diff --git a/Makefile b/Makefile
index 9a457aca..d49a7117 100644
--- a/Makefile
+++ b/Makefile
@@ -134,7 +134,6 @@ openapi: $(addprefix openapi-, $(subst :,_, $(API_GROUPS)))
-w $(DOCKER_REPO_ROOT) \
--env HTTP_PROXY=$(HTTP_PROXY) \
--env HTTPS_PROXY=$(HTTPS_PROXY) \
- --env GO111MODULE=on \
--env GOFLAGS="-mod=vendor" \
$(BUILD_IMAGE) \
go run hack/gencrd/main.go
@@ -381,7 +380,6 @@ lint: $(BUILD_DIRS)
-v $$(pwd)/.go/cache:/.cache \
--env HTTP_PROXY=$(HTTP_PROXY) \
--env HTTPS_PROXY=$(HTTPS_PROXY) \
- --env GO111MODULE=on \
--env GOFLAGS="-mod=vendor" \
$(BUILD_IMAGE) \
golangci-lint run
@@ -397,8 +395,8 @@ verify: verify-gen verify-modules
.PHONY: verify-modules
verify-modules:
- GO111MODULE=on go mod tidy
- GO111MODULE=on go mod vendor
+ go mod tidy
+ go mod vendor
@if !(git diff --exit-code HEAD); then \
echo "go module files are out of date"; exit 1; \
fi
diff --git a/apis/installer/v1alpha1/aws_credential_manager_types.go b/apis/installer/v1alpha1/aws_credential_manager_types.go
index ce381a80..8ebb7327 100644
--- a/apis/installer/v1alpha1/aws_credential_manager_types.go
+++ b/apis/installer/v1alpha1/aws_credential_manager_types.go
@@ -36,7 +36,6 @@ const (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
-// +kubebuilder:resource:path=aceshifters,singular=aceshifter,categories={kubeops,appscode}
type AwsCredentialManager struct {
metav1.TypeMeta `json:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty"`
diff --git a/apis/installer/v1alpha1/gcp_credential_manager_types.go b/apis/installer/v1alpha1/gcp_credential_manager_types.go
new file mode 100644
index 00000000..60c95a14
--- /dev/null
+++ b/apis/installer/v1alpha1/gcp_credential_manager_types.go
@@ -0,0 +1,118 @@
+/*
+Copyright AppsCode Inc. and Contributors
+
+Licensed under the AppsCode Community License 1.0.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+ core "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "kmodules.xyz/resource-metadata/apis/shared"
+)
+
+const (
+ ResourceKindGcpCredentialManager = "GcpCredentialManager"
+ ResourceGcpCredentialManager = "gcpcredentialmanager"
+ ResourceGcpCredentialManagers = "gcpcredentialmanagers"
+)
+
+// GcpCredentialManager defines the schema for GcpCredentialManager operator installer.
+
+// +genclient
+// +genclient:skipVerbs=updateStatus
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// +kubebuilder:object:root=true
+type GcpCredentialManager struct {
+ metav1.TypeMeta `json:",inline,omitempty"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+ Spec GcpCredentialManagerSpec `json:"spec,omitempty"`
+}
+
+// GcpCredentialManagerSpec is the schema for GCP Credential Manager values file.
+type GcpCredentialManagerSpec struct {
+ //+optional
+ NameOverride string `json:"nameOverride"`
+ //+optional
+ FullnameOverride string `json:"fullnameOverride"`
+ //+optional
+ RegistryFQDN string `json:"registryFQDN"`
+ ReplicaCount int32 `json:"replicaCount"`
+ Image ImageReference `json:"image"`
+ //+optional
+ ImagePullSecrets []string `json:"imagePullSecrets"`
+ //+optional
+ PodAnnotations map[string]string `json:"podAnnotations"`
+ //+optional
+ PodLabels map[string]string `json:"podLabels"`
+ // PodSecurityContext holds pod-level security attributes and common container settings.
+ // Optional: Defaults to empty. See type description for default values of each field.
+ // +optional
+ PodSecurityContext *core.PodSecurityContext `json:"podSecurityContext"`
+ //+optional
+ SecurityContext *core.SecurityContext `json:"securityContext"`
+ //+optional
+ Resources core.ResourceRequirements `json:"resources"`
+ //+optional
+ NodeSelector map[string]string `json:"nodeSelector"`
+ // If specified, the pod's tolerations.
+ // +optional
+ Tolerations []core.Toleration `json:"tolerations"`
+ // If specified, the pod's scheduling constraints.
+ // +optional
+ Affinity *core.Affinity `json:"affinity"`
+ // +optional
+ LivenessProbe *core.Probe `json:"livenessProbe"`
+ // +optional
+ ReadinessProbe *core.Probe `json:"readinessProbe"`
+ Service ServiceSpec `json:"service"`
+ ServiceAccount ServiceAccountSpec `json:"serviceAccount"`
+ Volumes []core.Volume `json:"volumes"`
+ VolumeMounts []core.VolumeMount `json:"volumeMounts"`
+ // +optional
+ Distro shared.DistroSpec `json:"distro"`
+ // +optional
+ Apiserver GcpCredentialManagerApiserver `json:"apiserver"`
+ // +optional
+ BucketAccessor GcpBucketAccessor `json:"bucketAccessor"`
+}
+
+type GcpCredentialManagerApiserver struct {
+ GroupPriorityMinimum int `json:"groupPriorityMinimum"`
+ VersionPriority int `json:"versionPriority"`
+ EnableMutatingWebhook bool `json:"enableMutatingWebhook"`
+ EnableValidatingWebhook bool `json:"enableValidatingWebhook"`
+ Ca string `json:"ca"`
+ BypassValidatingWebhookXray bool `json:"bypassValidatingWebhookXray"`
+ UseKubeapiserverFqdnForAks bool `json:"useKubeapiserverFqdnForAks"`
+ Healthcheck HealthcheckSpec `json:"healthcheck"`
+ ServingCerts ServingCerts `json:"servingCerts"`
+}
+
+type GcpBucketAccessor struct {
+ GcsMaxIntervalSeconds string `json:"gcsMaxIntervalSeconds"`
+ GcsMaxWaitSeconds string `json:"gcsMaxWaitSeconds"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// GcpCredentialManagerList is a list of GcpCredentialManagers.
+type GcpCredentialManagerList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ // Items is a list of GcpCredentialManager CRD objects.
+ Items []GcpCredentialManager `json:"items,omitempty"`
+}
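Review bot: `GcpCredentialManagerApiserver` and `GcpBucketAccessor` are exported with no doc comments, and their undocumented fields are the ones an operator reviewing a values file most needs explained. I would add `// BypassValidatingWebhookXray, if true, bypasses the check that the validating webhook is actually enabled in the cluster.` above that field. `ServingCerts` deserves a comment noting that it can carry the webhook server's private key (`serverKey` in the chart values), so values files that set it must be handled as secrets. `GcsMaxIntervalSeconds` and `GcsMaxWaitSeconds` are typed `string` while the chart README lists their defaults as `"5"` and `"300"`; a comment such as `// seconds, written as a decimal string` would record the expected form, since nothing visible here validates it. The comment `// GcpCredentialManager defines the schema ...` is separated from the type by blank lines and marker blocks, so godoc will not attach it; placing it directly above `type GcpCredentialManager struct` fixes that.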
diff --git a/apis/installer/v1alpha1/register.go b/apis/installer/v1alpha1/register.go
index 5b7faf45..e02347f0 100644
--- a/apis/installer/v1alpha1/register.go
+++ b/apis/installer/v1alpha1/register.go
@@ -56,6 +56,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&AwsCredentialManager{},
&AwsCredentialManagerList{},
+ &GcpCredentialManager{},
+ &GcpCredentialManagerList{},
&CapaVpcPeeringOperator{},
&CapaVpcPeeringOperatorList{},
&CapiOpsManager{},
diff --git a/apis/installer/v1alpha1/types_test.go b/apis/installer/v1alpha1/types_test.go
index ea099b0d..47d24d8f 100644
--- a/apis/installer/v1alpha1/types_test.go
+++ b/apis/installer/v1alpha1/types_test.go
@@ -28,6 +28,7 @@ import (
func TestDefaultValues(t *testing.T) {
checker := sc.New(os.DirFS("../../.."),
sc.TestCase{Obj: v1alpha1.AwsCredentialManagerSpec{}},
+ sc.TestCase{Obj: v1alpha1.GcpCredentialManagerSpec{}},
sc.TestCase{Obj: v1alpha1.CapaVpcPeeringOperatorSpec{}},
sc.TestCase{Obj: v1alpha1.CapiOpsManagerSpec{}},
sc.TestCase{Obj: v1alpha1.DockerMachineOperatorSpec{}},
diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go
index a951ff64..81f87f99 100644
--- a/apis/installer/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go
@@ -603,6 +603,190 @@ func (in *DockerMachineOperatorSpec) DeepCopy() *DockerMachineOperatorSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GcpBucketAccessor) DeepCopyInto(out *GcpBucketAccessor) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpBucketAccessor.
+func (in *GcpBucketAccessor) DeepCopy() *GcpBucketAccessor {
+ if in == nil {
+ return nil
+ }
+ out := new(GcpBucketAccessor)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GcpCredentialManager) DeepCopyInto(out *GcpCredentialManager) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpCredentialManager.
+func (in *GcpCredentialManager) DeepCopy() *GcpCredentialManager {
+ if in == nil {
+ return nil
+ }
+ out := new(GcpCredentialManager)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *GcpCredentialManager) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GcpCredentialManagerApiserver) DeepCopyInto(out *GcpCredentialManagerApiserver) {
+ *out = *in
+ out.Healthcheck = in.Healthcheck
+ out.ServingCerts = in.ServingCerts
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpCredentialManagerApiserver.
+func (in *GcpCredentialManagerApiserver) DeepCopy() *GcpCredentialManagerApiserver {
+ if in == nil {
+ return nil
+ }
+ out := new(GcpCredentialManagerApiserver)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GcpCredentialManagerList) DeepCopyInto(out *GcpCredentialManagerList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]GcpCredentialManager, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpCredentialManagerList.
+func (in *GcpCredentialManagerList) DeepCopy() *GcpCredentialManagerList {
+ if in == nil {
+ return nil
+ }
+ out := new(GcpCredentialManagerList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *GcpCredentialManagerList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GcpCredentialManagerSpec) DeepCopyInto(out *GcpCredentialManagerSpec) {
+ *out = *in
+ out.Image = in.Image
+ if in.ImagePullSecrets != nil {
+ in, out := &in.ImagePullSecrets, &out.ImagePullSecrets
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.PodAnnotations != nil {
+ in, out := &in.PodAnnotations, &out.PodAnnotations
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
+ if in.PodLabels != nil {
+ in, out := &in.PodLabels, &out.PodLabels
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
+ if in.PodSecurityContext != nil {
+ in, out := &in.PodSecurityContext, &out.PodSecurityContext
+ *out = new(v1.PodSecurityContext)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.SecurityContext != nil {
+ in, out := &in.SecurityContext, &out.SecurityContext
+ *out = new(v1.SecurityContext)
+ (*in).DeepCopyInto(*out)
+ }
+ in.Resources.DeepCopyInto(&out.Resources)
+ if in.NodeSelector != nil {
+ in, out := &in.NodeSelector, &out.NodeSelector
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
+ if in.Tolerations != nil {
+ in, out := &in.Tolerations, &out.Tolerations
+ *out = make([]v1.Toleration, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ if in.Affinity != nil {
+ in, out := &in.Affinity, &out.Affinity
+ *out = new(v1.Affinity)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.LivenessProbe != nil {
+ in, out := &in.LivenessProbe, &out.LivenessProbe
+ *out = new(v1.Probe)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.ReadinessProbe != nil {
+ in, out := &in.ReadinessProbe, &out.ReadinessProbe
+ *out = new(v1.Probe)
+ (*in).DeepCopyInto(*out)
+ }
+ out.Service = in.Service
+ in.ServiceAccount.DeepCopyInto(&out.ServiceAccount)
+ if in.Volumes != nil {
+ in, out := &in.Volumes, &out.Volumes
+ *out = make([]v1.Volume, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ if in.VolumeMounts != nil {
+ in, out := &in.VolumeMounts, &out.VolumeMounts
+ *out = make([]v1.VolumeMount, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ out.Distro = in.Distro
+ out.Apiserver = in.Apiserver
+ out.BucketAccessor = in.BucketAccessor
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpCredentialManagerSpec.
+func (in *GcpCredentialManagerSpec) DeepCopy() *GcpCredentialManagerSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(GcpCredentialManagerSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *HealthcheckSpec) DeepCopyInto(out *HealthcheckSpec) {
*out = *in
diff --git a/charts/aws-credential-manager/templates/mutating-webhook.yaml b/charts/aws-credential-manager/templates/mutating-webhook.yaml
similarity index 100%
rename from charts/aws-credential-manager/templates/mutating-webhook.yaml
rename to charts/aws-credential-manager/templates/mutating-webhook.yaml
diff --git a/charts/aws-credential-manager/values.openapiv3_schema.yaml b/charts/aws-credential-manager/values.openapiv3_schema.yaml
index 8530324f..3125a200 100644
--- a/charts/aws-credential-manager/values.openapiv3_schema.yaml
+++ b/charts/aws-credential-manager/values.openapiv3_schema.yaml
@@ -438,6 +438,75 @@ properties:
x-kubernetes-list-type: atomic
type: object
type: object
+ apiserver:
+ properties:
+ bypassValidatingWebhookXray:
+ type: boolean
+ ca:
+ type: string
+ enableMutatingWebhook:
+ type: boolean
+ enableValidatingWebhook:
+ type: boolean
+ groupPriorityMinimum:
+ type: integer
+ healthcheck:
+ properties:
+ enabled:
+ type: boolean
+ type: object
+ servingCerts:
+ properties:
+ caCrt:
+ type: string
+ generate:
+ type: boolean
+ serverCrt:
+ type: string
+ serverKey:
+ type: string
+ required:
+ - generate
+ type: object
+ useKubeapiserverFqdnForAks:
+ type: boolean
+ versionPriority:
+ type: integer
+ required:
+ - bypassValidatingWebhookXray
+ - ca
+ - enableMutatingWebhook
+ - enableValidatingWebhook
+ - groupPriorityMinimum
+ - healthcheck
+ - servingCerts
+ - useKubeapiserverFqdnForAks
+ - versionPriority
+ type: object
+ bucketAccessor:
+ properties:
+ awsMaxIntervalSeconds:
+ type: string
+ awsMaxWaitSeconds:
+ type: string
+ required:
+ - awsMaxIntervalSeconds
+ - awsMaxWaitSeconds
+ type: object
+ distro:
+ properties:
+ openshift:
+ type: boolean
+ ubi:
+ enum:
+ - all
+ - catalog
+ - operator
+ type: string
+ required:
+ - openshift
+ - ubi
+ type: object
fullnameOverride:
type: string
image:
@@ -479,6 +548,7 @@ properties:
format: int32
type: integer
service:
+ default: ''
type: string
required:
- port
@@ -578,6 +648,8 @@ properties:
runAsUser:
format: int64
type: integer
+ seLinuxChangePolicy:
+ type: string
seLinuxOptions:
properties:
level:
@@ -604,6 +676,8 @@ properties:
type: integer
type: array
x-kubernetes-list-type: atomic
+ supplementalGroupsPolicy:
+ type: string
sysctls:
items:
properties:
@@ -648,6 +722,7 @@ properties:
format: int32
type: integer
service:
+ default: ''
type: string
required:
- port
@@ -721,6 +796,8 @@ properties:
properties:
name:
type: string
+ request:
+ type: string
required:
- name
type: object
@@ -904,10 +981,12 @@ properties:
diskURI:
type: string
fsType:
+ default: ext4
type: string
kind:
type: string
readOnly:
+ default: false
type: boolean
required:
- diskName
@@ -1284,6 +1363,13 @@ properties:
required:
- path
type: object
+ image:
+ properties:
+ pullPolicy:
+ type: string
+ reference:
+ type: string
+ type: object
iscsi:
properties:
chapAuthDiscovery:
@@ -1297,6 +1383,7 @@ properties:
iqn:
type: string
iscsiInterface:
+ default: default
type: string
lun:
format: int32
@@ -1479,6 +1566,25 @@ properties:
type: array
x-kubernetes-list-type: atomic
type: object
+ podCertificate:
+ properties:
+ certificateChainPath:
+ type: string
+ credentialBundlePath:
+ type: string
+ keyPath:
+ type: string
+ keyType:
+ type: string
+ maxExpirationSeconds:
+ format: int32
+ type: integer
+ signerName:
+ type: string
+ required:
+ - keyType
+ - signerName
+ type: object
secret:
properties:
items:
@@ -1545,6 +1651,7 @@ properties:
image:
type: string
keyring:
+ default: /etc/ceph/keyring
type: string
monitors:
items:
@@ -1552,6 +1659,7 @@ properties:
type: array
x-kubernetes-list-type: atomic
pool:
+ default: rbd
type: string
readOnly:
type: boolean
@@ -1563,6 +1671,7 @@ properties:
type: object
x-kubernetes-map-type: atomic
user:
+ default: admin
type: string
required:
- image
@@ -1571,6 +1680,7 @@ properties:
scaleIO:
properties:
fsType:
+ default: xfs
type: string
gateway:
type: string
@@ -1588,6 +1698,7 @@ properties:
sslEnabled:
type: boolean
storageMode:
+ default: ThinProvisioned
type: string
storagePool:
type: string
diff --git a/charts/aws-credential-manager/values.yaml b/charts/aws-credential-manager/values.yaml
index 8a1742d8..1313bce2 100644
--- a/charts/aws-credential-manager/values.yaml
+++ b/charts/aws-credential-manager/values.yaml
@@ -125,4 +125,4 @@ apiserver:
# Serving certficate used by webhook server.
serverCrt: ""
# Private key for the serving certificate used by webhook server.
- serverKey: ""
\ No newline at end of file
+ serverKey: ""
diff --git a/charts/gcp-credential-manager/.helmignore b/charts/gcp-credential-manager/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/gcp-credential-manager/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/gcp-credential-manager/Chart.yaml b/charts/gcp-credential-manager/Chart.yaml
new file mode 100644
index 00000000..310db739
--- /dev/null
+++ b/charts/gcp-credential-manager/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: gcp-credential-manager
+description: A Helm chart for GCP Credential Manager
+type: application
+version: v2026.3.11
+appVersion: v0.1.0
+home: https://github.com/appscode-cloud
+icon: https://cdn.appscode.com/images/products/bytebuilders/icons/android-icon-192x192.png
+sources:
+- https://github.com/appscode-cloud
+maintainers:
+- name: appscode
+ email: support@appscode.com
diff --git a/charts/gcp-credential-manager/README.md b/charts/gcp-credential-manager/README.md
new file mode 100644
index 00000000..513b2876
--- /dev/null
+++ b/charts/gcp-credential-manager/README.md
@@ -0,0 +1,113 @@
+# GCP Credential Manager
+
+[GCP Credential Manager by AppsCode](https://github.com/appscode-cloud) - GCP Credential Manager
+
+## TL;DR;
+
+```bash
+$ helm repo add appscode https://charts.appscode.com/stable
+$ helm repo update
+$ helm search repo appscode/gcp-credential-manager --version=v2026.3.11
+$ helm upgrade -i gcp-credential-manager appscode/gcp-credential-manager -n kubeops --create-namespace --version=v2026.3.11
+```
+
+## Introduction
+
+This chart deploys a GCP Credential Manager on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes 1.29+
+
+## Installing the Chart
+
+To install/upgrade the chart with the release name `gcp-credential-manager`:
+
+```bash
+$ helm upgrade -i gcp-credential-manager appscode/gcp-credential-manager -n kubeops --create-namespace --version=v2026.3.11
+```
+
+The command deploys a GCP Credential Manager on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall the `gcp-credential-manager`:
+
+```bash
+$ helm uninstall gcp-credential-manager -n kubeops
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+
+The following table lists the configurable parameters of the `gcp-credential-manager` chart and their default values.
+
+| Parameter | Description | Default |
+|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| replicaCount | | 1 |
+| registryFQDN | Docker registry fqdn used to pull app related images. Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ghcr.io |
+| image.registry | Docker registry used to pull app container image | appscode |
+| image.repository | | gcp-credential-manager |
+| image.pullPolicy | | IfNotPresent |
+| image.tag | Overrides the image tag whose default is the chart appVersion. | "" |
+| imagePullSecrets | | [] |
+| nameOverride | | "" |
+| fullnameOverride | | "" |
+| serviceAccount.create | Specifies whether a service account should be created | true |
+| serviceAccount.annotations | Annotations to add to the service account | {} |
+| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" |
+| podAnnotations | | {} |
+| podLabels | | {} |
+| podSecurityContext | | {} |
+| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} |
+| service.type | | ClusterIP |
+| service.port | | 8081 |
+| resources | | {} |
+| livenessProbe.httpGet.path | | /healthz |
+| livenessProbe.httpGet.port | | 8081 |
+| livenessProbe.httpGet.scheme | | HTTP |
+| livenessProbe.initialDelaySeconds | | 15 |
+| livenessProbe.periodSeconds | | 20 |
+| readinessProbe.httpGet.path | | /readyz |
+| readinessProbe.httpGet.port | | 8081 |
+| readinessProbe.httpGet.scheme | | HTTP |
+| readinessProbe.initialDelaySeconds | | 5 |
+| readinessProbe.periodSeconds | | 10 |
+| volumes | | [] |
+| volumeMounts | | [] |
+| nodeSelector | | {} |
+| tolerations | | [] |
+| affinity | | {} |
+| distro.openshift | Set true, if installed in OpenShift | false |
+| distro.ubi | Set operator or all to use ubi images | "" |
+| bucketAccessor.gcsMaxIntervalSeconds | | "5" |
+| bucketAccessor.gcsMaxWaitSeconds | | "300" |
+| apiserver.groupPriorityMinimum | The minimum priority the webhook api group should have at least. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64 for more information on proper values of this field. | 10000 |
+| apiserver.versionPriority | The ordering of the webhook api inside of the group. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70 for more information on proper values of this field | 15 |
+| apiserver.enableMutatingWebhook | If true, mutating webhook is configured for Kubernetes workloads | true |
+| apiserver.enableValidatingWebhook | If true, validating webhook is configured for Stash CRDss | true |
+| apiserver.ca | CA certificate used by the Kubernetes api server. This field is automatically assigned by the operator. | not-ca-cert |
+| apiserver.bypassValidatingWebhookXray | If true, bypasses checks that validating webhook is actually enabled in the Kubernetes cluster. | false |
+| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true |
+| apiserver.healthcheck.enabled | If true, enables the readiness and liveliness probes for the operator pod. | false |
+| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | true |
+| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of webhook server. | "" |
+| apiserver.servingCerts.serverCrt | Serving certficate used by webhook server. | "" |
+| apiserver.servingCerts.serverKey | Private key for the serving certificate used by webhook server. | "" |
+
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
+
+```bash
+$ helm upgrade -i gcp-credential-manager appscode/gcp-credential-manager -n kubeops --create-namespace --version=v2026.3.11 --set replicaCount=1
+```
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while
+installing the chart. For example:
+
+```bash
+$ helm upgrade -i gcp-credential-manager appscode/gcp-credential-manager -n kubeops --create-namespace --version=v2026.3.11 --values values.yaml
+```
diff --git a/charts/gcp-credential-manager/doc.yaml b/charts/gcp-credential-manager/doc.yaml
new file mode 100644
index 00000000..e4b4decf
--- /dev/null
+++ b/charts/gcp-credential-manager/doc.yaml
@@ -0,0 +1,18 @@
+project:
+ name: GCP Credential Manager by AppsCode
+ shortName: GCP Credential Manager
+ url: https://github.com/appscode-cloud
+ description: GCP Credential Manager
+ app: a GCP Credential Manager
+repository:
+ url: https://charts.appscode.com/stable
+ name: appscode
+chart:
+ name: gcp-credential-manager
+ values: -- generate from values file --
+ valuesExample: -- generate from values file --
+prerequisites:
+- Kubernetes 1.29+
+release:
+ name: gcp-credential-manager
+ namespace: kubeops
diff --git a/charts/gcp-credential-manager/templates/NOTES.txt b/charts/gcp-credential-manager/templates/NOTES.txt
new file mode 100644
index 00000000..f8535e76
--- /dev/null
+++ b/charts/gcp-credential-manager/templates/NOTES.txt
@@ -0,0 +1,3 @@
+Application deployed. Find pods by running the following command:
+
+kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "gcp-credential-manager.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
diff --git a/charts/gcp-credential-manager/templates/_helpers.tpl b/charts/gcp-credential-manager/templates/_helpers.tpl
new file mode 100644
index 00000000..1ba7a9e6
--- /dev/null
+++ b/charts/gcp-credential-manager/templates/_helpers.tpl
@@ -0,0 +1,125 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gcp-credential-manager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gcp-credential-manager.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gcp-credential-manager.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "gcp-credential-manager.labels" -}}
+helm.sh/chart: {{ include "gcp-credential-manager.chart" . }}
+{{ include "gcp-credential-manager.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "gcp-credential-manager.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "gcp-credential-manager.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "gcp-credential-manager.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "gcp-credential-manager.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Returns the registry used for image docker image
+*/}}
+{{- define "image.registry" -}}
+{{- list .Values.registryFQDN .Values.image.registry | compact | join "/" }}
+{{- end }}
+
+{{- define "appscode.imagePullSecrets" -}}
+{{- with .Values.imagePullSecrets -}}
+imagePullSecrets:
+{{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Returns whether the OpenShift distribution is used
+*/}}
+{{- define "distro.openshift" -}}
+{{- or (.Capabilities.APIVersions.Has "project.openshift.io/v1/Project") .Values.distro.openshift -}}
+{{- end }}
+
+{{/*
+Returns if ubi images are to be used
+*/}}
+{{- define "operator.ubi" -}}
+{{ ternary "-ubi" "" (list "operator" "all" | has .Values.distro.ubi) }}
+{{- end }}
+
+
+{{ define "gcp-credential-manager.webhookServiceName" -}}
+{{- printf "%s-webhook" (include "gcp-credential-manager.fullname" . ) | trunc 63 | trimPrefix "-" -}}
+{{- end -}}
+
+{{/*
+Prepare certs
+*/}}
+{{- define "gcp-credential-manager.prepare-certs" -}}
+{{- if not ._caCrt }}
+{{- $caCrt := "" }}
+{{- $serverCrt := "" }}
+{{- $serverKey := "" }}
+{{- if .Values.apiserver.servingCerts.generate }}
+{{- $ca := genCA "ca" 3650 }}
+{{ $cn := include "gcp-credential-manager.webhookServiceName" . -}}
+{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }}
+{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }}
+{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
+{{- $caCrt = b64enc $ca.Cert }}
+{{- $serverCrt = b64enc $server.Cert }}
+{{- $serverKey = b64enc $server.Key }}
+{{- else }}
+{{- $caCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.caCrt }}
+{{- $serverCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverCrt }}
+{{- $serverKey = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverKey }}
+{{- end }}
+
+{{ $_ := set $ "_caCrt" $caCrt }}
+{{ $_ := set $ "_serverCrt" $serverCrt }}
+{{ $_ := set $ "_serverKey" $serverKey }}
+
+{{- end }}
+{{- end }}
\ No newline at end of file
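Review bot: In `gcp-credential-manager.webhookServiceName` the result is cleaned with `trimPrefix "-"` after `trunc 63`, but truncation can only leave a stray hyphen at the end, so this should read `| trunc 63 | trimSuffix "-"` like the other name helpers in this file. Because `fullname` is already cut to 63 characters, a long release name would truncate the `-webhook` suffix away entirely, and `prepare-certs` uses the same string as the certificate CN and SAN base; shortening the fullname first, e.g. `(include "gcp-credential-manager.fullname" . | trunc 55 | trimSuffix "-")`, keeps the two names distinct. Separately, `genCA "ca" 3650` and `genSignedCert ... 3650` give a ten-year validity and produce new material on each render, so a comment should state that every install/upgrade with `servingCerts.generate=true` replaces the CA and serving key. The helpers `image.registry`, `distro.openshift`, `operator.ubi` and `appscode.imagePullSecrets` are not prefixed with the chart name; Helm template names are global across a parent chart and its subcharts, so prefixing them would avoid one definition silently overriding another.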
diff --git a/charts/gcp-credential-manager/templates/cert.yaml b/charts/gcp-credential-manager/templates/cert.yaml
new file mode 100644
index 00000000..b8c65115
--- /dev/null
+++ b/charts/gcp-credential-manager/templates/cert.yaml
@@ -0,0 +1,16 @@
+{{ template "gcp-credential-manager.prepare-certs" $ }}
+
+{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "gcp-credential-manager.fullname" . }}-apiserver-cert
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+type: Opaque
+data:
+ ca.crt: {{ $._caCrt }}
+ tls.crt: {{ $._serverCrt }}
+ tls.key: {{ $._serverKey }}
+{{- end }}
\ No newline at end of file
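Review bot: `{{ template "gcp-credential-manager.prepare-certs" $ }}` on the first line runs before the `if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook` guard, so the helper's `required` calls abort rendering when `apiserver.servingCerts.generate` is false, even if both webhooks are disabled and no certificate is needed. With `generate: true` the same ordering produces a CA and server key that are then thrown away. Moving the `template` line inside the guard avoids both, and mutating-webhook.yaml has the same ordering. In the `generate: false` branch the supplied `caCrt`/`serverCrt`/`serverKey` reach `data:` without `b64enc`, so they must already be base64. A comment next to `data:` would prevent a malformed Secret, for example `# values must be base64-encoded when apiserver.servingCerts.generate is false`.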
diff --git a/charts/gcp-credential-manager/templates/deployment.yaml b/charts/gcp-credential-manager/templates/deployment.yaml
new file mode 100644
index 00000000..6236075d
--- /dev/null
+++ b/charts/gcp-credential-manager/templates/deployment.yaml
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "gcp-credential-manager.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "gcp-credential-manager.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "appscode.imagePullSecrets" . | nindent 6 }}
+ serviceAccountName: {{ include "gcp-credential-manager.serviceAccountName" . }}
+ {{- if eq "true" ( include "distro.openshift" . ) }}
+ securityContext:
+ {{- toYaml (omit .Values.podSecurityContext "runAsUser" "runAsGroup" "fsGroup" "supplementalGroups") | nindent 8 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ {{- if eq "true" ( include "distro.openshift" . ) }}
+ securityContext:
+ {{- toYaml (omit .Values.securityContext "runAsUser" "runAsGroup" "fsGroup" "supplementalGroups") | nindent 12 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
+ image: {{ include "image.registry" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ include "operator.ubi" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - run
+ - --metrics-bind-address=:8443
+ - --leader-elect=false
+ - --health-probe-bind-address=:{{ .Values.service.port }}
+ {{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}
+ - --webhook-cert-path=/var/serving-cert
+ {{- end }}
+ - --gcs-max-interval-seconds={{ .Values.bucketAccessor.gcsMaxIntervalSeconds }}
+ - --gcs-max-wait-seconds={{ .Values.bucketAccessor.gcsMaxWaitSeconds }}
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ livenessProbe:
+ {{- toYaml .Values.livenessProbe | nindent 12 }}
+ readinessProbe:
+ {{- toYaml .Values.readinessProbe | nindent 12 }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ {{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}
+ - mountPath: /var/serving-cert
+ name: serving-cert
+ {{- end }}
+ {{- with .Values.volumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumes:
+ {{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}
+ - name: serving-cert
+ secret:
+ defaultMode: 420
+ secretName: {{ include "gcp-credential-manager.fullname" . }}-apiserver-cert
+ {{- end }}
+ {{- with .Values.volumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
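Review bot: The `serving-cert` volume is projected with `defaultMode: 420` (octal 0644), so `tls.key` from the `-apiserver-cert` Secret is readable by any user inside the container. Tightening it to `defaultMode: 288` (0440) keeps the key readable to the manager through the pod's fsGroup while removing world read; this assumes an fsGroup is in effect, which the OpenShift branch leaves to the platform, so it should be checked on both paths. The mount itself can also say `readOnly: true` under `- mountPath: /var/serving-cert` to make the intent explicit.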
diff --git a/charts/gcp-credential-manager/templates/mutating-webhook.yaml b/charts/gcp-credential-manager/templates/mutating-webhook.yaml
new file mode 100644
index 00000000..35fd575b
--- /dev/null
+++ b/charts/gcp-credential-manager/templates/mutating-webhook.yaml
@@ -0,0 +1,33 @@
+{{ template "gcp-credential-manager.prepare-certs" $ }}
+
+{{- if .Values.apiserver.enableMutatingWebhook }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ include "gcp-credential-manager.fullname" . }}
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+webhooks:
+ - name: vjob-v1.kb.io
+ admissionReviewVersions:
+ - v1
+ failurePolicy: Fail
+ sideEffects: None
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ apiGroups:
+ - batch
+ apiVersions:
+ - v1
+ resources:
+ - jobs
+ clientConfig:
+ service:
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "gcp-credential-manager.webhookServiceName" . }}
+ path: /mutate-batch-v1-job
+ caBundle: {{ $._caCrt }}
+{{- end }}
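Review bot: The webhook combines `failurePolicy: Fail` with a rule covering CREATE, UPDATE and DELETE of every `batch/v1` Job in the cluster, and it has no `namespaceSelector`, `objectSelector` or `timeoutSeconds`. Whenever the manager pod is unavailable, Job operations are rejected everywhere, including in system namespaces and in the release namespace itself, which can block the repairs needed to bring the webhook back. Scoping the webhook and bounding the call time limits that blast radius; the namespaces and timeout in the sketch below are illustrative and should match what the controller actually needs to see. The name `vjob-v1.kb.io` also reads as a validating webhook, although the path is `/mutate-batch-v1-job`, so a mutating-style name would be less confusing in audit logs.

```yaml
    failurePolicy: Fail
    timeoutSeconds: 5
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
            - {{ .Release.Namespace }}
    # … unchanged: sideEffects, rules, clientConfig …
```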
diff --git a/charts/gcp-credential-manager/templates/rbac.yaml b/charts/gcp-credential-manager/templates/rbac.yaml
new file mode 100644
index 00000000..5ce28184
--- /dev/null
+++ b/charts/gcp-credential-manager/templates/rbac.yaml
@@ -0,0 +1,135 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "gcp-credential-manager.fullname" . }}:leader-election
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "gcp-credential-manager.fullname" . }}:manager
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "gcp-credential-manager.fullname" . }}:leader-election
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "gcp-credential-manager.fullname" . }}:leader-election
+subjects:
+- kind: ServiceAccount
+ name: {{ include "gcp-credential-manager.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "gcp-credential-manager.fullname" . }}:manager
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "gcp-credential-manager.fullname" . }}:manager
+subjects:
+- kind: ServiceAccount
+ name: {{ include "gcp-credential-manager.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "gcp-credential-manager.fullname" . }}:metrics-auth
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+ name: {{ include "gcp-credential-manager.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
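Review bot: The `:leader-election` Role and RoleBinding grant create/update/patch/delete on `configmaps` and `leases` in the release namespace, but deployment.yaml in this diff starts the manager with `--leader-elect=false`, so as written these permissions appear unused. Either render the Role and binding only when leader election is enabled, or enable election; the latter matters because `replicas` comes from `.Values.replicaCount`, and more than one replica without election would run concurrent controllers. The `:manager` ClusterRole also grants cluster-wide create/delete/patch/update on `serviceaccounts`, which is a sensitive permission. A comment above that rule naming the controller that needs it, such as `# required by <controller>: manages ServiceAccounts in tenant namespaces`, would let reviewers confirm that narrower access is not sufficient.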
diff --git a/charts/gcp-credential-manager/templates/service.yaml b/charts/gcp-credential-manager/templates/service.yaml
new file mode 100644
index 00000000..7b617ca9
--- /dev/null
+++ b/charts/gcp-credential-manager/templates/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "gcp-credential-manager.webhookServiceName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ targetPort: 9443
+ selector:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
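Review bot: The Service `selector:` is built from `gcp-credential-manager.labels`, whereas the Deployment's `matchLabels` uses `gcp-credential-manager.selectorLabels`. The `labels` helper is defined outside this hunk, but if it carries chart or app version labels, as the usual Helm scaffold does, the selector changes on every upgrade and matches only new-revision pods during a rollout. With `failurePolicy: Fail` on the webhook, that can leave the Service briefly without endpoints. Use `{{- include "gcp-credential-manager.selectorLabels" . | nindent 4 }}` here. The Service is also rendered when both webhooks are disabled; wrapping it in the same `if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook` guard as cert.yaml would avoid exposing an unused port.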
diff --git a/charts/gcp-credential-manager/templates/serviceaccount.yaml b/charts/gcp-credential-manager/templates/serviceaccount.yaml
new file mode 100644
index 00000000..bb96876a
--- /dev/null
+++ b/charts/gcp-credential-manager/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gcp-credential-manager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gcp-credential-manager.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: true
+{{- end }}
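Review bot: `name: gcp-credential-manager` is hard-coded, while deployment.yaml and rbac.yaml in this diff refer to the account through `include "gcp-credential-manager.serviceAccountName" .`. That helper is defined outside this hunk, but if it follows the usual pattern of honouring `serviceAccount.name` or the release full name, the names diverge for any release not called exactly `gcp-credential-manager`. The pod would then reference a ServiceAccount that was never created, and the role bindings would name a subject that does not exist. Use `name: {{ include "gcp-credential-manager.serviceAccountName" . }}` so the three templates stay in step.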
diff --git a/charts/gcp-credential-manager/values.openapiv3_schema.yaml b/charts/gcp-credential-manager/values.openapiv3_schema.yaml
new file mode 100644
index 00000000..01cbc7d5
--- /dev/null
+++ b/charts/gcp-credential-manager/values.openapiv3_schema.yaml
@@ -0,0 +1,1782 @@
+properties:
+ affinity:
+ properties:
+ nodeAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ preference:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ properties:
+ nodeSelectorTerms:
+ items:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ apiserver:
+ properties:
+ bypassValidatingWebhookXray:
+ type: boolean
+ ca:
+ type: string
+ enableMutatingWebhook:
+ type: boolean
+ enableValidatingWebhook:
+ type: boolean
+ groupPriorityMinimum:
+ type: integer
+ healthcheck:
+ properties:
+ enabled:
+ type: boolean
+ type: object
+ servingCerts:
+ properties:
+ caCrt:
+ type: string
+ generate:
+ type: boolean
+ serverCrt:
+ type: string
+ serverKey:
+ type: string
+ required:
+ - generate
+ type: object
+ useKubeapiserverFqdnForAks:
+ type: boolean
+ versionPriority:
+ type: integer
+ required:
+ - bypassValidatingWebhookXray
+ - ca
+ - enableMutatingWebhook
+ - enableValidatingWebhook
+ - groupPriorityMinimum
+ - healthcheck
+ - servingCerts
+ - useKubeapiserverFqdnForAks
+ - versionPriority
+ type: object
+ bucketAccessor:
+ properties:
+ gcsMaxIntervalSeconds:
+ type: string
+ gcsMaxWaitSeconds:
+ type: string
+ required:
+ - gcsMaxIntervalSeconds
+ - gcsMaxWaitSeconds
+ type: object
+ distro:
+ properties:
+ openshift:
+ type: boolean
+ ubi:
+ enum:
+ - all
+ - catalog
+ - operator
+ type: string
+ required:
+ - openshift
+ - ubi
+ type: object
+ fullnameOverride:
+ type: string
+ image:
+ properties:
+ pullPolicy:
+ type: string
+ registry:
+ type: string
+ repository:
+ type: string
+ tag:
+ type: string
+ required:
+ - pullPolicy
+ - registry
+ - repository
+ - tag
+ type: object
+ imagePullSecrets:
+ items:
+ type: string
+ type: array
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ default: ''
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ nameOverride:
+ type: string
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ podAnnotations:
+ additionalProperties:
+ type: string
+ type: object
+ podLabels:
+ additionalProperties:
+ type: string
+ type: object
+ podSecurityContext:
+ properties:
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ fsGroup:
+ format: int64
+ type: integer
+ fsGroupChangePolicy:
+ type: string
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxChangePolicy:
+ type: string
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ supplementalGroups:
+ items:
+ format: int64
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ supplementalGroupsPolicy:
+ type: string
+ sysctls:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ default: ''
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ registryFQDN:
+ type: string
+ replicaCount:
+ format: int32
+ type: integer
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ request:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ securityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ service:
+ properties:
+ port:
+ type: integer
+ type:
+ type: string
+ required:
+ - port
+ - type
+ type: object
+ serviceAccount:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ create:
+ type: boolean
+ name:
+ type: string
+ required:
+ - create
+ type: object
+ tolerations:
+ items:
+ properties:
+ effect:
+ type: string
+ key:
+ type: string
+ operator:
+ type: string
+ tolerationSeconds:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: array
+ volumeMounts:
+ items:
+ properties:
+ mountPath:
+ type: string
+ mountPropagation:
+ type: string
+ name:
+ type: string
+ readOnly:
+ type: boolean
+ recursiveReadOnly:
+ type: string
+ subPath:
+ type: string
+ subPathExpr:
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ volumes:
+ items:
+ properties:
+ awsElasticBlockStore:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ properties:
+ cachingMode:
+ type: string
+ diskName:
+ type: string
+ diskURI:
+ type: string
+ fsType:
+ default: ext4
+ type: string
+ kind:
+ type: string
+ readOnly:
+ default: false
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ properties:
+ readOnly:
+ type: boolean
+ secretName:
+ type: string
+ shareName:
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ properties:
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ secretFile:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ''
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ''
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ''
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ nodePublishSecretRef:
+ properties:
+ name:
+ default: ''
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ properties:
+ volumeClaimTemplate:
+ properties:
+ metadata:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ finalizers:
+ items:
+ type: string
+ type: array
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ name:
+ type: string
+ namespace:
+ type: string
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ properties:
+ fsType:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ targetWWNs:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ type: object
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ''
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ properties:
+ datasetName:
+ type: string
+ datasetUUID:
+ type: string
+ type: object
+ gcePersistentDisk:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ pdName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ properties:
+ directory:
+ type: string
+ repository:
+ type: string
+ revision:
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ properties:
+ endpoints:
+ type: string
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ image:
+ properties:
+ pullPolicy:
+ type: string
+ reference:
+ type: string
+ type: object
+ iscsi:
+ properties:
+ chapAuthDiscovery:
+ type: boolean
+ chapAuthSession:
+ type: boolean
+ fsType:
+ type: string
+ initiatorName:
+ type: string
+ iqn:
+ type: string
+ iscsiInterface:
+ default: default
+ type: string
+ lun:
+ format: int32
+ type: integer
+ portals:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ''
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ type: string
+ nfs:
+ properties:
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ server:
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ properties:
+ claimName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ properties:
+ fsType:
+ type: string
+ pdID:
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ sources:
+ items:
+ properties:
+ clusterTrustBundle:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ type: string
+ optional:
+ type: boolean
+ path:
+ type: string
+ signerName:
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ''
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ properties:
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podCertificate:
+ properties:
+ certificateChainPath:
+ type: string
+ credentialBundlePath:
+ type: string
+ keyPath:
+ type: string
+ keyType:
+ type: string
+ maxExpirationSeconds:
+ format: int32
+ type: integer
+ signerName:
+ type: string
+ required:
+ - keyType
+ - signerName
+ type: object
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ''
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ properties:
+ audience:
+ type: string
+ expirationSeconds:
+ format: int64
+ type: integer
+ path:
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ properties:
+ group:
+ type: string
+ readOnly:
+ type: boolean
+ registry:
+ type: string
+ tenant:
+ type: string
+ user:
+ type: string
+ volume:
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ properties:
+ fsType:
+ type: string
+ image:
+ type: string
+ keyring:
+ default: /etc/ceph/keyring
+ type: string
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ default: rbd
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ''
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ default: admin
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ properties:
+ fsType:
+ default: xfs
+ type: string
+ gateway:
+ type: string
+ protectionDomain:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ''
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ type: boolean
+ storageMode:
+ default: ThinProvisioned
+ type: string
+ storagePool:
+ type: string
+ system:
+ type: string
+ volumeName:
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ type: boolean
+ secretName:
+ type: string
+ type: object
+ storageos:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ''
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ type: string
+ volumeNamespace:
+ type: string
+ type: object
+ vsphereVolume:
+ properties:
+ fsType:
+ type: string
+ storagePolicyID:
+ type: string
+ storagePolicyName:
+ type: string
+ volumePath:
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+required:
+- image
+- replicaCount
+- service
+- serviceAccount
+- volumeMounts
+- volumes
+type: object
diff --git a/charts/gcp-credential-manager/values.yaml b/charts/gcp-credential-manager/values.yaml
new file mode 100644
index 00000000..4cb62a5f
--- /dev/null
+++ b/charts/gcp-credential-manager/values.yaml
@@ -0,0 +1,107 @@
+# Default values for gcp-credential-manager.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+# Docker registry fqdn used to pull app related images.
+# Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image}
+registryFQDN: ghcr.io
+image:
+ # Docker registry used to pull app container image
+ registry: appscode
+ repository: gcp-credential-manager
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+podAnnotations: {}
+podLabels: {}
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: # +doc-gen:break
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+service:
+ type: ClusterIP
+ port: 8081
+resources: {}
+
+livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ scheme: HTTP
+ initialDelaySeconds: 15
+ periodSeconds: 20
+readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+volumes: []
+volumeMounts: []
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+distro:
+ # Set true, if installed in OpenShift
+ openshift: false
+ # Set operator or all to use ubi images
+ ubi: ""
+
+bucketAccessor:
+ gcsMaxIntervalSeconds: "5"
+ gcsMaxWaitSeconds: "300"
+
+apiserver:
+ # The minimum priority the webhook api group should have at least. Please see
+ # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64
+ # for more information on proper values of this field.
+ groupPriorityMinimum: 10000
+ # The ordering of the webhook api inside of the group. Please see
+ # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70
+ # for more information on proper values of this field
+ versionPriority: 15
+ # If true, mutating webhook is configured for Kubernetes workloads
+ enableMutatingWebhook: true
+ # If true, validating webhook is configured for Stash CRDss
+ enableValidatingWebhook: true
+ # CA certificate used by the Kubernetes api server. This field is automatically assigned by the operator.
+ ca: not-ca-cert
+ # If true, bypasses checks that validating webhook is actually enabled in the Kubernetes cluster.
+ bypassValidatingWebhookXray: false
+ # If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
+ useKubeapiserverFqdnForAks: true
+ healthcheck:
+ # If true, enables the readiness and liveliness probes for the operator pod.
+ enabled: false
+ servingCerts:
+ # If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor)
+ # to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`.
+ generate: true
+ # CA certficate used by serving certificate of webhook server.
+ caCrt: ""
+ # Serving certficate used by webhook server.
+ serverCrt: ""
+ # Private key for the serving certificate used by webhook server.
+ serverKey: ""
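Review bot: The `apiserver.servingCerts` block lets `serverKey`, the webhook server's private key, be supplied as an ordinary chart value when `generate` is false, and the comments do not say how that key should be handled. Values passed this way usually end up in values files and in the release record Helm keeps in the cluster, so I would extend the comment to something like `# Private key for the serving certificate; pass it with --set-file from a protected source and never commit it to a values file.` The comments in this block also look copied from another chart: the one on `enableValidatingWebhook` refers to "Stash CRDss", and two lines spell "certficate"; they should name this chart's own resources and be spelled correctly. Separately, `apiserver.healthcheck.enabled` defaults to false while top-level `livenessProbe` and `readinessProbe` are defined; which of these the templates honour is not visible in this hunk and deserves a one-line comment.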