
Commit a399b4e

committed
Add chart
1 parent 5812ff4 commit a399b4e

11 files changed

+369
-0
lines changed

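--- a/charts/Chart.yaml
+++ b/charts/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: nais-api
+description: The all mighty NAIS API
+type: application
+version: 0.1.0
+sources:
+- https://github.com/nais/api/tree/main/charts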

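--- a/charts/templates/deployment.yaml
+++ b/charts/templates/deployment.yaml
@@ -0,0 +1,122 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: "{{ .Release.Name }}"
+labels:
+app: "{{ .Release.Name }}"
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: "{{ .Release.Name }}"
+template:
+metadata:
+annotations:
+prometheus.io/path: "/metrics"
+kubectl.kubernetes.io/default-container: "{{ .Chart.Name }}"
+labels:
+app: "{{ .Release.Name }}"
+spec:
+serviceAccountName: "{{ .Release.Name }}"
+securityContext:
+seccompProfile:
+type: RuntimeDefault
+containers:
+- name: cloud-sql-proxy
+image: {{ .Values.image.cloudsql_proxy }}
+command:
+- "/cloud_sql_proxy"
+- "-log_debug_stdout"
+- "-instances={{ .Values.database.instance }}=tcp:5432"
+securityContext:
+runAsNonRoot: true
+runAsUser: 1000
+runAsGroup: 1000
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
+capabilities:
+drop:
+- ALL
+resources:
+requests:
+memory: "256Mi"
+cpu: "0.22"
+- name: "{{ .Chart.Name }}"
+env:
+- name: KUBERNETES_CLUSTERS
+value: "{{ .Values.kubernetes.clusters }}"
+{{- if .Values.kubernetes.static }}
+- name: KUBERNETES_CLUSTERS_STATIC
+value: "{{ .Values.kubernetes.static }}"
+{{- end }}
+- name: TENANT
+value: "{{ .Values.fasit.tenant.name }}"
+- name: TENANT_DOMAIN
+value: "{{ .Values.tenant.domain }}"
+- name: GOOGLE_MANAGEMENT_PROJECT_ID
+value: "{{ .Values.google.managementProjectID }}"
+- name: COST_DATA_IMPORT_ENABLED
+value: "true"
+- name: RESOURCE_UTILIZATION_IMPORT_ENABLED
+value: "true"
+- name: DEPENDENCYTRACK_FRONTEND
+value: "{{ .Values.dependencytrack.frontend }}"
+- name: USERSYNC_ENABLED
+value: "true"
+- name: OAUTH_CLIENT_ID
+value: "{{ .Values.oauth.clientID }}"
+- name: OAUTH_REDIRECT_URL
+value: "https://{{ .Values.host }}/oauth2/callback"
+- name: OAUTH_FRONTEND_URL
+value: "https://{{ .Values.host }}"
+- name: LISTEN_ADDRESS
+value: ":3000"
+- name: GRPC_LISTEN_ADDRESS
+value: ":3001"
+envFrom:
+- secretRef:
+name: "{{ .Release.Name }}"
+securityContext:
+capabilities:
+drop:
+- ALL
+readOnlyRootFilesystem: true
+runAsNonRoot: true
+runAsUser: 1069
+allowPrivilegeEscalation: false
+image: "{{ .Values.image.repository }}/{{ .Values.image.name }}:{{ .Chart.Version }}"
+ports:
+- name: http
+containerPort: 3000
+protocol: TCP
+- name: grpc
+containerPort: 3001
+protocol: TCP
+startupProbe:
+httpGet:
+path: /healthz
+port: http
+initialDelaySeconds: 5
+periodSeconds: 2
+failureThreshold: 10
+readinessProbe:
+httpGet:
+path: /healthz
+port: http
+failureThreshold: 3
+livenessProbe:
+httpGet:
+path: /healthz
+port: http
+failureThreshold: 3
+resources:
+limits:
+memory: "{{ .Values.resources.memory }}"
+requests:
+cpu: "{{ .Values.resources.cpu }}"
+memory: "{{ .Values.resources.memory }}"
+strategy:
+type: RollingUpdate
+rollingUpdate:
+maxSurge: 1
+maxUnavailable: 0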
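Review bot: `image: {{ .Values.image.cloudsql_proxy }}` on line 26 is the one templated scalar in this manifest left unquoted, while the app image on line 87 is quoted; an empty or unset value would then render as a bare (null) scalar instead of a visibly wrong string, so `image: "{{ .Values.image.cloudsql_proxy }}"` is both safer and consistent. Line 87 tags the app image with `.Chart.Version`, which ties every application release to a chart version bump; `appVersion` in Chart.yaml (not set in this commit) is the conventional field for that. The proxy sidecar on lines 40–43 declares `requests` only, unlike the app container on lines 112–117, so it runs without a memory limit unless a LimitRange supplies one. A short comment on line 21 noting that the pod-level `seccompProfile` covers both containers would save the next reader from checking why the container-level contexts omit it.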

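--- a/charts/templates/fqdnnetpol.yaml
+++ b/charts/templates/fqdnnetpol.yaml
@@ -0,0 +1,44 @@
+apiVersion: networking.gke.io/v1alpha3
+kind: FQDNNetworkPolicy
+metadata:
+name: "{{ .Release.Name }}-fqdn"
+labels:
+app: "{{ .Release.Name }}"
+spec:
+egress:
+- ports:
+- port: 80
+protocol: TCP
+to:
+- fqdns:
+- metadata.google.internal
+- ports:
+- port: 443
+protocol: TCP
+to:
+- fqdns:
+- private.googleapis.com
+{{- $root := . }}
+{{- range split "," .Values.kubernetes.clusters }}
+- ports:
+- port: 443
+protocol: TCP
+to:
+- fqdns:
+- "apiserver.{{ . }}.{{ $root.Values.fasit.tenant.name }}.cloud.nais.io"
+{{- end }}
+{{- if .Values.kubernetes.static }}
+{{- range split "," .Values.kubernetes.static }}
+- ports:
+- port: 443
+protocol: TCP
+to:
+- fqdns:
+- {{ (split "|" .)._1 }}
+{{- end }}
+{{- end }}
+podSelector:
+matchLabels:
+app: "{{ .Release.Name }}"
+policyTypes:
+- Egress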
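Review bot: `- {{ (split "|" .)._1 }}` on line 37 is unquoted, unlike the sibling FQDN on line 28, and it yields an empty entry when an element of `.Values.kubernetes.static` has no `|` separator; `- {{ (split "|" .)._1 | quote }}` keeps the quoting consistent, and a `required` on the second field would surface the malformed input at `helm template` time instead of producing a policy that matches nothing. The `name|host` format this range expects is not documented anywhere in the chart — values.yaml in this commit gives `static: ""` with no comment. Line 22 ranges over `split "," .Values.kubernetes.clusters` without guarding an empty string, which presumably yields a single empty element and an `apiserver..<tenant>.cloud.nais.io` entry; worth confirming against the default values.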

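--- a/charts/templates/ingress.yaml
+++ b/charts/templates/ingress.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: "{{ .Release.Name }}"
+labels:
+app: "{{ .Release.Name }}"
+spec:
+ingressClassName: "{{ .Values.ingressClassName }}"
+rules:
+- host: "{{ .Values.host }}"
+http:
+paths:
+- backend:
+service:
+name: "{{ .Release.Name }}"
+port:
+name: http
+path: /query
+pathType: Prefix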
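Review bot: The only route is `path: /query` with `pathType: Prefix` on lines 18–19, yet deployment.yaml in this commit sets `OAUTH_REDIRECT_URL` to `https://{{ .Values.host }}/oauth2/callback`, which this Ingress does not forward; unless another Ingress serves the rest of the host, the OAuth callback is unreachable and login cannot complete. Either add a second path entry for `/oauth2` or, if the backend is meant to own the whole host, route `path: /` and keep the exposure decision explicit. A comment on the `paths:` block stating which paths are intentionally public would stop the next contributor from widening it by accident.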

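--- a/charts/templates/networkpolicy.yaml
+++ b/charts/templates/networkpolicy.yaml
@@ -0,0 +1,35 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: "{{ .Release.Name }}"
+labels:
+app: "{{ .Release.Name }}"
+spec:
+egress:
+- to:
+- ipBlock:
+cidr: 0.0.0.0/0
+- to:
+- namespaceSelector: {}
+podSelector:
+matchLabels:
+k8s-app: kube-dns
+- to:
+- podSelector:
+matchLabels:
+app.kubernetes.io/name: hookd
+- to:
+- podSelector:
+matchLabels:
+app.kubernetes.io/name: dependencytrack
+ingress:
+- from:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: "{{ .Release.Namespace }}"
+podSelector:
+matchLabels:
+app: "{{ .Release.Name }}"
+policyTypes:
+- Egress
+- Ingress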
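Review bot: `cidr: 0.0.0.0/0` on line 11 permits egress to every destination, which makes the kube-dns, hookd and dependencytrack egress rules on lines 12–24 and the whole FQDNNetworkPolicy added in this commit redundant — once any rule allows all IPs, the narrower ones add nothing. If the intent is to allow internet egress but not in-cluster lateral movement, the usual shape is an `ipBlock` with an `except:` list covering the cluster's pod/service ranges and the RFC 1918 blocks, leaving the explicit pod-selector rules as the only in-cluster allowance. The ingress rule on lines 26–29 only admits traffic from pods in `{{ .Release.Namespace }}`; the controller behind `ingressClassName: nais-ingress` and the Prometheus that honours the ServiceMonitor presumably run in that namespace, otherwise both HTTP traffic and scraping are dropped, and a comment stating that assumption would help.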

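--- a/charts/templates/prometheusrule.yaml
+++ b/charts/templates/prometheusrule.yaml
@@ -0,0 +1,32 @@
+{{ if .Values.alerts.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+name: "{{ .Release.Name }}"
+labels:
+app: "{{ .Release.Name }}"
+spec:
+groups:
+- name: "{{ .Release.Name }}-alerts"
+rules:
+- alert: Hookd requests failing
+expr: increase(errors_total{job="{{ .Release.Name }}", component="hookd-client"}[2m]) > 0
+for: 5m
+labels:
+namespace: nais-system
+severity: critical
+ping: nais-vakt
+annotations:
+consequence: Users may not be able to see deployments in console.
+action: "Check logs in {{ .Release.Name }} and hookd"
+- alert: Kubernetes API server requests failing
+expr: increase(errors_total{job="{{ .Release.Name }}", component="k8s-client"}[2m]) > 0
+for: 5m
+labels:
+namespace: nais-system
+severity: critical
+ping: nais-vakt
+annotations:
+consequence: Users may not be able to see workload information in console.
+action: "Check logs in {{ .Release.Name }}"
+{{- end }}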
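Review bot: `namespace: nais-system` on lines 16 and 26 is hard-coded while the other resources in this commit derive the namespace from the release (`{{ .Release.Namespace }}` in networkpolicy.yaml); servicemonitor.yaml hard-codes the same value in `metadata.namespace` and `matchNames`, so installing the chart anywhere else silently breaks alert routing and scraping. `namespace: "{{ .Release.Namespace }}"` in all three places keeps them in step. The alert names `Hookd requests failing` and `Kubernetes API server requests failing` contain spaces, which older Prometheus rule validation may reject and which Alertmanager matchers handle awkwardly; `alert: HookdRequestsFailing` style names avoid that. Both rules page `critical` on `increase(...) > 0`, i.e. a single error sustained across the `for` window, so a rate threshold would avoid paging on one transient failure.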

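--- a/charts/templates/secret.yaml
+++ b/charts/templates/secret.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: "{{ .Release.Name }}"
+labels:
+app: "{{ .Release.Name }}"
+type: Opaque
+stringData:
+HOOKD_PSK: "{{ .Values.hookd.psk }}"
+DEPENDENCYTRACK_PASSWORD: "{{ .Values.dependencytrack.password }}"
+OAUTH_CLIENT_SECRET: "{{ .Values.oauth.clientSecret }}"
+STATIC_SERVICE_ACCOUNTS: {{ .Values.staticServiceAccounts | quote }}
+DATABASE_URL: "postgres://{{ .Values.database.user }}:{{ .Values.database.password }}@127.0.0.1:5432/{{ .Values.database.name }}?sslmode=disable"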
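Review bot: Lines 9–11 wrap secret values in literal double quotes (`"{{ .Values.hookd.psk }}"`), so a PSK or password containing `"` or `\` produces an invalid manifest, while line 12 already uses the safe form; `HOOKD_PSK: {{ .Values.hookd.psk | quote }}` (and the same for the two lines below it) escapes correctly. Line 13 embeds `database.user` and `database.password` raw into a URL, where `@`, `:`, `/` or `#` in either breaks parsing; percent-encode them, e.g. `{{ .Values.database.password | urlquery }}`, bearing in mind that builtin turns spaces into `+`. `sslmode=disable` on that line is acceptable only because the target is the cloud-sql-proxy sidecar on 127.0.0.1 (deployment.yaml line 30), which carries its own TLS to Cloud SQL; a comment on the line saying so would keep it from being copied into a chart that connects directly. These values also land in the Helm release secret, so `helm get values` exposes them to anyone with access to release metadata — worth noting in values.yaml next to the `# mapped in fasit` markers.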

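--- a/charts/templates/service.yaml
+++ b/charts/templates/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: "{{ .Release.Name }}"
+labels:
+app: "{{ .Release.Name }}"
+spec:
+type: ClusterIP
+ports:
+- port: 80
+targetPort: http
+protocol: TCP
+name: http
+- port: 3001
+targetPort: grpc
+protocol: TCP
+name: grpc
+selector:
+app: "{{ .Release.Name }}"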

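--- a/charts/templates/serviceaccount.yaml
+++ b/charts/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+name: "{{ .Release.Name }}"
+annotations:
+iam.gke.io/gcp-service-account: "{{ .Values.serviceaccount.email }}"
+labels:
+app: "{{ .Release.Name }}"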

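--- a/charts/templates/servicemonitor.yaml
+++ b/charts/templates/servicemonitor.yaml
@@ -0,0 +1,18 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+name: "{{ .Release.Name }}"
+namespace: nais-system
+labels:
+app: "{{ .Release.Name }}"
+spec:
+endpoints:
+- interval: 1m
+port: http
+scrapeTimeout: 10s
+namespaceSelector:
+matchNames:
+- nais-system
+selector:
+matchLabels:
+app: "{{ .Release.Name }}"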

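--- a/charts/values.yaml
+++ b/charts/values.yaml
@@ -0,0 +1,52 @@
+database: # mapped in fasit
+instance:
+name:
+user:
+password:
+
+ingressClassName: nais-ingress
+
+image:
+repository: europe-north1-docker.pkg.dev/nais-io/nais/images
+name: nais-api
+
+cloudsql_proxy: gcr.io/cloudsql-docker/gce-proxy:1.33.16
+
+host: ""
+
+hookd:
+psk: ""
+
+dependencytrack:
+frontend: ""
+password: ""
+
+serviceaccount:
+email: ""
+
+fasit:
+tenant:
+name: "dev-nais"
+
+kubernetes:
+clusters: "dev,prod"
+static: ""
+
+resources:
+cpu: 300m
+memory: 512Mi
+
+alerts:
+enabled: true
+
+tenant:
+domain: example.com
+
+google:
+managementProjectID: "" # mapped in fasit
+
+oauth: # mapped in fasit
+clientID: ""
+clientSecret: ""
+
+staticServiceAccounts: "" # mapped in fasit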
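Review bot: `instance:`, `name:`, `user:` and `password:` under `database` on lines 2–5 are bare keys, which YAML reads as null; as far as I can tell Helm then renders the interpolations as empty strings rather than failing, and `-instances==tcp:5432` in the proxy args of deployment.yaml would be the first visible symptom. Writing `instance: ""` and so on matches the other placeholders in this file, and wrapping the template uses in `required` would fail fast at install time. `static` on line 33 deserves a comment on its expected format, since fqdnnetpol.yaml parses it as comma-separated `name|host` pairs; `static: "" # comma-separated "<name>|<apiserver-host>" entries for clusters outside fasit` would do. `cloudsql_proxy` on line 13 is the only snake_case key in a file that otherwise uses camelCase (`ingressClassName`, `managementProjectID`, `clientID`).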
