first commit

2026-01-21 17:37:42 +11:00
commit bd1ed71ac4
142 changed files with 18994 additions and 0 deletions


@@ -0,0 +1,66 @@
{{- define "fusionOperator.name" -}}
{{- default "fusion-operator" .Values.fusionOperator.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "fusionOperator.fullname" -}}
{{- if .Values.fusionOperator.fullnameOverride }}
{{- .Values.fusionOperator.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default "fusionOperator" .Values.fusionOperator.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "fusionOperator.labels" -}}
{{ include "dataplane.labels" . }}
{{ include "fusionOperator.selectorLabels" . }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "fusionOperator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "fusionOperator.name" . }}
app: {{ include "fusionOperator.appName" . }}
dplane: "fusion-operator"
{{- end }}
{{- define "fusionOperator.appName" -}}
{{- $name := default "fusion-operator" .Values.fusionOperator.nameOverride -}}
{{- $env := default "fusion-operator" .Values.global.appEnv -}}
{{- printf "%s-%s" $name $env | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "fusionOperator.serviceAccountName" -}}
{{- if .Values.fusionOperator.serviceAccount.enabled }}
{{- default (include "fusionOperator.fullname" .) .Values.fusionOperator.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.fusionOperator.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account for jobs to use
*/}}
{{- define "fusionOperator.job.serviceAccountName" -}}
{{- if .Values.fusionOperator.job.serviceAccount.enabled }}
{{- default (include "fusionOperator.fullname" .) .Values.fusionOperator.job.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.fusionOperator.job.serviceAccount.name }}
{{- end }}
{{- end }}
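Review bot: The fallback name in `fusionOperator.fullname` is `"fusionOperator"`, while `fusionOperator.name` and `fusionOperator.appName` both fall back to `"fusion-operator"`. With no `nameOverride` set, the full name renders as `<release>-fusionOperator`, and the upper-case letter makes it an invalid Kubernetes object name. Both service-account helpers use that value as their default, so an enabled service account with no explicit `name` would be rejected by the API server. I would change the line to `{{- $name := default "fusion-operator" .Values.fusionOperator.nameOverride }}`. Separately, `fusionOperator.appName` defaults `$env` to `"fusion-operator"`, which yields `fusion-operator-fusion-operator` when `global.appEnv` is unset; a comment saying whether that is intended would help.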


@@ -0,0 +1,38 @@
{{- if and .Values.fusionOperator.calicoNetpol.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: {{ template "fusionOperator.appName" . }}
namespace: {{ .Release.Namespace }}
spec:
order: 10
selector: dplane == 'fusion-operator'
types:
- Ingress
- Egress
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
# allow to communicate with k8s api server
- action: Allow
destination:
services:
name: kubernetes
namespace: default
protocol: TCP
### Traffic to the internet ###
- action: Allow
protocol: TCP
destination: {{ toYaml .Values.fusionOperator.calicoNetpol.outboundRule | nindent 8 }}
{{- end}}
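Review bot: The last egress rule takes its whole `destination` from `.Values.fusionOperator.calicoNetpol.outboundRule` with no check that the value is set. If it is missing, `toYaml` renders `null`, and an empty destination in a Calico rule matches every address, so the policy would allow all outbound TCP from the operator pods. The values file is not on this page, so this may already have a default, but the template should fail closed: `destination: {{ required "fusionOperator.calicoNetpol.outboundRule must be set" .Values.fusionOperator.calicoNetpol.outboundRule | toYaml | nindent 8 }}`. The guard on the first line also omits `.Values.fusionOperator.enabled`, unlike the `crd-netpol` template, so the policy is rendered even when the operator itself is disabled.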


@@ -0,0 +1,20 @@
{{- if .Values.fusionOperator.enabled }}
{{- if and (eq .Values.common.externalConfigMaps false) (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "fusionOperator.appName" . }}
namespace: {{ .Release.Namespace }}
data:
app_env: {{ .Values.global.appEnv }}
release_namespace: {{ .Release.Namespace }}
deployment_spec: |-
{{- include "orchestrator.deployment" . | nindent 4 }}
pdb_spec: |-
{{- include "orchestrator.podDisruptionBudget" . | nindent 4 }}
service_spec: |-
{{- include "orchestrator.service" . | nindent 4 }}
hpa_spec: |-
{{- include "orchestrator.hpa" . | nindent 4 }}
{{- end }}
{{- end }}
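Review bot: `app_env` and `release_namespace` are rendered unquoted, so a value such as `true`, `123` or an empty `global.appEnv` is parsed as a boolean, number or null rather than a string. ConfigMap `data` values must be strings, and the `fusionOperator.appName` helper already treats `global.appEnv` as possibly unset. I would write `app_env: {{ .Values.global.appEnv | quote }}` and `release_namespace: {{ .Release.Namespace | quote }}`.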


@@ -0,0 +1,78 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "fusionOperator.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fusionOperator.labels" . | nindent 4 }}
spec:
{{- if not .Values.fusionOperator.autoscaling.enabled }}
replicas: {{ .Values.fusionOperator.replicaCount }}
{{- end }}
strategy:
type: {{ .Values.fusionOperator.strategy.type }}
rollingUpdate:
maxSurge: {{ .Values.fusionOperator.strategy.rollingUpdate.maxSurge }}
maxUnavailable: {{ .Values.fusionOperator.strategy.rollingUpdate.maxUnavailable }}
selector:
matchLabels:
{{- include "fusionOperator.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "fusionOperator.selectorLabels" . | nindent 8 }}
spec:
{{- if .Values.fusionOperator.serviceAccount.enabled }}
serviceAccountName: {{ include "fusionOperator.serviceAccountName" . }}
{{- end }}
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.fusionOperator.podSecurityContextEnabled }}
securityContext:
{{ toYaml .Values.fusionOperator.podSecurityContext | nindent 8 }}
{{- end }}
{{- if .Values.fluentBit.enabled }}
{{- include "dataplane.createLogDirectoryInitContainer" (dict "serviceName" "fusion-operator" "securityContext" .Values.fusionOperator.securityContext "additionalPathParam" "" "root" .) | nindent 6 }}
{{- end }}
containers:
- name: {{ template "fusionOperator.appName" . }}
{{- if .Values.fusionOperator.leaderElection.enabled }}
command:
- /manager
args:
- --leader-elect
{{- end }}
securityContext:
{{- toYaml .Values.fusionOperator.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.fusionOperator.image.repository }}/{{ .Values.fusionOperator.image.name }}:{{ .Values.fusionOperator.image.buildTag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
{{- with .Values.fusionOperator.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: configmap-common
- configMapRef:
name: {{ template "fusionOperator.appName" . }}
resources:
{{- toYaml .Values.fusionOperator.resources | nindent 12 }}
livenessProbe: {{- toYaml .Values.fusionOperator.livenessProbe | nindent 12 }}
startupProbe: {{- toYaml .Values.fusionOperator.startupProbe | nindent 12 }}
readinessProbe: {{- toYaml .Values.fusionOperator.readinessProbe | nindent 12 }}
volumeMounts:
- name: {{ .Values.global.volumeStorageName }}
mountPath: /efs
volumes:
- name: {{ .Values.global.volumeStorageName }}
persistentVolumeClaim:
claimName: {{ .Release.Namespace }}-{{ .Values.global.claimName }}
{{- end }}
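Review bot: The `rollingUpdate` block under `strategy` is rendered whatever `.Values.fusionOperator.strategy.type` is, and the API server rejects a Deployment that sets `rollingUpdate` together with `type: Recreate`. Wrapping the three `rollingUpdate` lines in `{{- if eq .Values.fusionOperator.strategy.type "RollingUpdate" }}` … `{{- end }}` keeps both strategy types usable. It would also help to add a comment above `serviceAccountName` noting that the pod runs as the namespace's `default` service account when `serviceAccount.enabled` is false, since the Role in this chart is only created in the enabled case.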


@@ -0,0 +1,35 @@
{{- if .Values.fusionOperator.enabled }}
{{- if and .Values.fusionOperator.autoscaling.enabled (ne (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "fusionOperator.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fusionOperator.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ template "fusionOperator.appName" . }}
minReplicas: {{ .Values.fusionOperator.autoscaling.minReplicas }}
maxReplicas: {{ .Values.fusionOperator.autoscaling.maxReplicas }}
metrics:
{{- if .Values.fusionOperator.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.fusionOperator.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.fusionOperator.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.fusionOperator.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
{{- end}}
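Review bot: The guard on the second line uses `ne (include "parent.dataplaneMode" . ) "shared"`, but the Deployment named by `scaleTargetRef` is rendered only when the mode equals `"shared"`. As written, the HPA is created only in modes where this chart does not create its target, and in shared mode with autoscaling enabled the Deployment drops `replicas` without an HPA to replace it. Unless another chart provides that Deployment, the comparison looks inverted and should be `eq`. If neither utilization target is set, `metrics:` also renders empty; a comment or a `required` on at least one target would make that explicit.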


@@ -0,0 +1,40 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
{{- if .Values.fusionOperator.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: crd-netpol
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
order: 10
selector: dplane == 'crd-job'
types:
- Ingress
- Egress
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
# allow to communicate with k8s api server
- action: Allow
destination:
services:
name: kubernetes
namespace: default
protocol: TCP
{{- end }}
{{- end }}
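Review bot: The two DNS rules are commented "allow to communicate to DNS pods", but they match on `namespaceSelector` only, so port 53 is opened to every pod in `kube-system`, not just the DNS service. Adding a pod selector under each `destination`, for example `selector: k8s-app == 'kube-dns'` (the label depends on the cluster's DNS deployment and should be confirmed), brings the rule in line with its comment. The same two rules appear in the operator's NetworkPolicy earlier in this commit and have the same gap. Since the DNS and API-server rules are duplicated verbatim, a shared named template would keep the two policies from drifting.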


@@ -0,0 +1,21 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "fusionOperator.name" . }}-role
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources:
- customresourcedefinitions
verbs:
- delete
- create
- update
- get
- list
- watch
{{- end }}
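Review bot: The rule grants `delete` and `update` on every CustomResourceDefinition in the cluster, although the hook jobs in this commit only touch `orchestrators.operator.fusion.axway.com`. I would split it: keep `create` in its own rule, since `resourceNames` cannot restrict it, and move `get`, `update` and `delete` into a rule with `resourceNames: ["orchestrators.operator.fusion.axway.com"]`. The verb list also has no `patch`, which `kubectl apply` normally needs when the CRD already exists and has changed, so the pre-upgrade job may be denied; this should be checked against a real upgrade. The name `{{ template "fusionOperator.name" . }}-role` is not qualified by release or namespace, so two releases in one cluster would share this cluster-scoped object.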


@@ -0,0 +1,18 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "fusionOperator.name" . }}-role-binding
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "fusionOperator.name" . }}-role
subjects:
- kind: ServiceAccount
name: {{ .Values.fusionOperator.job.serviceAccount.enabled | ternary .Values.fusionOperator.job.serviceAccount.name "default" }}
namespace: {{ .Release.Namespace }}
{{- end }}
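Review bot: The subject name is built with `ternary … .job.serviceAccount.name "default"` instead of the `fusionOperator.job.serviceAccountName` helper that the Jobs and the ServiceAccount template use. When the job service account is enabled without an explicit `name`, the helper yields the full name but this line renders an empty subject, so the binding would not match the account the jobs run as. When it is disabled, the cluster-wide CRD permissions are bound to the namespace's `default` service account, which every pod without its own account shares for as long as the hook resources exist. I would use `name: {{ include "fusionOperator.job.serviceAccountName" . }}` and consider failing the render when the job service account is disabled. The namespaced RoleBinding later in this commit uses the same `ternary` pattern; its `"default"` branch is unreachable there because the template is already gated on `serviceAccount.enabled`.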


@@ -0,0 +1,38 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: batch/v1
kind: Job
metadata:
name: remove-crd
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
dplane: "crd-job"
spec:
ttlSecondsAfterFinished: {{ .Values.fusionOperator.job.removeJob_ttl }}
template:
metadata:
labels:
dplane: "crd-job"
spec:
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.fusionOperator.job.serviceAccount.enabled }}
serviceAccountName: {{ include "fusionOperator.job.serviceAccountName" . }}
{{- end }}
{{- if .Values.fusionOperator.podSecurityContextEnabled }}
securityContext: {{- toYaml .Values.fusionOperator.podSecurityContext | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
containers:
- name: delete-crd
securityContext: {{- toYaml .Values.fusionOperator.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
command:
- /bin/sh
- -c
- |
kubectl delete crd orchestrators.operator.fusion.axway.com --ignore-not-found=true
{{- end }}
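Review bot: The pre-delete hook removes the cluster-scoped CRD, and deleting a CRD also deletes every `orchestrators` object in every namespace, not only those belonging to this release. If more than one release or namespace can use the CRD, uninstalling one of them takes the others' resources with it. I would gate the job behind an explicit value and add a comment such as `# Deleting the CRD removes all Orchestrator objects cluster-wide`. The Job also sets no `backoffLimit` or `activeDeadlineSeconds`, so with `restartPolicy: OnFailure` a denied delete keeps retrying until Helm's own timeout.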


@@ -0,0 +1,40 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
apiVersion: batch/v1
kind: Job
metadata:
name: apply-crd
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
dplane: "crd-job"
spec:
ttlSecondsAfterFinished: {{ .Values.fusionOperator.job.updateJob_ttl }}
template:
metadata:
labels:
dplane: "crd-job"
spec:
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.fusionOperator.job.serviceAccount.enabled }}
serviceAccountName: {{ include "fusionOperator.job.serviceAccountName" . }}
{{- end }}
{{- if .Values.fusionOperator.podSecurityContextEnabled }}
securityContext: {{- toYaml .Values.fusionOperator.podSecurityContext | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
containers:
- name: apply-crd
securityContext: {{- toYaml .Values.fusionOperator.securityContext | nindent 12 }}
image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
command:
- /bin/sh
- -c
- |
cat <<EOF | kubectl apply -f -
{{ .Files.Get "crd/orchestrator.yaml" | nindent 14 }}
EOF
{{- end }}
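Review bot: The here-document delimiter is unquoted (`cat <<EOF`), so the shell performs parameter and command substitution on the CRD text before it reaches `kubectl`. Any `$` or backtick in `crd/orchestrator.yaml`, which is common in OpenAPI `description` fields, would be expanded or executed inside the job container, and a literal `EOF` line in the file would end the input early. Quoting the delimiter passes the file through verbatim: `cat <<'EOF' | kubectl apply -f -`. A comment noting that the file content is embedded at render time would also help whoever edits the CRD.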


@@ -0,0 +1,18 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
{{- if ( and .Values.fusionOperator.job.serviceAccount.enabled ( not .Values.fusionOperator.job.serviceAccount.preexisting ) ) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "fusionOperator.job.serviceAccountName" . }}
labels:
{{- include "fusionOperator.labels" . | nindent 4 }}
annotations:
{{- with .Values.fusionOperator.job.serviceAccount.annotations }}
{{- toYaml . }}
{{- end }}
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
automountServiceAccountToken: {{ .Values.fusionOperator.job.serviceAccount.automountServiceAccountToken }}
{{- end }}
{{- end }}
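Review bot: The user-supplied annotations are emitted with `{{- toYaml . }}` and no `nindent`, and the `{{-` on both the `with` and the `toYaml` action trims the newline after `annotations:`. When `.Values.fusionOperator.job.serviceAccount.annotations` is set, the first key is therefore glued onto the `annotations:` line and the manifest no longer parses. I would write `{{- toYaml . | nindent 4 }}`, matching how `labels` is rendered two lines above. The operator's own ServiceAccount template at the end of this commit has the same construct, and there an unset value additionally leaves a bare `annotations:` key.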


@@ -0,0 +1,155 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
{{- if ( and .Values.fusionOperator.serviceAccount.enabled ( not .Values.fusionOperator.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "fusionOperator.name" . }}-role
rules:
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- apps
resources:
- deployments/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- get
- list
- watch
- update
- delete
- apiGroups:
- ""
resources:
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# Rules for managing Roles and RoleBindings (RBAC)
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# Rules for managing ServiceAccounts
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# Rules for managing PodDisruptionBudget (PDB)
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.fusion.axway.com
resources:
- orchestrators
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.fusion.axway.com
resources:
- orchestrators/status
verbs:
- get
- patch
- update
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- if .Values.fusionOperator.leaderElection.enabled }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
{{- end }}
- apiGroups: ["apiextensions.k8s.io"]
resources:
- customresourcedefinitions
verbs:
- delete
- create
- update
- get
- list
- watch
{{- end }}
{{- end }}
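Review bot: The final rule lists `customresourcedefinitions`, which is a cluster-scoped resource, so a namespaced `Role` cannot grant access to it. The rule has no effect and wrongly suggests that the operator can manage CRDs; I would drop it, or move it to a ClusterRole if the operator really needs it. The Role also gives write access to `roles`, `rolebindings` and `serviceaccounts`, so containment rests on the API server's RBAC escalation checks; a comment stating why the operator needs each of these would make later review easier. The `deployments` and `configmaps` rules omit `patch` while every other resource rule includes it, which looks unintentional.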


@@ -0,0 +1,16 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
{{- if ( and .Values.fusionOperator.serviceAccount.enabled ( not .Values.fusionOperator.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "fusionOperator.name" . }}-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "fusionOperator.name" . }}-role
subjects:
- kind: ServiceAccount
name: {{ .Values.fusionOperator.serviceAccount.enabled | ternary .Values.fusionOperator.serviceAccount.name "default" }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}


@@ -0,0 +1,15 @@
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
{{- if ( and .Values.fusionOperator.serviceAccount.enabled ( not .Values.fusionOperator.serviceAccount.preexisting ) ) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "fusionOperator.serviceAccountName" . }}
labels:
{{- include "fusionOperator.labels" . | nindent 4 }}
annotations:
{{- with .Values.fusionOperator.serviceAccount.annotations }}
{{- toYaml . }}
{{- end }}
automountServiceAccountToken: {{ .Values.fusionOperator.serviceAccount.automountServiceAccountToken }}
{{- end }}
{{- end }}