spectrocloud · vishwanaths · Apr 10, 2025 · Mar 20, 2025 · Apr 8, 2025 · Apr 8, 2025
diff --git a/packs/medik8s-1.0.0/charts/medik8s-1.0.0.tgz b/packs/medik8s-1.0.0/charts/medik8s-1.0.0.tgz
diff --git a/packs/medik8s-1.0.0/charts/medik8s/.helmignore b/packs/medik8s-1.0.0/charts/medik8s/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/packs/medik8s-1.0.0/charts/medik8s/Chart.yaml b/packs/medik8s-1.0.0/charts/medik8s/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: medik8s
+description: Kubernetes Node Remediation
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"
diff --git a/packs/medik8s-1.0.0/charts/medik8s/crds/nhc_crd.yaml b/packs/medik8s-1.0.0/charts/medik8s/crds/nhc_crd.yaml
diff --git a/packs/medik8s-1.0.0/charts/medik8s/crds/olm_crds.yaml b/packs/medik8s-1.0.0/charts/medik8s/crds/olm_crds.yaml
diff --git a/packs/medik8s-1.0.0/charts/medik8s/templates/cleanup.yaml b/packs/medik8s-1.0.0/charts/medik8s/templates/cleanup.yaml
@@ -0,0 +1,123 @@
+{{- if or .Values.olm.install .Values.operators.cleanupOnDelete.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: medik8s-resource-cleanup
+  namespace: kube-system
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      name: medik8s-resource-cleanup
+    spec:
+      serviceAccountName: sa-medik8s-resource-cleanup
+      restartPolicy: OnFailure
+{{- if and (not .Values.olm.install) .Values.operators.cleanupOnDelete.enabled }}
+      containers:
+{{- else if and .Values.olm.install .Values.operators.cleanupOnDelete.enabled }}
+      initContainers:
+{{- end }}
+{{- if .Values.operators.cleanupOnDelete.enabled }}
+        - name: medik8s-operators-cleanup
+          image: bitnami/kubectl
+          imagePullPolicy: {{ .Values.olm.packageserver.imagePullPolicy }}
+          command:
+          - bash
+          - -c
+          - >
+              echo "Cleaning up operator custom resources";
+          {{- range $item := .Values.operators.cleanupOnDelete.subscriptions }}
+              kubectl delete subscriptions.operators.coreos.com --ignore-not-found=true -n {{ $.Values.operators.namespace }} {{ $item }};
+          {{- end -}}
+          {{- range $item := .Values.operators.cleanupOnDelete.operators }}
+              kubectl delete operators.operators.coreos.com --ignore-not-found=true -n {{ $.Values.operators.namespace }} {{ $item }};
+          {{- end -}}
+          {{- range $item := .Values.operators.cleanupOnDelete.clusterServiceVersions }}
+              kubectl delete clusterserviceversions.operators.coreos.com -A --field-selector='metadata.name={{ $item }}';
+          {{- end -}}
+          {{- range $item := .Values.operators.cleanupOnDelete.daemonSets }}
+              kubectl delete daemonsets --ignore-not-found=true -n {{ $.Values.operators.namespace }} {{ $item }};
+          {{- end }}
+{{- end }}
+{{- if .Values.olm.install }}
+      containers:
+        - name: medik8s-olm-cleanup
+          image: bitnami/kubectl
+          imagePullPolicy: {{ .Values.olm.packageserver.imagePullPolicy }}
+          command:
+          - bash
+          - -c
+          - >
+              kubectl delete subscriptions.operators.coreos.com -A --all;
+              kubectl delete operators.operators.coreos.com -A --all;
+              kubectl delete clusterserviceversions.operators.coreos.com -A --all;
+              kubectl delete daemonset -l k8s-app=self-node-remediation -n {{ .Values.operators.namespace }};
+{{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sa-medik8s-resource-cleanup
+  namespace: kube-system
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: medik8s-resource-cleanup
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+rules:
+  - apiGroups:
+      - "operators.coreos.com"
+    resources:
+      - "clusterserviceversions"
+      - "operators"
+      - "subscriptions"
+    verbs:
+      - "get"
+      - "list"
+      - "delete"
+  - apiGroups:
+      - "apps"
+    resources:
+      - "daemonsets"
+    verbs:
+      - "get"
+      - "list"
+      - "delete"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: medik8s-resource-cleanup
+  labels:
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: medik8s-resource-cleanup
+subjects:
+  - kind: ServiceAccount
+    name: sa-medik8s-resource-cleanup
+    namespace: kube-system
+{{- end }}
diff --git a/packs/medik8s-1.0.0/charts/medik8s/templates/deployment.yaml b/packs/medik8s-1.0.0/charts/medik8s/templates/deployment.yaml
@@ -0,0 +1,130 @@
+{{- if .Values.olm.install }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: olm-operator
+  namespace: {{ .Values.olm.namespace }}
+  labels:
+    app: olm-operator
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: olm-operator
+  template:
+    metadata:
+      labels:
+        app: olm-operator
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: olm-operator-serviceaccount
+      containers:
+        - name: olm-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ "ALL" ]
+          command:
+          - /bin/olm
+          args:
+          - --namespace
+          - $(OPERATOR_NAMESPACE)
+          - --writeStatusName
+          - ""
+          image: {{ .Values.olm.image }}
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8080
+              name: metrics
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+              scheme: HTTP
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+              scheme: HTTP
+          terminationMessagePolicy: FallbackToLogsOnError
+          env:
+          - name: OPERATOR_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: OPERATOR_NAME
+            value: olm-operator
+          resources:
+            requests:
+              cpu: 10m
+              memory: 160Mi
+      nodeSelector:
+        kubernetes.io/os: linux
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: catalog-operator
+  namespace: {{ .Values.olm.namespace }}
+  labels:
+    app: catalog-operator
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: catalog-operator
+  template:
+    metadata:
+      labels:
+        app: catalog-operator
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: olm-operator-serviceaccount
+      containers:
+        - name: catalog-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ "ALL" ]
+          command:
+          - /bin/catalog
+          args:
+          - '--namespace'
+          - {{ .Values.olm.namespace }}
+          - --configmapServerImage={{ .Values.olm.catalogOperator.configmapImage }}
+          - --util-image
+          -  {{ .Values.olm.image }}
+          - --set-workload-user-id=true
+          image: {{ .Values.olm.image }}
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8080
+              name: metrics
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+              scheme: HTTP
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+              scheme: HTTP
+          terminationMessagePolicy: FallbackToLogsOnError
+          resources:
+            requests:
+              cpu: 10m
+              memory: 80Mi
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- end }}
diff --git a/packs/medik8s-1.0.0/charts/medik8s/templates/namespace.yaml b/packs/medik8s-1.0.0/charts/medik8s/templates/namespace.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.olm.install }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.olm.namespace }}
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+{{- end }}
+{{- if not (lookup "v1" "Namespace" "" .Values.operators.namespace).kind }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.operators.namespace }}
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: latest
+{{- end }}
diff --git a/packs/medik8s-1.0.0/charts/medik8s/templates/nodehealthcheck.yaml b/packs/medik8s-1.0.0/charts/medik8s/templates/nodehealthcheck.yaml
@@ -0,0 +1,8 @@
+{{- range $nhc := .Values.nodeHealthChecks }}
+---
+apiVersion: remediation.medik8s.io/v1alpha1
+kind: NodeHealthCheck
+metadata:
+  name: {{ $nhc.name }}
+spec: {{ toYaml $nhc.spec | nindent 2 }}
+{{ end }}