Chapter 3 scaffolding. Chart layout mirrors the CloudNativePG convention after reviewing the CRD-in-chart vs CRD-as-hook tradeoff: CRDs live inside templates/ (so helm upgrade re-applies schema changes) with helm.sh/resource-policy: keep so helm uninstall never deletes them. Chart publication target is hub.nationtech.io. CRD yaml is generated at chart-release time by a new `iot-operator-v0 gen-chart-crd` subcommand reading Deployment::crd() — the runtime install path remains the typed Score; only the chart deliverable uses generated yaml. Wrapped with the helm conditional + annotations by templates/crds.yaml via .Files.Get so the generated yaml stays pure. Install / upgrade / uninstall-preserves-CRD validated against a scratch k3d cluster; the operator pod naturally stays pending because the hub.nationtech.io image hasn't been published yet.
80 lines
2.0 KiB
YAML
```yaml
## iot-operator-v0 helm chart values.
## Cnpg-aligned conventions: image.* shape, crds.create toggle,
## non-root podSecurityContext, resources{} stub.

image:
  repository: hub.nationtech.io/iot-operator-v0
  # Defaults to .Chart.AppVersion when unset.
  tag: ""
  pullPolicy: IfNotPresent

imagePullSecrets: []

## Controller is singleton today — kube-rs Controller handles
## reconcile-level concurrency within the process. Multi-replica
## HA would need leader election wired up first (see ROADMAP
## for future work).
replicaCount: 1

## NATS connection. The operator connects to this URL on startup
## and stays connected; a flaky NATS link surfaces as pod restart.
nats:
  url: nats://nats.iot-system.svc.cluster.local:4222

## Override the KV bucket name the operator writes desired-state
## into. Defaults to harmony-reconciler-contracts' BUCKET_DESIRED_STATE
## constant, so this is only useful for multi-tenant testbeds.
kvBucket: ""

## RUST_LOG directive passed through to the operator pod.
logLevel: info

## CRDs. Cnpg pattern: install by default, gated by this toggle so
## GitOps/cluster-admin teams managing CRDs out-of-band can flip
## it off. Resource-policy: keep annotation on the CRDs themselves
## means `helm uninstall` never deletes them (and therefore never
## deletes customer CRs).
crds:
  create: true

serviceAccount:
  create: true
  # Leave empty to default to the release name.
  name: ""
  annotations: {}

rbac:
  create: true

## Standard k8s resource requests/limits. Left unset by default;
## uncomment and tune before running in production.
resources: {}
  # limits:
  #   cpu: 200m
  #   memory: 256Mi
  # requests:
  #   cpu: 50m
  #   memory: 128Mi

podSecurityContext:
  runAsNonRoot: true
  runAsUser: 10001
  runAsGroup: 10001
  fsGroup: 10001
  seccompProfile:
    type: RuntimeDefault

containerSecurityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

nodeSelector: {}
tolerations: []
affinity: {}

podAnnotations: {}
podLabels: {}
```
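An added example, not part of the chart or this repository: a Python check that audits a pod spec (for instance `spec.template.spec` of the rendered Deployment, loaded from JSON) against the hardening baseline that `podSecurityContext` and `containerSecurityContext` set above. The `HARDENED` sample, the container name and the image tag placeholder are constructed, and the function name is hypothetical; container-level settings are treated as overriding pod-level ones, as Kubernetes does.

```python
# Constructed sample: the pod spec a Deployment template would carry if it
# passed the values above through unchanged. Container name and image tag
# are placeholders, not taken from the chart.
HARDENED = {
    "securityContext": {
        "runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
        "fsGroup": 10001, "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "operator",
        "image": "hub.nationtech.io/iot-operator-v0:PLACEHOLDER",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}


def audit_pod_spec(spec):
    """Return findings for a pod spec; an empty list means it meets the baseline."""
    findings = []
    pod_sc = spec.get("securityContext") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")

        def eff(key):
            # A container-level setting overrides the pod-level one.
            return sc[key] if key in sc else pod_sc.get(key)

        if eff("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if eff("runAsUser") == 0:
            findings.append(f"{name}: runAsUser is 0")
        seccomp = (eff("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile is unset or Unconfined")
        # The remaining fields exist only at container level.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: capabilities.drop lacks ALL")
        if caps.get("add"):
            findings.append(f"{name}: capabilities.add is set: {caps['add']}")
    return findings
```

Running it over every container, including init containers, catches a value override that relaxes one container while the pod-level context still looks hardened.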