first commit

templates/common/NOTES.txt

@@ -0,0 +1,8 @@
+Thank you for installing the {{ .Chart.Name }} chart for the Amplify Integration Platform.
+
+Your release is named {{ .Release.Name }}.
+
+To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}

templates/common/certificate.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.common.certificate.enabled -}}
+{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace "domain-certificate" ).metadata | required "Secret 'domain-certificate' containing p12 certificate is required. Create it external to helm chart or set common.certificate.enabled to true, to autogenerate cert using cert-manager" }}
+{{- else }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: domain-certificate
+spec:
+  # Secret names are always required.
+  secretName: domain-certificate
+  duration: {{ .Values.common.certificate.generate.duration }}
+  renewBefore: {{ .Values.common.certificate.generate.renewBefore }}
+  subject: {{- toYaml .Values.common.certificate.generate.subject | nindent 4 }}
+  {{- if eq  (include "parent.dataplaneMode" . ) "shared" }}
+  commonName: "*.{{ .Values.global.external_domain }}"
+  {{- else if .Values.global.multihost.enabled }}
+  commonName: "*.{{ .Values.global.external_domain }}"
+  {{- else }}
+  commonName: "{{ .Values.global.external_domain }}"
+  {{- end }}
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  dnsNames:
+    {{- if eq  (include "parent.dataplaneMode" . ) "shared" }}
+    - "*.{{ .Values.global.external_domain }}"
+    {{- else if .Values.global.multihost.enabled }}
+    - "*.{{ .Values.global.external_domain }}"
+    {{- end }}
+    - {{ .Values.global.external_domain }}
+  issuerRef: {{- toYaml .Values.common.certificate.generate.issuerRef | nindent 4 }}
+  keystores:
+    pkcs12:
+      create: true
+      profile: LegacyDES
+      passwordSecretRef:
+        name: certificate-password
+        key: password
+{{- end -}}

