Renders a ConfigMap with the admission webhook client CA certificate, which is used to verify AdmissionReview requests.
{{ include "helm_lib_admission_webhook_client_ca_certificate" (list . "namespace") }}
list:
- Template context with .Values, .Chart, etc
- Namespace where CA configmap will be created
returns true if the specified resource kind (case-insensitive) is represented in the cluster
{{ include "helm_lib_kind_exists" (list . "<kind-name>") }}
list:
- Template context with .Values, .Chart, etc
- Kind name portion
returns current apiVersion string, based on available helm capabilities, for the provided kind (not all kinds are supported)
{{ include "helm_lib_get_api_version_by_kind" (list . "<kind-name>") }}
list:
- Template context with .Values, .Chart, etc
- Kind name portion
returns image name in format "registry/package@digest"
{{ include "helm_lib_application_image" (list . "<image-name>") }}
returns PodSecurityContext parameters for Pod with custom user and group
{{ include "helm_lib_application_pod_security_context_run_as_user_custom" (list . 1000 1000) }}
list:
- Template context with .Values, .Chart, etc
- User id
- Group id
returns PodSecurityContext parameters for Pod with user and group "nobody"
{{ include "helm_lib_application_pod_security_context_run_as_user_nobody" . }}
- Template context with .Values, .Chart, etc
returns PodSecurityContext parameters for Pod with user and group "nobody" with write access to mounted volumes
{{ include "helm_lib_application_pod_security_context_run_as_user_nobody_with_writable_fs" . }}
- Template context with .Values, .Chart, etc
returns PodSecurityContext parameters for Pod with user and group "deckhouse"
{{ include "helm_lib_application_pod_security_context_run_as_user_deckhouse" . }}
- Template context with .Values, .Chart, etc
returns PodSecurityContext parameters for Pod with user and group "deckhouse" with write access to mounted volumes
{{ include "helm_lib_application_pod_security_context_run_as_user_deckhouse_with_writable_fs" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext parameters for Container with user and group "deckhouse" plus minimal required settings to comply with the Restricted mode of the Pod Security Standards
{{ include "helm_lib_application_container_security_context_run_as_user_deckhouse_pss_restricted" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext for Container with Deckhouse UID/GID 64535 (or root), PSS Restricted. Optional keys of the dict argument (no template context is passed):
- .ro – bool, read-only root FS (default true)
- .caps – []string, capabilities.add (default empty)
- .uid – int, runAsUser/runAsGroup (default 64535)
- .runAsNonRoot – bool, run as Deckhouse user when true, root when false (default true)
- .seccompProfile – bool, disable seccompProfile when false (default true)
{{ include "helm_lib_application_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false "runAsNonRoot" true) }}
returns PodSecurityContext parameters for Pod with user and group 0
{{ include "helm_lib_application_pod_security_context_run_as_user_root" . }}
- Template context with .Values, .Chart, etc
returns PodSecurityContext parameters for Pod with seccomp profile RuntimeDefault
{{ include "helm_lib_application_pod_security_context_runtime_default" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext parameters for Container with allowPrivilegeEscalation false
{{ include "helm_lib_application_container_security_context_not_allow_privilege_escalation" . }}
returns SecurityContext parameters for Container with read only root filesystem and options for SELinux compatibility
{{ include "helm_lib_application_container_security_context_read_only_root_filesystem_with_selinux" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext parameters for Container with read only root filesystem
{{ include "helm_lib_application_container_security_context_read_only_root_filesystem" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext parameters for Container running privileged
{{ include "helm_lib_application_container_security_context_privileged" . }}
returns SecurityContext parameters for Container running privileged with escalation and sys_admin
{{ include "helm_lib_application_container_security_context_escalated_sys_admin_privileged" . }}
returns SecurityContext parameters for Container running privileged with read only root filesystem
{{ include "helm_lib_application_container_security_context_privileged_read_only_root_filesystem" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext for Container with read only root filesystem and all capabilities dropped
{{ include "helm_lib_application_container_security_context_read_only_root_filesystem_capabilities_drop_all" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext parameters for Container with read only root filesystem, all dropped and some added capabilities
{{ include "helm_lib_application_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }}
list:
- Template context with .Values, .Chart, etc
- List of capabilities
returns SecurityContext parameters for Container with all dropped and some added capabilities
{{ include "helm_lib_application_container_security_context_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }}
list:
- Template context with .Values, .Chart, etc
- List of capabilities
returns SecurityContext parameters for Container with read only root filesystem, all capabilities dropped, and custom user and group IDs
{{ include "helm_lib_application_container_security_context_capabilities_drop_all_and_run_as_user_custom" (list . 1000 1000) }}
list:
- Template context with .Values, .Chart, etc
- User id
- Group id
returns SecurityContext parameters for Container with minimal required settings to comply with the Restricted mode of the Pod Security Standards
{{ include "helm_lib_application_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . }}
- Template context with .Values, .Chart, etc
Renders common manifests for provider-specific CAPI Controller Managers. Includes Deployment, VerticalPodAutoscaler (optional) and PodDisruptionBudget (optional). Supported configuration parameters:
- fullname (required) — resource base name used for Deployment, PDB, VPA, and by default for the main container name.
- namespace (optional, default: d8-{{ $context.Chart.Name }}) — resource base namespace.
- image (required) — image for the main container.
- capiProviderName (required) — value for the cluster.x-k8s.io/provider label in selectors and pod labels.
- resources (optional, default: {cpu: 25m, memory: 50Mi}) — main container resource requests used when VPA is disabled.
- priorityClassName (optional, default: "system-cluster-critical") — Pod priority class name.
- serviceAccountName (optional, default: $config.fullname) — ServiceAccount name used by the Pod.
- automountServiceAccountToken (optional, default: true) — controls whether the service account token is mounted into the Pod.
- revisionHistoryLimit (optional, default: 2) — number of old ReplicaSets retained by the Deployment.
- terminationGracePeriodSeconds (optional, default: 10) — Pod termination grace period.
- hostNetwork (optional, default: false) — enables host networking for the Pod.
- dnsPolicy (optional, default: nil) — Pod DNS policy; if not set, the field is omitted.
- nodeSelectorStrategy (optional, default: "master") — strategy passed to helm_lib_node_selector.
- tolerationsStrategies (optional, default: ["any-node", "uninitialized"]) — arguments passed to helm_lib_tolerations.
- livenessProbe (optional, default: {httpGet: {path: /healthz, port: 8081}, initialDelaySeconds: 15, periodSeconds: 20}) — liveness probe configuration for the main container.
- readinessProbe (optional, default: {httpGet: {path: /readyz, port: 8081}, initialDelaySeconds: 5, periodSeconds: 10}) — readiness probe configuration for the main container.
- additionalArgs (optional, default: []) — extra args for the main container.
- additionalEnv (optional, default: []) — extra environment variables for the main container.
- additionalPorts (optional, default: []) — extra container ports for the main container.
- additionalInitContainers (optional, default: []) — extra initContainers for the Pod.
- additionalVolumeMounts (optional, default: []) — extra volumeMounts for the main container.
- additionalVolumes (optional, default: []) — extra Pod volumes.
- additionalPodLabels (optional, default: {}) — extra labels added to the pod template metadata.
- additionalPodAnnotations (optional, default: {}) — extra annotations added to the pod template metadata.
- pdbEnabled (optional, default: true) — enables PodDisruptionBudget rendering.
- pdbMaxUnavailable (optional, default: 1) — maxUnavailable value for PodDisruptionBudget.
- vpaEnabled (optional, default: false) — enables VerticalPodAutoscaler rendering.
- vpaUpdateMode (optional, default: "InPlaceOrRecreate") — VPA update mode.
- vpaMaxAllowed (optional, default: {cpu: 50m, memory: 50Mi}) — maximum resource values used in VPA policy.
- securityPolicyExceptionEnabled (optional, default: false) — enables SecurityPolicyException rendering and adds the related pod label.
{{ include "helm_lib_capi_controller_manager_manifests" (list . $config) }}
list:
- Template context with .Values, .Chart, etc.
- Configuration dict for the CAPI Controller Manager.
Renders common manifests for provider-specific Cloud Controller Managers. Includes Deployment, VerticalPodAutoscaler (optional), PodDisruptionBudget (optional), and SecurityPolicyException (optional). Supported configuration parameters:
- fullname (optional, default: "cloud-controller-manager") — resource base name used for Deployment, PDB, VPA, SecurityPolicyException, and the main container name by default.
- namespace (optional, default: d8-{{ $context.Chart.Name }}) — resource base namespace.
- image (required) — image for the main container.
- resources (optional, default: {cpu: 25m, memory: 50Mi}) — main container resource requests used when VPA is disabled.
- priorityClassName (optional, default: "system-cluster-critical") — Pod priority class name.
- nodeSelectorStrategy (optional, default: "master") — strategy passed to helm_lib_node_selector.
- tolerationsStrategies (optional, default: ["wildcard"]) — strategies passed to helm_lib_tolerations.
- hostNetwork (optional, default: true) — enables host networking for the Pod and SecurityPolicyException network rule generation.
- dnsPolicy (optional, default: "Default") — Pod DNS policy.
- automountServiceAccountToken (optional, default: true) — controls whether the service account token is mounted into the Pod.
- serviceAccountName (optional, default: $config.fullname) — ServiceAccount name used by the Pod.
- revisionHistoryLimit (optional, default: 2) — number of old ReplicaSets retained by the Deployment.
- livenessProbe (optional, default: {httpGet: {path: /healthz, port: 10471, host: 127.0.0.1, scheme: HTTPS}}) — liveness probe configuration for the main container.
- readinessProbe (optional, default: {httpGet: {path: /healthz, port: 10471, host: 127.0.0.1, scheme: HTTPS}}) — readiness probe configuration for the main container.
- additionalEnvs (optional, default: []) — extra environment variables for the main container.
- additionalArgs (optional, default: nil) — extra args for the main container.
- additionalVolumeMounts (optional, default: []) — extra volumeMounts for the main container.
- additionalVolumes (optional, default: []) — extra Pod volumes; hostPath volumes are also used to build SecurityPolicyException rules when enabled.
- additionalPodLabels (optional, default: {}) — extra labels added to the pod template metadata.
- additionalPodAnnotations (optional, default: {}) — extra annotations added to the pod template metadata.
- pdbEnabled (optional, default: true) — enables PodDisruptionBudget rendering.
- pdbMaxUnavailable (optional, default: 1) — maxUnavailable value for PodDisruptionBudget.
- additionalPDBAnnotations (optional, default: {}) — extra annotations added to PodDisruptionBudget metadata.
- vpaEnabled (optional, default: true) — enables VerticalPodAutoscaler rendering.
- vpaUpdateMode (optional, default: "InPlaceOrRecreate") — VPA update mode.
- vpaMaxAllowed (optional, default: {cpu: 50m, memory: 50Mi}) — maximum resource values used in VPA policy.
- securityPolicyExceptionEnabled (optional, default: false) — enables SecurityPolicyException rendering and adds the related pod label.
{{ include "helm_lib_cloud_controller_manager_manifests" (list . $config) }}
list:
- Template context with .Values, .Chart, etc.
- Configuration dict for the Cloud Controller Manager.
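An added example (not helm_lib's own code) of a provider chart assembling the configuration dict for helm_lib_cloud_controller_manager_manifests and rendering it. The image name "cloudControllerManager", the flags, the hostPath /etc/kubernetes/cloud-config and the ServiceAccount name are placeholders. The same pattern applies to helm_lib_capi_controller_manager_manifests and helm_lib_cloud_data_discoverer_manifests with their own parameter sets. Note that hostPath volumes in additionalVolumes only turn into SecurityPolicyException rules when securityPolicyExceptionEnabled is set (it defaults to false), so the two settings are set together here.

```yaml
{{- /* Added example, not helm_lib's own code: a provider chart assembling the
      configuration dict for helm_lib_cloud_controller_manager_manifests.
      The image name "cloudControllerManager", the flags, the hostPath
      /etc/kubernetes/cloud-config and the ServiceAccount name are placeholders. */ -}}
{{- $config := dict }}
{{- $_ := set $config "image" (include "helm_lib_module_image" (list . "cloudControllerManager")) }}
{{- $_ := set $config "additionalArgs" (list "--cloud-provider=example" "--leader-elect=true") }}
{{- /* The CCM runs with hostNetwork: true by default. Mount the provider
      config from the host read-only so the container cannot alter it. */ }}
{{- $_ := set $config "additionalVolumes" (list (dict "name" "cloud-config" "hostPath" (dict "path" "/etc/kubernetes/cloud-config" "type" "File"))) }}
{{- $_ := set $config "additionalVolumeMounts" (list (dict "name" "cloud-config" "mountPath" "/etc/kubernetes/cloud-config" "readOnly" true)) }}
{{- /* hostPath volumes only become SecurityPolicyException rules when the
      exception is enabled, so enable it together with the volume above. */ }}
{{- $_ := set $config "securityPolicyExceptionEnabled" true }}
{{- /* A dedicated ServiceAccount keeps the CCM's RBAC scoped to what it needs
      instead of sharing a broader account with other components. */ }}
{{- $_ := set $config "serviceAccountName" "cloud-controller-manager" }}
{{- $_ := set $config "vpaMaxAllowed" (dict "cpu" "100m" "memory" "100Mi") }}
{{ include "helm_lib_cloud_controller_manager_manifests" (list . $config) }}
```

Parameters left unset keep the defaults listed above (PDB and VPA enabled, tolerations "wildcard", dnsPolicy "Default"); check those defaults against your provider's needs rather than relying on them blindly, in particular hostNetwork, which exposes the Pod on the node's network namespace.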
Renders common manifests for provider-specific Cloud Data Discoverers. Includes Deployment, VerticalPodAutoscaler (optional) and PodDisruptionBudget (optional). Supported configuration parameters:
- fullname (optional, default: "cloud-data-discoverer") — resource base name used for Deployment, PDB, VPA, and the main container name by default.
- namespace (optional, default: d8-{{ $context.Chart.Name }}) — resource base namespace.
- image (required) — image for the main container.
- resources (optional, default: {cpu: 25m, memory: 50Mi}) — main container resource requests used when VPA is disabled.
- replicas (optional, default: 1) — number of Deployment replicas.
- revisionHistoryLimit (optional, default: 2) — number of old ReplicaSets retained by the Deployment.
- serviceAccountName (optional, default: $config.fullname) — ServiceAccount name used by the Pod.
- automountServiceAccountToken (optional, default: true) — controls whether the service account token is mounted into the Pod.
- priorityClassName (optional, default: "cluster-low") — Pod priority class name.
- nodeSelectorStrategy (optional, default: "master") — strategy passed to helm_lib_node_selector.
- tolerationsStrategies (optional, default: ["any-node", "with-uninitialized"]) — strategies passed to helm_lib_tolerations.
- livenessProbe (optional, default: {httpGet: {path: /healthz, port: 8080, scheme: HTTPS}}) — liveness probe configuration for the main container.
- readinessProbe (optional, default: {httpGet: {path: /healthz, port: 8080, scheme: HTTPS}}) — readiness probe configuration for the main container.
- additionalArgs (optional, default: []) — extra args for the main container.
- additionalEnv (optional, default: []) — extra environment variables for the main container.
- additionalPodLabels (optional, default: {}) — extra labels added to the pod template metadata.
- additionalPodAnnotations (optional, default: {}) — extra annotations added to the pod template metadata.
- additionalInitContainers (optional, default: []) — extra initContainers for the Pod.
- additionalVolumes (optional, default: []) — extra Pod volumes.
- additionalVolumeMounts (optional, default: []) — extra volumeMounts for the main container.
- pdbEnabled (optional, default: true) — enables PodDisruptionBudget rendering.
- pdbMaxUnavailable (optional, default: 1) — maxUnavailable value for PodDisruptionBudget.
- vpaEnabled (optional, default: true) — enables VerticalPodAutoscaler rendering.
- vpaUpdateMode (optional, default: "Initial") — VPA update mode.
- vpaMaxAllowed (optional, default: {cpu: 50m, memory: 50Mi}) — maximum resource values used in VPA policy.
{{ include "helm_lib_cloud_data_discoverer_manifests" (list . $config) }}
list:
- Template context with .Values, .Chart, etc.
- Configuration dict for the Cloud Data Discoverer.
Renders PodMonitor manifest for provider-specific Cloud Data Discoverers. Supported configuration parameters:
- fullname (optional, default: "cloud-data-discoverer") — PodMonitor base name.
- targetNamespace (required) — target pod namespace for selector.
- additionalRelabelings (optional, default: []) — additional rules for labels rewriting.
{{ include "helm_lib_cloud_data_discoverer_pod_monitor" (list . $config) }}
returns image name from storage foundation module if enabled, otherwise from common module
{{ include "helm_lib_csi_image_with_common_fallback" (list . "<raw-container-name>" "<semver>") }}
list:
- Template context with .Values, .Chart, etc
- Container raw name
- Kubernetes semantic version
returns the proper dnsPolicy value depending on the cluster bootstrap phase
{{ include "helm_lib_dns_policy_bootstraping_state" (list . "Default" "ClusterFirstWithHostNet") }}
Adds cluster-autoscaler.kubernetes.io/enable-ds-eviction annotation to manage DaemonSet eviction by the Cluster Autoscaler.
This is important to prevent the eviction of DaemonSet pods during cluster scaling.
{{ include "helm_lib_prevent_ds_eviction_annotation" . }}
Adds HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables to a container, depending on the cluster proxy settings
{{ include "helm_lib_envs_for_proxy" . }}
- Template context with .Values, .Chart, etc
returns the "yes" value if the cluster is highly available, otherwise the "no" value
{{ include "helm_lib_is_ha_to_value" (list . "yes" "no") }}
list:
- Template context with .Values, .Chart, etc
- Yes value
- No value
returns an empty string when HA is not enabled (treated by Go templates as false) and a non-empty string otherwise
{{- if (include "helm_lib_ha_enabled" .) }}
- Template context with .Values, .Chart, etc
Renders a ConfigMap with the kube-rbac-proxy CA certificate, which kube-rbac-proxy uses to verify its clients.
{{ include "helm_lib_kube_rbac_proxy_ca_certificate" (list . "namespace") }}
list:
- Template context with .Values, .Chart, etc
- Namespace where CA configmap will be created
Returns default controller resources
{{ include "helm_lib_module_controller_resources" . }}
Returns default webhooks resources
{{ include "helm_lib_module_webhooks_resources" . }}
Returns numeric log level from module values
{{ include "helm_lib_module_controller_log_level" (list . "csiHpe") }}
returns rendered documentation uri using publicDomainTemplate or deckhouse.io domains
{{ include "helm_lib_module_documentation_uri" (list . "<path_to_document>") }}
returns ephemeral-storage size for logs with extra space: 50Mi for container logs (log-opts.max-file * log-opts.max-size) is added to the passed value
{{ include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 }}
- Extra space in mebibytes
returns ephemeral-storage size for logs only: 50Mi for container logs (log-opts.max-file * log-opts.max-size) is requested
{{ include "helm_lib_module_ephemeral_storage_only_logs" . }}
- Template context with .Values, .Chart, etc
accepts a dict that is updated with current gateway name and namespace
{{- include "helm_lib_module_gateway" (list . $gateway) }}
list:
- Template context with .Values, .Chart, etc
- An empty dict to update with current default gateway name and namespace
returns the commonName parameter for use in the Certificate custom resource (cert-manager)
{{ include "helm_lib_module_generate_common_name" (list . "<name-portion>") }}
list:
- Template context with .Values, .Chart, etc
- Name portion
returns module URI scheme, "http" or "https"
{{ include "helm_lib_module_uri_scheme" . }}
- Template context with .Values, .Chart, etc
returns https mode for module
{{ if (include "helm_lib_module_https_mode" .) }}
- Template context with .Values, .Chart, etc
returns cluster issuer name
{{ include "helm_lib_module_https_cert_manager_cluster_issuer_name" . }}
- Template context with .Values, .Chart, etc
returns a non-empty string if TLS should be enabled for the ingress
{{ if (include "helm_lib_module_https_ingress_tls_enabled" .) }}
- Template context with .Values, .Chart, etc
returns a non-empty string if TLS should be enabled for the route
{{ if (include "helm_lib_module_https_route_tls_enabled" .) }}
- Template context with .Values, .Chart, etc
Renders secret with custom certificate in passed namespace with passed prefix
{{ include "helm_lib_module_https_copy_custom_certificate" (list . "namespace" "secret_name_prefix") }}
list:
- Template context with .Values, .Chart, etc
- Namespace
- Secret name prefix
returns custom certificate name
{{ include "helm_lib_module_https_secret_name" (list . "secret_name_prefix") }}
list:
- Template context with .Values, .Chart, etc
- Secret name prefix
returns image name
{{ include "helm_lib_module_image" (list . "<container-name>" "<module-name>(optional)") }}
list:
- Template context with .Values, .Chart, etc
- Container name
- Module name (optional)
returns image name if found
{{ include "helm_lib_module_image_no_fail" (list . "<container-name>") }}
list:
- Template context with .Values, .Chart, etc
- Container name
returns image name from common module
{{ include "helm_lib_module_common_image" (list . "<container-name>") }}
list:
- Template context with .Values, .Chart, etc
- Container name
returns image name from common module if found
{{ include "helm_lib_module_common_image_no_fail" (list . "<container-name>") }}
list:
- Template context with .Values, .Chart, etc
- Container name
returns image digest
{{ include "helm_lib_module_image_digest" (list . "<container-name>" "<module-name>(optional)") }}
list:
- Template context with .Values, .Chart, etc
- Container name
- Module name (optional)
returns image digest if found
{{ include "helm_lib_module_image_digest_no_fail" (list . "<container-name>" "<module-name>(optional)") }}
list:
- Template context with .Values, .Chart, etc
- Container name
- Module name (optional)
returns the ingress class from module settings, or from the global config if the module does not set one
{{ include "helm_lib_module_ingress_class" . }}
- Template context with .Values, .Chart, etc
returns nginx ingress additional headers (e.g. HSTS) if HTTPS is enabled
nginx.ingress.kubernetes.io/configuration-snippet: |
  {{ include "helm_lib_module_ingress_configuration_snippet" . | nindent 6 }}
- Template context with .Values, .Chart, etc
returns initContainer which recursively chowns all files and directories in the passed volume to user "nobody"
{{ include "helm_lib_module_init_container_chown_nobody_volume" (list . "volume-name") }}
list:
- Template context with .Values, .Chart, etc
- Volume name
returns initContainer which recursively chowns all files and directories in the passed volume to user "deckhouse"
{{ include "helm_lib_module_init_container_chown_deckhouse_volume" (list . "volume-name") }}
list:
- Template context with .Values, .Chart, etc
- Volume name
returns initContainer which checks that the node kernel version satisfies the semver constraint
{{ include "helm_lib_module_init_container_check_linux_kernel" (list . ">= 4.9.17") }}
list:
- Template context with .Values, .Chart, etc
- Semver constraint
returns initContainer with iptables-wrapper
{{ include "helm_lib_module_init_container_iptables_wrapper" . }}
- Template context with .Values, .Chart, etc
returns deckhouse labels
{{ include "helm_lib_module_labels" (list . (dict "app" "test" "component" "testing")) }}
list:
- Template context with .Values, .Chart, etc
- Additional labels dict
returns the service FQDN rendered from publicDomainTemplate
{{ include "helm_lib_module_public_domain" (list . "<name-portion>") }}
list:
- Template context with .Values, .Chart, etc
- Name portion
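An added example (not helm_lib's own code) that ties the https helpers, ingress class, configuration snippet and public domain helpers together in one Ingress for a module UI. The name portion "dashboard", the Secret prefix "ingress-tls", the backend Service name and port are placeholders. The TLS block, the HSTS snippet and the custom-certificate Secret are all gated on the same https helpers, so the Ingress only serves plain HTTP when the module's https mode says so, and never ends up with a tls: section that points at a Secret nobody rendered.

```yaml
{{- /* Added example, not helm_lib's own code. "dashboard", "ingress-tls" and the
      backend Service are placeholders. */ -}}
{{- if (include "helm_lib_module_https_mode" .) }}
{{- /* Copies the cluster-wide custom certificate into this module's namespace
      under the prefix used below; renders nothing when a custom certificate
      is not in use. */ }}
{{ include "helm_lib_module_https_copy_custom_certificate" (list . (printf "d8-%s" .Chart.Name) "ingress-tls") }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "dashboard")) | nindent 2 }}
  annotations:
    {{- if (include "helm_lib_module_https_ingress_tls_enabled" .) }}
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    {{- end }}
    {{- /* HSTS and related headers are emitted only when HTTPS is enabled */ }}
    nginx.ingress.kubernetes.io/configuration-snippet: |
      {{- include "helm_lib_module_ingress_configuration_snippet" . | nindent 6 }}
spec:
  ingressClassName: {{ include "helm_lib_module_ingress_class" . | quote }}
  {{- if (include "helm_lib_module_https_ingress_tls_enabled" .) }}
  tls:
  - hosts:
    - {{ include "helm_lib_module_public_domain" (list . "dashboard") }}
    secretName: {{ include "helm_lib_module_https_secret_name" (list . "ingress-tls") }}
  {{- end }}
  rules:
  - host: {{ include "helm_lib_module_public_domain" (list . "dashboard") }}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: dashboard
            port:
              number: 443
{{- end }}
```

When cert-manager issues the certificate instead of a custom one, the Certificate resource is rendered separately with helm_lib_module_https_cert_manager_cluster_issuer_name and helm_lib_module_generate_common_name; the Secret name it produces still has to match the prefix passed to helm_lib_module_https_secret_name here.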
returns PodSecurityContext parameters for Pod with custom user and group
{{ include "helm_lib_module_pod_security_context_run_as_user_custom" (list . 1000 1000) }}
list:
- Template context with .Values, .Chart, etc
- User id
- Group id
returns PodSecurityContext parameters for Pod with user and group "nobody"
{{ include "helm_lib_module_pod_security_context_run_as_user_nobody" . }}
- Template context with .Values, .Chart, etc
returns PodSecurityContext parameters for Pod with user and group "nobody" with write access to mounted volumes
{{ include "helm_lib_module_pod_security_context_run_as_user_nobody_with_writable_fs" . }}
- Template context with .Values, .Chart, etc
returns PodSecurityContext parameters for Pod with user and group "deckhouse"
{{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . }}
- Template context with .Values, .Chart, etc
returns PodSecurityContext parameters for Pod with user and group "deckhouse" with write access to mounted volumes
{{ include "helm_lib_module_pod_security_context_run_as_user_deckhouse_with_writable_fs" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext parameters for Container with user and group "deckhouse" plus minimal required settings to comply with the Restricted mode of the Pod Security Standards
{{ include "helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext for Container with Deckhouse UID/GID 64535 (or root), PSS Restricted. Optional keys of the dict argument (no template context is passed):
- .ro – bool, read-only root FS (default true)
- .caps – []string, capabilities.add (default empty)
- .uid – int, runAsUser/runAsGroup (default 64535)
- .runAsNonRoot – bool, run as Deckhouse user when true, root when false (default true)
- .seccompProfile – bool, disable seccompProfile when false (default true)
{{ include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false "runAsNonRoot" true) }}
returns PodSecurityContext parameters for Pod with user and group 0
{{ include "helm_lib_module_pod_security_context_run_as_user_root" . }}
- Template context with .Values, .Chart, etc
returns PodSecurityContext parameters for Pod with seccomp profile RuntimeDefault
{{ include "helm_lib_module_pod_security_context_runtime_default" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext parameters for Container with allowPrivilegeEscalation false
{{ include "helm_lib_module_container_security_context_not_allow_privilege_escalation" . }}
returns SecurityContext parameters for Container with read only root filesystem and options for SELinux compatibility
{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_with_selinux" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext parameters for Container with read only root filesystem
{{ include "helm_lib_module_container_security_context_read_only_root_filesystem" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext parameters for Container running privileged
{{ include "helm_lib_module_container_security_context_privileged" . }}
returns SecurityContext parameters for Container running privileged with escalation and sys_admin
{{ include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . }}
returns SecurityContext parameters for Container running privileged with read only root filesystem
{{ include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext for Container with read only root filesystem and all capabilities dropped
{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . }}
- Template context with .Values, .Chart, etc
returns SecurityContext parameters for Container with read only root filesystem, all dropped and some added capabilities
{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }}
list:
- Template context with .Values, .Chart, etc
- List of capabilities
returns SecurityContext parameters for Container with all dropped and some added capabilities
{{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_add" (list . (list "KILL" "SYS_PTRACE")) }}
list:
- Template context with .Values, .Chart, etc
- List of capabilities
returns SecurityContext parameters for Container with read only root filesystem, all capabilities dropped, and custom user and group IDs
{{ include "helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom" (list . 1000 1000) }}
list:
- Template context with .Values, .Chart, etc
- User id
- Group id
returns SecurityContext parameters for Container with minimal required settings to comply with the Restricted mode of the Pod Security Standards
{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . }}
- Template context with .Values, .Chart, etc
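An added example (not helm_lib's own code) showing how the Pod-level and container-level helpers above are meant to be paired, for both the helm_lib_module_* and the identically named helm_lib_application_* variants. The container names, the image names passed to helm_lib_module_image and the /tmp mount are placeholders. The second container deliberately shows the caveat: a sidecar that needs NET_ADMIN gets it through the flexible helper on top of the otherwise restricted defaults rather than through the privileged helper. Keep in mind that the Restricted profile of the Pod Security Standards allows adding only NET_BIND_SERVICE, so a container with NET_ADMIN no longer satisfies Restricted and needs a policy exception in clusters that enforce it.

```yaml
# Added example, not helm_lib's own code: a Pod template that pairs the
# Pod-level helper with a per-container helper. "controller", "route-agent",
# the image names and the /tmp mount are placeholders.
spec:
  template:
    spec:
      {{- /* runAsUser/runAsGroup "deckhouse" for every container in the Pod */ }}
      {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }}
      containers:
      - name: controller
        image: {{ include "helm_lib_module_image" (list . "controller") }}
        {{- /* Restricted profile: no privilege escalation, all capabilities
               dropped, read-only root filesystem */ }}
        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
        volumeMounts:
        {{- /* the root filesystem is read-only, so anything the process writes
               needs an explicit writable mount */ }}
        - name: tmp
          mountPath: /tmp
      - name: route-agent
        image: {{ include "helm_lib_module_image" (list . "routeAgent") }}
        {{- /* this sidecar programs routes and needs NET_ADMIN: add only that
               capability on top of the restricted defaults instead of using
               the privileged helper; the other dict keys keep their defaults */ }}
        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "caps" (list "NET_ADMIN")) | nindent 8 }}
      volumes:
      - name: tmp
        emptyDir: {}
```

If the workload needs to write into a mounted volume owned by another user, use the *_with_writable_fs Pod helper (which sets the fsGroup) or one of the chown initContainer helpers instead of loosening the container security context.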
returns module StorageClass annotations
{{ include "helm_lib_module_storage_class_annotations" (list $ $index $storageClass.name) }}
list:
- Template context with .Values, .Chart, etc
- Storage class index
- Storage class name
returns all the dashboard definitions from the root dir; the current dir is optional (used for recursion, but you can use it for partially generating dashboards)
{{ include "helm_lib_grafana_dashboard_definitions_recursion" (list . <root dir> [current dir]) }}
list:
- Template context with .Values, .Chart, etc
- Dashboards root dir
- Dashboards current dir
returns dashboard definitions from monitoring/grafana-dashboards/
{{ include "helm_lib_grafana_dashboard_definitions" . }}
- Template context with .Values, .Chart, etc
renders a single dashboard
{{ include "helm_lib_single_dashboard" (list . "dashboard-name" "folder" $dashboard) }}
list:
- Template context with .Values, .Chart, etc
- Dashboard name
- Folder
- Dashboard definition
returns all the prometheus rules from the root dir; the current dir is optional (used for recursion, but you can use it for partially generating rules); the file list is optional (list of files to include; filters the files if provided)
{{ include "helm_lib_prometheus_rules_recursion" (list . <namespace> <root dir> [current dir] [file list]) }}
list:
- Template context with .Values, .Chart, etc
- Namespace for creating rules
- Rules root dir
- Current dir (optional)
- File list for filtering (optional)
returns all the prometheus rules from monitoring/prometheus-rules/ optionally filtered by fileList
{{ include "helm_lib_prometheus_rules" (list . <namespace> [fileList]) }}
list:
- Template context with .Values, .Chart, etc
- Namespace for creating rules
returns the scrape timeout adjusted to the scrape interval
{{ include "helm_lib_prometheus_target_scrape_timeout_seconds" (list . <timeout>) }}
list:
- Template context with .Values, .Chart, etc
- Target timeout in seconds
Verifies the node selector strategy.
Returns the nodeSelector for workloads depending on the strategy.
list:
- Template context with .Values, .Chart, etc
- Strategy, one of "frontend", "monitoring", "system", "master", "any-node", "wildcard"
Returns tolerations for workloads depending on the strategy.
{{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized" "without-storage-problems") }}
list:
- Template context with .Values, .Chart, etc
- Base strategy, one of "frontend", "monitoring", "system", "any-node", "wildcard"
- List of additional strategies. To add a strategy, list it with the prefix "with-"; to remove one, list it with the prefix "without-".
Checks the cluster type. Returns a non-empty string if this is a cloud or hybrid cluster.
Verifies the base strategy. Fails if the strategy is not in the allowed list.
Base strategy for any uncordoned node in cluster.
{{ include "helm_lib_tolerations" (tuple . "any-node") }}
Base strategy that tolerates all.
{{ include "helm_lib_tolerations" (tuple . "wildcard") }}
Base strategy that tolerates nodes with "dedicated.deckhouse.io: monitoring" and "dedicated.deckhouse.io: system" taints.
{{ include "helm_lib_tolerations" (tuple . "monitoring") }}
Base strategy that tolerates nodes with "dedicated.deckhouse.io: frontend" taints.
{{ include "helm_lib_tolerations" (tuple . "frontend") }}
Base strategy that tolerates nodes with "dedicated.deckhouse.io: system" taints.
{{ include "helm_lib_tolerations" (tuple . "system") }}
Additional strategy "uninitialized" - used for CNIs and kube-proxy to allow CNI components to be scheduled on a node after CCM initialization.
{{ include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") }}
Additional strategy "node-problems" - used to schedule critical components on non-ready nodes or nodes under pressure.
{{ include "helm_lib_tolerations" (tuple . "any-node" "with-node-problems") }}
Additional strategy "storage-problems" - used to schedule critical components on nodes with DRBD problems. This additional strategy is enabled by default in any base strategy except "wildcard".
{{ include "helm_lib_tolerations" (tuple . "any-node" "without-storage-problems") }}
Additional strategy "no-csi" - used for any node with no CSI: any node, which was initialized by deckhouse, but have no csi-node driver registered on it.
{{ include "helm_lib_tolerations" (tuple . "any-node" "with-no-csi") }}
Additional strategy "cloud-provider-uninitialized" - used for any node which is not initialized by CCM.
{{ include "helm_lib_tolerations" (tuple . "any-node" "with-cloud-provider-uninitialized") }}
Returns maxUnavailable for a DaemonSet PodDisruptionBudget
{{ include "helm_lib_pdb_daemonset" . }}
- Template context with .Values, .Chart, etc
returns priority class
list:
- Template context with .Values, .Chart, etc
- Priority class name
returns rendered resources section based on configuration if it is present
{{ include "helm_lib_resources_management_pod_resources" (list <resources configuration> [ephemeral storage requests]) }}
list:
- VPA resource configuration
- Ephemeral storage requests (optional)
returns rendered resources section based on configuration if it is present
{{ include "helm_lib_resources_management_original_pod_resources" <resources configuration> }}
- VPA resource configuration example
returns rendered vpa spec based on configuration and target reference
{{ include "helm_lib_resources_management_vpa_spec" (list <target apiversion> <target kind> <target name> <target container> <resources configuration> ) }}
list:
- Target API version
- Target Kind
- Target Name
- Target container name
- VPA resource configuration example
helper for converting cpu units to millicores
{{ include "helm_lib_resources_management_cpu_units_to_millicores" <cpu units> }}
helper for converting memory units to bytes
{{ include "helm_lib_resources_management_memory_units_to_bytes" <memory units> }}
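An added example (not helm_lib's own code) of the resources-management helpers used together: the VerticalPodAutoscaler for a Deployment and the container resources block driven by the same configuration. It assumes the module keeps that configuration at .Values.exampleModule.resourcesManagement (a placeholder path), that helm_lib_resources_management_vpa_spec renders the body of the VPA spec and helm_lib_resources_management_pod_resources renders the body of the container resources block (the page calls them "rendered vpa spec" and "rendered resources section"), and that "controller" is both the Deployment and the container name. The VPA object is rendered only when the kind exists in the cluster, using helm_lib_kind_exists from the top of this page, so the chart does not fail on clusters without the VPA CRDs.

```yaml
{{- /* Added example, not helm_lib's own code. .Values.exampleModule.resourcesManagement
      and the name "controller" are placeholders. */ -}}
{{- $resources := .Values.exampleModule.resourcesManagement }}
{{- if (include "helm_lib_kind_exists" (list . "VerticalPodAutoscaler")) }}
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: controller
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "controller")) | nindent 2 }}
spec:
  {{- /* targetRef, update policy and resource policy (including maxAllowed)
         come from the same configuration that sizes the container below */ }}
  {{- include "helm_lib_resources_management_vpa_spec" (list "apps/v1" "Deployment" "controller" "controller" $resources) | nindent 2 }}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "controller")) | nindent 2 }}
spec:
  selector:
    matchLabels:
      app: controller
  template:
    metadata:
      labels:
        app: controller
    spec:
      containers:
      - name: controller
        image: {{ include "helm_lib_module_image" (list . "controller") }}
        resources:
          {{- /* requests/limits from the configuration; the same block is used
                 whether VPA manages the Pod or the values are static */ }}
          {{- include "helm_lib_resources_management_pod_resources" (list $resources) | nindent 10 }}
```

The target container name passed to the VPA spec helper must match the container name in the Deployment exactly; a mismatch silently produces a resource policy that applies to nothing.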
helper for VPA resources for kube_rbac_proxy
{{ include "helm_lib_vpa_kube_rbac_proxy_resources" . }}
- Template context with .Values, .Chart, etc
helper for container resources for kube_rbac_proxy
{{ include "helm_lib_container_kube_rbac_proxy_resources" . }}
- Template context with .Values, .Chart, etc
returns podAntiAffinity spec for HA
{{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "test")) }}
list:
- Template context with .Values, .Chart, etc
- Match labels for podAntiAffinity label selector
Returns affinity spec that combines: podAntiAffinity by provided labels when HA is enabled and optional nodeAffinity that schedules pods only on specified architectures. If the list of architectures is not provided or empty, node affinity is not rendered.
{{- include "helm_lib_pod_affinity" (list . (dict "app" "test") (list "amd64")) }}
list:
- Template context with .Values, .Chart, etc
- Match labels for podAntiAffinity label selector
- List of architectures for nodeAffinity (optional)
returns deployment strategy and replicas for ha components running on master nodes
{{ include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" . }}
- Template context with .Values, .Chart, etc
returns deployment with custom strategy and replicas for ha components running on master nodes
{{ include "helm_lib_deployment_on_master_custom_strategy_and_replicas_for_ha" (list . (dict "strategy" "strategy_type")) }}
returns deployment strategy and replicas for ha components running not on master nodes
{{ include "helm_lib_deployment_strategy_and_replicas_for_ha" . }}
- Template context with .Values, .Chart, etc
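An added example (not helm_lib's own code) that puts the scheduling helpers together for one Deployment running on master nodes: it serves this HA section and the node selector and tolerations strategies described above. "example-controller", the container and image names and the ServiceAccount name are placeholders; helm_lib_node_selector and helm_lib_tolerations are called with the arguments listed for them above, in the same tuple form the tolerations examples use.

```yaml
{{- /* Added example, not helm_lib's own code: the scheduling and HA skeleton of a
      Deployment on master nodes. "example-controller", the container, image and
      ServiceAccount names are placeholders. */ -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-controller
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "example-controller")) | nindent 2 }}
spec:
  {{- /* replicas and rolling-update strategy follow the cluster HA setting */ }}
  {{- include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" . | nindent 2 }}
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: example-controller
  template:
    metadata:
      labels:
        app: example-controller
    spec:
      {{- /* anti-affinity on the app label spreads replicas across masters when
             HA is on; the architecture list adds nodeAffinity for amd64 only */ }}
      {{- include "helm_lib_pod_affinity" (list . (dict "app" "example-controller") (list "amd64")) | nindent 6 }}
      {{- include "helm_lib_node_selector" (tuple . "master") | nindent 6 }}
      {{- /* base strategy "any-node" plus the "uninitialized" toleration used by
             CNI-level components (see the strategy list above) */ }}
      {{- include "helm_lib_tolerations" (tuple . "any-node" "with-uninitialized") | nindent 6 }}
      {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }}
      serviceAccountName: example-controller
      {{- /* the controller talks to the API server, so the token is needed;
             set this to false for workloads that never call the API */ }}
      automountServiceAccountToken: true
      containers:
      - name: controller
        image: {{ include "helm_lib_module_image" (list . "controller") }}
        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
        env:
        {{- /* HTTP_PROXY/HTTPS_PROXY/NO_PROXY only when a cluster proxy is configured */ }}
        {{- include "helm_lib_envs_for_proxy" . | nindent 8 }}
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }}
```

For a component that does not have to sit on masters, swap helm_lib_deployment_on_master_strategy_and_replicas_for_ha for helm_lib_deployment_strategy_and_replicas_for_ha and pick the node selector strategy ("system", "monitoring", "frontend") that matches the dedicated node group; the tolerations base strategy should match the node selector, otherwise the Pod tolerates the taint but is never placed on those nodes, or the reverse.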