Commit 69d272a4 authored by konfiot

Add stash

parent 5cfcd609
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# Helm files
OWNERS
apiVersion: v1
appVersion: 0.7.0
description: Stash by AppsCode - Backup your Kubernetes Volumes
home: https://github.com/appscode/stash
icon: https://cdn.appscode.com/images/icon/stash.png
maintainers:
- email: support@appscode.com
name: appscode
name: stash
sources:
- https://github.com/appscode/stash
version: 0.7.0
# Stash
[Stash by AppsCode](https://github.com/appscode/stash) - Backup your Kubernetes Volumes
## TL;DR;
```console
$ helm repo add appscode https://charts.appscode.com/stable/
$ helm repo update
$ helm install appscode/stash
```
## Introduction
This chart bootstraps a [Stash controller](https://github.com/appscode/stash) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Prerequisites
- Kubernetes 1.8+
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm install appscode/stash --name my-release
```
The command deploys Stash operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release`:
```console
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
The following table lists the configurable parameters of the Stash chart and their default values.
| Parameter | Description | Default |
| ----------------------------------- | ----------------------------------------------------------------- | ------------------ |
| `replicaCount` | Number of stash operator replicas to create (only 1 is supported) | `1` |
| `operator.registry` | Docker registry used to pull operator image | `appscode` |
| `operator.repository` | operator container image | `stash` |
| `operator.tag` | operator container image tag | `0.7.0` |
| `pushgateway.registry` | Docker registry used to pull Prometheus pushgateway image | `prom` |
| `pushgateway.repository` | Prometheus pushgateway container image | `pushgateway` |
| `pushgateway.tag` | Prometheus pushgateway container image tag | `v0.4.0` |
| `imagePullPolicy` | container image pull policy | `IfNotPresent` |
| `criticalAddon` | If true, installs Stash operator as critical addon | `false` |
| `rbac.create` | If `true`, create and use RBAC resources | `true` |
| `serviceAccount.create` | If `true`, create a new service account | `true` |
| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | `` |
| `apiserver.groupPriorityMinimum` | The minimum priority the group should have. | 10000 |
| `apiserver.versionPriority` | The ordering of this API inside of the group. | 15 |
| `apiserver.enableValidatingWebhook` | Enable validating webhooks for Stash CRDs | false |
| `apiserver.enableMutatingWebhook` | Enable mutating webhooks for Kubernetes workloads | false |
| `apiserver.ca` | CA certificate used by main Kubernetes api server | `` |
| `enableAnalytics` | Send usage events to Google Analytics | `true` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
```console
$ helm install --name my-release --set image.tag=v0.2.1 appscode/stash
```
Alternatively, a YAML file that specifies the values for the parameters can be provided while
installing the chart. For example:
```console
$ helm install --name my-release --values values.yaml appscode/stash
```
## RBAC
By default the chart will not install the recommended RBAC roles and rolebindings.
You need to have the flag `--authorization-mode=RBAC` on the api server. See the following document for how to enable [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/).
To determine if your cluster supports RBAC, run the following command:
```console
$ kubectl api-versions | grep rbac
```
If the output contains "beta", you may install the chart with RBAC enabled (see below).
### Enable RBAC role/rolebinding creation
To enable the creation of RBAC resources (On clusters with RBAC). Do the following:
```console
$ helm install --name my-release appscode/stash --set rbac.create=true
```
To verify that Stash has started, run:
kubectl --namespace={{ .Release.Namespace }} get deployments -l "release={{ .Release.Name }}, app={{ template "stash.name" . }}"
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "stash.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "stash.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "stash.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "stash.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- $ca := genCA "svc-cat-ca" 3650 }}
{{- $cn := include "stash.fullname" . -}}
{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }}
{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1alpha1.admission.stash.appscode.com
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
spec:
group: admission.stash.appscode.com
version: v1alpha1
service:
namespace: {{ .Release.Namespace }}
name: {{ template "stash.fullname" . }}
caBundle: {{ b64enc $ca.Cert }}
groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }}
versionPriority: {{ .Values.apiserver.versionPriority }}
---
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1alpha1.repositories.stash.appscode.com
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
spec:
group: repositories.stash.appscode.com
version: v1alpha1
service:
namespace: {{ .Release.Namespace }}
name: {{ template "stash.fullname" . }}
caBundle: {{ b64enc $ca.Cert }}
groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }}
versionPriority: {{ .Values.apiserver.versionPriority }}
{{ end }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "stash.fullname" . }}-apiserver-cert
namespace: {{ .Release.Namespace }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
type: Opaque
data:
tls.crt: {{ b64enc $cert.Cert }}
tls.key: {{ b64enc $cert.Key }}
---
{{ if .Values.rbac.create }}
# to read the config for terminating authentication
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "stash.fullname" . }}-apiserver-extension-server-authentication-reader
namespace: kube-system
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: {{ template "stash.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
# to delegate authentication and authorization
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "stash.fullname" . }}-apiserver-auth-delegator
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ template "stash.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
\ No newline at end of file
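Review bot: `genCA` at L141 and `genSignedCert` at L145 run on every template render, so each `helm upgrade` mints a new CA and serving key pair and rewrites both the APIService `caBundle` (L162, L181) and the `tls.crt`/`tls.key` Secret (L198-L199); nothing in this file restarts the operator pod that mounts that Secret, which the Deployment section (L344-L426) needs to handle with a checksum annotation on its pod template. The generated private key also ends up in the release record Helm stores in-cluster, which deserves a comment next to the Secret. The `repositories.stash.appscode.com` APIService at L166-L183 is gated on the webhook toggles at L146, which looks unrelated to webhooks — confirm it should not be registered unconditionally. I would add above L141: `# A fresh CA and serving cert are generated on every render; the APIService caBundle and the serving-cert Secret below change on each upgrade.`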
{{ if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "stash.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "stash.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "stash.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{ end }}
{{ if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "stash.fullname" . }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- "*"
- apiGroups:
- extensions
resources:
- thirdpartyresources
verbs:
- "*"
- apiGroups:
- stash.appscode.com
resources: ["*"]
verbs: ["*"]
- apiGroups:
- apps
resources:
- deployments
- statefulsets
verbs: ["get", "list", "watch", "patch"]
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups:
- extensions
resources:
- replicasets
- daemonsets
verbs: ["get", "list", "watch", "patch"]
- apiGroups: [""]
resources:
- namespaces
- replicationcontrollers
verbs: ["get", "list", "watch", "patch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["create", "update", "get", "delete"]
- apiGroups: [""]
resources:
- secrets
verbs: ["get"]
- apiGroups: [""]
resources:
- events
verbs: ["create"]
- apiGroups: [""]
resources:
- nodes
verbs: ["list"]
- apiGroups: [""]
resources:
- pods
- pods/exec
verbs: ["get", "create", "list", "delete", "deletecollection"]
- apiGroups: [""]
resources:
- serviceaccounts
verbs: ["get", "create", "patch", "delete"]
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
- roles
- rolebindings
verbs: ["get", "create", "delete", "patch"]
{{ end }}
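Review bot: The `extensions/thirdpartyresources` rule at L278-L283 targets an API that Kubernetes removed in 1.8, the minimum version the README states, so it grants nothing and should be dropped. The remaining rules give the operator cluster-wide `create` on `pods/exec` (L327-L331), `get` on all `secrets` (L315-L318) and `create` on clusterroles, roles and rolebindings (L336-L342), which together form a privilege-escalation surface for anyone who obtains the operator's service-account token; each such rule deserves a one-line comment naming the feature that requires it, e.g. `# pods/exec create: <feature that needs it> — confirm before widening`. Creating roles and bindings is itself subject to RBAC escalation prevention, so the operator can only grant permissions it already holds, which is presumably why the list is this broad and is worth stating at the top of the rules.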
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: {{ template "stash.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: "{{ template "stash.name" . }}"
release: "{{ .Release.Name }}"
template:
metadata:
labels:
app: "{{ template "stash.name" . }}"
release: "{{ .Release.Name }}"
{{- if and .Values.criticalAddon (eq .Release.Namespace "kube-system") }}
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
{{- end }}
spec:
serviceAccountName: {{ template "stash.serviceAccountName" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 6 }}
{{- end }}
containers:
- name: operator
image: {{ .Values.operator.registry }}/{{ .Values.operator.repository }}:{{ .Values.operator.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
args:
- run
- --v=3
- --rbac={{ .Values.rbac.create }}
- --docker-registry={{ .Values.operator.registry }}
- --secure-port=8443
- --audit-log-path=-
- --tls-cert-file=/var/serving-cert/tls.crt
- --tls-private-key-file=/var/serving-cert/tls.key
- --enable-analytics={{ .Values.enableAnalytics }}
ports:
- containerPort: 8443
- containerPort: 56790
readinessProbe:
httpGet:
path: /healthz
port: 8443
scheme: HTTPS
volumeMounts:
- mountPath: /var/serving-cert
name: serving-cert
- name: pushgateway
image: '{{ .Values.pushgateway.registry }}/{{ .Values.pushgateway.repository }}:{{ .Values.pushgateway.tag }}'
imagePullPolicy: {{ .Values.imagePullPolicy }}
args:
- -web.listen-address=:56789
- -persistence.file=/var/pv/pushgateway.dat
ports:
- containerPort: 56789
volumeMounts:
- mountPath: /var/pv
name: data-volume
- mountPath: /tmp
name: stash-scratchdir
volumes:
- emptyDir: {}
name: data-volume
- emptyDir: {}
name: stash-scratchdir
- name: serving-cert
secret:
defaultMode: 420
secretName: {{ template "stash.fullname" . }}-apiserver-cert
{{- if and .Values.criticalAddon (eq .Release.Namespace "kube-system") }}
tolerations:
- key: CriticalAddonsOnly
operator: Exists
{{- end -}}
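Review bot: The pod template carries no checksum of the serving-cert Secret it mounts at L418-L421, so when an upgrade re-renders the certificate the Secret changes but the Deployment spec does not, and the existing pod keeps serving the old certificate while the APIService already trusts the new CA (unless the operator reloads its TLS files at runtime, which cannot be verified here). Moving the `annotations:` key out of the `criticalAddon` conditional at L365-L368 and adding a checksum of the template that renders the Secret restarts the pod whenever that Secret is re-rendered. `defaultMode: 420` at L420 would also read better with a comment (`# 0644`) since YAML takes the decimal value.
```yaml
  template:
    metadata:
      labels:
        app: "{{ template "stash.name" . }}"
        release: "{{ .Release.Name }}"
      annotations:
        # Restart the pod whenever the serving-cert Secret is re-rendered.
        checksum/apiserver-cert: {{ include (print $.Template.BasePath "/<TEMPLATE-FILE-THAT-RENDERS-THE-SECRET>") . | sha256sum }}
{{- if and .Values.criticalAddon (eq .Release.Namespace "kube-system") }}
        scheduler.alpha.kubernetes.io/critical-pod: ''
{{- end }}
    spec:
# … unchanged: pod spec, containers, volumes, tolerations …
```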
{{- if .Values.apiserver.enableMutatingWebhook }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: admission.stash.appscode.com
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
webhooks:
- name: deployment.admission.stash.appscode.com
clientConfig:
service:
namespace: default
name: kubernetes
path: /apis/admission.stash.appscode.com/v1alpha1/deployments
caBundle: {{ b64enc .Values.apiserver.ca }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- apps
- extensions
apiVersions:
- "*"
resources:
- deployments
failurePolicy: Fail
- name: daemonset.admission.stash.appscode.com
clientConfig:
service:
namespace: default
name: kubernetes
path: /apis/admission.stash.appscode.com/v1alpha1/daemonsets
caBundle: {{ b64enc .Values.apiserver.ca }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- apps
- extensions
apiVersions:
- "*"
resources:
- daemonsets
failurePolicy: Fail
- name: statefulset.admission.stash.appscode.com
clientConfig:
service:
namespace: default
name: kubernetes
path: /apis/admission.stash.appscode.com/v1alpha1/statefulsets
caBundle: {{ b64enc .Values.apiserver.ca }}
rules:
- operations:
- CREATE
apiGroups:
- apps
apiVersions:
- "*"
resources:
- statefulsets
failurePolicy: Fail
- name: replicationcontroller.admission.stash.appscode.com
clientConfig:
service:
namespace: default
name: kubernetes
path: /apis/admission.stash.appscode.com/v1alpha1/replicationcontrollers
caBundle: {{ b64enc .Values.apiserver.ca }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- ""
apiVersions:
- "*"
resources:
- replicationcontrollers
failurePolicy: Fail
- name: replicaset.admission.stash.appscode.com
clientConfig:
service:
namespace: default
name: kubernetes
path: /apis/admission.stash.appscode.com/v1alpha1/replicasets
caBundle: {{ b64enc .Values.apiserver.ca }}
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- apps
- extensions
apiVersions:
- "*"
resources:
- replicasets
failurePolicy: Fail
{{ end }}
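Review bot: With `failurePolicy: Fail` on every webhook and `caBundle: {{ b64enc .Values.apiserver.ca }}` at L447 (and L466, L485, L502, L520), enabling `apiserver.enableMutatingWebhook` while leaving `apiserver.ca` at its empty default (README L86) produces a configuration the API server will typically be unable to verify, after which every CREATE/UPDATE of deployments, daemonsets, statefulsets, replicasets and replicationcontrollers in every namespace — including the operator's own — is rejected. A guard such as `caBundle: {{ required "apiserver.ca is required when enableMutatingWebhook is true" .Values.apiserver.ca | b64enc }}` turns that into an install-time error. Because the resource is a `post-install,post-upgrade` hook (L438-L439), `helm delete` leaves it behind while removing the APIService it routes through, so the same cluster-wide rejection appears after uninstall; the aggregated ClusterRoles at L575-L624 are hook-managed the same way, though harmless there. There is also no `namespaceSelector`, so kube-system workloads are intercepted too; both points deserve a comment above L437.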
{{ if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "stash.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
{{ end }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "stash.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: "{{ template "stash.name" . }}"
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
ports:
# Port used to expose admission webhook apiserver
- name: admission
port: 443
targetPort: 8443
# Port used to expose Prometheus pushgateway
- name: pushgateway
port: 56789
protocol: TCP
targetPort: 56789
# Port used to expose Prometheus metrics for the operator
- name: ops
port: 56790
protocol: TCP
targetPort: 56790
selector:
app: "{{ template "stash.name" . }}"
release: "{{ .Release.Name }}"
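Review bot: The `admission` port at L559-L561 omits `protocol: TCP` while the other two ports set it; it should match for consistency. The `pushgateway` port at L563-L566 exposes the Prometheus pushgateway on the ClusterIP with nothing authenticating callers, so any workload that can reach the service can push or delete metric groups; a comment stating this is intentional, e.g. `# unauthenticated; reachable by any in-cluster client`, would keep a reader from assuming otherwise.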
{{ if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: appscode:stash:edit
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
rules:
- apiGroups:
- stash.appscode.com
resources:
- restics
- recoveries
- repositories
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: appscode:stash:view
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
rules:
- apiGroups:
- stash.appscode.com
resources:
- restics
- recoveries
- repositories
verbs:
- get
- list
- watch
{{ end }}
\ No newline at end of file
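Review bot: The two ClusterRoles at L576-L601 and L603-L623 carry none of the `chart`/`app`/`heritage`/`release` labels that every other resource in the chart sets under `metadata.labels`, so they cannot be found by release, and the key order (`kind` before `apiVersion` at L603-L604) differs from the first document; both should match the rest of the chart. ClusterRole aggregation via the `rbac.authorization.k8s.io/aggregate-to-*` labels exists from Kubernetes 1.9, whereas the README states 1.8+; on 1.8 the roles are created but never aggregated, which is worth a comment above L581. The file also ends without a trailing newline.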
{{- if .Values.apiserver.enableValidatingWebhook }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: admission.stash.appscode.com
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
app: "{{ template "stash.name" . }}"
heritage: "{{ .Release.Service }}"
release: "{{ .Release.Name }}"
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
webhooks: