add portainer

portainer/hassingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hassingress
+  annotations: 
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    haproxy.org/whitelist: "192.168.86.0/24,10.233.71.0/24"
+spec:
+  ingressClassName: haproxy
+  rules:
+  - host: "home.geesink.org"
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: hasssvc
+            port:
+              number: 8123
+  tls:
+  -  
+    secretName: hass-cert-prod
+    hosts:
+    - home.geesink.org

portainer/ingress_zoals_het_werkt

@@ -0,0 +1,45 @@
+# Please edit the object below. Lines beginning with a '#' will be ignored,
+# and an empty file will abort the edit. If an error occurs while saving this file will be
+# reopened with the relevant failures.
+#
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    kubernetes.io/ingress.class: haproxy
+    meta.helm.sh/release-name: portainer
+    meta.helm.sh/release-namespace: portainer
+  creationTimestamp: "2023-05-31T18:17:22Z"
+  generation: 7
+  labels:
+    app.kubernetes.io/instance: portainer
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: portainer
+    app.kubernetes.io/version: ce-latest-ee-2.18.3
+    helm.sh/chart: portainer-1.0.43
+  name: portainer
+  namespace: portainer
+  resourceVersion: "17547843"
+  uid: 2471a902-9fad-49af-a56b-9d4173b562c9
+spec:
+  ingressClassName: haproxy
+  rules:
+  - host: portainer.geesink.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: portainer
+            port:
+              number: 9443
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - portainer.geesink.org
+    secretName: portainer-cert-prod
+status:
+  loadBalancer:
+    ingress:
+    - ip: 10.86.0.100

portainer/install

@@ -0,0 +1,6 @@
+helm upgrade --install --create-namespace -n portainer portainer portainer/portainer \
+    --set service.type=ClusterIP \
+    --set tls.force=true \
+    --set ingress.enabled=true \
+    --set ingress.ingressClassName=haproxy 
+

portainer/portainer/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

portainer/portainer/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+appVersion: ce-latest-ee-2.18.3
+description: Helm chart used to deploy the Portainer for Kubernetes
+home: https://www.portainer.io
+icon: https://github.com/portainer/portainer/raw/develop/app/assets/ico/apple-touch-icon.png
+maintainers:
+- email: platform-team@portainer.io
+  name: Portainer
+  url: https://www.portainer.io
+name: portainer
+sources:
+- https://github.com/portainer/k8s
+type: application
+version: 1.0.43

portainer/portainer/README.md

@@ -0,0 +1,92 @@
+# Deploy Portainer using Helm Chart
+
+Before proceeding, ensure to create a namespace in advance.
+For instance:
+```bash
+kubectl create namespace portainer
+```
+
+# Install the chart repository
+
+```bash
+helm repo add portainer https://portainer.github.io/k8s/
+helm repo update
+```
+
+# Testing the Chart
+Execute the following for testing the chart:
+
+```bash
+helm install --dry-run --debug portainer -n portainer deploy/helm/portainer
+```
+
+# Installing the Chart
+Execute the following for installing the chart:
+
+```bash
+helm upgrade -i -n portainer portainer portainer/portainer
+
+## Refer to the output NOTES on how-to access Portainer web
+## An example is attached below
+
+NOTES:
+1. Get the application URL by running these commands:
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace portainer svc -w portainer'
+
+  export SERVICE_IP=$(kubectl get svc --namespace portainer portainer --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")
+  echo http://$SERVICE_IP:9000
+  http://20.40.176.8:9000
+```
+
+# Deleting the Chart
+Execute the following for deleting the chart:
+
+```bash
+## Delete the Helm Chart
+helm delete -n portainer portainer
+## Delete the Namespace
+kubectl delete namespace portainer
+```
+
+# Chart Configuration
+The following table lists the configurable parameters of the Portainer chart and their default values. The values file can be found under `deploy/helm/portainer/values.yaml`.
+
+*The parameters will be keep updating.*
+
+| Parameter | Description | Default |
+| - | - | - |
+| `replicaCount` | Number of Portainer service replicas (ALWAYS set to 1) | `1` |
+| `image.repository` | Portainer Docker Hub repository | `portainer/portainer-ce` |
+| `image.tag` | Tag for the Portainer image | `latest` |
+| `image.pullPolicy` | Portainer image pulling policy | `IfNotPresent` |
+| `imagePullSecrets` | If Portainer image requires to be in a private repository | `nil` |
+| `nodeSelector` | Used to apply a nodeSelector to the deployment | `{}` |
+| `serviceAccount.annotations` | Annotations to add to the service account | `null` |
+| `serviceAccount.name` | The name of the service account to use | `portainer-sa-clusteradmin` |
+| `service.type` | Service Type for the main Portainer Service; ClusterIP, NodePort and LoadBalancer | `LoadBalancer` |
+| `service.httpPort` | HTTP port for accessing Portainer Web | `9000` |
+| `service.httpNodePort` | Static NodePort for accessing Portainer Web. Specify only if the type is NodePort | `30777` |
+| `service.edgePort` | TCP port for accessing Portainer Edge | `8000` |
+| `service.edgeNodePort` | Static NodePort for accessing Portainer Edge. Specify only if the type is NodePort | `30776` |
+| `service.annotations` | Annotations to add to the service | `{}` |
+| `feature.flags` | Enable one or more features separated by spaces. For instance, `--feat=open-amt` | `nil` |
+| `ingress.enabled` | Create an ingress for Portainer | `false` |
+| `ingress.ingressClassName` | For Kubernetes >= 1.18 you should specify the ingress-controller via the field `ingressClassName`. For instance, `nginx` | `nil` |
+| `ingress.annotations` | Annotations to add to the ingress. For instane, `kubernetes.io/ingress.class: nginx` | `{}` |
+| `ingress.hosts.host` | URL for Portainer Web. For instance, `portainer.example.io` | `nil` |
+| `ingress.hosts.paths.path` | Path for the Portainer Web. | `/` |
+| `ingress.hosts.paths.port` | Port for the Portainer Web. | `9000` |
+| `ingress.tls` | TLS support on ingress. Must create a secret with TLS certificates in advance | `[]` |
+| `resources` | Portainer resource requests and limits | `{}` |
+| `tls.force` | Force Portainer to be configured to use TLS only | `false` |
+| `tls.existingSecret` | Mount the existing TLS secret into the pod | `""` |
+| `mtls.enable` | Option to specicy mtls Certs to be used by Portainer | `false` |
+| `mtls.existingSecret` | Mount the existing mtls secret into the pod | `""` |
+| `persistence.enabled` | Whether to enable data persistence | `true` |
+| `persistence.existingClaim` | Name of an existing PVC to use for data persistence | `nil` |
+| `persistence.size` | Size of the PVC used for persistence | `10Gi` |
+| `persistence.annotations` | Annotations to apply to PVC used for persistence | `{}` |
+| `persistence.storageClass` | StorageClass to apply to PVC used for persistence | `default` |
+| `persistence.accessMode` | AccessMode for persistence | `ReadWriteOnce` |
+| `persistence.selector` | Selector for persistence | `nil` |

portainer/portainer/templates/NOTES.txt

@@ -0,0 +1,27 @@
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  Use the URL below to access the application
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ if .port }}:{{ .port }}{{ else }}{{ end }}{{.path}}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  Get the application URL by running these commands:
+  {{- if .Values.tls.force }}
+    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "portainer.fullname" . }})
+  {{- else }}
+    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[1].nodePort}" services {{ include "portainer.fullname" . }})  
+  {{- end}}
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo https://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+  Get the application URL by running these commands:
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "portainer.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "portainer.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo https://$SERVICE_IP:{{ .Values.service.httpsPort }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  Get the application URL by running these commands:
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "portainer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].me$  echo "Visit http://127.0.0.1:9443 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9443:9443
+{{- end }}

portainer/portainer/templates/_helpers.tpl

@@ -0,0 +1,87 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "portainer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "portainer.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "portainer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "portainer.labels" -}}
+helm.sh/chart: {{ include "portainer.chart" . }}
+{{ include "portainer.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "portainer.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "portainer.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "portainer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "portainer.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Provide a pre-defined claim or a claim based on the Release
+*/}}
+{{- define "portainer.pvcName" -}}
+{{- if .Values.persistence.existingClaim }}
+{{- .Values.persistence.existingClaim }}
+{{- else -}}
+{{- template "portainer.fullname" . }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate a right Ingress apiVersion
+*/}}
+{{- define "ingress.apiVersion" -}}
+{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion -}}
+networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+networking.k8s.io/v1beta1
+{{- else -}}
+extensions/v1
+{{- end }}
+{{- end -}}

portainer/portainer/templates/deployment.yaml

@@ -0,0 +1,193 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "portainer.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    io.portainer.kubernetes.application.stack: portainer
+    {{- include "portainer.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  strategy:
+    type: "Recreate"
+  selector:
+    matchLabels:
+      {{- include "portainer.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "portainer.selectorLabels" . | nindent 8 }}
+    spec:
+      nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 -}}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "portainer.serviceAccountName" . }}
+      volumes:
+        {{- if .Values.persistence.enabled }}
+        - name: "data"
+          persistentVolumeClaim:
+            claimName: {{ template "portainer.pvcName" . }}
+        {{- end }}
+        {{- if .Values.tls.existingSecret }}
+        - name: certs
+          secret:
+            secretName: {{ .Values.tls.existingSecret }}
+        {{- end }}
+        {{- if .Values.mtls.existingSecret }}
+        - name: mtlscerts
+          secret:
+            secretName: {{ .Values.mtls.existingSecret }}
+        {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- if .Values.enterpriseEdition.enabled }}
+          image: "{{ .Values.enterpriseEdition.image.repository }}:{{ .Values.enterpriseEdition.image.tag }}"
+          imagePullPolicy: {{ .Values.enterpriseEdition.image.pullPolicy }}
+          {{- else }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- end }}
+          args: 
+          {{- if .Values.tls.force }}
+          - --http-disabled
+          {{- end }}
+          {{- if .Values.tls.existingSecret }}
+          - --sslcert=/certs/tls.crt
+          - --sslkey=/certs/tls.key
+          {{- end }}
+          {{- if .Values.mtls.existingSecret }}
+          - --mtlscacert=/certs/mtls/mtlsca.crt
+          - --mtlscert=/certs/mtls/mtlscert.crt
+          - --mtlskey=/certs/mtls/mtlskey.key
+          {{- end }}          
+          {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }}
+          - '--tunnel-port={{ .Values.service.edgeNodePort }}'
+          {{- end }}
+          {{- if (not (empty .Values.feature.flags)) }}
+          - '{{ .Values.feature.flags }}'
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.persistence.enabled }}
+            - name: data
+              mountPath: /data
+            {{- end }}
+            {{- if .Values.tls.existingSecret }}
+            - name: certs
+              mountPath: /certs
+              readOnly: true
+            {{- end }}
+            {{- if .Values.mtls.existingSecret }}
+            - name: mtlscerts
+              mountPath: /certs/mtls
+              readOnly: true
+            {{- end }}
+          ports:
+            {{- if not .Values.tls.force }}
+            - name: http
+              containerPort: 9000
+              protocol: TCP
+            {{- end }}
+            - name: https
+              containerPort: 9443
+              protocol: TCP
+            - name: tcp-edge
+              containerPort: 8000
+              protocol: TCP
+          livenessProbe:
+            failureThreshold: 3
+            initialDelaySeconds: 45
+            httpGet:
+              path: /
+              {{- if .Values.tls.force }}
+              port: 9443
+              scheme: HTTPS
+              {{- else }}
+                {{- if .Values.enterpriseEdition.enabled }}
+                  {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+$" .Values.enterpriseEdition.image.tag }}
+                    {{- if eq (semver .Values.enterpriseEdition.image.tag | (semver "2.7.0").Compare) -1 }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- else }}
+                    {{- if eq .Values.enterpriseEdition.image.tag "latest" }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- end}}
+                {{- else }}
+                  {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+$" .Values.image.tag }}
+                    {{- if eq (semver .Values.image.tag | (semver "2.6.0").Compare) -1 }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end}}
+                  {{- else }}
+                    {{- if eq .Values.image.tag "latest" }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+          readinessProbe:
+            failureThreshold: 3
+            initialDelaySeconds: 45
+            httpGet:
+              path: /
+              {{- if .Values.tls.force }}
+              port: 9443
+              scheme: HTTPS
+              {{- else }}
+                {{- if .Values.enterpriseEdition.enabled }}
+                  {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+$" .Values.enterpriseEdition.image.tag }}
+                    {{- if eq (semver .Values.enterpriseEdition.image.tag | (semver "2.7.0").Compare) -1 }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- else }}
+                    {{- if eq .Values.enterpriseEdition.image.tag "latest" }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- end}}
+                {{- else }}
+                  {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+$" .Values.image.tag }}
+                    {{- if eq (semver .Values.image.tag | (semver "2.6.0").Compare) -1 }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end}}
+                  {{- else }}
+                    {{- if eq .Values.image.tag "latest" }}
+              port: 9443
+              scheme: HTTPS
+                    {{- else }}
+              port: 9000
+              scheme: HTTP
+                    {{- end }}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}