templates/common/configmap.yaml

@@ -0,0 +1,78 @@
+{{- if eq .Values.common.externalConfigMaps false }}
+{{- $domain := ((eq .Values.global.clusterKey "") | ternary  .Values.global.ctlplane_domain (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).domain )) | required "If deploying a shared dataplane, set your control plane domain using .Values.global.ctlplane_domain. If not set a valid clusterKey" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: configmap-common
+  namespace: {{ .Release.Namespace }}
+data:
+  s3_payload: "{{ tpl  .Values.common.s3_payload . }}"
+  app_env: {{ .Values.global.appEnv }}
+  tenant_namespace: "{{ .Release.Namespace }}"
+  k8_namespace: "{{ .Release.Namespace }}"
+  cluster_name: {{ (eq .Values.global.clusterKey "") | ternary "Shared Data Plane" (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).name) }}
+  cluster_type: {{ (eq .Values.global.clusterKey "") | ternary "MANAGED_SHARED" (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).runtimeType) }}
+  domain: {{ $domain }}
+  tenant: {{ (eq .Values.global.clusterKey "") | ternary "shared" (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).tenant) }}
+  im_url: {{ (eq .Values.global.clusterKey "") | ternary (printf "wss://services.%s/monitor/ws" .Values.global.ctlplane_domain) (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).im_url) }}
+  sink_ws_url: {{ (eq .Values.global.clusterKey "") | ternary (printf "wss://services.%s/auditservice/ws" .Values.global.ctlplane_domain) (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).audit_service_url) }}
+  mode: {{ include "parent.dataplaneMode" . }}
+  server_cert_path: /certificate/{{ .Values.common.certificate.name }}
+  sftp_server_cert_path: /certificate/{{ .Values.common.certificate.name }}
+  support_email: "{{ tpl  .Values.common.support_email . }}"
+  {{- if eq  (include "parent.dataplaneMode" . ) "shared" }}
+  server_truststore_path: /efs/certificate/{{ include "parent.dataplaneMode" . }}/{{ tpl  .Values.common.truststore . }}
+  efs_root: /efs
+  {{- else }}
+  clusterRefId: "{{ tpl  .Values.common.clusterRefId . }}"
+  server_truststore_path: /efs/certificates/{{ tpl  .Values.common.clusterRefId . }}/{{ tpl  .Values.common.truststore . }}
+  efs_root: /efs/clusters/{{ tpl  .Values.common.clusterRefId . }}
+  {{- end }}
+  sftp_server_port: "{{ tpl  .Values.common.sftp_server_port . }}"
+  admin_email: "{{ tpl  .Values.common.admin_email . }}"
+  dxchange_email_host: "{{ tpl  .Values.common.email_host . }}"
+  dxchange_email_port: "{{ tpl  .Values.common.email_port . }}"
+  dxchange_email_usetls: "{{ .Values.common.email_usetls }}"
+  dxchange_email_username: "{{ tpl  .Values.common.email_username . }}"
+  dxchange_email_authentication: "{{ .Values.common.email_authentication }}"
+  dxchange_email_frommailid: "{{ tpl  .Values.common.email_frommailid . }}"
+  log_file_enabled: "{{ .Values.common.logFileEnabled }}"
+  {{- if .Values.common.openTelemetry.enabled }}
+  otel_enabled: "{{ .Values.common.openTelemetry.enabled }}"
+  {{- if .Values.common.openTelemetry.exporter.http.enabled }}
+  otel_exporter_http_enabled: "{{ .Values.common.openTelemetry.exporter.http.enabled }}"
+  otel_exporter_http_endpoint: "{{ .Values.common.openTelemetry.exporter.http.endpoint }}"
+  {{- end }}
+  {{- if .Values.common.openTelemetry.exporter.grpc.enabled }}
+  otel_exporter_grpc_enabled: "{{ .Values.common.openTelemetry.exporter.grpc.enabled }}"
+  otel_exporter_grpc_endpoint: "{{ .Values.common.openTelemetry.exporter.grpc.endpoint }}"
+  {{- end }}
+  {{- end }}
+  {{- if .Values.valkey.enabled }}
+  datagrid_deployment_model: "{{ .Values.valkey.client.deployment_model }}"
+  datagrid_implementation: VALKEY
+  datagrid_read_mode: "{{ .Values.valkey.client.read_mode }}"
+  datagrid_username: "{{ .Values.valkey.client.datagrid_username }}"
+  datagrid_use_insecure_connection: "{{ not .Values.valkey.client.use_secure_connection }}"
+  datagrid_secure_connection_verification_mode: "{{ .Values.valkey.client.security_mode }}"
+  datagrid_addresses: "{{- range $i, $v := .Values.valkey.hosts }}{{ if $i }},{{ end }}{{ $v.hostname }}{{ if $v.port }}:{{ $v.port }}{{ end }}{{ end -}}"
+  datagrid_primary_connection_pool_min: "{{ .Values.valkey.client.datagrid_primary_connection_pool_min }}"
+  datagrid_primary_connection_pool_max: "{{ .Values.valkey.client.datagrid_primary_connection_pool_max }}"
+  datagrid_replica_connection_pool_min: "{{ .Values.valkey.client.datagrid_replica_connection_pool_min }}"
+  datagrid_replica_connection_pool_max: "{{ .Values.valkey.client.datagrid_replica_connection_pool_max }}"
+  datagrid_worker_threads: "{{ .Values.valkey.client.datagrid_worker_threads }}"
+  datagrid_idle_connection_timeout_millis: "{{ .Values.valkey.client.datagrid_idle_connection_timeout_millis }}"
+  datagrid_cluster_connect_timeout_millis: "{{ .Values.valkey.client.datagrid_cluster_connect_timeout_millis }}"
+  datagrid_response_timeout_millis: "{{ .Values.valkey.client.datagrid_response_timeout_millis }}"
+  datagrid_number_of_retries: "{{ .Values.valkey.client.datagrid_number_of_retries }}"
+  datagrid_retry_interval_millis: "{{ .Values.valkey.client.datagrid_retry_interval_millis }}"
+  datagrid_subscription_mode: "{{ .Values.valkey.client.subscription_mode }}"
+  datagrid_subscriptions_per_connection: "{{ .Values.valkey.client.datagrid_subscriptions_per_connection }}"
+  datagrid_subscription_connection_pool_size: "{{ .Values.valkey.client.datagrid_subscription_connection_pool_size }}"
+  datagrid_subscription_connection_min_idle_size: "{{ .Values.valkey.client.datagrid_subscription_connection_min_idle_size }}"
+  datagrid_subscription_connection_timeout_millis: "{{ .Values.valkey.client.datagrid_subscription_connection_timeout_millis }}"
+  {{- end }}
+  {{- with .Values.common.hsm }}
+  hsmCacheExpiration: "{{ .hsmCacheExpiration }}"
+  {{- end }}
+{{- end }}

