if any
serviceContainer:
# -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment
# runs in. This can be used in template functions to add the stage to for instance the service name of
# telemetry services like open telemetry. (see telemetry example)
stage:
# -- This is the version of the component, used for display
# @internal -- set by devOps pipeline, so do not modify
componentVersion:
# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)
ingress:
# -- You can toggle the ingress on wether you'd like this component
# to be reachable through an ingress or not.
enabled: true
# -- Overrides the default backend protocol. The default is http,
# unless in zeroTrust Mode, then it is switched to https automatically.
# @default -- `http` <br> `https` in zero trust mode
backendProtocol:
# -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason
# Example: `/nscalealinst1(/\|$)(.*)`
# @internal -- This is an alpha feature - do not use it.
inputPath:
# -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason
# Example: `/nscalealinst1/$2`
# @internal -- This is an alpha feature - do not use it.
rewriteTarget:
# -- deny is used to exclude specific paths from public access, such as
# administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is
# the burlap protocol. The configuration service is the endpoint used by
# the Admin client.
deny:
# -- on component level, set cookie affinity for the ingress
# example: `XtConLoadBalancerSession` for nscale Web
cookie:
# -- Sets the name of the tls secret to be used for this ingress, that contains
# the private and public key. These secrets can optionally be provided by the instance
# @default -- `{{ .this.ingress.domain }}-tls`
secret:
# -- Sets the domain to be used. This domain should be provided by the instance globally
# for all components, but you are free to override it here
domain:
# -- The ingressclass to use for this ingress. Most likely, this is provided globally by the
# instance, but you are free to override it here if this component should use a different class
# e.g. if you have separated ingress controllers, like a public and an internal one
# @default -- `public`
class:
# -- optionally sets a whitelist of ip ranges (CIDR format, comma separated)
# from which ingress is allowed. This is an annotation for nginx, so won't work with other
# ingress controllers
whitelist:
# -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy
# to allow traffic from this namespace to our pods. This may be a comma separated list
# @default -- "ingress, kube-system, ingress-nginx"
namespace:
# -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the
# most though this is only a constant used in the scripts.
contextPath: "/dav"
# -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.
proxyReadTimeout:
# -- Adds extra Annotations to the ingress
annotations:
# -- Security Section defining default runtime environment for your container
security:
podSecurityContext:
# -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context
# for security
# @internal -- there is normally no need to change this
runAsUser: 1001
# -- The file system group as which new files are created
# @internal -- there is normally no need to change this
fsGroup: 1001
# -- Under which condition should the fsGroup be changed
# @internal -- there is normally no need to change this
fsGroupChangePolicy: OnRootMismatch
containerSecurityContext:
# -- sets the container root file system to read only. This should be the case in production environment
# @internal -- you should not change this
readOnlyRootFilesystem: true
# -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
# @internal -- you should not change this
allowPrivilegeEscalation: false
# -- Capabilities this container should have. Only allow the necessity, and drop as many as possible
# @internal -- you should not change this
capabilities:
drop:
- ALL
# -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes
# @default -- `false`
zeroTrust:
# -- Assigns hardware resources to container
resources:
# -- Requests are used to assign a minimum to a container. This is the guaranteed amount
requests:
# -- Set the share of guaranteed CPU to the container.
cpu: "1m"
# -- Set the share of guaranteed RAM to the container
memory: "64Mi"
# -- Limits the maximum resources
limits:
# -- The maximum allowed CPU for the container
cpu: "1"
# -- The maximum allowed RAM for the container
memory: "512Mi"
# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl)
# etc.
# @default -- `Europe/Berlin`
timezone:
# -- Set tolerations for this component
tolerations:
# -- select specific nodes for this component
nodeSelector:
# -- Sets the name of a secret, which holds additional environment variables for
# the configuration. It is added as envFrom secretRef to the container.
envSecret:
# -- Sets the name of a configMap, which holds additional environment variables for
# the configuration. It is added as envFrom configMap to the container.
envMap:
# -- Sets additional environment variables for
# the configuration.
env:
# -- This overrides the output of the internal name function
nameOverride:
# -- This overrides the output of the internal fullname function
fullnameOverride:
utils:
# -- Turn debugging *on* will give you stack trace etc.
# Please check out the Chart Developer Guide
# @default -- `false`
debug:
# -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It
# will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD
# @default -- `true`
renderComments:
# -- By default, the namespace is rendered into the manifest. However, if you want to use
# `helm template` and store manifests for later applying them to multiple namespaces, you might
# want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later
# @default -- `true`
includeNamespace:
# -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the
# pods will start in idle, not starting the service at all. This will allow you to gain access to the container
# to perform recovery and maintenance tasks while having the real container up.
# @default -- `false`
maintenance:
# -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components
# of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components
# while previous waves are not finished yet.
# @default -- `false`
disableWave:
# -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are
# only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might
# start components even if they are not intended to run yet.
# @default -- `false`
disableWait:
service:
# -- enables the service to be consumed by group components and a potential ingress
# Disabling the service also disables the ingress.
enabled: true
# -- The selector can be `component` or `type`
# *component* selects only pods that are in the replicaset.
# *type* selects any pod that has the given type
selector: "component"
# -- adds extra Annotations to the service
annotations:
# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as
# minAvailable, using the component type as selector. This is useful for components, that are spread
# across multiple replicaSets, like sharepoint or storage layer
minReplicaCountType:
# -- provide extra settings for pod templates
template:
# -- set additional annotations for pods
annotations:
# -- set additional labels for pods
labels:
# -- Settings for telemetry tools
telemetry:
# -- turns Open Telemetry on
openTelemetry:
# -- Sets the service name for the telemetry service to more convenient
# identify the displayed component
# Example: "{{ .this.meta.type }}-{{ .instance.name }}"
serviceName:
# -- Sets the terminationGracePeriodSeconds for the component
# If not set, it uses the Kubernetes defaults
terminationGracePeriodSeconds:
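Review bot: the `# @default -- `false`` annotations on `maintenance`, `disableWave` and `disableWait` document a default that the values file never sets (all three keys are left empty), so the effective behaviour depends on how the templates treat a null value; set `false` explicitly and declare the keys as booleans in values.schema.json, because a Go template treats any non-empty string as true and a stray `maintenance: "no"` would silently start the pods idle with health checks ignored. Also fix the comment typos `starndard` (standard) and `podDesruptionBudget` (podDisruptionBudget), and `to more convenient identify` should read `to identify ... more conveniently`; these comments feed the generated README tables.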


@@ -0,0 +1,34 @@
apiVersion: v2
name: nplus-environment
description: Installs Namespace-Wide Resources such as the conf PVC, the toolbox and the nplus monitoring service
icon: 
type: application
dependencies:
- name: nplus-globals
alias: globals
version: "*-0"
repository: "file://../globals"
- name: nplus-environment-backend
alias: backend
version: "*-0"
repository: "file://../envbackend"
- name: nplus-environment-dav
alias: dav
condition: components.dav
version: "*-0"
repository: "file://../envdav"
- name: nplus-environment-toolbox
alias: toolbox
condition: components.toolbox
version: "*-0"
repository: "file://../envtoolbox"
- name: nplus-environment-operator
alias: operator
version: "*-0"
repository: "file://../envoperator"
- name: nplus-prepper
alias: prepper
condition: components.prepper
version: "*-0"
repository: "file://../prepper"
version: 1.0.0
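Review bot: `icon:` is present but empty; either drop the key or give it a value, otherwise `helm lint` keeps reporting the missing icon. The `backend` and `operator` dependencies have no `condition:` while `dav`, `toolbox` and `prepper` do; if the operator is meant to be mandatory that is fine, but then the NOTES.txt branch in this same commit that prints `The operator is disabled.` can never apply and should go. `version: "*-0"` on every dependency is acceptable for `file://` siblings inside this repo, but pin them before the charts are published to a registry so an environment release stays reproducible.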


@@ -0,0 +1,103 @@
# nplus-environment
Installs Namespace-Wide Resources such as the conf PVC, the toolbox and the nplus monitoring service
This Environment Chart provides a common config pool and administrative tools to
operate all nplus instances in this namespace.
There must be exactly one deployed instance of this environment chart per kubernetes namespace.
Without the environment, the instance and component charts will fail to deploy.
It also deployes the operator, which is a monitoring component to observe all instances and provide
healthyness information to the administrator and third party dashboards
## nplus-environment Chart Configuration
You can customize / configure nplus-environment by setting configuration values on the command line or in values files,
that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
### Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template,
or escaped quotes).
### Global Values
All values can be set per component, per instance or globally per environment.
Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority:
- Prio 1 - Component Level: `ingress.domain`
- Prio 2 - Instance Level: `global.ingress.domain`
- Prio 3 - Environment Level: `global.environment.ingress.domain`
### Using Values in Templates
As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your
template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version
of your Values.
So an example in your `values.yaml` would be:
```
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
```
This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care.
The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables:
- `.component.chartName`
The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride`
- `.component.shortChartName`
A shorter Version of the name - `nappl` instead of `nplus-component-nappl`
- `.component.prefix`
The instance Prefix used to name the resources including `-`. This prefix is dropped, if the
`.Release.Name` equals `.Release.Namespace` for those of you that only
run one nplus Instance per namespace
- `.component.name`
The name of the component, including `.Values.nameOverride` and some logic
- `.component.fullName`
The fullName inlcuding `.Values.fullnameOverride` and some logic
- `.component.chart`
Mainly the `Chart.Name` and `Chart.Version`
- `.component.storagePath`
The path where the component config is stored in the conf PVC
- `.component.handler`
The handler (either helm, argoCD or manual)
- `.instance.name`
The name of the instance, but with override by `.Values.instanceOverride`
- `.instance.group`
The group, this instance belongs to. Override by `.Values.groupOverride`
- `.instance.version`
The *nscale* version (mostly taken from Application Layer), this instance is deploying.
- `.environment.name`
The name of the environment, but with override by `.Values.environmentNameOverride`
### Keys
You can set any of the following values for this component:
| Key | Description | Default |
|-----|-------------|---------|
**components**&#8203;.dav | Enables WebDAV access to conf and ptemp | `true` |
**components**&#8203;.prepper | enables an optional prepper that you can use to deploy fonts, scripts etc. during environment setup | `false` |
**components**&#8203;.toolbox | enables the toolbox | `true` |
environmentNameOverride | If you want to override the name of the Environment for display purposes, do it here. | |
**global**&#8203;.environment&#8203;.storage&#8203;.conf&#8203;.name | this is the name of the common config storage. please see section "Storage" for more information | `"conf"` |
**global**&#8203;.environment&#8203;.storage&#8203;.conf&#8203;.size | this is the size of the common config storage. please see section "Storage" for more information | `"10Gi"` |
**global**&#8203;.environment&#8203;.storage&#8203;.conf&#8203;.volumeName | you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner | |
**global**&#8203;.environment&#8203;.storage&#8203;.ptemp&#8203;.name | this is the name of the common persistant temp storage. please see section "Storage" for more information | `"ptemp"` |
**global**&#8203;.environment&#8203;.storage&#8203;.ptemp&#8203;.size | this is the size of the common ptemp storage. please see section "Storage" for more information | `"10Gi"` |
**global**&#8203;.environment&#8203;.storage&#8203;.ptemp&#8203;.volumeName | you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner | |
**global**&#8203;.meta&#8203;.isEnvironment | specifies that this is deployment is part of an Environment. Used to determine the correct name of the deployment <br>Do not change | **info only**, do not change<br> `true` |
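Review bot: spelling in the intro and the key table: `deployes` (deploys), `healthyness` (healthiness), `inlcuding` (including), `persistant` (persistent), `this is deployment is part` (this deployment is part); the table rows are generated from the `# --` comments in values.yaml, so fix them there as well or the next helm-docs run reintroduces them. The code fence around the `waitFor` example carries no language tag; `yaml` would get it highlighted. The "Storage" section that five table rows refer to ("please see section \"Storage\"") does not exist in this README; add it or drop the reference.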


@@ -0,0 +1,43 @@
{{ .component.chartName }} {{ .Chart.Version }} {{- if .Chart.AppVersion }} / {{ .Chart.AppVersion }}{{- end }}
{{ .Chart.Description }}
To uninstall, use
helm uninstall {{ include "nplus.cli" . }}
{{ if (.Values.dav).enabled }}
The environment DAV Server is enabled. To get logs, use
kubectl logs -n lab -l nplus/component=nplus-environment,nplus/role=davserver
to connect, browse to
https://{{ .Release.Name }}.{{ .this.ingress.domain }}/dav
{{- else }}
The environment DAV Server is disabled.
{{- end }}
{{- if (.Values.nstoreDownloader).enabled }}
The nstore Downloader is enabled. To get logs, use
kubectl logs -n lab -l nplus/component=nplus-environment,nplus/role=downloader
{{- else }}
The nstore Downloader is disabled.
{{- end }}
{{- if (.Values.toolbox).enabled }}
The toolbox is enabled. To get logs, use
kubectl logs -n lab -l nplus/component=nplus-environment,nplus/role=toolbox
{{- else }}
The toolbox is disabled.
{{- end }}
{{- if (.Values.operator).enabled }}
The operator is enabled. You can get information on nscale Instances and Components using
kubectl get instances,components
{{- if (.Values.operator).ui }}
Also, the UI is enabled, access it at
https://{{ .Release.Name }}.{{ .this.ingress.domain }}/monitoring
{{- else }}
The UI is disabled.
{{- end }}
{{- else }}
The operator is disabled.
{{- end }}
Providing {{ ((.this.storage).conf).size }} of storage under the name "{{ ((.this.storage).conf).name }}" of class "{{ ((.this.storage).conf).class | default "default" }}"
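Review bot: the three `kubectl logs` hints hardcode `-n lab`; use `-n {{ .Release.Namespace }}` so the notes are correct for any namespace. The toggles this file tests (`(.Values.dav).enabled`, `(.Values.toolbox).enabled`, `(.Values.operator).enabled`, `(.Values.nstoreDownloader).enabled`) do not match the switches in this chart's values.yaml (`components.dav`, `components.toolbox`, `components.prepper`, and no `nstoreDownloader` key at all), so the notes can print `The toolbox is disabled.` for an environment that just installed it; test the same keys the `condition:` entries in Chart.yaml use.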


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.certificate" . | nindent 0 }}

File diff suppressed because it is too large


@@ -0,0 +1,38 @@
# yaml-language-server: $schema=values.schema.json
components:
# -- Enables WebDAV access to conf and ptemp
dav: true
# -- enables the toolbox
toolbox: true
# -- enables an optional prepper that you can use to deploy fonts, scripts etc. during environment setup
prepper: false
global:
environment:
storage:
conf:
# -- this is the name of the common config storage.
# please see section "Storage" for more information
name: "conf"
# -- this is the size of the common config storage.
# please see section "Storage" for more information
size: "10Gi"
# -- you can set the volumeName to the value of a pre-existing
# volume to avoid having the PV created for you by the csi driver provisioner
volumeName:
ptemp:
# -- this is the name of the common persistant temp storage.
# please see section "Storage" for more information
name: "ptemp"
# -- this is the size of the common ptemp storage.
# please see section "Storage" for more information
size: "10Gi"
# -- you can set the volumeName to the value of a pre-existing
# volume to avoid having the PV created for you by the csi driver provisioner
volumeName:
meta:
# -- specifies that this is deployment is part of an Environment. Used to determine the correct
# name of the deployment
# @internal -- Do not change
isEnvironment: true
# -- If you want to override the name of the Environment for display purposes, do it here.
environmentNameOverride:
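Review bot: `dav: true` ships WebDAV access to the shared `conf` and `ptemp` volumes enabled by default for every environment; the comment should state how that endpoint is authenticated, and a `false` default with an explicit opt-in would be the safer choice for anything beyond DEV, since `conf` is the common config pool of every instance in the namespace. Also `persistant` (persistent) in the ptemp comment and `this is deployment is part` on `isEnvironment` need fixing; both end up in the generated README.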


@@ -0,0 +1,11 @@
apiVersion: v2
name: nplus-environment-operator
description: Installs the nplus operator managin the custom resource definitions for nplus and nscale
icon: 
type: application
dependencies:
- name: nplus-globals
alias: globals
version: "*-0"
repository: "file://../globals"
version: 1.0.0
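Review bot: `managin` in `description:` should be `managing`; the same text becomes the first line of the operator README, so helm-docs carries the typo over. `icon:` is empty here as well; drop it or set it.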


@@ -0,0 +1,141 @@
# nplus-environment-operator
Installs the nplus operator managin the custom resource definitions for nplus and nscale
## nplus-environment-operator Chart Configuration
You can customize / configure nplus-environment-operator by setting configuration values on the command line or in values files,
that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
### Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template,
or escaped quotes).
### Global Values
All values can be set per component, per instance or globally per environment.
Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority:
- Prio 1 - Component Level: `ingress.domain`
- Prio 2 - Instance Level: `global.ingress.domain`
- Prio 3 - Environment Level: `global.environment.ingress.domain`
### Using Values in Templates
As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your
template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version
of your Values.
So an example in your `values.yaml` would be:
```
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
```
This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care.
The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables:
- `.component.chartName`
The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride`
- `.component.shortChartName`
A shorter Version of the name - `nappl` instead of `nplus-component-nappl`
- `.component.prefix`
The instance Prefix used to name the resources including `-`. This prefix is dropped, if the
`.Release.Name` equals `.Release.Namespace` for those of you that only
run one nplus Instance per namespace
- `.component.name`
The name of the component, including `.Values.nameOverride` and some logic
- `.component.fullName`
The fullName inlcuding `.Values.fullnameOverride` and some logic
- `.component.chart`
Mainly the `Chart.Name` and `Chart.Version`
- `.component.storagePath`
The path where the component config is stored in the conf PVC
- `.component.handler`
The handler (either helm, argoCD or manual)
- `.instance.name`
The name of the instance, but with override by `.Values.instanceOverride`
- `.instance.group`
The group, this instance belongs to. Override by `.Values.groupOverride`
- `.instance.version`
The *nscale* version (mostly taken from Application Layer), this instance is deploying.
- `.environment.name`
The name of the environment, but with override by `.Values.environmentNameOverride`
### Keys
You can set any of the following values for this component:
| Key | Description | Default |
|-----|-------------|---------|
env | Sets additional environment variables for the configuration. | |
envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | |
envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | |
fullnameOverride | This overrides the output of the internal fullname function | |
**image**&#8203;.name | the name of the image to use | `"operator"` |
**image**&#8203;.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` |
**image**&#8203;.repo | if you use a private repo, feel free to set it here | `"cr.nplus.cloud/subscription"` |
**image**&#8203;.tag | the tag of the image to use | `"latest"` |
**ingress**&#8203;.annotations | Adds extra Annotations to the ingress | |
**ingress**&#8203;.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http` <br> `https` in zero trust mode |
**ingress**&#8203;.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` |
**ingress**&#8203;.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/monitoring"` |
**ingress**&#8203;.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | |
**ingress**&#8203;.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | |
**ingress**&#8203;.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | |
**ingress**&#8203;.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` |
**ingress**&#8203;.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" |
**ingress**&#8203;.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | |
**ingress**&#8203;.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` |
**ingress**&#8203;.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | |
**meta**&#8203;.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | |
**meta**&#8203;.ports&#8203;.http | The http port this component uses (if any). In zero trust mode, this will be disabled. <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `8080` |
**meta**&#8203;.ports&#8203;.https | The tls / https port, this component uses (if any) <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `8443` |
**meta**&#8203;.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | |
**meta**&#8203;.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | |
**meta**&#8203;.tenant | sets tenant information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"envoperator"` |
**meta**&#8203;.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | |
minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | |
nameOverride | This overrides the output of the internal name function | |
nodeSelector | select specific nodes for this component | |
**resources**&#8203;.limits&#8203;.cpu | The maximum allowed CPU for the container | `"1"` |
**resources**&#8203;.limits&#8203;.memory | The maximum allowed RAM for the container | `"512Mi"` |
**resources**&#8203;.requests&#8203;.cpu | Set the share of guaranteed CPU to the container. | `"1m"` |
**resources**&#8203;.requests&#8203;.memory | Set the share of guaranteed RAM to the container | `"64Mi"` |
**security**&#8203;.containerSecurityContext&#8203;.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive <br>you should not change this | **info only**, do not change<br> `false` |
**security**&#8203;.containerSecurityContext&#8203;.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment <br>you should not change this | **info only**, do not change<br> `true` |
**security**&#8203;.podSecurityContext&#8203;.fsGroup | The file system group as which new files are created <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.podSecurityContext&#8203;.fsGroupChangePolicy | Under which condition should the fsGroup be changed <br>there is normally no need to change this | **info only**, do not change<br> `"OnRootMismatch"` |
**security**&#8203;.podSecurityContext&#8203;.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` |
**service**&#8203;.annotations | adds extra Annotations to the service | |
**service**&#8203;.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` |
**service**&#8203;.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` |
**telemetry**&#8203;.openTelemetry | turns Open Telemetry on | |
**telemetry**&#8203;.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | |
terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | |
timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` |
tolerations | Set tolerations for this component | |
ui | Enables the web ui, default under /monitoring | `true` |
**utils**&#8203;.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` |
**utils**&#8203;.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` |
**utils**&#8203;.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` |
**utils**&#8203;.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later | `true` |
**utils**&#8203;.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` |
**utils**&#8203;.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` |
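Review bot: `image.tag` is documented as `"latest"` but values.schema.json in this same commit declares the default as `1.2.1300`; one of the two is stale, and the README should advertise the pinned tag, because an operator that holds `update`/`patch` rights on every Deployment and StatefulSet in the namespace is the last image you want floating on `latest`. Typos to fix in the source comments so the next generation run does not bring them back: `managin`, `inlcuding`, `wether`, `ist run`, `depricated`, `podDesruptionBudget`, `starndard`, `A optional`. The `ingress.namespace` default `"ingress, kube-system, ingress-nginx"` opens the network policy to three namespaces at once; the description should tell operators to narrow it to the one their controller actually runs in.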


@@ -0,0 +1,18 @@
{{- include "nplus.init" $ -}}
{{- if ( include "nplus.ingressEnabled" . ) }}
{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }}
{{- if .this.ui }}
- path: {{ .Values.ingress.contextPath }}
pathType: Prefix
backend:
service:
name: {{ .component.fullName }}
port:
name: {{ include "nplus.backendProtocol" . }}
{{- end }}
{{- else }}
# kind: ingress
# Not Generating any Ingress for {{ .component.fullName }} as
# Ingress = {{ .this.ingress }}
# Service = {{ .this.service }}
{{- end }}
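Review bot: `path: {{ .Values.ingress.contextPath }}` reads the raw `.Values` key instead of `.this.ingress.contextPath`, so the component/instance/environment precedence described in the README does not apply here and an unset component-level value renders an empty `path:`; use `.this` and `| quote` it. When `.this.ui` is false but the ingress is enabled, the block appears to emit an ingress header without any path entry; guard the whole block with `.this.ui` as well, or document that the operator ingress only exists together with the UI.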


@@ -0,0 +1,46 @@
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
spec:
podSelector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
ingress:
{{- if ( include "nplus.ingressEnabled" . ) }}
{{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }}
{{- end }}
- from:
- ipBlock:
cidr: {{ ((.this.security).cni).adminIpRange | quote }}
{{- if ((.this.security).cni).excludeUnusedPorts }}
ports:
{{- include "nplus.defaultPolicyPorts" . | nindent 4 }}
{{- end }}
policyTypes:
- Egress
- Ingress
egress:
- ports:
# -- Possible K8s API
- protocol: TCP
port: 16443
# -- Possible K8s API
- protocol: TCP
port: 443
# -- Access DNS
- protocol: TCP
port: 53
# -- Access DNS
- protocol: UDP
port: 53
{{- end }}
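Review bot: the egress rule lists ports only and has no `to:` block, so TCP 443 and 16443 are allowed to any destination, not just the API server, and 53 to any resolver; add `to:` entries (kube-dns via namespace/pod selector, the API server via `ipBlock`) so the policy actually constrains the operator. Port 16443 is the API port used by MicroK8s, so it belongs in a configurable key rather than being hardcoded next to 443. On the ingress side, `cidr: {{ ((.this.security).cni).adminIpRange | quote }}` renders `cidr: ""` and an invalid object when `adminIpRange` is unset; wrap that `from:` entry in an `if`.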


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.podDisruptionBudget" . -}}


@@ -0,0 +1,60 @@
{{- include "nplus.init" $ -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .component.fullName }}-svc-account
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .component.fullName }}-role
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
rules:
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["get", "update", "patch", "list", "watch"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "update", "patch", "list", "watch", "delete"]
- apiGroups: ["nplus.cloud"]
resources: ["components", "instances", "applications"]
verbs: ["get", "update", "patch", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .component.fullName }}-role-binding
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .component.fullName }}-role
subjects:
- kind: ServiceAccount
name: {{ .component.fullName }}-svc-account
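Review bot: the Role grants `update` and `patch` on all Deployments and StatefulSets plus `delete` on Jobs in the namespace, which is more than a component the README describes as observing instances and reporting health needs; if the operator really restarts or scales workloads, say so in a comment beside the rule, otherwise trim those verbs to `get`, `list`, `watch`. If the operator writes the `status` of the `nplus.cloud` resources and the CRDs enable the status subresource, `components/status` and `instances/status` have to be listed explicitly. Keeping this a namespaced Role rather than a ClusterRole is the right call.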


@@ -0,0 +1,33 @@
{{- include "nplus.init" $ -}}
apiVersion: v1
kind: Service
metadata:
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
name: {{ .component.fullName }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
type: ClusterIP
clusterIP: None
ports:
{{- if .this.ui }}
{{- include "nplus.defaultServicePorts" . | nindent 4 }}
{{- end }}
selector:
{{- if eq .this.service.selector "component" }}
{{- include "nplus.selectorLabels" . | nindent 4 }}
{{- else if eq .this.service.selector "type" }}
{{- include "nplus.selectorLabelsNc" . | nindent 4 }}
{{- else }}
{{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }}
{{- end }}


@@ -0,0 +1,72 @@
{{- include "nplus.init" $ -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
serviceName: {{ .component.fullName }}
selector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
replicas: 1
podManagementPolicy: OrderedReady
updateStrategy:
type: RollingUpdate
minReadySeconds: 30
template:
metadata:
labels:
{{- include "nplus.templateLabels" . | nindent 8 }}
annotations:
{{- include "nplus.templateAnnotations" . | nindent 8 }}
{{- include "nplus.securityAnnotations" . | nindent 8 }}
spec:
serviceAccountName: {{ .component.fullName }}-svc-account
{{- include "nplus.imagePullSecrets" . | nindent 6 }}
{{- include "nplus.podSecurityContext" . | nindent 6 }}
{{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }}
{{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }}
containers:
- name: operator
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
{{- include "nplus.resources" . | nindent 8 }}
ports:
{{- include "nplus.defaultContainerPorts" . | nindent 8 }}
env:
- name: OP_PREFIX
value: "/monitoring"
{{- if .this.ui }}
- name: OP_UI
value: "true"
{{- end }}
# -- feel free to switch verbode loggin ON here:
# - name: OP_VERBOSE
# value: "true"
readinessProbe:
tcpSocket:
port: {{ include "nplus.backendPort" . }}
initialDelaySeconds: 10
periodSeconds: 10
livenessProbe:
tcpSocket:
port: {{ include "nplus.backendPort" . }}
initialDelaySeconds: 10
periodSeconds: 10
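Review bot: `OP_PREFIX` is hardcoded to `"/monitoring"` while `ingress.contextPath` is a configurable value with the same default, so changing the context path moves the ingress route but not the application prefix; render it from `.this.ingress.contextPath | quote` instead. `minReadySeconds` on a StatefulSet requires Kubernetes 1.25 or newer, which should be stated in `kubeVersion` of Chart.yaml or the README. Both probes are `tcpSocket`, which only proves the listener is open; an `httpGet` against the UI prefix, if the operator serves a health path, would also catch a hung process. Comment typo: `verbode loggin` (verbose logging).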


@@ -0,0 +1,462 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"env": {
"default": "",
"description": "Sets additional environment variables for the configuration.",
"title": "env"
},
"envMap": {
"default": "",
"description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.",
"title": "envMap"
},
"envSecret": {
"default": "",
"description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.",
"title": "envSecret"
},
"fullnameOverride": {
"default": "",
"description": "This overrides the output of the internal fullname function",
"title": "fullnameOverride"
},
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
},
"globals": {
"description": "nplus Global Functions Library Chart",
"properties": {
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
}
},
"title": "nplus-globals",
"type": "object"
},
"image": {
"additionalProperties": false,
"description": "provide the image to be used for this component",
"properties": {
"name": {
"default": "operator",
"description": "the name of the image to use",
"title": "name"
},
"pullPolicy": {
"default": "IfNotPresent",
"title": "pullPolicy",
"type": "string"
},
"pullSecrets": {
"description": "you can provide your own pullSecrets, in case you use a private repo.",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
]
},
"title": "pullSecrets"
},
"repo": {
"default": "cr.nplus.cloud/subscription",
"description": "if you use a private repo, feel free to set it here",
"title": "repo"
},
"tag": {
"default": "1.2.1300",
"description": "the tag of the image to use",
"title": "tag"
}
},
"title": "image"
},
"ingress": {
"additionalProperties": false,
"description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)",
"properties": {
"annotations": {
"default": "",
"description": "Adds extra Annotations to the ingress",
"title": "annotations"
},
"backendProtocol": {
"default": "`http` <br> `https` in zero trust mode",
"description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.",
"title": "backendProtocol"
},
"class": {
"default": "`public`",
"description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one",
"title": "class"
},
"contextPath": {
"default": "/monitoring",
"description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.",
"title": "contextPath"
},
"cookie": {
"default": "",
"description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web",
"title": "cookie"
},
"deny": {
"default": "",
"description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.",
"title": "deny"
},
"domain": {
"default": "",
"description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here",
"title": "domain"
},
"enabled": {
"default": "true",
"description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.",
"title": "enabled"
},
"inputPath": {
"default": "",
"description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.",
"title": "inputPath"
},
"namespace": {
"default": "\"ingress, kube-system, ingress-nginx\"",
"description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list",
"title": "namespace"
},
"proxyReadTimeout": {
"default": "",
"description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.",
"title": "proxyReadTimeout"
},
"rewriteTarget": {
"default": "",
"description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.",
"title": "rewriteTarget"
},
"secret": {
"default": "`{{ .this.ingress.domain }}-tls`",
"description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance",
"title": "secret"
},
"whitelist": {
"default": "",
"description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers",
"title": "whitelist"
}
},
"title": "ingress"
},
"meta": {
"additionalProperties": false,
"properties": {
"componentVersion": {
"default": "",
"description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify",
"title": "componentVersion"
},
"language": {
"default": "",
"description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.",
"title": "language"
},
"ports": {
"additionalProperties": false,
"description": "lists the ports this component exposes. This is important for zero trust mode and others.",
"properties": {
"http": {
"default": "8080",
"description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.",
"title": "http"
},
"https": {
"default": "8443",
"description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "https"
},
"rmi": {
"default": "",
"description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "rmi"
},
"tcp": {
"default": "",
"description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcp"
},
"tcps": {
"default": "",
"description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcps"
}
},
"title": "ports"
},
"provider": {
"default": "",
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment",
"title": "provider"
},
"serviceContainer": {
"default": "",
"description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any",
"title": "serviceContainer"
},
"stage": {
"default": "",
"description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)",
"title": "stage"
},
"tenant": {
"default": "",
"description": "sets tenant information to be able to invoice per use in a cloud environment",
"title": "tenant"
},
"type": {
"default": "envoperator",
"description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.",
"title": "type"
},
"wave": {
"default": "",
"description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation",
"title": "wave"
}
},
"title": "meta",
"type": "object"
},
"minReplicaCountType": {
"default": "",
"description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer",
"title": "minReplicaCountType"
},
"nameOverride": {
"default": "",
"description": "This overrides the output of the internal name function",
"title": "nameOverride"
},
"nodeSelector": {
"default": "",
"description": "select specific nodes for this component",
"title": "nodeSelector"
},
"resources": {
"additionalProperties": false,
"description": "Assigns hardware resources to container",
"properties": {
"limits": {
"additionalProperties": false,
"description": "Limits the maximum resources",
"properties": {
"cpu": {
"default": "1",
"description": "The maximum allowed CPU for the container",
"title": "cpu"
},
"memory": {
"default": "512Mi",
"description": "The maximum allowed RAM for the container",
"title": "memory"
}
},
"title": "limits"
},
"requests": {
"additionalProperties": false,
"description": "Requests are used to assign a minimum to a container. This is the guaranteed amount",
"properties": {
"cpu": {
"default": "1m",
"description": "Set the share of guaranteed CPU to the container.",
"title": "cpu"
},
"memory": {
"default": "64Mi",
"description": "Set the share of guaranteed RAM to the container",
"title": "memory"
}
},
"title": "requests"
}
},
"title": "resources"
},
"security": {
"additionalProperties": false,
"description": "Security Section defining default runtime environment for your container",
"properties": {
"containerSecurityContext": {
"additionalProperties": false,
"properties": {
"allowPrivilegeEscalation": {
"default": "false",
"description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this",
"title": "allowPrivilegeEscalation"
},
"capabilities": {
"additionalProperties": false,
"description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this",
"properties": {
"drop": {
"items": {
"anyOf": [
{
"type": "string"
}
]
},
"title": "drop",
"type": "array"
}
},
"title": "capabilities"
},
"readOnlyRootFilesystem": {
"default": "true",
"description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this",
"title": "readOnlyRootFilesystem"
}
},
"title": "containerSecurityContext",
"type": "object"
},
"podSecurityContext": {
"additionalProperties": false,
"properties": {
"fsGroup": {
"default": "1001",
"description": "The file system group as which new files are created @internal -- there is normally no need to change this",
"title": "fsGroup"
},
"fsGroupChangePolicy": {
"default": "OnRootMismatch",
"description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this",
"title": "fsGroupChangePolicy"
},
"runAsUser": {
"default": "1001",
"description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this",
"title": "runAsUser"
}
},
"title": "podSecurityContext",
"type": "object"
},
"zeroTrust": {
"default": "`false`",
"description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes",
"title": "zeroTrust"
}
},
"title": "security"
},
"service": {
"additionalProperties": false,
"properties": {
"annotations": {
"default": "",
"description": "adds extra Annotations to the service",
"title": "annotations"
},
"enabled": {
"default": "true",
"description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.",
"title": "enabled"
},
"selector": {
"default": "component",
"description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type",
"title": "selector"
}
},
"title": "service",
"type": "object"
},
"telemetry": {
"additionalProperties": false,
"description": "Settings for telemetry tools",
"properties": {
"openTelemetry": {
"default": "",
"description": "turns Open Telemetry on",
"title": "openTelemetry"
},
"serviceName": {
"default": "",
"description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"",
"title": "serviceName"
}
},
"title": "telemetry"
},
"terminationGracePeriodSeconds": {
"default": "",
"description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults",
"title": "terminationGracePeriodSeconds"
},
"timezone": {
"default": "`Europe/Berlin`",
"description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.",
"title": "timezone"
},
"tolerations": {
"default": "",
"description": "Set tolerations for this component",
"title": "tolerations"
},
"ui": {
"default": "true",
"description": "Enables the web ui, default under /monitoring",
"title": "ui"
},
"utils": {
"additionalProperties": false,
"properties": {
"debug": {
"default": "`false`",
"description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide",
"title": "debug"
},
"disableWait": {
"default": "`false`",
"description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.",
"title": "disableWait"
},
"disableWave": {
"default": "`false`",
"description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.",
"title": "disableWave"
},
"includeNamespace": {
"default": "`true`",
"description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later",
"title": "includeNamespace"
},
"maintenance": {
"default": "`false`",
"description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.",
"title": "maintenance"
},
"renderComments": {
"default": "`true`",
"description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD",
"title": "renderComments"
}
},
"title": "utils",
"type": "object"
}
},
"type": "object"
}
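Review bot: most leaf properties in this schema carry a `default` and a `description` but no `type`, so validation is reduced to the `additionalProperties: false` key checks; `ingress.enabled`, `ui`, `security.zeroTrust` and every `meta.ports.*` entry would validate with any value. Suggest adding `"type": "boolean"` or `"type": "integer"` where values.yaml holds those types, and replacing defaults that are documentation strings rather than values (the `security.zeroTrust` and `utils.*` defaults carry literal backticks, `ingress.namespace` carries literal quotes, `ingress.enabled` is the string `"true"`). Two smaller points: `image.pullSecrets.items.anyOf` lists `{ "type": "string" }` twice, and the `image.tag` default `"1.2.1300"` disagrees with `tag: latest` in the values.yaml hunk that follows.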


@@ -0,0 +1,230 @@
# yaml-language-server: $schema=values.schema.json
# -- provide the image to be used for this component
image:
# -- if you use a private repo, feel free to set it here
repo: cr.nplus.cloud/subscription
# -- the name of the image to use
name: operator
# -- the tag of the image to use
tag: latest
pullPolicy: IfNotPresent
# -- you can provide your own pullSecrets, in case you use
# a private repo.
pullSecrets:
- nscale-cr
- nplus-cr
# -- Enables the web ui, default under /monitoring
ui: true
meta:
# -- lists the ports this component exposes. This is important for zero trust mode and others.
ports:
# -- The http port this component uses (if any). In zero trust mode, this will be disabled.
# @internal -- this is a constant value of the component and should not be changed.
http: 8080
# -- The tls / https port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
https: 8443
# -- A potential tcp port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcp:
# -- A potential tls / tcps port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcps:
# -- A potential rmi port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
rmi:
# -- the type of the component. You should not change this value, except if
# you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner*
# This type is used to create cluster communication for nappl and nstl and potentially
# group multiple replicaSets into one service.
type: envoperator
# -- sets tenant information to be able to invoice per use in a cloud environment
tenant:
# -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment
provider:
# -- Sets the wave in which this component should be deployed within an ArgoCD deployment
# if unset, it uses the default wave thus all components are installed in one wave, then relying
# on correct wait settings just like in a helm installation
wave:
# -- Sets the language of the main service (in the *service* container). This is used for instance
# if you turn OpenTelemetry on, to know which Agent to inject into the container.
language:
# -- The container name of the main service for this component. This is used to define where to
# inject the telemetry agents, if any
serviceContainer:
# -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment
# runs in. This can be used in template functions to add the stage to for instance the service name of
# telemetry services like open telemetry. (see telemetry example)
stage:
# -- This is the version of the component, used for display
# @internal -- set by devOps pipeline, so do not modify
componentVersion:
# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)
ingress:
# -- You can toggle the ingress on wether you'd like this component
# to be reachable through an ingress or not.
enabled: true
# -- Overrides the default backend protocol. The default is http,
# unless in zeroTrust Mode, then it is switched to https automatically.
# @default -- `http` <br> `https` in zero trust mode
backendProtocol:
# -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason
# Example: `/nscalealinst1(/\|$)(.*)`
# @internal -- This is an alpha feature - do not use it.
inputPath:
# -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason
# Example: `/nscalealinst1/$2`
# @internal -- This is an alpha feature - do not use it.
rewriteTarget:
# -- deny is used to exclude specific paths from public access, such as
# administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is
# the burlap protocol. The configuration service is the endpoint used by
# the Admin client.
deny:
# -- on component level, set cookie affinity for the ingress
# example: `XtConLoadBalancerSession` for nscale Web
cookie:
# -- Sets the name of the tls secret to be used for this ingress, that contains
# the private and public key. These secrets can optionally be provided by the instance
# @default -- `{{ .this.ingress.domain }}-tls`
secret:
# -- Sets the domain to be used. This domain should be provided by the instance globally
# for all components, but you are free to override it here
domain:
# -- The ingressclass to use for this ingress. Most likely, this is provided globally by the
# instance, but you are free to override it here if this component should use a different class
# e.g. if you have separated ingress controllers, like a public and an internal one
# @default -- `public`
class:
# -- optionally sets a whitelist of ip ranges (CIDR format, comma separated)
# from which ingress is allowed. This is an annotation for nginx, so won't work with other
# ingress controllers
whitelist:
# -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy
# to allow traffic from this namespace to our pods. This may be a comma separated list
# @default -- "ingress, kube-system, ingress-nginx"
namespace:
# -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the
# most though this is only a constant used in the scripts.
contextPath: "/monitoring"
# -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.
proxyReadTimeout:
# -- Adds extra Annotations to the ingress
annotations:
# -- Security Section defining default runtime environment for your container
security:
podSecurityContext:
# -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context
# for security
# @internal -- there is normally no need to change this
runAsUser: 1001
# -- The file system group as which new files are created
# @internal -- there is normally no need to change this
fsGroup: 1001
# -- Under which condition should the fsGroup be changed
# @internal -- there is normally no need to change this
fsGroupChangePolicy: OnRootMismatch
containerSecurityContext:
# -- sets the container root file system to read only. This should be the case in production environment
# @internal -- you should not change this
readOnlyRootFilesystem: true
# -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
# @internal -- you should not change this
allowPrivilegeEscalation: false
# -- Capabilities this container should have. Only allow the necessity, and drop as many as possible
# @internal -- you should not change this
capabilities:
drop:
- ALL
# -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes
# @default -- `false`
zeroTrust:
# -- Assigns hardware resources to container
resources:
# -- Requests are used to assign a minimum to a container. This is the guaranteed amount
requests:
# -- Set the share of guaranteed CPU to the container.
cpu: "1m"
# -- Set the share of guaranteed RAM to the container
memory: "64Mi"
# -- Limits the maximum resources
limits:
# -- The maximum allowed CPU for the container
cpu: "1"
# -- The maximum allowed RAM for the container
memory: "512Mi"
# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl)
# etc.
# @default -- `Europe/Berlin`
timezone:
# -- Set tolerations for this component
tolerations:
# -- select specific nodes for this component
nodeSelector:
# -- Sets the name of a secret, which holds additional environment variables for
# the configuration. It is added as envFrom secretRef to the container.
envSecret:
# -- Sets the name of a configMap, which holds additional environment variables for
# the configuration. It is added as envFrom configMap to the container.
envMap:
# -- Sets additional environment variables for
# the configuration.
env:
# -- This overrides the output of the internal name function
nameOverride:
# -- This overrides the output of the internal fullname function
fullnameOverride:
utils:
# -- Turn debugging *on* will give you stack trace etc.
# Please check out the Chart Developer Guide
# @default -- `false`
debug:
# -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It
# will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD
# @default -- `true`
renderComments:
# -- By default, the namespace is rendered into the manifest. However, if you want to use
# `helm template` and store manifests for later applying them to multiple namespaces, you might
# want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later
# @default -- `true`
includeNamespace:
# -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the
# pods will start in idle, not starting the service at all. This will allow you to gain access to the container
# to perform recovery and maintenance tasks while having the real container up.
# @default -- `false`
maintenance:
# -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components
# of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components
# while previous waves are not finished yet.
# @default -- `false`
disableWave:
# -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are
# only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might
# start components even if they are not intended to run yet.
# @default -- `false`
disableWait:
service:
# -- enables the service to be consumed by group components and a potential ingress
# Disabling the service also disables the ingress.
enabled: true
# -- The selector can be `component` or `type`
# *component* selects only pods that are in the replicaset.
# *type* selects any pod that has the given type
selector: "component"
# -- adds extra Annotations to the service
annotations:
# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as
# minAvailable, using the component type as selector. This is useful for components, that are spread
# across multiple replicaSets, like sharepoint or storage layer
minReplicaCountType:
# -- Settings for telemetry tools
telemetry:
# -- turns Open Telemetry on
openTelemetry:
# -- Sets the service name for the telemetry service to more convenient
# identify the displayed component
# Example: "{{ .this.meta.type }}-{{ .instance.name }}"
serviceName:
# -- Sets the terminationGracePeriodSeconds for the component
# If not set, it uses the Kubernetes defaults
terminationGracePeriodSeconds:
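Review bot: `tag: latest` together with `pullPolicy: IfNotPresent` lets a node keep running whatever `latest` it cached earlier after the registry image has moved on, and it leaves no way to tie a rollout to a known image; suggest pinning an immutable tag (the schema hunk above defaults to `1.2.1300`) or an `@sha256` digest. In the `security` block, `containerSecurityContext` drops all capabilities and sets `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false`, but neither `podSecurityContext` nor `containerSecurityContext` sets `runAsNonRoot: true` or `seccompProfile: { type: RuntimeDefault }`, which the Pod Security `restricted` profile requires in addition to `runAsUser: 1001`; adding both keeps the chart deployable in namespaces that enforce that profile. Style: the comments contain several typos (`wether`, `ist`, `retriting`, `depricated`, `podDesruptionBudget`, `starndard`) that are copied verbatim into the generated schema and README.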


@@ -0,0 +1,11 @@
apiVersion: v2
name: nplus-environment-toolbox
description: Installs the environment toolbox with git and nstore downloader installed, also serving as target for pool copy actions in the pipeline
icon: 
type: application
dependencies:
- name: nplus-globals
alias: globals
version: "*-0"
repository: "file://../globals"
version: 1.0.0
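Review bot: `icon:` is left with an empty value, which renders as null and makes `helm lint` report the icon as recommended; either set a URL or drop the key. The dependency constraint `version: "*-0"` on `nplus-globals` accepts any version including prereleases, which is fine for the `file://../globals` path dependency used here but should be tightened if the library chart is ever published to a registry.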

126
charts/envtoolbox/README.md Normal file

@@ -0,0 +1,126 @@
# nplus-environment-toolbox
Installs the environment toolbox with git and nstore downloader installed, also serving as target for pool copy actions in the pipeline
## nplus-environment-toolbox Chart Configuration
You can customize / configure nplus-environment-toolbox by setting configuration values on the command line or in values files,
that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
### Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template,
or escaped quotes).
### Global Values
All values can be set per component, per instance or globally per environment.
Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority:
- Prio 1 - Component Level: `ingress.domain`
- Prio 2 - Instance Level: `global.ingress.domain`
- Prio 3 - Environment Level: `global.environment.ingress.domain`
### Using Values in Templates
As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your
template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version
of your Values.
So an example in your `values.yaml` would be:
```
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
```
This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care.
The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables:
- `.component.chartName`
The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride`
- `.component.shortChartName`
A shorter Version of the name - `nappl` instead of `nplus-component-nappl`
- `.component.prefix`
The instance Prefix used to name the resources including `-`. This prefix is dropped, if the
`.Release.Name` equals `.Release.Namespace` for those of you that only
run one nplus Instance per namespace
- `.component.name`
The name of the component, including `.Values.nameOverride` and some logic
- `.component.fullName`
The fullName inlcuding `.Values.fullnameOverride` and some logic
- `.component.chart`
Mainly the `Chart.Name` and `Chart.Version`
- `.component.storagePath`
The path where the component config is stored in the conf PVC
- `.component.handler`
The handler (either helm, argoCD or manual)
- `.instance.name`
The name of the instance, but with override by `.Values.instanceOverride`
- `.instance.group`
The group, this instance belongs to. Override by `.Values.groupOverride`
- `.instance.version`
The *nscale* version (mostly taken from Application Layer), this instance is deploying.
- `.environment.name`
The name of the environment, but with override by `.Values.environmentNameOverride`
### Keys
You can set any of the following values for this component:
| Key | Description | Default |
|-----|-------------|---------|
env | Sets additional environment variables for the configuration. | |
envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | |
envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | |
fullnameOverride | This overrides the output of the internal fullname function | |
**image**&#8203;.name | the name of the image to use | `"toolbox2"` |
**image**&#8203;.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` |
**image**&#8203;.repo | if you use a private repo, feel free to set it here | `"cr.nplus.cloud/subscription"` |
**image**&#8203;.tag | the tag of the image to use | `"latest"` |
**meta**&#8203;.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | |
**meta**&#8203;.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | |
**meta**&#8203;.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | |
**meta**&#8203;.tenant | sets tenant information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"envtoolbox"` |
**meta**&#8203;.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | |
minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | |
nameOverride | This overrides the output of the internal name function | |
nodeSelector | select specific nodes for this component | |
**nstoreDownloader**&#8203;.enabled | enables the nstore downloader | `false` |
**nstoreDownloader**&#8203;.nstore | set the nstore URL | `https://nstore.ceyoniq.com...` |
**nstoreDownloader**&#8203;.target | target directory in the conf pv | `"pool/nstore"` |
**resources**&#8203;.limits&#8203;.cpu | The maximum allowed CPU for the container | `"1"` |
**resources**&#8203;.limits&#8203;.memory | The maximum allowed RAM for the container | `"512Mi"` |
**resources**&#8203;.requests&#8203;.cpu | Set the share of guaranteed CPU to the container. | `"1m"` |
**resources**&#8203;.requests&#8203;.memory | Set the share of guaranteed RAM to the container | `"64Mi"` |
**security**&#8203;.containerSecurityContext&#8203;.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive <br>you should not change this | **info only**, do not change<br> `false` |
**security**&#8203;.containerSecurityContext&#8203;.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment <br>you should not change this | **info only**, do not change<br> `true` |
**security**&#8203;.podSecurityContext&#8203;.fsGroup | The file system group as which new files are created <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.podSecurityContext&#8203;.fsGroupChangePolicy | Under which condition should the fsGroup be changed <br>there is normally no need to change this | **info only**, do not change<br> `"OnRootMismatch"` |
**security**&#8203;.podSecurityContext&#8203;.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` |
**telemetry**&#8203;.openTelemetry | turns Open Telemetry on | |
**telemetry**&#8203;.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | |
terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | |
timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` |
tolerations | Set tolerations for this component | |
**utils**&#8203;.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` |
**utils**&#8203;.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` |
**utils**&#8203;.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` |
**utils**&#8203;.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later | `true` |
**utils**&#8203;.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` |
**utils**&#8203;.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` |
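Review bot: the descriptions in this table carry typos that should be fixed at their source rather than in the README: `podDesruptionBudget` (minReplicaCountType row), `starndard` (utils.disableWait row) and `depricated` (utils.renderComments row). The same strings appear verbatim in the `# --` comments of values.yaml and in the `description` fields of values.schema.json in this commit, so the table looks generated from those comments and a fix there corrects all three places. The `image.tag` row also lists `"latest"` as the default while values.schema.json says `1.2.1300`; pin one version tag and keep it identical across README, schema and values.yaml, since `latest` combined with `pullPolicy: IfNotPresent` means a node with a cached image never picks up a newer push.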


@@ -0,0 +1,72 @@
{{- define "nplus.environment.nstorecopy" -}}
{{- if (.Values.nstoreDownloader).enabled }}
template:
metadata:
labels:
{{- include "nplus.instanceLabels" . | nindent 6 }}
spec:
{{- include "nplus.podSecurityContext" . | nindent 4 }}
{{- include "nplus.imagePullSecrets" . | nindent 4 }}
containers:
- name: downloader
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{ include "nplus.containerSecurityContext" . | nindent 6 }}
command: [ "/bin/sh", "-c" ]
args:
- |
mkdir -p /conf/{{ .Values.nstoreDownloader.target }}
cd /conf/{{ .Values.nstoreDownloader.target }}
wget -r -np -nH -nc -nd -A zip -X '*/*/*/*/*/*/1*,*/*/*/*/*/*/2*,*/*/*/*/*/*/3*,*/*/*/*/*/*/4*,*/*/*/*/*/*/5*,*/*/*/*/*/*/6*,*/*/*/*/*/*/7*,*/*/*/*/*/*/8*' -nd {{ .Values.nstoreDownloader.nstore }}
volumeMounts:
- name: conf
mountPath: /conf
restartPolicy: OnFailure
volumes:
- name: conf
persistentVolumeClaim:
claimName: conf
{{- end -}}
{{- end -}}
---
{{- if .Values.nstoreDownloader.enabled }}
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ .component.fullName }}-nstore
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
schedule: "0 3 * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 0
failedJobsHistoryLimit: 1
jobTemplate:
spec:
{{- include "nplus.environment.nstorecopy" . | nindent 6 }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .component.fullName }}-nstore-oncreate
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
ttlSecondsAfterFinished: 60
{{- include "nplus.environment.nstorecopy" . | nindent 2 }}
{{- else }}
# nstore Downloader is disabled
{{- end }}
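Review bot: the guard `{{- if .Values.nstoreDownloader.enabled }}` in front of the CronJob is not nil-safe, while the define above uses `(.Values.nstoreDownloader).enabled`; if a consumer clears the `nstoreDownloader` map, rendering fails with a nil pointer instead of emitting the "disabled" comment, so use the parenthesised form in both places. In the downloader container, `wget -r ... -A zip` mirrors whatever the remote host serves straight into the `conf` volume with no checksum or signature check, so at minimum document that the nstore share is trusted content and consider a pinned, known-good listing; `-nd` is also passed twice, and `.Values.nstoreDownloader.target` is interpolated unquoted into the shell script, so quote it or constrain it in the schema. The container has no `resources` block (the StatefulSet in this commit uses the `nplus.initResources` / `nplus.resources` includes), so the nightly job runs without requests or limits, and with `backoffLimit` and `activeDeadlineSeconds` unset a failing download retries with the Kubernetes default of six attempts and no time bound.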


@@ -0,0 +1,33 @@
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
spec:
podSelector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
policyTypes:
- Egress
- Ingress
egress:
- ports:
# -- Possible K8s API
- protocol: TCP
port: 16443
# -- Possible K8s API AND potential git server
- protocol: TCP
port: 443
# -- Access DNS
- protocol: TCP
port: 53
# -- Access DNS
- protocol: UDP
port: 53
{{- end }}
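Review bot: the egress rules carry `ports` but no `to:` selector, so this policy allows TCP 443 and 16443 to any destination, in-cluster or internet, rather than only the API server and git host the comments describe; add `to:` entries (an `ipBlock` or the API server endpoint for 16443/443, a `namespaceSelector` for `kube-system` on the two DNS rules) to get the intended scope. Port 16443 is the MicroK8s API port; kubeadm-style clusters serve the API on 6443, so the port should be a value rather than a constant. `policyTypes` lists `Ingress` with no `ingress:` block, which is a full ingress deny for the toolbox; if that is intended, say so in a comment. Also check that the nstore downloader CronJob pods in this commit, which are labelled with `nplus.instanceLabels` rather than `nplus.selectorLabels`, are either matched by this `podSelector` (in which case they need the 443 egress this policy grants) or covered by a policy of their own. Finally, this resource lacks the `labels` and `annotations` includes every other manifest in the commit carries.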


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.podDisruptionBudget" . -}}


@@ -0,0 +1,76 @@
{{- include "nplus.init" $ -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .component.fullName }}-svc-account
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .component.fullName }}-role
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods", "secrets","serviceaccounts", "persistentvolumeclaims", "configmaps", "services", "replicationcontrollers", "pods/log"]
verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["Role", "roles", "rolebindings"]
verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
- apiGroups: ["autoscaling"]
resources: ["horizontalpodautoscalers"]
verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
- apiGroups: ["nplus.cloud"]
resources: ["components", "instances"]
verbs: ["get", "update", "patch", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .component.fullName }}-role-binding
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoSharedResource" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .component.fullName }}-role
subjects:
- kind: ServiceAccount
name: {{ .component.fullName }}-svc-account
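Review bot: in the `rbac.authorization.k8s.io` rule, `"Role"` is not a valid resource name (RBAC resource names are lowercase plural, and `roles` is already listed beside it), so drop the capitalised entry. More importantly, the combination granted here, create/update/delete on `pods`, `serviceaccounts`, `secrets`, `roles` and `rolebindings` plus `pods/log`, makes this service account an effective namespace admin: it can read every secret in the namespace and start pods under any other service account present there. If the environment toolbox genuinely needs these rights to deploy instances, state that in the chart README so operators keep it out of shared namespaces; otherwise trim `secrets` to the verbs actually used and drop `replicationcontrollers`, which none of the templates shown here create. The `nplus.cloud` rule sensibly omits `create` and `delete` on `components` and `instances`; keeping that asymmetry documented would help reviewers of later changes.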


@@ -0,0 +1,125 @@
{{- include "nplus.init" $ -}}
{{- if not ((.this.storage).conf).name -}}
{{ fail "conf name must be set" }}
{{- end -}}
{{- if not ((.this.storage).ptemp).name -}}
{{ fail "ptemp name must be set" }}
{{- end -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
serviceName: {{ .component.fullName }}
selector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
replicas: 1
podManagementPolicy: OrderedReady
updateStrategy:
type: RollingUpdate
minReadySeconds: 30
template:
metadata:
labels:
{{- include "nplus.templateLabels" . | nindent 8 }}
annotations:
{{- include "nplus.templateAnnotations" . | nindent 8 }}
{{- include "nplus.securityAnnotations" . | nindent 8 }}
kubectl.kubernetes.io/default-container: toolbox
spec:
serviceAccountName: {{ .component.fullName }}-svc-account
{{- include "nplus.imagePullSecrets" . | nindent 6 }}
{{- include "nplus.podSecurityContext" . | nindent 6 }}
{{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }}
{{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }}
initContainers:
{{/*
- name: deploy
image: {{ .Values.toolboxImage }}
imagePullPolicy: {{ .Values.toolboxImagePullPolicy }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
command: [ "/bin/sh", "-c" ]
args:
- |
echo "deploying to /nplus"
cp -rnxv /opt/42i/nplus/* /nplus
volumeMounts:
- name: nplus
mountPath: /nplus
{{- end }} */}}
- name: dirprepare
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
{{- include "nplus.initResources" . | nindent 8 }}
command: [ "/bin/sh", "-c" ]
args:
- |
mkdir -p /conf/pool/{apps,fonts,snippets,scripts,snc} && \
{{- if not ((.this.storage).conf).cifs }}
chmod 775 -R /conf/pool && \
{{- end }}
echo "ok."
volumeMounts:
- name: conf
mountPath: /conf
- name: gitprepare
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
{{- include "nplus.initResources" . | nindent 8 }}
command: [ "/bin/sh", "-c" ]
args:
- |
echo "checking git in /conf..."
if [ ! -f "/conf/.gitignore" ]; then
echo "writing .gitignore"
echo "/{{ .Values.nstoreDownloader.target }}/*" > /conf/.gitignore
fi
if [ ! -d "/conf/.git" ]; then
echo "init git in /conf with branch master"
git -C "/conf" init -b master
git -C "/conf" add .gitignore
echo "first commit (with .gitignore)"
git -C "/conf" commit -m "Initial commit for config of nplus environment {{ .Release.Namespace }}"
fi
echo "ok."
volumeMounts:
- name: conf
mountPath: /conf
containers:
- name: toolbox
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
command: [ "/bin/bash", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
volumeMounts:
- name: conf
mountPath: /conf
- name: ptemp
mountPath: /ptemp
{{- include "nplus.resources" . | nindent 8 }}
volumes:
- name: ptemp
persistentVolumeClaim:
claimName: ptemp
- name: conf
persistentVolumeClaim:
claimName: conf
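Review bot: the `gitprepare` init container runs without `set -e`, and its `git -C "/conf" commit` fails with "Author identity unknown" unless the image ships a `user.name`/`user.email` configuration; because the script ends with `echo "ok."`, that failure exits 0 and leaves a repository with no commits, which the `[ ! -d "/conf/.git" ]` check then treats as initialised on every later start. Add `set -e` and pass the identity explicitly (`git -c user.name=... -c user.email=... commit ...` or the `GIT_AUTHOR_*`/`GIT_COMMITTER_*` variables); `git init -b master` additionally needs git 2.28 or newer in the image. Two further points: the `toolbox` container's `bash -c "while true; do sleep 30; done;"` leaves bash as PID 1 with no signal trap, so every rollout waits out the full termination grace period before SIGKILL; `exec sleep infinity` or `trap 'exit 0' TERM` before the loop avoids that. And the `{{/* ... */}}` block before `dirprepare` is dead template code referencing `.Values.toolboxImage`, a key the schema's `additionalProperties: false` would reject anyway; remove it rather than ship it.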


@@ -0,0 +1,380 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"additionalProperties": false,
"properties": {
"env": {
"default": "",
"description": "Sets additional environment variables for the configuration.",
"title": "env"
},
"envMap": {
"default": "",
"description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.",
"title": "envMap"
},
"envSecret": {
"default": "",
"description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.",
"title": "envSecret"
},
"fullnameOverride": {
"default": "",
"description": "This overrides the output of the internal fullname function",
"title": "fullnameOverride"
},
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
},
"globals": {
"description": "nplus Global Functions Library Chart",
"properties": {
"global": {
"description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
"title": "global",
"type": "object"
}
},
"title": "nplus-globals",
"type": "object"
},
"image": {
"additionalProperties": false,
"description": "provide the image to be used for this component",
"properties": {
"name": {
"default": "toolbox2",
"description": "the name of the image to use",
"title": "name"
},
"pullPolicy": {
"default": "IfNotPresent",
"title": "pullPolicy",
"type": "string"
},
"pullSecrets": {
"description": "you can provide your own pullSecrets, in case you use a private repo.",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "string"
}
]
},
"title": "pullSecrets"
},
"repo": {
"default": "cr.nplus.cloud/subscription",
"description": "if you use a private repo, feel free to set it here",
"title": "repo"
},
"tag": {
"default": "1.2.1300",
"description": "the tag of the image to use",
"title": "tag"
}
},
"title": "image"
},
"meta": {
"additionalProperties": false,
"properties": {
"componentVersion": {
"default": "",
"description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify",
"title": "componentVersion"
},
"language": {
"default": "",
"description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.",
"title": "language"
},
"ports": {
"additionalProperties": false,
"description": "lists the ports this component exposes. This is important for zero trust mode and others.",
"properties": {
"http": {
"default": "",
"description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.",
"title": "http"
},
"https": {
"default": "",
"description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "https"
},
"rmi": {
"default": "",
"description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "rmi"
},
"tcp": {
"default": "",
"description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcp"
},
"tcps": {
"default": "",
"description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.",
"title": "tcps"
}
},
"title": "ports"
},
"provider": {
"default": "",
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment",
"title": "provider"
},
"serviceContainer": {
"default": "",
"description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any",
"title": "serviceContainer"
},
"stage": {
"default": "",
"description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)",
"title": "stage"
},
"tenant": {
"default": "",
"description": "sets tenant information to be able to invoice per use in a cloud environment",
"title": "tenant"
},
"type": {
"default": "envtoolbox",
"description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.",
"title": "type"
},
"wave": {
"default": "",
"description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation",
"title": "wave"
}
},
"title": "meta",
"type": "object"
},
"minReplicaCountType": {
"default": "",
"description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer",
"title": "minReplicaCountType"
},
"nameOverride": {
"default": "",
"description": "This overrides the output of the internal name function",
"title": "nameOverride"
},
"nodeSelector": {
"default": "",
"description": "select specific nodes for this component",
"title": "nodeSelector"
},
"nstoreDownloader": {
"additionalProperties": false,
"properties": {
"enabled": {
"default": "false",
"description": "enables the nstore downloader",
"title": "enabled"
},
"nstore": {
"default": "`https://nstore.ceyoniq.com...`",
"description": "set the nstore URL",
"title": "nstore"
},
"target": {
"default": "pool/nstore",
"description": "target directory in the conf pv",
"title": "target"
}
},
"title": "nstoreDownloader",
"type": "object"
},
"resources": {
"additionalProperties": false,
"description": "Assigns hardware resources to container",
"properties": {
"limits": {
"additionalProperties": false,
"description": "Limits the maximum resources",
"properties": {
"cpu": {
"default": "1",
"description": "The maximum allowed CPU for the container",
"title": "cpu"
},
"memory": {
"default": "512Mi",
"description": "The maximum allowed RAM for the container",
"title": "memory"
}
},
"title": "limits"
},
"requests": {
"additionalProperties": false,
"description": "Requests are used to assign a minimum to a container. This is the guaranteed amount",
"properties": {
"cpu": {
"default": "1m",
"description": "Set the share of guaranteed CPU to the container.",
"title": "cpu"
},
"memory": {
"default": "64Mi",
"description": "Set the share of guaranteed RAM to the container",
"title": "memory"
}
},
"title": "requests"
}
},
"title": "resources"
},
"security": {
"additionalProperties": false,
"description": "Security Section defining default runtime environment for your container",
"properties": {
"containerSecurityContext": {
"additionalProperties": false,
"properties": {
"allowPrivilegeEscalation": {
"default": "false",
"description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this",
"title": "allowPrivilegeEscalation"
},
"capabilities": {
"additionalProperties": false,
"description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this",
"properties": {
"drop": {
"items": {
"anyOf": [
{
"type": "string"
}
]
},
"title": "drop",
"type": "array"
}
},
"title": "capabilities"
},
"readOnlyRootFilesystem": {
"default": "true",
"description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this",
"title": "readOnlyRootFilesystem"
}
},
"title": "containerSecurityContext",
"type": "object"
},
"podSecurityContext": {
"additionalProperties": false,
"properties": {
"fsGroup": {
"default": "1001",
"description": "The file system group as which new files are created @internal -- there is normally no need to change this",
"title": "fsGroup"
},
"fsGroupChangePolicy": {
"default": "OnRootMismatch",
"description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this",
"title": "fsGroupChangePolicy"
},
"runAsUser": {
"default": "1001",
"description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this",
"title": "runAsUser"
}
},
"title": "podSecurityContext",
"type": "object"
},
"zeroTrust": {
"default": "`false`",
"description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes",
"title": "zeroTrust"
}
},
"title": "security"
},
"telemetry": {
"additionalProperties": false,
"description": "Settings for telemetry tools",
"properties": {
"openTelemetry": {
"default": "",
"description": "turns Open Telemetry on",
"title": "openTelemetry"
},
"serviceName": {
"default": "",
"description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"",
"title": "serviceName"
}
},
"title": "telemetry"
},
"terminationGracePeriodSeconds": {
"default": "",
"description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults",
"title": "terminationGracePeriodSeconds"
},
"timezone": {
"default": "`Europe/Berlin`",
"description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.",
"title": "timezone"
},
"tolerations": {
"default": "",
"description": "Set tolerations for this component",
"title": "tolerations"
},
"utils": {
"additionalProperties": false,
"properties": {
"debug": {
"default": "`false`",
"description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide",
"title": "debug"
},
"disableWait": {
"default": "`false`",
"description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.",
"title": "disableWait"
},
"disableWave": {
"default": "`false`",
"description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.",
"title": "disableWave"
},
"includeNamespace": {
"default": "`true`",
"description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later",
"title": "includeNamespace"
},
"maintenance": {
"default": "`false`",
"description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.",
"title": "maintenance"
},
"renderComments": {
"default": "`true`",
"description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD",
"title": "renderComments"
}
},
"title": "utils",
"type": "object"
}
},
"type": "object"
}
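Review bot: most properties have no `type`, so this schema validates little beyond unknown keys via `additionalProperties: false`; `nstoreDownloader.enabled`, `security.zeroTrust`, the `utils.*` flags and the `containerSecurityContext` booleans should get `"type": "boolean"`, the `resources.*` quantities `"type": "string"`, and `image.pullSecrets` needs `"type": "array"` (its `anyOf` also repeats `{"type": "string"}` twice). Several `default` values are documentation strings rather than values: "`false`", "`true`", "`Europe/Berlin`" and "`https://nstore.ceyoniq.com...`" carry literal backticks copied from the `@default` comments, and booleans are quoted as "false"/"true". `image.tag` defaults to "1.2.1300" here but to "latest" in values.yaml and in the README table; pick one (ideally the pinned version) so the three stay consistent.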


@@ -0,0 +1,174 @@
# yaml-language-server: $schema=values.schema.json
nstoreDownloader:
# -- enables the nstore downloader
enabled: false
# -- set the nstore URL
# @default -- `https://nstore.ceyoniq.com...`
nstore: "https://nstore.ceyoniq.com/repository/com/ceyoniq/nscale/businessapps/"
# -- target directory in the conf pv
target: pool/nstore
# -- provide the image to be used for this component
image:
# -- if you use a private repo, feel free to set it here
repo: cr.nplus.cloud/subscription
# -- the name of the image to use
name: toolbox2
# -- the tag of the image to use
tag: "latest"
pullPolicy: IfNotPresent
# -- you can provide your own pullSecrets, in case you use
# a private repo.
pullSecrets:
- nscale-cr
- nplus-cr
# -- Security Section defining default runtime environment for your container
security:
podSecurityContext:
# -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context
# for security
# @internal -- there is normally no need to change this
runAsUser: 1001
# -- The file system group as which new files are created
# @internal -- there is normally no need to change this
fsGroup: 1001
# -- Under which condition should the fsGroup be changed
# @internal -- there is normally no need to change this
fsGroupChangePolicy: OnRootMismatch
containerSecurityContext:
# -- sets the container root file system to read only. This should be the case in production environment
# @internal -- you should not change this
readOnlyRootFilesystem: true
# -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
# @internal -- you should not change this
allowPrivilegeEscalation: false
# -- Capabilities this container should have. Only allow the necessity, and drop as many as possible
# @internal -- you should not change this
capabilities:
drop:
- ALL
# -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes
# @default -- `false`
zeroTrust:
# -- Assigns hardware resources to container
resources:
# -- Requests are used to assign a minimum to a container. This is the guaranteed amount
requests:
# -- Set the share of guaranteed CPU to the container.
cpu: "1m"
# -- Set the share of guaranteed RAM to the container
memory: "64Mi"
# -- Limits the maximum resources
limits:
# -- The maximum allowed CPU for the container
cpu: "1"
# -- The maximum allowed RAM for the container
memory: "512Mi"
# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl)
# etc.
# @default -- `Europe/Berlin`
timezone:
meta:
# -- the type of the component. You should not change this value, except if
# you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner*
# This type is used to create cluster communication for nappl and nstl and potentially
# group multiple replicaSets into one service.
type: envtoolbox
# -- lists the ports this component exposes. This is important for zero trust mode and others.
ports:
# -- The http port this component uses (if any). In zero trust mode, this will be disabled.
# @internal -- this is a constant value of the component and should not be changed.
http:
# -- The tls / https port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
https:
# -- A potential tcp port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcp:
# -- A potential tls / tcps port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
tcps:
# -- A potential rmi port, this component uses (if any)
# @internal -- this is a constant value of the component and should not be changed.
rmi:
# -- sets tenant information to be able to invoice per use in a cloud environment
tenant:
# -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment
provider:
# -- Sets the wave in which this component should be deployed within an ArgoCD deployment
# if unset, it uses the default wave thus all components are installed in one wave, then relying
# on correct wait settings just like in a helm installation
wave:
# -- Sets the language of the main service (in the *service* container). This is used for instance
# if you turn OpenTelemetry on, to know which Agent to inject into the container.
language:
# -- The container name of the main service for this component. This is used to define where to
# inject the telemetry agents, if any
serviceContainer:
# -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment
# runs in. This can be used in template functions to add the stage to for instance the service name of
# telemetry services like open telemetry. (see telemetry example)
stage:
# -- This is the version of the component, used for display
# @internal -- set by devOps pipeline, so do not modify
componentVersion:
# -- Set tolerations for this component
tolerations:
# -- select specific nodes for this component
nodeSelector:
# -- Sets the name of a secret, which holds additional environment variables for
# the configuration. It is added as envFrom secretRef to the container.
envSecret:
# -- Sets the name of a configMap, which holds additional environment variables for
# the configuration. It is added as envFrom configMap to the container.
envMap:
# -- Sets additional environment variables for
# the configuration.
env:
# -- This overrides the output of the internal name function
nameOverride:
# -- This overrides the output of the internal fullname function
fullnameOverride:
utils:
# -- Turn debugging *on* will give you stack trace etc.
# Please check out the Chart Developer Guide
# @default -- `false`
debug:
# -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It
# will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD
# @default -- `true`
renderComments:
# -- By default, the namespace is rendered into the manifest. However, if you want to use
# `helm template` and store manifests for later applying them to multiple namespaces, you might
# want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later
# @default -- `true`
includeNamespace:
# -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the
# pods will start in idle, not starting the service at all. This will allow you to gain access to the container
# to perform recovery and maintenance tasks while having the real container up.
# @default -- `false`
maintenance:
# -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components
# of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components
# while previous waves are not finished yet.
# @default -- `false`
disableWave:
# -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are
# only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might
# start components even if they are not intended to run yet.
# @default -- `false`
disableWait:
# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as
# minAvailable, using the component type as selector. This is useful for components, that are spread
# across multiple replicaSets, like sharepoint or storage layer
minReplicaCountType:
# -- Settings for telemetry tools
telemetry:
# -- turns Open Telemetry on
openTelemetry:
# -- Sets the service name for the telemetry service to more convenient
# identify the displayed component
# Example: "{{ .this.meta.type }}-{{ .instance.name }}"
serviceName:
# -- Sets the terminationGracePeriodSeconds for the component
# If not set, it uses the Kubernetes defaults
terminationGracePeriodSeconds:
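Review bot: the comments at `renderComments`, `disableWait` and `minReplicaCountType` carry typos ("depricated", "starndard", "podDesruptionBudget") that helm-docs copies verbatim into every component README, so they should be fixed here at the source. Separately, the `maintenance` comment says health checks are ignored and the pod starts idle; it should also say what that means for Service and Ingress routing to that pod, so an operator knows whether to take the component out of rotation before using maintenance mode rather than assuming an idle pod is unreachable.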

charts/erpcmis/Chart.yaml Normal file

@@ -0,0 +1,11 @@
apiVersion: v2
name: nplus-component-erpcmis
description: nscale ERP CMIS, providing SAP S/4 HANA Public Cloud Archive Access
icon: 
type: application
dependencies:
- name: nplus-globals
alias: globals
version: "*-0"
repository: "file://../globals"
version: 1.0.0
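Review bot: `version: "*-0"` on the `nplus-globals` dependency accepts any version, prereleases included; that is tolerable for a `file://../globals` path that is versioned together with this chart, but it should be a deliberate choice, and the empty `icon:` line produces the same "icon is recommended" lint notice as a missing key, so either fill it or drop it.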

charts/erpcmis/README.md Normal file

@@ -0,0 +1,196 @@
# nplus-component-erpcmis
nscale ERP CMIS, providing SAP S/4 HANA Public Cloud Archive Access
## nplus-component-erpcmis Chart Configuration
You can customize / configure nplus-component-erpcmis by setting configuration values on the command line or in values files,
that you can pass to helm. Please see the samples directory for details.
In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component.
### Template Functions
You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template,
or escaped quotes).
### Global Values
All values can be set per component, per instance or globally per environment.
Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator.
In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority:
- Prio 1 - Component Level: `ingress.domain`
- Prio 2 - Instance Level: `global.ingress.domain`
- Prio 3 - Environment Level: `global.environment.ingress.domain`
### Using Values in Templates
As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your
template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version
of your Values.
So an example in your `values.yaml` would be:
```
administrator:
waitFor:
- '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600'
```
This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care.
The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code.
The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables:
- `.component.chartName`
The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride`
- `.component.shortChartName`
A shorter Version of the name - `nappl` instead of `nplus-component-nappl`
- `.component.prefix`
The instance Prefix used to name the resources including `-`. This prefix is dropped, if the
`.Release.Name` equals `.Release.Namespace` for those of you that only
run one nplus Instance per namespace
- `.component.name`
The name of the component, including `.Values.nameOverride` and some logic
- `.component.fullName`
The fullName inlcuding `.Values.fullnameOverride` and some logic
- `.component.chart`
Mainly the `Chart.Name` and `Chart.Version`
- `.component.storagePath`
The path where the component config is stored in the conf PVC
- `.component.handler`
The handler (either helm, argoCD or manual)
- `.instance.name`
The name of the instance, but with override by `.Values.instanceOverride`
- `.instance.group`
The group, this instance belongs to. Override by `.Values.groupOverride`
- `.instance.version`
The *nscale* version (mostly taken from Application Layer), this instance is deploying.
- `.environment.name`
The name of the environment, but with override by `.Values.environmentNameOverride`
### Keys
You can set any of the following values for this component:
| Key | Description | Default |
|-----|-------------|---------|
**alien**&#8203;.doAppend | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**alien**&#8203;.port | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**alien**&#8203;.server | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**alien**&#8203;.ssl | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**alien**&#8203;.url | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**alien**&#8203;.useSign | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
env | Sets additional environment variables for the configuration. | |
envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | |
envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | |
fullnameOverride | This overrides the output of the internal fullname function | |
**image**&#8203;.name | the name of the image to use | `"erp-cmis-connector"` |
**image**&#8203;.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` |
**image**&#8203;.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` |
**image**&#8203;.tag | the tag of the image to use | `"latest"` |
**ingress**&#8203;.annotations | Adds extra Annotations to the ingress | |
**ingress**&#8203;.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http` <br> `https` in zero trust mode |
**ingress**&#8203;.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` |
**ingress**&#8203;.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/cmis/browser"` |
**ingress**&#8203;.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | |
**ingress**&#8203;.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | |
**ingress**&#8203;.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | |
**ingress**&#8203;.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` |
**ingress**&#8203;.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" |
**ingress**&#8203;.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | |
**ingress**&#8203;.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` |
**ingress**&#8203;.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | |
**javaOpts**&#8203;.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | |
**javaOpts**&#8203;.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | |
**javaOpts**&#8203;.javaMinMem | set the minimum memory, java will consume | |
**javaOpts**&#8203;.javaMisc | Any misc Java Options that need to be passed to the container | |
**meta**&#8203;.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` |
**meta**&#8203;.ports&#8203;.http | The http port this component uses (if any). In zero trust mode, this will be disabled. <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `8096` |
**meta**&#8203;.ports&#8203;.https | The tls / https port, this component uses (if any) <br>this is a constant value of the component and should not be changed. | **info only**, do not change<br> `8196` |
**meta**&#8203;.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"erpcmis-connector"` |
**meta**&#8203;.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | |
**meta**&#8203;.tenant | sets tenant information to be able to invoice per use in a cloud environment | |
**meta**&#8203;.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"erpcmis"` |
**meta**&#8203;.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | |
**migration**&#8203;.checkDocuments | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**migration**&#8203;.checkIgnoreTime | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**migration**&#8203;.delay | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**migration**&#8203;.doListMigration | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**migration**&#8203;.enabled | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**migration**&#8203;.fileDelimiter | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**migration**&#8203;.viaFileSystem | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
minReplicaCount | if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas. | |
minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | |
**mounts**&#8203;.caCerts&#8203;.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.caCerts&#8203;.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.componentCerts&#8203;.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.componentCerts&#8203;.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | |
**mounts**&#8203;.conf&#8203;.path | Sets the path to the conf files <br>do not change this value | **info only**, do not change<br> `"/opt/ceyoniq/nscale-for-sap/erp-cmis/conf"` |
**mounts**&#8203;.data&#8203;.class | Sets the class of the data disk | |
**mounts**&#8203;.data&#8203;.size | Sets the size of the data disk | |
**mounts**&#8203;.data&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.disk&#8203;.class | Sets the class of the disk | |
**mounts**&#8203;.disk&#8203;.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` |
**mounts**&#8203;.disk&#8203;.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` |
**mounts**&#8203;.disk&#8203;.size | Sets the size of the disk | |
**mounts**&#8203;.disk&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.file&#8203;.class | Sets the class of the shared disk | |
**mounts**&#8203;.file&#8203;.size | Sets the size of the shared disk | |
**mounts**&#8203;.file&#8203;.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | |
**mounts**&#8203;.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | |
**mounts**&#8203;.logs&#8203;.path | Sets the path to the log files <br>do not change this value | **info only**, do not change<br> `"/opt/ceyoniq/nscale-for-sap/erp-cmis/logs"` |
**mounts**&#8203;.logs&#8203;.size | Sets the size of the log disk (all paths) | `"1Gi"` |
**mounts**&#8203;.temp&#8203;.path | Sets the path to the temporary files <br>do not change this value | **info only**, do not change<br> `"/opt/ceyoniq/nscale-for-sap/erp-cmis/temp"` |
**mounts**&#8203;.temp&#8203;.size | Sets the size of the temporary disk (all paths) | `"1Gi"` |
nameOverride | This overrides the output of the internal name function | |
**nappl**&#8203;.account | The technical account to login with | |
**nappl**&#8203;.domain | The domain of the technical account | |
**nappl**&#8203;.host | nappl host name | |
**nappl**&#8203;.instance | instance of the Application Layer, likely `instance1` | |
**nappl**&#8203;.password | The password of the technical accunt (if not set by secret) | |
**nappl**&#8203;.port | nappl port (http 8080 or https 8443) | |
**nappl**&#8203;.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | |
**nappl**&#8203;.ssl | sets the Advanced Connect to tls | |
nodeSelector | select specific nodes for this component | |
replicaCount | Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1. | `1` |
**resources**&#8203;.limits&#8203;.cpu | The maximum allowed CPU for the container | |
**resources**&#8203;.limits&#8203;.memory | The maximum allowed RAM for the container | |
**resources**&#8203;.requests&#8203;.cpu | Set the share of guaranteed CPU to the container. | |
**resources**&#8203;.requests&#8203;.memory | Set the share of guaranteed RAM to the container | |
**security**&#8203;.containerSecurityContext&#8203;.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive <br>you should not change this | **info only**, do not change<br> `false` |
**security**&#8203;.containerSecurityContext&#8203;.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment <br>you should not change this | **info only**, do not change<br> `true` |
**security**&#8203;.podSecurityContext&#8203;.fsGroup | The file system group as which new files are created <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.podSecurityContext&#8203;.fsGroupChangePolicy | Under which condition should the fsGroup be changed <br>there is normally no need to change this | **info only**, do not change<br> `"OnRootMismatch"` |
**security**&#8203;.podSecurityContext&#8203;.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security <br>there is normally no need to change this | **info only**, do not change<br> `1001` |
**security**&#8203;.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` |
**service**&#8203;.annotations | adds extra Annotations to the service | |
**service**&#8203;.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` |
**service**&#8203;.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` |
**sign**&#8203;.authID | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**sign**&#8203;.keyAlias | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**sign**&#8203;.keyPassword | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
**telemetry**&#8203;.openTelemetry | turns Open Telemetry on | |
**telemetry**&#8203;.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | |
**template**&#8203;.annotations | set additional annotations for pods | |
**template**&#8203;.labels | set additional labels for pods | |
terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | |
timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` |
tolerations | Set tolerations for this component | |
updateStrategy | the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures. | |
**utils**&#8203;.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` |
**utils**&#8203;.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` |
**utils**&#8203;.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` |
**utils**&#8203;.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later | `true` |
**utils**&#8203;.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` |
**utils**&#8203;.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` |
waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | |
**xsap**&#8203;.useSign | Documentation pending until official release of the erp cmis image by *Ceyoniq* | |
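Review bot: the table documents `nappl.password` ("if not set by secret") next to `nappl.secret`, but `sign.keyPassword` and `sign.authID` only say "Documentation pending", which leaves no documented secret-based way to supply the signing key password; the docs should state whether `sign.keyPassword` can come from a secret (for example via `envSecret`) and steer readers to `nappl.secret` instead of putting the technical account password into values files. Also, the `ingress.namespace` default "ingress, kube-system, ingress-nginx" makes the generated networkPolicy accept traffic from everything in `kube-system`, which deserves a sentence next to that key so operators can narrow it.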


@@ -0,0 +1,31 @@
networks:
nscale:
services:
cmis-connector:
image: ceyoniq.azurecr.io/release/nscale/erp-cmis-connector:ubi.9.2.1000.2024032720
environment:
- CMIS_AL_HOST=application-layer
- CMIS_AL_PORT=8080
- CMIS_AL_SSL=false
- CMIS_AL_INSTANCE=nscalealinst1
- CONF_VIRUSSCAN_ACTIVE=false
- CONF_VIRUSSCAN_UNIXSOCK=false
- CONF_VIRUSSCAN_TEMP_FOLDER=
- CONF_VIRUSSCAN_SOCKPATH=
- CONF_VIRUSSCAN_HOST=clamav
- CONF_VIRUSSCAN_PORT=
ports:
- "8096:8096" # HTTP
- "8196:8196" # HTTPS
networks:
- nscale
depends_on:
- clamav
clamav:
image: docker.io/clamav/clamav:1.2
networks:
- nscale
volumes:
- ./config/clamav/sockets/:/tmp/
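Review bot: this compose sample disables scanning (`CONF_VIRUSSCAN_ACTIVE=false`, `CONF_VIRUSSCAN_PORT=` empty, `CONF_VIRUSSCAN_UNIXSOCK=false`) while still declaring `depends_on: clamav` and a clamav service with a socket volume, so readers get a running scanner that is never used; either enable it (`CONF_VIRUSSCAN_ACTIVE=true` with `CONF_VIRUSSCAN_HOST=clamav` and the port set, or `CONF_VIRUSSCAN_UNIXSOCK=true` with `CONF_VIRUSSCAN_SOCKPATH` pointing under the shared `/tmp/` mount) or drop the clamav service and comment that the sample runs unscanned. `CMIS_AL_SSL=false` against port 8080 is fine for a local sample, but a comment that production should use the TLS port (8443 per the README) would prevent copy-paste into real environments.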


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.component" . -}}


@@ -0,0 +1,110 @@
{{- include "nplus.init" $ -}}
# Component: {{ .component.chartName }}
# will connect to:
{{- if (.this.nappl).host }}
# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }}
{{- else }}
# defined by config file in conf PV.
{{- end }}
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
replicas: {{ .Values.replicaCount }}
strategy:
type: RollingUpdate
template:
metadata:
labels:
{{- include "nplus.templateLabels" . | nindent 8 }}
annotations:
{{- include "nplus.templateAnnotations" . | nindent 8 }}
{{- include "nplus.securityAnnotations" . | nindent 8 }}
spec:
{{- include "nplus.imagePullSecrets" . | nindent 6 }}
{{- include "nplus.templateAffinity" . | nindent 6 }}
{{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }}
{{- include "nplus.podSecurityContext" . | nindent 6 }}
{{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }}
initContainers:
{{- include "nplus.waitFor" . | nindent 6 }}
{{- include "nplus.copyConfig" . | nindent 6 }}
containers:
- name: erpcmis-connector
image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }}
imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
{{- include "nplus.containerSecurityContext" . | nindent 8 }}
env:
# -- NAPPL Connection Settings
{{- include "nplus.env" (dict
"CMIS_AL_HOST" ($.this.nappl).host
"CMIS_AL_PORT" ($.this.nappl).port
"CMIS_AL_INSTANCE" ($.this.nappl).instance
"CMIS_AL_SSL" ($.this.nappl).ssl
) | nindent 10 }}
#TODO: Manuel sagt, der Virusscanner würde noch nicht gehen, daher schalten wir den hier erstmal global ab.
# -- Virus Scanner Settings
{{- include "nplus.env" (dict
"CONF_VIRUSSCAN_ACTIVE" "false"
"CONF_VIRUSSCAN_TEMP_FOLDER" ""
"CONF_VIRUSSCAN_SOCKPATH" ""
"CONF_VIRUSSCAN_HOST" ""
"CONF_VIRUSSCAN_PORT" ""
) | nindent 10 }}
{{- include "nplus.environment" . | nindent 8 }}
{{- if .this.utils.maintenance }}
{{- include "nplus.idle" . | nindent 8 }}
{{- else }}
startupProbe:
initialDelaySeconds: 10
failureThreshold: 12
periodSeconds: 10
timeoutSeconds: 5
tcpSocket:
port: {{ include "nplus.backendPort" . }}
#TODO: 9.3: Hier fehlt die echte Readiness Probe, die gibt es auch bei der CT nocht nicht.
readinessProbe:
tcpSocket:
port: {{ include "nplus.backendPort" . }}
# initialDelaySeconds: 10
periodSeconds: 10
# -- Ceyoniq does currently not define an *official* livenessProbe, so we use
# one that quickly checks the main socket on Layer 4.
livenessProbe:
tcpSocket:
port: {{ include "nplus.backendPort" . }}
# initialDelaySeconds: 10
periodSeconds: 10
{{- end }}
ports:
{{- include "nplus.defaultContainerPorts" . | nindent 8 }}
{{- include "nplus.resources" . | nindent 8 }}
volumeMounts:
{{- include "nplus.defaultMounts" . | nindent 8 }}
volumes:
{{- include "nplus.defaultVolumes" . | nindent 6 }}
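Review bot: `strategy: type: RollingUpdate` is hard-coded although the README for this component documents an `updateStrategy` key, so that value is silently ignored; render it from `.this.updateStrategy` or remove the key from the docs. In the same template, `replicas: {{ .Values.replicaCount }}` reads `.Values` directly instead of the layered `.this` the README describes, the virus scanner is forced off with a literal `"CONF_VIRUSSCAN_ACTIVE" "false"` that no value can override (so the `CONF_VIRUSSCAN_*` settings are dead until this is made configurable), and the two German `#TODO` lines are YAML comments that end up in the rendered manifest; move them into `{{/* */}}` template comments or a tracking issue. The TCP-only `readinessProbe` that the second TODO acknowledges marks the pod ready as soon as the port listens, before the nappl connection is verified, which is worth stating in the comment above it.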


@@ -0,0 +1,16 @@
{{- include "nplus.init" $ -}}
{{- if ( include "nplus.ingressEnabled" . ) }}
{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }}
- path: {{ .Values.ingress.contextPath }}
pathType: Prefix
backend:
service:
name: {{ .component.fullName }}
port:
name: {{ include "nplus.backendProtocol" . }}
{{- else }}
# kind: ingress
# Not Generating any Ingress for {{ .component.fullName }} as
# Ingress = {{ .this.ingress }}
# Service = {{ .this.service }}
{{- end }}
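Review bot: `path: {{ .Values.ingress.contextPath }}` reads the component-level value only, bypassing the `.this` layering that the `else` branch (`.this.ingress`) and the README's priority list rely on; use `.this.ingress.contextPath` so an instance- or environment-level override applies. Also, `pathType: Prefix` on `/cmis/browser` publishes every sub-path, so if `ingress.deny` is meant to carve out administrative paths, confirm that the `nplus.ingress` helper renders those deny rules for this component.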


@@ -0,0 +1,35 @@
{{- include "nplus.init" $ -}}
{{- if ((.this.security).cni).createNetworkPolicy }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ .component.fullName }}
{{- if .this.utils.includeNamespace }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{- include "nplus.instanceLabels" . | nindent 4 }}
annotations:
{{- include "nplus.argoWave" . | nindent 4 }}
{{- include "nplus.annotations" . | nindent 4 }}
{{- include "nplus.securityAnnotations" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "nplus.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
- Egress
ingress:
{{- if ( include "nplus.ingressEnabled" . ) }}
{{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }}
{{- end }}
{{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }}
{{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }}
egress:
{{- include "nplus.networkpolicy.allowToNappl" . | nindent 2 }}
{{- end }}
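Review bot: with `policyTypes` including `Egress` and only `nplus.networkpolicy.allowToNappl` under `egress`, every other outbound flow from the pod is denied, DNS included, unless that helper also opens port 53 to the cluster resolver; since the deployment addresses nappl by host name (`CMIS_AL_HOST`), confirm the helper covers DNS or add an explicit rule, otherwise the connector cannot resolve its backend. The default-deny posture itself is right; a one-line comment that nappl is the only intended egress (no scanner egress while it is forced off in the deployment) would record the intent for later changes.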


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.podDisruptionBudget" . -}}


@@ -0,0 +1,2 @@
{{- include "nplus.init" $ -}}
{{- include "nplus.pvc" . }}