portainer/portainer/templates/ingress.yaml

@@ -0,0 +1,60 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "portainer.fullname" . -}}
+{{- $tlsforced := .Values.tls.force -}}
+{{- $apiVersion := include "ingress.apiVersion" . -}}
+apiVersion: {{ $apiVersion }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "portainer.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+{{- with .Values.ingress.ingressClassName }}
+  ingressClassName: {{ . }}
+{{- end }}
+{{- if .Values.ingress.tls }}
+  tls:
+  {{- range .Values.ingress.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+  {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+        {{- range .paths }}
+          - path: {{ .path | default "/" }}
+            {{- if eq $apiVersion "networking.k8s.io/v1" }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+            {{- if eq $apiVersion "networking.k8s.io/v1" }}
+              service:
+                name: {{ $fullName }}
+                port:
+                {{- if $tlsforced }}
+                  number: {{ .port | default 9443 }}
+                {{- else }}
+                  number: {{ .port | default 9000 }}
+                {{- end }}
+            {{- else }}
+              serviceName: {{ $fullName }}
+              {{- if $tlsforced }}
+              servicePort: {{ .port | default 9443 }}
+              {{- else }}
+              servicePort: {{ .port | default 9000 }}
+              {{- end }}
+            {{- end }}
+        {{- end }}
+  {{- end }}
+{{- end }}

portainer/portainer/templates/namespace.yaml

@@ -0,0 +1,6 @@
+{{ if .Values.createNamespace }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portainer
+{{ end }}

portainer/portainer/templates/pvc.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.persistence.enabled -}}
+{{- if not .Values.persistence.existingClaim -}}
+---
+kind: "PersistentVolumeClaim"
+apiVersion: "v1"
+metadata:
+  name: {{ template "portainer.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+  {{- if .Values.persistence.storageClass }}
+    volume.beta.kubernetes.io/storage-class: {{ .Values.persistence.storageClass | quote }}
+  {{- else }}
+    volume.alpha.kubernetes.io/storage-class: "generic"
+  {{- end }}
+  {{- if .Values.persistence.annotations }}
+  {{ toYaml .Values.persistence.annotations | indent 2 }}  
+  {{ end }}
+  labels:
+    io.portainer.kubernetes.application.stack: portainer
+    {{- include "portainer.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - {{ default "ReadWriteOnce" .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+  {{- if .Values.persistence.selector }}
+  selector:
+{{ toYaml .Values.persistence.selector | indent 4 }}
+  {{ end }}
+{{- end }}
+{{- end }}

portainer/portainer/templates/rbac.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "portainer.fullname" . }}
+  labels:
+    {{- include "portainer.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: {{ include "portainer.serviceAccountName" . }}

portainer/portainer/templates/service.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "portainer.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    io.portainer.kubernetes.application.stack: portainer
+    {{- include "portainer.labels" . | nindent 4 }}
+  {{- if .Values.service.annotations }}
+  annotations:
+  {{- range $key, $value := .Values.service.annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    {{- if not .Values.tls.force }}
+    - port: {{ .Values.service.httpPort }}
+      targetPort: 9000
+      protocol: TCP
+      name: http
+      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.httpNodePort))) }}
+      nodePort: {{ .Values.service.httpNodePort}}
+      {{- end }}
+    {{- end }}
+    - port: {{ .Values.service.httpsPort }}
+      targetPort: 9443
+      protocol: TCP
+      name: https
+      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.httpsNodePort))) }}
+      nodePort: {{ .Values.service.httpsNodePort}}
+      {{- end }}
+    {{- if (eq .Values.service.type "NodePort") }}
+    - port: {{ .Values.service.edgeNodePort }}
+      targetPort: {{ .Values.service.edgeNodePort }}
+      {{- else }}
+    - port: {{ .Values.service.edgePort }}
+      targetPort: {{ .Values.service.edgePort }}
+      {{- end }}
+      protocol: TCP
+      name: edge
+      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.edgeNodePort))) }}
+      nodePort: {{ .Values.service.edgeNodePort }}
+    {{- end }}
+  selector:
+    {{- include "portainer.selectorLabels" . | nindent 4 }}

portainer/portainer/templates/serviceaccount.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "portainer.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "portainer.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}

portainer/portainer/templates/tests/test-connection.yaml

@@ -0,0 +1,18 @@
+{{- if not .Values.disableTest -}}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "portainer.fullname" . }}-test-connection"
+  namespace: {{ .Release.Namespace }}  
+  labels:
+    {{- include "portainer.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "portainer.fullname" . }}:{{ .Values.service.httpPort }}']
+  restartPolicy: Never
+{{ end }}