templates/common/general_conditions.yaml

@@ -0,0 +1,5 @@
+{{- if not ( kindIs "string" .Values.common.acceptGeneralConditions ) }}
+{{- fail "The acceptGeneralConditions value must be a string. Check that you are using double quotes in your values file, or --set-string if using the command line. See the information in the values.yaml file, or on the online documentation." }}
+{{- else if ne .Values.common.acceptGeneralConditions "yes" }}
+{{- fail "You need to accept the General Conditions in order to install the application. See the information in the values.yaml file, or on the online documentation." }}
+{{- end }}

templates/common/jobs/domain-cert-watch/_helpers.tpl

@@ -0,0 +1,30 @@
+{{- define "domainCertWatch.appName" -}}
+{{- $name := default "domain-cert-watch" .Values.common.domainCertWatch.nameOverride -}}
+{{- $env := default "env" .Values.global.appEnv -}}
+{{- printf "%s-%s" $name $env  | trunc 63 | trimSuffix "-" -}}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "domainCertWatch.serviceAccountName" -}}
+{{- if .Values.common.domainCertWatch.serviceAccount.enabled -}}
+    {{ default "domain-cert-watch" .Values.common.domainCertWatch.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.common.domainCertWatch.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+
+{{- define "domainCertWatch.domainCertHash" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace "domain-certificate") -}}
+{{- if $secret -}}
+{{- $secretData := $secret.data -}}
+{{- $json := toJson $secretData -}}
+{{- printf "%s" $json | sha1sum -}}
+{{- else -}}
+{{- "UNINITIALIZED" -}}
+{{- end -}}
+{{- end -}}
+
+

templates/common/jobs/domain-cert-watch/calico.netpol.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.common.domainCertWatch.calicoNetpol.enabled }}
+apiVersion: projectcalico.org/v3
+kind: NetworkPolicy
+metadata:
+  name: domain-cert-watch-network-policy
+  namespace: {{ .Release.Namespace }}
+spec:
+  order: 10
+  selector: dplane == 'domain-cert-watch-job'
+  types:
+    - Egress
+  egress:
+    # allow to communicate to DNS pods
+    - action: Allow
+      protocol: UDP
+      destination:
+        namespaceSelector: projectcalico.org/name == 'kube-system'
+        ports:
+          - 53
+    - action: Allow
+      protocol: TCP
+      destination:
+        namespaceSelector: projectcalico.org/name == 'kube-system'
+        ports:
+          - 53
+    # allow to communicate with k8s api server
+    - action: Allow
+      destination:
+        services:
+          name:  kubernetes
+          namespace: default
+      protocol: TCP
+{{- end}}

templates/common/jobs/domain-cert-watch/domain-cert-watch-configmap.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.common.domainCertWatch.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "domainCertWatch.appName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dataplane.labels" . | nindent 4 }}
+data:
+  sha: {{ template "domainCertWatch.domainCertHash" . }}
+{{- end }}

