Public Information

charts/rms/templates/component.tpl

@@ -0,0 +1,2 @@
+{{- include "nplus.init" $ -}}
+{{- include "nplus.component" . -}}

charts/rms/templates/configmap-haproxy.tpl

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .component.fullName }}-haproxy
+  {{- if .this.utils.includeNamespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "nplus.instanceLabels" . | nindent 4 }}
+  annotations:
+    {{- include "nplus.argoWave" . | nindent 4 }}
+    {{- include "nplus.annotations" . | nindent 4 }}
+    {{- include "nplus.securityAnnotations" . | nindent 4 }}
+data:
+{{- range $path, $bytes := .Files.Glob "haproxy/*" }}
+{{- base $path | nindent 2 }}: |
+{{- tpl ($.Files.Get $path) $ | nindent 4 }}
+{{- end }}

charts/rms/templates/configmap-repository.tpl

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .component.fullName }}-repository
+  {{- if .this.utils.includeNamespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "nplus.instanceLabels" . | nindent 4 }}
+  annotations:
+    {{- include "nplus.argoWave" . | nindent 4 }}
+    {{- include "nplus.annotations" . | nindent 4 }}
+    {{- include "nplus.securityAnnotations" . | nindent 4 }}
+data:
+{{- range $path, $bytes := .Files.Glob "repository/*" }}
+{{- base $path | nindent 2 }}: |
+{{- tpl ($.Files.Get $path) $ | nindent 4 }}
+{{- end }}

charts/rms/templates/networkpolicy.tpl

@@ -0,0 +1,42 @@
+{{- include "nplus.init" $ -}}
+
+{{- if ((.this.security).cni).createNetworkPolicy }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ .component.fullName }}
+  {{- if .this.utils.includeNamespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "nplus.instanceLabels" . | nindent 4 }}
+  annotations:
+    {{- include "nplus.argoWave" . | nindent 4 }}
+    {{- include "nplus.annotations" . | nindent 4 }}
+    {{- include "nplus.securityAnnotations" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+    {{- include "nplus.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    # Access from out of Cluster (Admin Desktop)
+    - ipBlock:
+        cidr: {{ ((.this.security).cni).adminIpRange | quote }}
+  egress:
+  - to:
+    # All Pods in Instance
+    - podSelector:
+        matchLabels:
+          nplus/group: {{ .instance.group }}
+
+  # Allow API Access
+  - ports:
+    - protocol: TCP
+      port: 16443
+    - protocol: TCP
+      port: 443
+{{- end }}

charts/rms/templates/pdb.tpl

@@ -0,0 +1,2 @@
+{{- include "nplus.init" $ -}}
+{{- include "nplus.podDisruptionBudget" . -}}

charts/rms/templates/rms-rbac.tpl

@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .component.fullName }}-svc-account
+  {{- if .this.utils.includeNamespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "nplus.instanceLabels" . | nindent 4 }}
+  annotations:
+    {{- include "nplus.argoSharedResource" . | nindent 4 }}
+    {{- include "nplus.annotations" . | nindent 4 }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .component.fullName }}-role
+  {{- if .this.utils.includeNamespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "nplus.instanceLabels" . | nindent 4 }}
+  annotations:
+    {{- include "nplus.argoSharedResource" . | nindent 4 }}
+    {{- include "nplus.annotations" . | nindent 4 }}
+
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments","deployments/scale", "statefulsets","statefulsets/scale", "replicasets"]
+    verbs: ["get", "patch", "list"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .component.fullName }}-role-binding
+  {{- if .this.utils.includeNamespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "nplus.instanceLabels" . | nindent 4 }}
+  annotations:
+    {{- include "nplus.argoSharedResource" . | nindent 4 }}
+    {{- include "nplus.annotations" . | nindent 4 }}
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .component.fullName }}-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .component.fullName }}-svc-account

charts/rms/templates/service.tpl

@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .this.utils.includeNamespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  name: {{ .component.fullName }}-admin
+  labels:
+    {{- include "nplus.instanceLabels" . | nindent 4 }}
+  annotations:
+    {{- include "nplus.argoWave" . | nindent 4 }}
+    {{- include "nplus.annotations" . | nindent 4 }}
+    {{- include "nplus.securityAnnotations" . | nindent 4 }}
+    {{- include "nplus.serviceAnnotations" . | nindent 4 }}
+spec:
+  selector:
+  {{- if eq .this.service.selector "component" }}
+    {{- include "nplus.selectorLabels" . | nindent 4 }}
+  {{- else if eq .this.service.selector "type" }}
+    {{- include "nplus.selectorLabelsNc" . | nindent 4 }}
+  {{- else }}
+    {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }}
+  {{- end }}
+  type: LoadBalancer
+  {{- if .Values.externalIp }}
+  loadBalancerIP: {{ .Values.externalIp }}
+  {{- end }}
+  ports:
+    - protocol: TCP
+      port: 3120
+      targetPort: 3120
+      name: rms
+
+    {{- range $ckey, $component := .Values.comps }}
+    {{- if $component.enabled }}
+    {{- range $pkey, $port := .ports }}
+    - protocol: TCP
+      port: {{ $port }}
+      targetPort: {{ $port }}
+      name: {{ $ckey }}-{{ $pkey }}
+    {{- end }}
+    {{- end }}
+    {{- end }}

