diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 334cde3..3f31abf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,7 +5,7 @@ on: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - VERSION: 0.11.0-RC2 + VERSION: 0.11.0-RC3 jobs: build: diff --git a/README.md b/README.md index fb3cc88..6170e0a 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ This repository contains the following Carvel packages. | [cartographer-delivery](https://github.com/kadras-io/cartographer-delivery) | Cartographer delivery chains to deploy workloads to a Kubernetes cluster based on GitOps or RegistryOps. | | [cartographer-supply-chains](https://github.com/kadras-io/cartographer-supply-chains) | Cartographer supply chains to build golden paths to production for applications and functions, from source code to delivery in a Kubernetes cluster. | | [cert-manager](https://github.com/kadras-io/package-for-cert-manager) | A cloud-native solution to automatically provision and manage X.509 certificates. | +| [cert-manager-issuers](https://github.com/kadras-io/cert-manager-issuers) | A collection of issuers for Cert Manager, used by the Kadras platform to support TLS via a private CA or Let's Encrypt. | | [contour](https://github.com/kadras-io/package-for-contour) | An Envoy-based ingress controller that supports dynamic configuration updates and multi-team ingress delegation. | | [engineering-platform](https://github.com/kadras-io/engineering-platform) | A curated set of Carvel packages to build an engineering platform supporting application developers with paved paths to production on Kubernetes. | | [fluxcd-source-controller](https://github.com/kadras-io/package-for-fluxcd-source-controller) | A source management component from the Flux GitOps Toolkit to provide a common interface for artifacts acquisition. | 
diff --git a/repo/packages/cert-manager-issuers.packages.kadras.io/0.1.0.yml b/repo/packages/cert-manager-issuers.packages.kadras.io/0.1.0.yml new file mode 100644 index 0000000..408df9d --- /dev/null +++ b/repo/packages/cert-manager-issuers.packages.kadras.io/0.1.0.yml @@ -0,0 +1,50 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: Package +metadata: + creationTimestamp: null + name: cert-manager-issuers.packages.kadras.io.0.1.0 +spec: + licenses: + - Apache 2.0 + refName: cert-manager-issuers.packages.kadras.io + releaseNotes: https://github.com/kadras-io/cert-manager-issuers/releases + releasedAt: "2023-04-10T17:23:11Z" + template: + spec: + deploy: + - kapp: {} + fetch: + - imgpkgBundle: + image: ghcr.io/kadras-io/cert-manager-issuers@sha256:0bf8807f63cb5756a3006fb6db248aa1209692075d2d79f1510164819c0b2441 + template: + - ytt: + paths: + - config + - kbld: + paths: + - '-' + - .imgpkg/images.yml + valuesSchema: + openAPIv3: + additionalProperties: false + properties: + letsencrypt: + additionalProperties: false + description: Settings for Let's Encrypt. + properties: + include: + default: false + description: Whether to include a ClusterIssuer for Let's Encrypt. + type: boolean + staging: + default: true + description: Whether to use Let's Encrypt staging, recommended for non-production + environments. + type: boolean + type: object + namespace: + default: cert-manager + description: The namespace where Cert Manager is deployed. + type: string + type: object + version: 0.1.0 diff --git a/repo/packages/cert-manager-issuers.packages.kadras.io/metadata.yml b/repo/packages/cert-manager-issuers.packages.kadras.io/metadata.yml new file mode 100644 index 0000000..0bf0159 --- /dev/null +++ b/repo/packages/cert-manager-issuers.packages.kadras.io/metadata.yml 
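Review bot: The `letsencrypt.staging` description says staging is "recommended for non-production environments" without saying why, and nothing in the schema exposes the ACME account email or the challenge solver (HTTP-01 vs DNS-01), so if the bundle fixes those values operators cannot change them without forking the package. I would reword `staging` as `Whether to use the Let's Encrypt staging environment. Staging certificates chain to an untrusted root and are rejected by browsers, but staging has much higher rate limits than production; use it while validating the setup, then switch to production.` The `include` description could also say that the issuer is a cluster-scoped ClusterIssuer usable from any namespace, and if the bundle hard-codes an email or solver, a `letsencrypt.email` string (and a solver setting) belongs in this values schema; I can't see the bundle contents from this generated manifest.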
@@ -0,0 +1,19 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: PackageMetadata +metadata: + creationTimestamp: null + name: cert-manager-issuers.packages.kadras.io +spec: + categories: + - certificate-management + - security + - tls + displayName: cert-manager-issuers + longDescription: A collection of ClusterIssuers to use with cert-manager, including + a private CA and optional Let's Encrypt support. + maintainers: + - name: Thomas Vitale + providerName: Kadras + shortDescription: A collection of ClusterIssuers to use with cert-manager. + supportDescription: Go to https://kadras.io for documentation and https://github.com/kadras-io/cert-manager-issuers + for community support. diff --git a/repo/packages/cert-manager.packages.kadras.io/1.11.1+kadras.1.yml b/repo/packages/cert-manager.packages.kadras.io/1.11.1+kadras.1.yml new file mode 100644 index 0000000..9885756 --- /dev/null +++ b/repo/packages/cert-manager.packages.kadras.io/1.11.1+kadras.1.yml 
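Review bot: The `longDescription` presents the private CA ClusterIssuer purely as a TLS convenience and omits its trust implication: a ClusterIssuer is cluster-scoped, and with cert-manager's default auto-approval any namespace that may create `Certificate` resources can obtain a certificate for any DNS name signed by that private CA, which anything trusting the CA (for example via the Knative `ca_cert_data` value added elsewhere in this commit) will accept. Suggest appending to `longDescription`: `ClusterIssuers are cluster-scoped; restrict who may create Certificate resources, or pair the private CA issuer with an approval policy (e.g. approver-policy), before distributing its CA certificate to workloads.` Whether the bundle already ships such a policy cannot be determined from this metadata file.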
@@ -0,0 +1,119 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: Package +metadata: + creationTimestamp: null + name: cert-manager.packages.kadras.io.1.11.1+kadras.1 +spec: + licenses: + - Apache 2.0 + refName: cert-manager.packages.kadras.io + releaseNotes: https://github.com/kadras-io/package-for-cert-manager/releases + releasedAt: "2023-04-10T16:43:35Z" + template: + spec: + deploy: + - kapp: + rawOptions: + - --wait-timeout=5m + - --kube-api-qps=50 + - --kube-api-burst=100 + fetch: + - imgpkgBundle: + image: ghcr.io/kadras-io/package-for-cert-manager@sha256:5eb109783bf54f76e09621437a9bacfe6bd38348ee459883173c89a5e7fcc4fc + template: + - ytt: + paths: + - config + - kbld: + paths: + - '-' + - .imgpkg/images.yml + valuesSchema: + openAPIv3: + additionalProperties: false + properties: + leader_election: + additionalProperties: false + description: Leader election configuration for the cert-manager and cert-manager-cainjector + Deployments. + properties: + lease_duration: + default: 60s + description: The duration that non-leader candidates will wait after + observing a leadership renewal until attempting to acquire leadership + of a led but unrenewed leader slot. This is effectively the maximum + duration that a leader can be stopped before it is replaced by another + candidate. + type: string + namespace: + default: kube-system + description: 'Namespace used to perform leader election. The default + namespace needs changing in environments like GKE. More information: + https://cert-manager.io/docs/installation/compatibility/#gke.' + type: string + renew_deadline: + default: 40s + description: The interval between attempts by the acting leader to renew + a leadership slot before it stops leading. + type: string + retry_period: + default: 15s + description: The duration the clients should wait between attempting + acquisition and renewal of a leadership. 
+ type: string + type: object + namespace: + default: cert-manager + description: The namespace in which to deploy Cert Manager. + type: string + policies: + additionalProperties: false + description: Settings for the Kyverno policies. + properties: + include: + default: false + description: Whether to include the out-of-the-box Kyverno policies + to validate and secure the package installation. + type: boolean + type: object + proxy: + additionalProperties: false + description: Settings for the proxy. + properties: + http_proxy: + default: "" + description: The HTTP proxy URL. + type: string + https_proxy: + default: "" + description: The HTTPS proxy URL. + type: string + no_proxy: + default: "" + description: For which domains the proxy should not be used. + type: string + type: object + webhook: + additionalProperties: false + description: Settings for the cert-manager webhook. + properties: + host_network: + default: false + description: 'Whether to run the webhook in the host network so that + it can be reached by the cert-manager controller in environments like + AWS EKS. More information: https://cert-manager.io/docs/installation/compatibility/#aws-eks.' + type: boolean + replicas: + default: 1 + description: The number of replicas. In order to enable high availability, + it should be greater than 1. + type: integer + secure_port: + default: 10250 + description: 'The port where the webhook is exposed. The default port + needs changing in environments like AWS EKS and AWS Fargate. More + information: https://cert-manager.io/docs/installation/compatibility/#aws-eks.' + type: integer + type: object + type: object + version: 1.11.1+kadras.1 diff --git a/repo/packages/contour.packages.kadras.io/1.24.3+kadras.2.yml b/repo/packages/contour.packages.kadras.io/1.24.3+kadras.2.yml new file mode 100644 index 0000000..df5b1be --- /dev/null +++ b/repo/packages/contour.packages.kadras.io/1.24.3+kadras.2.yml 
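Review bot: The `webhook.host_network` description points to the EKS compatibility page but does not say that enabling it puts the webhook in the node's network namespace, where the `secure_port` default of 10250 directly below collides with the kubelet's port; as I recall the linked cert-manager page pairs those two settings, so the schema should too. Suggest extending the `host_network` description with `When true, also change secure_port: 10250 is the kubelet port on the host and the webhook will fail to bind.` Separately, `policies.include` defaults to false, so the Kyverno policies described as securing the installation are opt-in; if that is deliberate the description should say what the policies enforce so operators can judge the trade-off. I can't tell from this generated manifest whether the ytt template validates the host_network/secure_port combination.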
@@ -0,0 +1,222 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: Package +metadata: + creationTimestamp: null + name: contour.packages.kadras.io.1.24.3+kadras.2 +spec: + licenses: + - Apache 2.0 + refName: contour.packages.kadras.io + releaseNotes: https://github.com/kadras-io/package-for-contour/releases + releasedAt: "2023-04-10T15:17:02Z" + template: + spec: + deploy: + - kapp: + rawOptions: + - --wait-timeout=5m + - --kube-api-qps=50 + - --kube-api-burst=100 + fetch: + - imgpkgBundle: + image: ghcr.io/kadras-io/package-for-contour@sha256:8ad525ebd8fe06e636056b13f386d96fe61e484a5acad42a93f0a44f71d85e5f + template: + - ytt: + paths: + - config + - kbld: + paths: + - '-' + - .imgpkg/images.yml + valuesSchema: + openAPIv3: + additionalProperties: false + properties: + certificates: + additionalProperties: false + description: TLS configuration to secure the communication between Contour + and Envoy. + properties: + duration: + default: 8760h + description: If using cert-manager, how long the certificates should + be valid for. If `useCertManager` is false, this field is ignored. + type: string + renewBefore: + default: 360h + description: If using cert-manager, how long before expiration the certificates + should be renewed. If `useCertManager` is false, this field is ignored. + type: string + useCertManager: + default: false + description: 'Whether to use cert-manager to provision TLS certificates + for securing the communication between Contour and Envoy. If `false`, + the `contour-certgen` Job will be used to provision certificates. + If `true`, cert-manager must be installed in the cluster. See: https://github.com/kadras-io/package-for-cert-manager.' + type: boolean + type: object + contour: + additionalProperties: false + description: Settings for the Contour component. + properties: + config: + additionalProperties: false + description: Configuration for the Contour Deployment. 
+ properties: + logFormat: + default: text + description: Log output format for Contour. Either `text` (default) + or `json`. + type: string + logLevel: + default: info + description: The Contour log level. Valid options are `info` and + `debug`. + type: string + useProxyProtocol: + default: false + description: Whether to enable PROXY protocol for all Envoy listeners. + type: boolean + type: object + configFileContents: + default: {} + description: The YAML contents of the Contour config file. See https://projectcontour.io/docs/latest/configuration/#configuration-file + for more information. + nullable: true + replicas: + default: 2 + description: The number of Contour replicas. In order to enable high + availability, it should be greater than 1. + type: integer + type: object + envoy: + additionalProperties: false + description: Settings for the Envoy component. + properties: + config: + additionalProperties: false + description: Configuration for the Envoy workload. + properties: + logLevel: + default: info + description: The Envoy log level. + type: string + type: object + service: + additionalProperties: false + description: Envoy service settings. + properties: + annotations: + default: null + description: Annotations to set on the Envoy service. + nullable: true + aws: + additionalProperties: false + description: AWS-specific settings for the Envoy service. If `infrastructureProvider` + is not `aws`, these settings are ignored. + properties: + loadBalancerType: + default: classic + description: The type of AWS load balancer to provision. Options + are 'classic' and 'nlb'. + type: string + type: object + externalTrafficPolicy: + default: null + description: The external traffic policy for the Envoy service. + If type is `ClusterIP`, this field is ignored. Otherwise, it defaults + to `Cluster` for vsphere and `Local` for others. + nullable: true + type: string + loadBalancerIP: + default: "" + description: The desired load balancer IP. 
If `type` is not `LoadBalancer', + this field is ignored. It is up to the cloud provider whether + to honor this request. If not specified, then load balancer IP + will be assigned by the cloud provider. + type: string + nodePorts: + additionalProperties: false + description: NodePort settings for the Envoy service. If type is + not `NodePort` or `LoadBalancer`, these settings are ignored. + properties: + http: + default: 0 + description: The node port number to expose Envoy's HTTP listener + on. If not specified, a node port will be auto-assigned by + Kubernetes. + type: integer + https: + default: 0 + description: The node port number to expose Envoy's HTTPS listener + on. If not specified, a node port will be auto-assigned by + Kubernetes. + type: integer + type: object + type: + default: null + description: The type of Kubernetes service to provision for Envoy. + If not specified, it will default to `NodePort` for local and + vsphere and `LoadBalancer` for others. + nullable: true + type: string + type: object + workload: + additionalProperties: false + description: Envoy workload settings. + properties: + hostNetwork: + default: false + description: Whether to enable host networking for the Envoy pods. + type: boolean + hostPorts: + additionalProperties: false + description: Host port settings for the Envoy pods. + properties: + enabled: + default: false + description: Whether to enable host ports. If false, http & + https are ignored. + type: boolean + http: + default: 80 + description: If enabled, the host port number to expose Envoy's + HTTP listener on. + type: integer + https: + default: 443 + description: If enabled, the host port number to expose Envoy's + HTTPS listener on. + type: integer + type: object + replicas: + default: 2 + description: The number of Envoy replicas to deploy when `type` + is set to `Deployment`. 
+ type: integer + terminationGracePeriodSeconds: + default: 300 + description: The termination grace period, in seconds, for the Envoy + pods. + type: integer + type: + default: DaemonSet + description: The type of Kubernetes workload that Envoy is deployed + as. Options are `Deployment` or `DaemonSet`. If not specified, + it defaults to `DaemonSet`. + type: string + type: object + type: object + infrastructureProvider: + default: null + description: The underlying infrastructure provider. Options are `aws`, + `azure`, `local` and `vsphere`. This field is not required, but it enables + better validation and defaulting if provided. + nullable: true + type: string + namespace: + default: projectcontour + description: The namespace in which to deploy Contour and Envoy. + type: string + type: object + version: 1.24.3+kadras.2 diff --git a/repo/packages/knative-serving.packages.kadras.io/1.9.3+kadras.2.yml b/repo/packages/knative-serving.packages.kadras.io/1.9.3+kadras.2.yml new file mode 100644 index 0000000..8f9b331 --- /dev/null +++ b/repo/packages/knative-serving.packages.kadras.io/1.9.3+kadras.2.yml 
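Review bot: The `contour.config.useProxyProtocol` description says only that it enables PROXY protocol on all Envoy listeners, not that it changes what Envoy trusts: with the protocol on, the client address is taken from the PROXY header, so the option is safe only when Envoy is reachable exclusively through a load balancer that prepends that header; a client that can reach Envoy directly (for example through the `hostPorts`, `hostNetwork` or `NodePort` options in this same schema) can forge the header and spoof its source IP in access logs, rate limits and IP allow-lists. Suggest: `Whether to enable PROXY protocol for all Envoy listeners. Only enable this when Envoy is reachable exclusively through a load balancer that sends the PROXY header; otherwise clients can forge the header and spoof their source address.` Relatedly, `logFormat`, `logLevel`, `loadBalancerType`, `workload.type` and `infrastructureProvider` list their valid values in prose only; since this file appears generated from the bundle's ytt schema, a `@schema/validation one_of=[...]` there would surface here as `enum` and reject typos at install time rather than at runtime.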
@@ -0,0 +1,221 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: Package +metadata: + creationTimestamp: null + name: knative-serving.packages.kadras.io.1.9.3+kadras.2 +spec: + licenses: + - Apache 2.0 + refName: knative-serving.packages.kadras.io + releaseNotes: https://github.com/kadras-io/package-for-knative-serving/releases + releasedAt: "2023-04-10T15:34:58Z" + template: + spec: + deploy: + - kapp: + rawOptions: + - --wait-timeout=5m + fetch: + - imgpkgBundle: + image: ghcr.io/kadras-io/package-for-knative-serving@sha256:744ed4a68edd201d0a138a561fb396655e808bca5ae88d4ec49d6e28418e2c42 + template: + - ytt: + paths: + - config + - kbld: + paths: + - '-' + - .imgpkg/images.yml + valuesSchema: + openAPIv3: + additionalProperties: false + properties: + ca_cert_data: + default: "" + description: PEM-encoded certificate data to trust TLS connections with + a custom CA. + type: string + config: + additionalProperties: false + description: Settings for the Knative Serving ConfigMaps. + properties: + network: + additionalProperties: false + description: Network configuration stored in the `config-network` ConfigMap. + properties: + default-external-scheme: + default: http + description: Defines the scheme used for external URLs if autoTLS + is not enabled. This can be used for making Knative report all + URLs as `https`, for example, if you're fronting Knative with + an external loadbalancer that deals with TLS termination and Knative + doesn't know about that otherwise. + type: string + domain-template: + default: '{{.Name}}.{{.Namespace}}.{{.Domain}}' + description: The golang text template string to use when constructing + the Knative Service's DNS name. + type: string + http-protocol: + default: Redirected + description: 'Controls the behavior of the HTTP endpoint for the + Knative ingress. `Enabled`: The Knative ingress will be able to + serve HTTP connection. 
`Redirected`: The Knative ingress will + send a 301 redirect for all http connections, asking the clients + to use HTTPS.' + type: string + namespace-wildcard-cert-selector: + default: "" + description: A LabelSelector which determines which namespaces should + have a wildcard certificate provisioned. + type: string + rollout-duration: + default: 0 + description: The minimal duration in seconds over which the Configuration + traffic targets are rolled out to the newest revision. + type: integer + type: object + tracing: + additionalProperties: false + description: Network configuration stored in the `config-tracing` ConfigMap. + properties: + backend: + default: none + description: The type of distributed tracing backend. + type: string + debug: + default: "false" + description: Enable the Zipkin debug mode. This allows all spans + to be sent to the server bypassing sampling. + type: string + sample-rate: + default: "0.1" + description: The percentage (0-1) of requests to trace. + type: string + zipkin-endpoint: + default: http://tempo.observability-system.svc.cluster.local:9411/api/v2/spans + description: The Zipkin collector endpoint where traces are sent. + type: string + type: object + type: object + domain_name: + default: "" + description: Domain name for Knative Services. It must be a valid DNS name. + Stored in the `config-domain` ConfigMap. + type: string + ingress: + additionalProperties: false + description: Settings for the Ingress controller. + properties: + contour: + additionalProperties: false + description: Ingress configuration stored in the `config-contour` ConfigMap. + properties: + default-tls-secret: + default: "" + description: If auto-TLS is disabled, fallback to this certificate. + An operator is required to setup a TLSCertificateDelegation for + this Secret to be used. 
+ type: string + external: + additionalProperties: false + description: Configuration for the external Ingress controller + properties: + namespace: + default: projectcontour + description: The namespace where the external Ingress controller + is installed. + type: string + type: object + internal: + additionalProperties: false + description: Configuration for the internal Ingress controller + properties: + namespace: + default: projectcontour + description: The namespace where the internal Ingress controller + is installed. + type: string + type: object + type: object + type: object + ingress_issuer: + default: "" + description: A reference to the ClusterIssuer to use if you want to enable + autoTLS. Stored in the `config-certmanager` ConfigMap. + example: kadras-ca-issuer + type: string + x-example-description: Kadras private CA + policies: + additionalProperties: false + description: Settings for the Kyverno policies. + properties: + include: + default: false + description: Whether to include the out-of-the-box Kyverno policies + to validate and secure the package installation. + type: boolean + type: object + proxy: + additionalProperties: false + description: Settings for the corporate proxy. + properties: + http_proxy: + default: "" + description: The HTTP proxy to use for network traffic + type: string + https_proxy: + default: "" + description: The HTTPS proxy to use for network traffic + type: string + no_proxy: + default: "" + description: A comma-separated list of hostnames, IP addresses, or IP + ranges in CIDR format that should not use a proxy + type: string + type: object + workloads: + additionalProperties: false + description: Settings for the Knative Serving workloads. + properties: + activator: + additionalProperties: false + properties: + minReplicas: + default: 1 + description: The minimum number of replicas as controlled by a HorizontalPodAutoscaler. + In order to enable high availability, it should be greater than + 1. 
+ type: integer + type: object + autoscaler: + additionalProperties: false + properties: + replicas: + default: 1 + description: The number of replicas for this Deployment. In order + to enable high availability, it should be greater than 1. + type: integer + type: object + controller: + additionalProperties: false + properties: + replicas: + default: 1 + description: The number of replicas for this Deployment. In order + to enable high availability, it should be greater than 1. + type: integer + type: object + webhook: + additionalProperties: false + properties: + minReplicas: + default: 1 + description: The minimum number of replicas as controlled by a HorizontalPodAutoscaler. + In order to enable high availability, it should be greater than + 1. + type: integer + type: object + type: object + type: object + version: 1.9.3+kadras.2
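Review bot: The `config.network.http-protocol` description documents only `Enabled` and `Redirected`, but Knative's networking config also defines `Disabled` (no plaintext HTTP endpoint at all), which is the stricter choice for an ingress that already has auto-TLS via `ingress_issuer`; the text here mirrors upstream's `_example` block, which presumably is why the third value is missing, but if the bundle passes the value through verbatim it should be listed. Suggest appending to the description: `Disabled: The Knative ingress serves HTTPS only and does not answer plain HTTP.` As with the other packages in this commit, the accepted values are stated in prose only; an `enum` (from a `@schema/validation one_of=[...]` in the ytt schema) would catch a mistyped value at install time instead of leaving the ingress in an unintended state.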