templates/common/jobs/domain-cert-watch/domain-cert-watch-cronjob.yaml

@@ -0,0 +1,79 @@
+{{- if .Values.common.domainCertWatch.enabled -}}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ template "domainCertWatch.appName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    dplane: "domain-cert-watch-job"
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: {{ .Values.common.domainCertWatch.job_ttl }}
+      template:
+        metadata:
+          labels:
+            dplane: "domain-cert-watch-job"
+        spec:
+          serviceAccountName: {{ include "domainCertWatch.serviceAccountName" . }}
+          containers:
+            - image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
+              imagePullPolicy: {{ .Values.global.image.pullPolicy }}
+              command: [ "/bin/sh", "-c" ]
+              args:
+                - |
+                  cm_name={{ template "domainCertWatch.appName" . }}
+                  if dcert=$(kubectl get secrets domain-certificate -o jsonpath='{.data}'); then
+                    dc_sha=$(echo -n $dcert | sha1sum | awk '{print $1}');
+                    echo "Generated domain-certificate secret sha - $dc_sha";
+                    if dcert_cm=$(kubectl get configmap $cm_name -o json); then
+                      stored_sha=$(echo -n $dcert_cm | jq -r .data.sha);
+                      echo "Retrieved domain-certificate stored sha - $stored_sha";
+                      if [[ "$stored_sha" == "UNINITIALIZED" || "$stored_sha" != "$dc_sha" ]]; then
+                        echo "Stored sha found in configmap $cm_name does not match, updating entry";
+                        if kubectl create configmap $cm_name --from-literal=sha="$dc_sha" -o yaml --dry-run=client | kubectl apply -f -; then
+                          echo "Updated configmap $cm_name with new sha - $dc_sha";
+                          if [[ "$stored_sha" != "UNINITIALIZED" ]]; then
+                            echo "The domain-certificate secret has changed, rolling envoy and inbound-worker deployments";
+                            kubectl rollout restart deployment -l dplane=envoy;
+                            kubectl rollout restart deployment -l dplane=inbound-worker;
+                          fi
+                          exit 0;
+                        else
+                          echo "Failed to update configmap $cm_name";
+                          exit 1;
+                        fi
+                      else
+                        echo "The secret domain-certificate has not changed, no action needed";
+                        exit 0;
+                      fi
+                    else
+                      echo "Failed to retrieve stored domain-certificate sha";
+                      exit 1;
+                    fi
+                  else
+                    echo "Could not get the secret domain-certificate";
+                    exit 1;
+                  fi
+              name: domain-cert-watch
+              {{- with .Values.common.domainCertWatch.securityContext }}
+              securityContext:
+                {{- toYaml . | nindent 16 }}
+              {{- end }}
+          restartPolicy: Never
+          {{- with .Values.global.image.imagePullSecrets }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          {{- if .Values.common.domainCertWatch.podSecurityContextEnabled -}}
+          {{- with .Values.common.domainCertWatch.podSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- end }}
+  schedule: {{ .Values.common.domainCertWatch.schedule | squote }}
+  successfulJobsHistoryLimit: 1
+  suspend: false
+{{- end }}

templates/common/jobs/domain-cert-watch/role.yaml

@@ -0,0 +1,33 @@
+{{- if ( and .Values.common.domainCertWatch.serviceAccount.enabled ( not .Values.common.domainCertWatch.serviceAccount.preexisting ) ) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "domainCertWatch.appName" . }}-role
+  labels:
+    {{- include "dataplane.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - patch
+      - update
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - get
+      - list
+      - patch
+{{- end }}

templates/common/jobs/domain-cert-watch/roleBinding.yaml

@@ -0,0 +1,16 @@
+{{- if ( and .Values.common.domainCertWatch.serviceAccount.enabled ( not .Values.common.domainCertWatch.serviceAccount.preexisting ) ) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "domainCertWatch.appName" . }}-role-binding
+  labels:
+    {{- include "dataplane.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "domainCertWatch.appName" . }}-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "domainCertWatch.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

templates/common/jobs/domain-cert-watch/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.common.domainCertWatch.serviceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "domainCertWatch.serviceAccountName" . }}
+  labels:
+    {{- include "dataplane.labels" . | nindent 4 }}
+  {{- with .Values.common.domainCertWatch.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