charts/rms/templates/statefulset.tpl

@@ -0,0 +1,128 @@
+{{- include "nplus.init" $ -}}
+
+{{- range $key, $component := .Values.components }}
+  {{- range $port := .ports }}
+# {{ $key }}/{{ $port }}
+  {{- end }}
+{{- end }}
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ .component.fullName }}
+  {{- if .this.utils.includeNamespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "nplus.instanceLabels" . | nindent 4 }}
+  annotations:
+    {{- include "nplus.argoWave" . | nindent 4 }}
+    {{- include "nplus.annotations" . | nindent 4 }}
+    {{- include "nplus.securityAnnotations" . | nindent 4 }}
+spec:
+
+  serviceName: {{ .component.fullName }}
+  selector:
+    matchLabels:
+      {{- include "nplus.selectorLabels" . | nindent 6 }}
+  replicas: {{ .Values.replicaCount }}
+  podManagementPolicy: OrderedReady
+  updateStrategy:
+    type: {{ .Values.updateStrategy | default "OnDelete" }}  
+  minReadySeconds: 5
+
+  template:
+    metadata:
+      labels:
+        {{- include "nplus.templateLabels" . | nindent 8 }}
+      annotations:
+        {{- include "nplus.templateAnnotations" . | nindent 8 }}
+        {{- include "nplus.securityAnnotations" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ .component.fullName }}-svc-account
+      
+      {{- include "nplus.imagePullSecrets" . | nindent 6 }}
+      {{- include "nplus.podSecurityContext" . | nindent 6 }}
+      {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }}
+      {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }}
+
+      initContainers:
+      {{- include "nplus.waitFor" . | nindent 6 }}
+
+      containers:
+      - name: rms
+        image: {{ include "nplus.image"  (dict "global" .Values.global "image" .Values.image) }}
+        imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
+        {{- include "nplus.containerSecurityContext" . | nindent 8 }}
+
+        command: ["/opt/ceyoniq/nscale-rms/bin/rms.bin"]
+
+        ports:
+        - containerPort: 3120
+          name: rms
+
+        {{- include "nplus.resources" . | nindent 8 }}
+
+        volumeMounts:
+        {{- include "nplus.defaultMounts" . | nindent 8 }}
+        - name: conf
+          subPath: {{ .this.instance.name | quote }}
+          mountPath: /conf
+
+        {{- if ($.this.ingress).domain }}
+        - name: cert
+          subPath: tls.crt
+          mountPath: "/opt/ceyoniq/nscale-rms/bin/tls.cer"
+          readOnly: true
+        - name: cert
+          subPath: tls.key
+          mountPath: "/opt/ceyoniq/nscale-rms/bin/tls.key"
+          readOnly: true
+        {{- end }}
+        - name: repository
+          mountPath: /etc/ceyoniq/nscale-rms/repository
+
+      - name: proxy
+        image: {{ include "nplus.image"  (dict "global" .Values.global "image" .Values.image) }}
+        imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }}
+        {{- include "nplus.containerSecurityContext" . | nindent 8 }}
+
+        command: ["haproxy", "-f", "/etc/haproxy/haproxy.cfg", "-d"]
+
+        ports:
+        {{- range $ckey, $component := .Values.comps }}
+        {{- if $component.enabled }}
+        {{- range $pkey, $port := .ports }}
+        - containerPort: {{ $port }}
+          name: {{ $ckey }}-{{ $pkey }}
+          protocol: TCP
+        {{- end }}
+        {{- end }}
+        {{- end }}
+
+        {{- include "nplus.resources" . | nindent 8 }}
+
+        volumeMounts:
+        {{- include "nplus.defaultMounts" . | nindent 8 }}
+        - name: haproxy
+          subPath: haproxy.cfg
+          mountPath: /etc/haproxy/haproxy.cfg
+
+      volumes:
+      {{- include "nplus.defaultVolumes" . | nindent 6 }}
+      - name: conf
+        persistentVolumeClaim:
+          claimName: conf
+      {{- if ($.this.ingress).domain }}
+      - name: cert
+        secret:
+          secretName: {{ ($.this.ingress).secret }}
+      {{- end }}
+      - name: repository
+        configMap:
+          name: {{ .component.fullName }}-repository
+          defaultMode: 0777
+      - name: haproxy
+        configMap:
+          name: {{ .component.fullName }}-haproxy
+          defaultMode: 0777