portainer/portainer/values.yaml

@@ -0,0 +1,77 @@
+# Default values for portainer.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+# If enterpriseEdition is enabled, then use the values below _instead_ of those in .image
+enterpriseEdition: 
+  enabled: false
+  image:
+    repository: portainer/portainer-ee
+    tag: 2.18.3
+    pullPolicy: Always
+
+image:
+  repository: portainer/portainer-ce
+  tag: 2.18.3
+  pullPolicy: Always
+
+imagePullSecrets: []
+
+nodeSelector: {}
+
+serviceAccount:
+  annotations: {}
+  name: portainer-sa-clusteradmin
+
+service:
+  # Set the httpNodePort and edgeNodePort only if the type is NodePort
+  # For Ingress, set the type to be ClusterIP and set ingress.enabled to true
+  # For Cloud Providers, set the type to be LoadBalancer
+  type: NodePort
+  httpPort: 9000
+  httpsPort: 9443
+  httpNodePort: 30777
+  httpsNodePort: 30779
+  edgePort: 8000
+  edgeNodePort: 30776
+  annotations: {}
+
+tls:
+  # If set, Portainer will be configured to use TLS only
+  force: false
+  # If set, will mount the existing secret into the pod
+  existingSecret: ""
+
+mtls:
+  # If set, Portainer will be configured to use mTLS only
+  enable: false
+  # If set, will mount the existing secret into the pod
+  existingSecret: ""
+
+feature:
+  flags: ""
+
+ingress:
+  enabled: false
+  ingressClassName: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # Only use below if tls.force=true
+    # nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+  # Note: Hosts and paths are of type array
+  hosts:
+    - host:
+      paths: []
+      # - path: "/"
+  tls: []
+
+resources: {}
+
+persistence:
+  enabled: true
+  size: "10Gi"
+  annotations: {}
+  storageClass:
+  existingClaim:

portainer/values.yaml

@@ -0,0 +1,81 @@
+# Default values for portainer.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+# If enterpriseEdition is enabled, then use the values below _instead_ of those in .image
+enterpriseEdition: 
+  enabled: true
+  image:
+    repository: portainer/portainer-ee
+    tag: 2.18.3
+    pullPolicy: Always
+
+image:
+  repository: portainer/portainer-ce
+  tag: 2.18.3
+  pullPolicy: Always
+
+imagePullSecrets: []
+
+nodeSelector: {}
+
+serviceAccount:
+  annotations: {}
+  name: portainer-sa-clusteradmin
+
+service:
+  # Set the httpNodePort and edgeNodePort only if the type is NodePort
+  # For Ingress, set the type to be ClusterIP and set ingress.enabled to true
+  # For Cloud Providers, set the type to be LoadBalancer
+  type: ClusterIP
+  httpPort: 9000
+  httpsPort: 9443
+  annotations: 
+    haproxy.org/server-ssl: "true"
+
+
+tls:
+  # If set, Portainer will be configured to use TLS only
+  force: true
+  # If set, will mount the existing secret into the pod
+  existingSecret: ""
+
+mtls:
+  # If set, Portainer will be configured to use mTLS only
+  enable: false
+  # If set, will mount the existing secret into the pod
+  existingSecret: ""
+
+feature:
+  flags: ""
+
+ingress:
+  enabled: true
+  ingressClassName: haproxy
+  annotations: 
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    kubernetes.io/ingress.class: haproxy
+
+    # kubernetes.io/ingress.class: nginx
+    # Only use below if tls.force=true
+    # nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+  # Note: Hosts and paths are of type array
+  hosts:
+    - host: portainer.geesink.org
+      paths: 
+       - path: "/"
+  tls: 
+  - hosts:
+    - portainer.geesink.org
+    secretName: portainer-cert-prod
+
+resources: {}
+
+persistence:
+  enabled: true
+  size: "10Gi"
+  annotations: {}
+  storageClass:
+  existingClaim:

portainer/values.yaml.old

@@ -0,0 +1,15 @@
+USER-SUPPLIED VALUES:
+enterpriseEdition:
+  enabled: true
+ingress:
+  annotations:
+    kubernetes.io/ingress.class: haproxy
+  enabled: true
+  hosts:
+  - host: portainer.geesink.org
+    paths:
+    - path: '"/"'
+service:
+  type: ClusterIP
+tls:
+  force: true

portainer/values2.yaml

@@ -0,0 +1,15 @@
+USER-SUPPLIED VALUES:
+enterpriseEdition:
+  enabled: true
+ingress:
+  annotations:
+    kubernetes.io/ingress.class: haproxy
+  enabled: true
+  hosts:
+  - host: portainer.geesink.org
+    paths:
+    - path: '"/"'
+service:
+  type: ClusterIP
+tls:
+  force: true