templates/common/persistentvolume-az.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.common.azfiles.enabled -}}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: {{ .Release.Namespace }}-{{ .Values.common.persistence.volumeName }}
+spec:
+  accessModes:
+  - {{ .Values.common.persistence.volumeAccessMode  }}
+  capacity:
+    storage: {{ .Values.common.persistence.volumeCapacity }}
+  persistentVolumeReclaimPolicy: {{ .Values.common.persistence.volumeReclaimPolicy }}
+  claimRef:
+    name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
+    namespace: {{ .Release.Namespace }}
+  csi:
+    driver: file.csi.azure.com
+    readOnly: false
+    volumeHandle: {{.Values.common.azfiles.resourceGroup}}#{{.Values.common.azfiles.storageAccountName}}#{{.Values.common.azfiles.fileshareName}}###{{.Release.Namespace}}
+    volumeAttributes:
+      resourceGroup: {{ .Values.common.azfiles.resourceGroup}}
+      shareName: {{.Values.common.azfiles.fileshareName}}
+    nodeStageSecretRef:
+      name: {{ .Values.common.azfiles.secretName }}
+      namespace: {{ .Release.Namespace }}
+  mountOptions:
+    - uid=10010
+    - gid=10020
+{{- end -}}

templates/common/persistentvolume-efs.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.common.efs.enabled -}}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: {{ .Release.Namespace }}-{{ .Values.common.persistence.volumeName }}
+spec:
+  capacity:
+    # This doesn't matter for efs, but k8s requires this field to exist
+    storage: {{ .Values.common.persistence.volumeCapacity }}
+  volumeMode: Filesystem
+  accessModes:
+    - {{ .Values.common.persistence.volumeAccessMode  }}
+  persistentVolumeReclaimPolicy: {{ .Values.common.persistence.volumeReclaimPolicy }}
+  claimRef:
+    name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
+    namespace: {{ .Release.Namespace }}
+  csi:
+    driver: efs.csi.aws.com
+    volumeHandle: {{ .Values.common.efs.volumeHandle }}
+{{- end -}}

templates/common/persistentvolume-nfs.yaml

@@ -0,0 +1,32 @@
+{{- if and .Values.common.nfs.staticPvc .Values.common.nfs.enabled -}}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: {{ .Release.Namespace }}-{{ .Values.common.persistence.volumeName }}
+spec:
+  capacity:
+    # This doesn't matter for efs, but k8s requires this field to exist
+    storage: {{ .Values.common.persistence.volumeCapacity }}
+  volumeMode: Filesystem
+  accessModes:
+    - {{ .Values.common.persistence.volumeAccessMode  }}
+  persistentVolumeReclaimPolicy: {{ .Values.common.persistence.volumeReclaimPolicy }}
+  storageClassName: "{{ .Values.common.nfs.storageClassName }}"
+  claimRef:
+    name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
+    namespace: {{ .Release.Namespace }}
+  mountOptions: {{ toYaml .Values.common.nfs.mountOptions | nindent 2 }}
+  {{- if eq .Values.common.nfs.mode "csi" }}
+  csi:
+    driver: nfs.csi.k8s.io
+    readOnly: false
+    volumeHandle: {{ .Values.common.nfs.server }}{{ .Values.common.nfs.path }}
+    volumeAttributes:
+      server: {{ .Values.common.nfs.server }}
+      share: {{ .Values.common.nfs.path }}
+  {{- else -}}
+  nfs:
+    path: {{ .Values.nfs.path }}
+    server: {{ .Values.nfs.server }}
+  {{- end -}}
+{{- end -}}

templates/common/persistentvolumeclaim-az.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.common.azfiles.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
+spec:
+  accessModes:
+    - {{ .Values.common.persistence.claimAccessMode }}
+  storageClassName: "manage-csi"
+  resources:
+    requests:
+      storage: {{ .Values.common.persistence.claimRequestCapacity }}
+  volumeMode: Filesystem
+  volumeName: {{ .Release.Namespace }}-{{ .Values.common.persistence.volumeName }}
+{{- end -}}

templates/common/persistentvolumeclaim-efs.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.common.efs.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  accessModes:
+    - {{ .Values.common.persistence.claimAccessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.common.persistence.claimRequestCapacity }}
+  volumeMode: Filesystem
+  volumeName: {{ .Release.Namespace }}-{{ .Values.common.persistence.volumeName }}
+{{- end -}}

templates/common/persistentvolumeclaim-nfs.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.common.nfs.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  # need to use efs here, though it's nfs, for compatibility with legacy setup
+  name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  accessModes:
+    - {{ .Values.common.persistence.claimAccessMode }}
+  storageClassName: "{{ .Values.common.nfs.storageClassName }}"
+  resources:
+    requests:
+      storage: {{ .Values.common.persistence.claimRequestCapacity }}
+{{- end -}}

templates/common/persistentvolumeclaim.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.common.pvc.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  accessModes:
+    - {{ .Values.common.pvc.claimAccessMode }}
+  storageClassName: {{ .Values.common.pvc.storageClass }}
+  resources:
+    requests:
+      storage: {{ .Values.common.pvc.claimRequestCapacity }}
+{{- end -}}

templates/common/secret-ampint-docker-artifactory.yaml

@@ -0,0 +1,10 @@
+{{- if not (eq .Values.global.image.createPullSecret.dockerconfigjson "") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ampint-docker-artifactory
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ required "a valid dockerconfigjson is required for the secret ampint-docker-artifactory" .Values.global.image.createPullSecret.dockerconfigjson }}
+{{- end }}

templates/common/secret-certificate-password.yaml

@@ -0,0 +1,12 @@
+{{- if eq  .Values.common.certificate.password "" -}}
+{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace "certificate-password" ).metadata | required "Secret 'certificate-password' is required. Create it external to helm chart or set common.certificate.password" }}
+{{- else }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: certificate-password
+type: "Opaque"
+data:
+  password: {{ required "common.certificate.password is required for the secret certificate-password" .Values.common.certificate.password }}
+{{- end }}

templates/common/secret-cluster-details.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.common.clusterDetails.existingSecret -}}
+{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace .Values.common.clusterDetails.name ).metadata | required "Secret .Values.common.clusterDetails.name is required. Create it external to helm chart or set existingSecret to false" }}
+{{- else }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.common.clusterDetails.name }}
+type: "Opaque"
+data:
+  dxchange_jwt_secret: {{ ((eq .Values.global.clusterKey "") | ternary .Values.common.clusterDetails.jwtSecret (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).secretKey | b64enc)) | required "set required common.clusterDetails values if using shared dataplane. Otherwise set global.clusterKey" }}
+  cluster_id: {{ ((eq .Values.global.clusterKey "") | ternary .Values.common.clusterDetails.clusterId (printf "%s" (.Values.global.clusterKey | b64dec | fromJson).id | b64enc)) | required "set required common.clusterDetails values if using shared dataplane. Otherwise set global.clusterKey" }}
+{{- end }}

templates/common/secret-frommail.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.common.email_authentication -}}
+{{- if .Values.common.fromMail.existingSecret -}}
+{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace .Values.common.fromMail.name ).metadata | required "Secret .Values.common.fromMail.name is required. Create it external to helm chart or set existingSecret to false" }}
+{{- else }}
+
+{{ $fromMailPass := .Values.common.fromMail.password | required "Value password is required for the secret fromMail" -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.common.fromMail.name }}
+type: "Opaque"
+data:
+  dxchange_email_frompassword:  {{ $fromMailPass | quote }}
+{{- end -}}
+{{- end -}}

templates/common/secret-storage-az.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.common.azfiles.enabled -}}
+{{- if .Values.common.azfiles.existingSecret -}}
+{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace .Values.common.azfiles.secretName ).metadata | required "Secret .Values.common.azfiles.secretName is required when azfiles enabled. Create it external to helm chart or set existingSecret to false" }}
+{{- else }}
+
+{{ $storageAccName := ((.Values.common.azfiles.storageAccountName | b64enc )) | trim | required "Value storageAccountName is required for the secret azurefs-secret" -}}
+{{ $storageAccKey := .Values.common.azfiles.azureStorageAccountKey | required "Value azureStorageAccountKey is required for the secret azurefs-secret" -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.common.azfiles.secretName }}
+type: "Opaque"
+data:
+  azurestorageaccountname: {{ $storageAccName | quote }}
+  azurestorageaccountkey:  {{ $storageAccKey | quote }}
+
+{{- end -}}
+{{- end -}}